
Equifax: highlighting the problems with social security numbers

People have been banging the drum for years, but perhaps now the massive Equifax breach will force the issue to the forefront: it’s way, way past time to dump social security numbers (SSNs) as a national ID in the United States, as SSNs are a terrible way to identify or authenticate yourself. Here’s why.

You can’t change them if they are compromised

This tweet by @SarahJamieLewis sums up the issue quite nicely:

When your identity is stolen, the onus is on you, the victim, to spend hours tracking down fraudulent activity against your social security number and to remain vigilant to flag anything else that might appear.

Unlike a credit card number, where you can simply notify the issuer to cancel the old card and issue a new number, once your SSN has been breached you are stuck with it. You might be given some free credit monitoring and advice on how to freeze your credit, but beyond that you are largely on your own to bear the brunt of the damage, with little defensive recourse. That is exactly why attackers prize SSNs.

Adding to the problem is how tightly SSNs are bound to lines of credit in the US through credit bureaus such as Equifax. All an attacker needs is an SSN plus some basic personal details (often easy to find online, if not already public), and they can cause serious long-term damage: the victim may find it nigh-impossible to take out a loan, apply for a credit card, or get a mortgage or insurance. Little or no additional authentication stands in the way, and it simply shouldn't be that easy.

Too many businesses and services require it

The SSN became the de facto national ID number by accident rather than by design. The Social Security Administration (SSA) maintains that you need to hand over your SSN to employers and financial institutions, and to nobody else, but that guidance has been largely ignored.

The original purpose of the SSN was to track employment-related information, including your overall income and how much you had paid into Social Security. In the 1970s, regulations requiring banks and lenders to record the SSNs of their applicants tied the number to personal finance more broadly.

That started the ball rolling, and the SSN became attached to almost every major transaction or event in an American's life: passport applications, military service, filing taxes, receiving federal benefits such as Medicare, even blood donations and school lunch programs.

As time rolled on, the number of transactions requiring an SSN just to function in American society snowballed, simply because the SSN was the most convenient option for tracking and verifying identity.

Some businesses have found out the hard way that if you ask for even a partial social security number, you have to be prepared to protect it, and they have stopped asking for it. Still, as Equifax shows, even when wheeling and dealing in SSNs is your core business, securing them is no easy feat.

They can be cracked or reverse engineered

As an identifier, the SSN is far easier to guess than it looks. It was never designed to be secret: until 2011 its first three digits were tied to the state where it was applied for, which for most people means their place of birth. The SSA's move to randomized assignment that year was an attempt to make SSNs harder to guess, but it was too little, too late, and it did nothing for the numbers already issued.

As an authenticator, the problem of SSNs being unchangeable rears its ugly head again. Many services may ask for the last four digits of your social security number to prove you are who you say you are. According to Javelin Research, 80% of the top 25 banks and 96% of credit card issuers in 2014 allowed their customers (or imposters) to authenticate with an SSN.

In essence, the last four digits are a four-digit password, with only 10,000 possible values, that you are forced to reuse over and over and that every breach of your SSN exposes, flying directly in the face of advice to use complex and unique passwords.
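The following Python script is an added example, not code from Sophos, Equifax or the Javelin study, illustrating the last two points in working code. First, the whole SSN space is under a billion values, so an unkeyed hash of an SSN is reversible by enumeration, and if an attacker already knows the first five digits the remaining four (the same "last four" that services accept as a password) fall in at most 10,000 guesses. Second, it shows the minimum a business that genuinely must keep SSNs should do instead: a keyed HMAC token for matching, a constant-time comparison, and a masked display form. The sample number 123-45-6789, the in-memory key and the function names are assumptions for illustration; the never-issued ranges checked in `normalize_ssn` are public SSA policy.

```python
import hashlib
import hmac
import re
from typing import Optional

# Constructed sample value for illustration only; not a real person's number.
SAMPLE_SSN = "123-45-6789"


def normalize_ssn(value: str) -> str:
    """Strip separators and reject values the SSA never issues.

    Public SSA policy: area 000, 666 and 900-999 are never issued,
    and neither are group 00 or serial 0000.
    """
    digits = re.sub(r"\D", "", value)
    if len(digits) != 9:
        raise ValueError("an SSN has exactly nine digits")
    area, group, serial = digits[:3], digits[3:5], digits[5:]
    if area in ("000", "666") or area >= "900":
        raise ValueError("area number is never issued")
    if group == "00" or serial == "0000":
        raise ValueError("group or serial number is never issued")
    return digits


def weak_hash(ssn: str) -> str:
    """What too many systems do: an unkeyed SHA-256 of the number.

    Fewer than 10**9 SSNs exist, so this is reversible by enumeration
    in minutes; with the first five digits known it takes 10,000 tries.
    """
    return hashlib.sha256(normalize_ssn(ssn).encode()).hexdigest()


def crack_weak_hash(target_hex: str, known_prefix: str) -> Optional[str]:
    """Recover an SSN from its unkeyed hash given its first five digits.

    The unknown part is exactly the 'last four' that services accept
    as an authenticator, and there are only 10,000 of them.
    """
    if len(known_prefix) != 5 or not known_prefix.isdigit():
        raise ValueError("expected the first five digits")
    for serial in range(10_000):
        candidate = f"{known_prefix}{serial:04d}"
        if hashlib.sha256(candidate.encode()).hexdigest() == target_hex:
            return candidate
    return None


def ssn_token(ssn: str, key: bytes) -> str:
    """Keyed token for matching records without storing the number.

    HMAC-SHA256 under a key that lives outside the database (an HSM or
    KMS in production; an assumed in-memory key here). Without the key,
    a dump of tokens cannot be enumerated the way weak_hash output can.
    """
    if len(key) < 32:
        raise ValueError("use a key of at least 32 random bytes")
    return hmac.new(key, normalize_ssn(ssn).encode(), hashlib.sha256).hexdigest()


def verify_ssn(claimed: str, stored_token: str, key: bytes) -> bool:
    """Constant-time check of a submitted SSN against its stored token.

    Malformed input is treated as a failed match rather than an error,
    so the caller leaks nothing about why verification failed.
    """
    try:
        computed = ssn_token(claimed, key)
    except ValueError:
        return False
    return hmac.compare_digest(computed, stored_token)


def mask_ssn(ssn: str) -> str:
    """Display form that exposes only the last four digits."""
    return "***-**-" + normalize_ssn(ssn)[-4:]


if __name__ == "__main__":
    # Demo with the constructed sample and an assumed 32-byte key.
    demo_key = bytes(range(32))
    unkeyed = weak_hash(SAMPLE_SSN)
    print("unkeyed hash recovered:", crack_weak_hash(unkeyed, "12345"))
    token = ssn_token(SAMPLE_SSN, demo_key)
    print("keyed token verifies:", verify_ssn(SAMPLE_SSN, token, demo_key))
    print("display form:", mask_ssn(SAMPLE_SSN))
```

The HMAC token only protects the stored copy: a database dump no longer hands out usable SSNs. It does nothing about the article's central problem, that the number itself cannot be rotated once it leaks from anywhere else.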

The Social Security Number issue is thorny, especially as it relates to privacy and the supposed need (or not) for some kind of national identifier in the US — a controversial topic to say the least.

Whether or not the Equihack spurs a bigger conversation about reducing the SSN's ubiquity remains to be seen. But as long as businesses that have no need for a social security number keep asking for it, we are going to see more and more breaches in which the SSNs of millions are compromised again and again.

And even for businesses that do really need your social security number – including credit bureaus like Equifax – clearly there’s a lot more that needs to be done by these businesses and the government to mitigate the damage that can be done to citizens when their SSNs are compromised.
