What gives banks the right to consider an SSN an authenticator?
Is there a law allowing that?
Common sense suggests it should only be possible if the user explicitly accepted "I agree that knowing my SSN is enough to prove it's me and I agree to be liable for any debts created with just my SSN presented".
But isn't your SSN given by the government? Does the US government require anyone to sign such an agreement before they get an SSN? Without it, a bank claiming I owe them money because "we got your SSN" is fraudulent, plain and simple. Report the bank to the FBI.
But that's probably far too sensible European thinking.
I regularly keep hearing reports of how the US handling of money is basically medieval with some badly thought-out insecure bits pasted on top. And some of that gets exported! It sucks that I need to own a credit card to be able to make international purchases on the internet. Why is there not an international version of iDEAL?
You misunderstand US law. Yes, someone can use my SSN (along with other private information) to create a debt. That doesn't make me liable. If it shows up on my credit report, I can disclaim responsibility using existing legal protections. As long as I truly didn't create the debt, it is the debt holder's problem.