Hackers claimed to have stolen more than 2 billion records containing sensitive information including Social Security numbers, with some data reportedly leaked online.
I'm pretty sure mine has been stolen a dozen times at this point. You should never assume your SSN is private information, but you should treat it as such to limit how many people have it.
The main issues here are:
- applications for credit - freeze your credit at the major credit bureaus - Experian, Equifax, TransUnion (bonus points for ARS and SageStream); make sure to unfreeze if you apply for a credit card or bank account though
- impersonating - like applying for jobs and whatnot; this shouldn't directly impact you, and it's on the employer to make sure they know who they're employing
- password resets - the best you can do is use MFA, though many services will allow resets with just personal information; I hope this changes, and some orgs are doing things to prevent abuse (e.g. Fidelity has voice recognition to cut down on support scams)
Honestly, we really need to stop using the SSN as identification.
Eh, there are good parts to it as well. The only Federal ID I have is my passport, so there's no reason for them to track me across state lines. If I get pulled over in Oregon, they don't necessarily know my driving history in California or Nevada, so I'm more likely to get a warning than a ticket. If I had a Federal ID, they'd probably communicate across state lines more.
Formally request that large transactions through your bank be done with you present, in person. Ask if you can set a limit and only if done in person also temporarily lift that limit.
Obtain a credit card. Either you fight to get your money back when fraud hits, or they fight to get their money back. You can guess which team is better staffed. I was procrastinating for ages getting one myself. Then another fraudulent transaction hit. Despite having a fair amount of knowledge in this realm and doing a solid amount of research independently AND reporting it immediately, it still took days to get money actually placed back into my account. AND THEN IT HAPPENED AGAIN with a brand new card within 30 days. Likely the shitty auto update service large organizations can subscribe to, or I got unlucky on a brute force attempt. Either way, a CC will save you this hassle.
Bitwarden.
Passwords only on your phone. No biometrics without a backup plan.
Yeah, I only use credit cards or cash these days, and leave my debit cards frozen/locked. The only time I would need my debit card is to use an ATM, and it's easy enough to log in on my phone and unlock it. I've had several fraudulent charges on various cards, and so far it has been resolved with a short phone call and a reissue, and my replacements seem to come faster than new credit cards. The rewards are nice, but the purchase protections are the real reason I use them.
biometrics
Biometrics are really nice, and on newer phones, way more secure than a PIN. They're also local-only, so they're quite privacy-friendly.
But absolutely have a backup. I use a long PIN as my backup, and my bank lets me use a long PIN on my debit card as well, so I keep them the same (easier to remember that way). I use my fingerprint for pretty much everything, but I also have my phone reboot itself after a period of inactivity, which forces a PIN login (again, helps me remember it). Oh, and it's a random PIN, so not something anyone could guess (I'm a developer, so I used a small Python script: import random; ''.join(str(random.randint(0, 9)) for _ in range(N)) where N is your desired length). I ran three of those and picked one.
And yeah, Bitwarden is fantastic. I apparently have >300 logins, and there's no way I'd be able to remember that many unique passwords.
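An added example, not the commenter's script: the same random-PIN idea using Python's `secrets` module, which draws from the operating system's CSPRNG, plus a check that rejects repeated-digit and straight-run PINs. The function names are chosen for this example.

```python
import math
import secrets

DIGITS = "0123456789"


def is_weak(pin: str) -> bool:
    """True for PINs a guesser tries first: one repeated digit or a straight run."""
    if len(set(pin)) == 1:                      # e.g. 0000, 777777
        return True
    # Step between neighbouring digits, modulo 10 so 8901 counts as a run.
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {9}         # ascending or descending run


def generate_pin(length: int) -> str:
    """Return a random numeric PIN of the given length from the OS CSPRNG."""
    if length < 4:
        raise ValueError("use at least 4 digits")
    while True:
        pin = "".join(secrets.choice(DIGITS) for _ in range(length))
        if not is_weak(pin):                    # resample the rare weak draw
            return pin


def entropy_bits(length: int) -> float:
    """Upper bound on guessing entropy of a uniformly random numeric PIN."""
    return length * math.log2(10)


if __name__ == "__main__":
    n = 8                                       # desired length (assumption)
    print(generate_pin(n), f"~{entropy_bits(n):.1f} bits")
```
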
Isn't it the address being leaked with it that makes this notable?
You can't add a number to a SSN and also add a number to the street address to then narrow down which full names are associated with that SSN to then possibly be able to use it.
The address does make it a lot more useful, but the point that I am making is simply that the number itself has never been secure, and this kinda failure was inevitable due to only needing slightly more info than the number itself. A number which itself is already partially identifying.
We shouldn't use social security numbers like we do.
First 3 digits are the area number assigned to a geographic. Next 2 are a group number and are not used serially but have a rather unusual usage sequence. The last 4 are a serial number assigned in order.
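An added example, not part of the original thread: the area/group/serial layout described above, used defensively to find SSN-shaped values in log lines and redact them before the logs are stored or shared. Field values that are never assigned (area 000, 666 or 900-999, group 00, serial 0000) are skipped to cut false positives; the log lines and function names are constructed for this example.

```python
import re

# area (3 digits), group (2), serial (4); separators may be "-", " " or absent.
# The lookarounds stop a match inside a longer run of digits.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def is_issuable(area: str, group: str, serial: str) -> bool:
    """False for field values that are never assigned in an SSN."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def find_ssns(line: str) -> list[dict]:
    """Return the structurally plausible SSNs in a line, split into fields."""
    hits = []
    for m in SSN_RE.finditer(line):
        area, group, serial = m.groups()
        if is_issuable(area, group, serial):
            hits.append({"area": area, "group": group, "serial": serial,
                         "span": m.span()})
    return hits


def redact(line: str) -> str:
    """Replace each plausible SSN with a fixed marker; leave other digits alone."""
    def _mask(m: re.Match) -> str:
        return "[SSN REDACTED]" if is_issuable(*m.groups()) else m.group(0)
    return SSN_RE.sub(_mask, line)


# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    "user=alice ssn=123-45-6789 action=update",
    "order 000-12-3456 shipped",            # area 000 is never assigned
    "callback 555-123-4567 requested",      # phone number, wrong grouping
    "applicant ssn 123 45 6789 verified",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(redact(entry))
```
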
Yeah, the SSN system is the stupidest freaking thing ever for all the crap we use it for. But trying to implement a better system is met with cries of "GOVERNMENT OVERREACH, COMMUNISTS! OH GOD IN HEAVEN, MUH RIGHTS!!!1!". So....we haven't really done anything about it, and probably won't in my lifetime.
It's unfortunate that SSN has come to be used as a form of proof of existence as a person, but I'm glad at least that more effective means of formally tracking and quantifying us have been successfully fought back. Banks, governments, service providers and employers having some friction and uncertainty in whether their database entry accurately corresponds to you is itself a valuable form of privacy.
I've been reading the book Seeing Like A State and I think it has some pretty good points about how civic legibility and record keeping is established as a tool of centralized control and can be a dangerous double edged sword.
There was another post or comment about this topic and a person posted a list of websites to freeze your credit. Does anyone know where that comment went?
Might be worth investing in a credit monitoring service. I use Aura, it was definitely the simplest way to freeze each one from the same portal. I also use their call filtering service so any unknown number that calls me gets silenced before my phone rings and a message says, “I’m a spam filter, please state the nature of the call.” It’s saved me so much goddamn looking at who’s calling.
On top of that, gives me alerts, credit scores on the regular so I can notice if anything is up, it’s been systematically requesting takedowns of all my info on those data broker sites…other shit too, honestly. I forget. But it’s definitely made my life much more pleasant.