Social Security numbers (SSNs) were never meant to be a personal identifier, but the latest large cybersecurity breach, at Equifax, shows that they are routinely used as one anyway. As a result, White House Cyber Coordinator Rob Joyce is calling for replacements to the Social Security numbering system. One option would be a public-private “key” system that uses changeable, public-facing identifiers for some environments and more permanent identifiers for others.
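The public-private “key” idea in the paragraph above is easier to reason about in code. What follows is an added example and is not code from the article or from anyone quoted in it: a small identifier service in which the permanent identifier never leaves a trusted store, each relying party (an environment) receives its own random public token, and a compromised token can be revoked and reissued without touching the permanent identifier. The permanent identifier “P-0001” and the environments “bank” and “clinic” are constructed placeholders, and the class and method names are assumptions for this sketch, not a description of any real proposal.

```python
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple


@dataclass
class Enrollment:
    """One person: a permanent private identifier plus per-environment public tokens."""
    permanent_id: str
    current: Dict[str, str] = field(default_factory=dict)  # environment -> active public token
    revoked: Set[str] = field(default_factory=set)          # tokens retired after rotation


class IdentifierService:
    """Trusted service (hypothetical) mapping public tokens back to a permanent identifier.

    The permanent identifier is stored only here. Relying parties see an
    environment-scoped public token that is random, revocable and replaceable,
    so a breach at one relying party exposes nothing reusable elsewhere.
    """

    def __init__(self, token_factory: Callable[[], str] = lambda: secrets.token_urlsafe(12)):
        self._enrollments: Dict[str, Enrollment] = {}
        self._index: Dict[str, Tuple[str, str]] = {}   # token -> (permanent_id, environment)
        self._new_token = token_factory

    def enroll(self, permanent_id: str) -> None:
        if permanent_id in self._enrollments:
            raise ValueError("already enrolled")
        self._enrollments[permanent_id] = Enrollment(permanent_id)

    def issue(self, permanent_id: str, environment: str) -> str:
        """Issue a fresh public token scoped to one environment (e.g. a bank or a clinic)."""
        enrollment = self._enrollments[permanent_id]
        if environment in enrollment.current:
            raise ValueError("environment already has an active token; call rotate()")
        token = self._new_token()
        while token in self._index:          # collision guard; irrelevant for real random tokens
            token = self._new_token()
        enrollment.current[environment] = token
        self._index[token] = (permanent_id, environment)
        return token

    def rotate(self, permanent_id: str, environment: str) -> str:
        """Retire the current token for one environment and issue a replacement."""
        enrollment = self._enrollments[permanent_id]
        old = enrollment.current.pop(environment)
        enrollment.revoked.add(old)
        return self.issue(permanent_id, environment)

    def resolve(self, token: str, environment: str) -> Optional[str]:
        """Map a public token back to the permanent id, only if it is active and scoped here."""
        entry = self._index.get(token)
        if entry is None:
            return None
        permanent_id, issued_for = entry
        if issued_for != environment:        # a token leaked from the bank is useless at the clinic
            return None
        if token in self._enrollments[permanent_id].revoked:
            return None
        return permanent_id


if __name__ == "__main__":
    svc = IdentifierService()
    svc.enroll("P-0001")                      # constructed placeholder, not a real identifier
    bank = svc.issue("P-0001", "bank")
    clinic = svc.issue("P-0001", "clinic")
    print("bank token resolves:", svc.resolve(bank, "bank"))
    print("bank token at clinic:", svc.resolve(bank, "clinic"))
    new_bank = svc.rotate("P-0001", "bank")   # after a breach at the bank
    print("old bank token after rotation:", svc.resolve(bank, "bank"))
    print("new bank token:", svc.resolve(new_bank, "bank"))
```

The point of the design is the one the article's sources make about static data: the value a relying party stores is temporary, so a breach there is answered by rotating that one token rather than by trying to change an unchangeable number.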
“SSNs were originally designed to be secret, private and only shared when needed,” says Morey Haber, vice president of technology at BeyondTrust, which develops privileged account management and vulnerability management solutions. “That is still true, but due to information technology they have been leaked and breached en masse.”
Read on to learn why SSNs are vulnerable and what the alternatives might be.
Why Are SSNs Vulnerable?
One of the main reasons SSNs are troublesome when used as identifiers is that they are permanent, one-to-one markers of identification. “The Social Security number and date of birth cannot be changed,” says Robert Siciliano, an identity-theft expert. “When cybercrooks get personal data off of these online retailers and service providers, it invades the customer’s privacy.”
And as Haber says, compounding the problem is the fact that people still need to use their SSNs even if the number has been compromised. “The risk is magnified since we still use them the same way as initially designed — for taxes — but now criminals can target large quantities of them,” he says.
What Other Options Are Available?
Proving identity to access or change important information in financial, health and other applications is a challenge. “Databases have been used for years to store and safeguard identifier information,” Haber says. “Even with the best privileged access and encryption, we have seen breaches. Whatever new system for identifiers is selected, the storage must be equally as robust to last the next hundred years.”
Biometrics — the use of fingerprints, retinal scans or facial features as identifiers — are an option, but they’re not foolproof. “The problem is they can change over time,” Haber says. “People can lose limbs or have accidents, and if the database is stolen, the risk of fraud goes up with no resolution.” An additional layer of security, such as two-factor authentication, could help, he says.
Is Change Likely?
The Trump administration’s proposal to replace SSNs is not new, Siciliano says. “In 2007 the Office of Management and Budget ordered agencies to eliminate all nonessential uses of Social Security numbers, and the Department of Defense is currently working on limiting its use of the numbers,” he says. But the private sector will also need to look at changes.
“Online enterprises must take full responsibility for stolen data,” Siciliano says. “It’s a real serious issue when static data like date of birth and SSN are breached, as opposed to temporary data, like a password or answer to a security question.” He says governments need to reassess the idea of using static data like date of birth and SSN, while online enterprises must embrace the possibility that legislation will eventually make it illegal to require SSNs from users.