Why do some companies ask last 4 digits of my SSN or a scan of my ID? What are my risks?

Question

Yesterday I found out that some major service provider (online rentals) that I use now requires proof of my identity if I want to continue and make a booking. I was offered 2 options:

1. Enter last 4 digits of my social security number and answer several questions.
2. Scan some form of ID card (passport, driving license or other valid government ID)

I decided to give up the last 4 digits of my SSN, but I was a little bit shocked of what happened next. On the next step they started asking me questions that I did not expect them to know the answers to:

• Which state did I live in 2005?
• Where is XXX street (on which I lived in 2013 & 2014) located?
• Etc.

Based on the questions and proposed answers it seemed like they already knew the answers to those questions. The reason why I think they already knew the answers is because I didn't live in the US in 2006-2012, and they seemed to know that I lived in the US in 2005 and then since 2013.

How did they know it? So it's so easy for a company to get this information? I don't feel comfortable!

Now I have a few questions:

1. Why do some companies want the last 4 digits of my SSN?

2. How do they supposedly use it? How do last 4 digits of SSN help check my identity? How does it work?

3. What can a hacker do if they somehow steal this information (my name, date of birth, address, last 4 digits of SSN)? How can this information be used against me?

4. Do you think they could get those personal questions and answers just based on my name, address & date of birth, or they could get that information somehow only after I entered last 4 digits of my SSN?

5. What can a hacker do if they somehow steal a photo of my ID?

6. What do you think is safer: sending last 4 digits of SSN or a photo of ID card?

Answer 1

I live outside the US so I'm not sure exactly how SSNs are normally used, but it sounds like they're using these details as a key to look you up in an external identity verification service.

This isn't too uncommon in relation to property rentals seeing as most physical rental agencies want scans of your ID, etc. any way.

1) Why do some companies want last 4 digits of my SSN?

2) How do they supposedly use it? How do last 4 digits of SSN help check my identity? How does it work?

It's very unlikely that anyone else has the same first and last name, plus the same last 4 digits in their SSN.

Therefore I can imagine this combination being used as a key to look up your record in an external database. Once they have your record the are asking you questions against that information to prove you are indeed that person.

3) What can a hacker do if they somehow steal this information (my name, date of birth, address, last 4 digits of SSN)? How can this information be used against me?

To some extent it's protecting you. It wouldn't be too difficult for an attacker to obtain the information you mention, however it would be much more difficult for them to answer questions like "Which state did you live in 2005?".

Therefore if they tried to use your details to rent a property under your name (eg. to run a meth lab) they'd hopefully be prevented by not being able to answer the additional questions.

Having said that, there is of course the threat that an attacker might be able to access your records via the identity authentication service. Hopefully the identity verification service would require sufficient controls to protect your data before providing access.

It's a trade-off between convenience, protecting you against the company as a threat to your privacy, and protecting you and the company against fraudulent renters.

4) Do you think they could get those personal questions and answers just based on my name, address & date of birth, or they could get that information somehow only after I entered last 4 digits of my SSN?

Probably, I imagine credit providers (eg. your bank) would at least have a history of your postal address and they'd be able to uniquely identify your record from this information.

From a practical standpoint, I'm not sure the specifics of how they might provide that information to an identity verification service. It seems reasonably likely it could happen though.

5) What can a hacker do if they somehow steal a photo of my ID?

6) What do you think is safer: sending last 4 digits of SSN or a photo of ID card?

There's a lot of factors to consider, but I'd say sending SSN is safer assuming there's no additional verification (ie. no extra questions) when you upload your photo ID.

The reason being is that an attacker could just resubmit your photo ID every time and pass verification. However, if they only had your SSN they'd have to answer those questions too (which hopefully change every time).

Answer 2

The last 4 of your SSN is considered "public" data. The questions you were asked were part of LexusNexus (http://www.lexisnexis.com/). It's a clearinghouse that businesses and government agencies use to assert your identity. It is a bit disconcerting the things that are in the database, but it is normal.

As for the photo ID question, that'll have to be a question you answer from the risk you are willing to take. Given that the last 4 of your SSN is "public" data, anybody can take your photo in public, which are you willing to reveal? Is it the information on the ID or the last 4 of your SSN?