
You can do a lot with an SSN in Finland. The first 6 digits are your date of birth followed by 4 random characters. If I had your SSN (and address) I could:

- Phone up the tax office and find out about all your finances, and make adjustments to your tax percentages and affairs.

- Phone your medical provider, and very possibly socially engineer them into revealing medical information. I could book an appointment with your doctor, for example, and impersonate you on the phone appointment.

- Call all your utility providers and cancel contracts without you knowing about it.

- I highly suspect I could call your phone provider and take over your phone number, and in some cases use this to take over your email.

Whilst SSN should not be treated as a non-secret, the reality is that it is a secret and is often the only line of defense when dealing with companies.



And it shouldn't be.

The problem is that using a government issued ID is easy since everyone has one. That's the wrong use for something like an SSN, but you're right, it's what's done in practice.

We should be moving away from that. Government issued ID should merely be the equivalent of a user name, with any real use requiring additional factors of authentication (password, security key, etc). Unfortunately, most of these other factors are also easily accessible (mother's maiden name, date of birth, etc).

Ideally, we'd have something like:

- number issued at birth (like present system), frozen until individual activates it

- individual sets password when unfreezing

- all accesses must be explicitly allowed by the user

- user can grant/revoke/audit access, and access is denied by default

- no private data is stored in the account

- companies that use the account for authentication are required to delete user data when the user requests it, and these systems are audited to ensure this happens

However, that's not the case. We should be fighting to change that. Having something like an email address or identification number become public knowledge shouldn't matter one bit...
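A minimal model of the scheme listed in the comment above, added here as an illustration and not part of the thread: the number acts only as a user name, the account stays frozen until its owner sets a password, and every access is denied unless the owner granted it. The class and method names are hypothetical, and PBKDF2 stands in for whatever credential a real system would use.

```python
import hashlib
import hmac
import os


class IdentityAccount:
    """Hypothetical model: the ID number is only a user name; it grants nothing."""

    def __init__(self, number):
        self.number = number      # public identifier, safe to disclose
        self._salt = None         # unset while the account is frozen
        self._hash = None
        self._grants = set()      # relying parties the owner has approved
        self.audit_log = []       # (event, party, allowed); no private data stored

    def _kdf(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 200_000)

    def _is_owner(self, password):
        return self._hash is not None and hmac.compare_digest(self._kdf(password), self._hash)

    def activate(self, password):
        """Unfreeze once; the individual sets the password at that moment."""
        if self._hash is not None:
            raise PermissionError("account already activated")
        self._salt = os.urandom(16)
        self._hash = self._kdf(password)
        self.audit_log.append(("activate", None, True))

    def _change_grant(self, event, password, party):
        ok = self._is_owner(password)
        if ok and event == "grant":
            self._grants.add(party)
        elif ok:
            self._grants.discard(party)
        self.audit_log.append((event, party, ok))
        return ok

    def grant(self, password, party):
        return self._change_grant("grant", password, party)

    def revoke(self, password, party):
        return self._change_grant("revoke", password, party)

    def check_access(self, party):
        """Deny by default: frozen accounts and unapproved parties get nothing."""
        allowed = self._hash is not None and party in self._grants
        self.audit_log.append(("access", party, allowed))
        return allowed
```

Refused attempts are logged alongside successful ones, so the owner's audit view shows who tried to use the number as well as who was allowed to.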



