Identity After Equifax: Rethinking the SSN
By Doug Pollack - Article on October 05, 2017
The Equifax breach brings new urgency to the question of how we establish and protect our personal identities. By exposing the Social Security numbers (SSNs) of over 145 million Americans, the breach set millions up for what one expert called “a lifetime game of Whack-a-Mole,” with identity theft cropping up over and over in unexpected places.
SSNs have become a universal identifier, tracking an individual from birth through education, employment, and retirement, in sickness and in health, till death and beyond. Having so much of our lives tied to any single identifier makes us appallingly vulnerable if that information is exposed. Yet we still need to recognize our citizens, customers, patients, and students in order to serve them, so it’s time we came up with ways to identify people without putting them at risk.
As many pundits have observed in the wake of the Equifax breach, Social Security numbers were never intended to be used as personal identifiers. (It says so right on your Social Security card!) The Social Security Administration established the system in 1936 as a way to track each American’s work history to determine their Social Security benefits. But the convenience of having one unique identifier for each American was seductive, and SSN use grew, slowly at first and then faster. The IRS didn’t require taxpayers to furnish SSNs for tax reporting until 1961. When Medicare was enacted in 1965, older adults needed an SSN to claim benefits. In 1969, the Department of Defense began using SSNs to identify armed services personnel. In 1970, the Bank Records and Foreign Transactions Act required banks, savings and loan associations, credit unions, and securities dealers to obtain the SSNs of all of their customers.
Over the last four decades, government and security experts have warned about the risks of using SSNs as personal identifiers. And over those same decades, the SSN came to be required to prove citizenship, enter public school, get medical care, buy savings bonds, receive numerous government benefits, and more. Initiatives to prevent counterfeiting of Social Security cards date back 30 years, but with the digitization of everything, no self-respecting criminal would waste time counterfeiting cards. SSNs have become the single most universal and unchanging aspect of our personal identities, and they are now spread across thousands of business and government systems, linked to the Internet and mostly free for the taking.
The current grave risks to personal identity boil down to both too much and too little control. First, the SSN is used to control too many aspects of our lives. In the hands of a criminal, it provides the power to take over our financial and medical identities, to steal our rights as citizens, and to impersonate us and ruin our good names. The flip side is that individuals have too little control over how their SSNs are used. Consumers were particularly angered by the Equifax breach because they have no choice over what information credit bureaus collect on them or how it is used. Finally, too many organizations are exercising too little control to protect the personal data they hold. According to Equifax, the breach of 145 million consumer records didn’t even touch its core systems. As threat intelligence expert Alex George observed in a recent Wired article, “If 143 million people could be affected and this does not touch your core, where were you keeping this data?”
While there is no perfectly secure scheme for personal identification, there are things we can do to make the situation a lot better.
First, we need to take away the destructive power of the SSN. No single identifier should provide access to so many aspects of our lives, and it’s possible that we’ll soon see legislative action to curtail the use of SSNs.
Second, we need to give the individual more control over the use of his or her identity. Many banks and online retailers have begun using 2-factor authentication and even biometrics to confirm transactions such as opening a new account. While biometrics can be faked, that requires more sophistication and often physical possession of a device, making identity theft more difficult and less likely. The transaction alerts that many banks and credit card companies now offer are also a great control mechanism, giving consumers the chance to intervene immediately if they see fraudulent activity.
Finally, both businesses and consumers need to apply a lot more intelligence to the problem of identity protection. Consumers are almost universally naive about the threat of identity theft, and most will supply their SSN on request, without stopping to consider why it’s required, whether they can refuse, or whether the requestor is legitimate. At best, that puts their SSN in more systems where it could be breached; at worst, it makes them prey to all sorts of phishing, phone, and other scams.
Businesses, too, need to get smarter about the personal data they gather. The more data you hold, the bigger a target you become for cyber attacks and the greater the risk if your systems are breached. If you’re not legally required to use SSNs, why ask for them? Businesses that do need to store SSNs should use data segmentation, encryption, and other methods to mitigate risks, and all businesses should consider machine intelligence and other tools to help spot misuse such as new account fraud or unusual patterns of activity around an SSN.
Cyber attacks are now a fact of life, and they’re not going to subside any time soon. They are too profitable for criminals, too useful for nation-state attackers, and, with the explosion of digitization, too easy for hackers to accomplish. It will take a determined partnership between business, consumers, and government to change those factors, and one strong step would be to move away from vulnerable, powerful identifiers such as SSNs. It won’t be an easy transition, but in the end, it could save businesses and consumers billions of dollars that are now wasted in the aftermath of data breaches and identity theft. More importantly, by treating customers and clients as more than numbers, by working with them to stop identity theft, organizations will build stronger, more trusted relationships with the people they serve. And good relationships are good business.