
What can an attacker who knows your SSN still do with that information nowadays? Genuinely curious, as the SSN is just this strange indistinct password thingy the Europeans like me hear about on HN but have no actual parallels with.



If they have your address; birthday; and SSN a whole lot. Generally, they could apply for credit cards; loans; set something to bill to you; etc...

Fortunately, it's getting harder without previous addresses or other verification methods.

For non-Americans that don't know, our Social Security number is generally assigned at birth or when you become a citizen by the Social Security Administration. Social Security is a disabled or elderly benefit we all pay into (roughly 7.5% employee and 7.5% employer - ~15% total). It's the only number we all get, since not everyone gets a driver's license; ID; passport; or other identifier. Unfortunately, it's been used to identify us for everything, and until recently was typically in plaintext on most forms (medical; tax; student; etc...).

CGP Grey has a good summary of how it came about and why it's become a problem: https://www.youtube.com/watch?v=Erp8IAUouus


> It's the only number we all get, since not everyone gets a driver's license; ID; passport; or other identifier. Unfortunately, it's been used to identify us for everything, and until recently was typically in plaintext on most forms (medical; tax; student; etc...).

I fail to see the problem with that. As you said, it's an identifier, like a username or your full name. There should be no issue with everyone knowing your full name, or your username; why there should be an issue with everyone knowing your SSN, or it being in plaintext everywhere?


Because it was used as BOTH an identifier AND proof of identity, for a long time. If it were used properly as simply an identifier, you'd be right, but there are still many cases where knowledge of the number is used as proof (or partial proof, along with birthdate/address/etc) of identity.


I heard there was a similar problem with the bank account number in the US - that you could use it to withdraw money without an actual password or strong identification. Hence the popularity of cheques, PayPal and similar services that weren't needed that much in Europe.


You're right that bank account numbers in the US are insecure, but you're wrong that this is why checks are popular here.

Checks are actually the source of the problem. If you have access to blank check stock and MICR laser toner (both readily available on Amazon, since business accounting departments will routinely print their own checks for payroll / bills), you can make seemingly valid checks to withdraw funds from any account number. This is still a problem.

The reason why checks are popular is because until recently there hasn't been a cheap + accessible + official + unencumbered way to do electronic transfers between personal accounts. The infrastructure existed (ACH), but only businesses could actually initiate deposits/withdrawals. Individuals could initiate full-service wire transfers, but those are risky (there's no way to reverse one done in error) and banks typically charge $25/transfer - which is far too expensive to use for anything routine.

PayPal came into existence so people could purchase goods online (on eBay, specifically) and have the option of performing a chargeback if the goods weren't delivered as advertised.

(Checks will probably still persist for some time, since all the online payment services want to charge percentage fees if they think you're acting as a business. The beauty of checks is that they just work and don't insist on taking a cut of the payment.)


> why there should be an issue with everyone knowing your SSN, or it being in plaintext everywhere

Because far too many businesses, esp. financial ones (banks/credit unions/etc.) have also incorrectly used it as a password to authenticate that "voice on phone" is really John Q. Public and/or that "grifter in chair across desk" is really John Q. Public. I.e., they used the fact that "person X" knew number Y as proof that person X was really person X.

We can argue that it was never intended to be used this way (a true statement), that knowledge of it provides no such proof (also true), and that using it as such was always wrong on the part of these businesses (also true), but the fact is, many did use it this way, and, sadly, many still do use it this way. And it is this misuse that is the "issue" with everyone knowing everyone's SSN.


> username

Think of it as being the username and password. That's how many institutions have treated it for a long time.


Do you need SSN for voting? I heard that you don't need an ID (at least in some states) which was very weird for me but if they ask SSN instead, that is at least something I guess?


No, SSN is not used for voting.

Voting requirements and eligibility are set individually by each state, sometimes even in finer detail; New York City wanted to give immigrants the right to vote in local school board elections, for example.

SSNs are administered by the federal government and are opt-in (however most people apply for one), so it is not something a state can really use as a voting requirement.

State I currently live in (GA), you need to bring a photo ID for in-person voting:

- Driver's License (from any state or federal government)
- State ID card
- Student ID card
- ID badge from any state or federal workplace
- Passport
- Military ID
- Tribal ID

Data was cross-checked to an online voter registration database.

Prior state (NC), I think the ID requirements were similar (possibly more relaxed) but at that time the data was checked to the voter roll, a book with the name and address of all the people in the precinct. When you went to vote, you signed by your name and then it was crossed off the list.


The SSN is used as a way to genuinely identify someone, unfortunately - it’s like having to give out your password each time you rent an apartment or buy a car or obtain medical care or any number of other transactions. Having this info (along with other basic info like name/address/date of birth) lets you effectively pretend you are them. You can take loans out in their name or call some service to do a password reset (since you have all the info to verify you are them) or whatever else. But it’s not like there is one particular way in which the information can be used - it’s dependent on what businesses LET you do with that info. In 2024, NO business should use SSN to verify identity or authorize sensitive transactions but many do, and what they let you do varies significantly.


I think it’s important to distinguish between identification and authentication. As a unique database primary key, they’re fine. The problem was when a bunch of businesses decided it’d be too expensive to check things like government ID and started using them for authentication purposes. Nobody blinks an eye at using a phone number or email address on an application, but we should treat using your SSN or past addresses for authentication the same way we would if someone says they could approve a loan if you know your phone number and zip code.



