Shostack + Friends Blog Archive


More on SSNs and Risk

In writing about Delta Blood Bank earlier today, one of the issues I was thinking about was the unnecessary use of social security numbers, and how it’s an industry standard. One area where this is particularly evident is in the bifurcated market for cell phones. At one end are providers like Virgin and MetroPCS, who sell low-end, no-roaming plans. (Although, really, if you don’t need to roam, and can accept their poor network, MetroPCS’ $40 all you can eat nationwide is quite a deal.) At the other end are the nationals, such as AT&T or Tmobile, all of whom insist on doing a credit check and using your SSN as a password after they’re done. Now, these companies do offer pre-paid, no credit deals, but they stink.

I’m trying to figure out why companies don’t let you buy whatever plan you’d like, on whichever system you prefer. There are minor technical difficulties, like running out of money on overage, but the advantages, which I’ll outline shortly, seem to outweigh them.

The first advantage is in cash flow. If a customer prefers to pre-pay, the company gets their money 60 days earlier. They don’t have to borrow that cash, and can earn interest on it. If all a company’s customers switched to paying earlier, then it would save 1/6th of its annual interest payments, and get interest on about the same amount of cash. (Assuming that the company holds the cash until it delivers the service.) That’s not chump change. Now, the accounting treatment may be a little different. (This is based on a conversation with Samablog, who knows more about accounting than I ever hope to. Errors mine.) That’s because selling accounts receivable is somewhat easier if you haven’t delivered service yet. If you don’t deliver, the bank doesn’t collect, but it’s also not liable for delivering anything. So you get a slightly better rate for the receivable than you do selling your pre-paid income stream.

The second advantage is in liability. If you’re not loaning a customer money, you fall under fewer rules like GLB (FISMA) or SB 1836.

The third advantage would be in privacy, meaning here perceived ID theft risk–by not asking for this information, it’s clearly impossible to abuse it.

One disadvantage is you can’t sell your customer’s personal information so easily. Does that compensate? Are there others? If not, why is no one doing this?