
Which is inane.

We have to get away from this idea of having "secret" numbers that, if simply discovered, can cause so much damage.

That includes credit card numbers, SSN, etc.



It's worth noting that SSN is far worse than a credit card number.

"Something you know" isn't a great standard as the entirety of auth, but it'll probably stay common for practical reasons. But "something you know and can never change if breached" is absolutely idiotic, and there are plenty of good alternatives already in existence.


"Improper use of this card and/or number by the number holder or any other person is punishable by fine, imprisonment or both."

We could start by exacting real consequences for those who abuse SSNs.


Currently it's between 48 months and 27 years (see federal sentencing guidelines) if caught. What sort of real consequences would you like to see? I don't think making the numbers above bigger would make that much of a difference.


Sorry, could you source that?

I just looked around and only found 42 U.S. Code § 408, which offers a maximum penalty of five years (higher for Social Security workers or medical professionals engaged in fraud).

Also, the vast majority of the text concerns misuse of an SSN to defraud or mislead the government, particularly by claiming benefits. (8) does read "discloses, uses, or compels the disclosure of the social security number of any person in violation of the laws of the United States", but at a quick look I only see prosecutions where that was tied to benefit fraud.

I don't think 5 years is an insufficient sentence, and I think the urge to raise sentences as a deterrent is usually counterproductive. But I do think there's room for progress here.

Most SSN abuse as identification appears to be prosecuted as simple identity theft, not SSN fraud. Adding the secondary charge specifically for SSN abuse might encourage thieves to rely on other, less permanent information like passwords.

More broadly, I'd rather see the government concede that SSNs have become a standard form of identification, and make the renewal process less heinous. Right now you have to show grievous hardship over an extended period, can't appeal a bad decision, and will still lose your credit history when the new one is issued. That's simply not a reasonable system for a number people are expected to give out so often.


Well, you have to also consider that many violations are by anonymous fraudsters who are generally outside of the reach of the U.S. government.

So, enforcement is a lot easier said than done.


What alternative do you have in mind?


Well, I haven't yet patented an alternative, but I think it's pretty clear that, in this climate of routine breaches, the old system of secret data is no longer viable.

But, if you're interested in building an alternative, then off the top of my head, I'd suggest that we've got the blockchain. We've all got omnipresent palm-sized computing devices. We've got 2FA schemes, and more. The tools are there for you to create a much more robust system than one that says "here are a handful of secret numbers. Don't let anyone else see them or else your life may be ruined".


To paraphrase a comment about virtual currencies: If you have a hard problem and try to solve it with a blockchain, you now have 2 hard problems.



