People have been banging the drum for years, but perhaps now the massive Equifax breach will force the issue to the forefront: it’s way, way past time to dump social security numbers (SSNs) as a national ID in the United States, as SSNs are a terrible way to identify or authenticate yourself. Here’s why.
You can’t change them if they are compromised
This tweet by @SarahJamieLewis sums up the issue quite nicely:
Don't forget to change your name, date of birth, home address and social security number regularly.
— Sarah Jamie Lewis (@SarahJamieLewis) September 7, 2017
When your identity is stolen, the onus is on you, the victim, to spend hours tracking down fraudulent activity against your social security number and to remain vigilant to flag anything else that might appear.
Unlike a credit card number, where you can simply notify the company to stop activity on your old credit card and to generate you a new number, once your SSN has been breached, you’re still stuck with using it. You might be given some free credit monitoring and advice on how to freeze your credit, but aside from that, you are pretty much on your own to bear the brunt of the damage with little defensive recourse, which is why hackers love getting their hands on them.
Adding to the problem is that SSNs are so tied to lines of credit in the US through credit bureaus such as Equifax, and all a hacker needs is some basic information (often easily found online, if not already made public) and an SSN, and they can cause serious long-term damage to their victim, making it nigh-impossible for them to take out loans, apply for credit cards, get a mortgage or insurance. Little to no additional authentication is needed to cause significant pain, and it just shouldn’t be that easy.
Too many businesses and services require it
The SSN became the de-facto national ID number simply by chance and not by design. The Social Security Administration (SSA) maintains that you need to hand over your SSN to employers and financial institutions – and not to anyone else, but this has been largely ignored.
The original purpose of the SSN was to track employment-related information, including your overall income and how much you’ve contributed to the US Social Security Administration. In the 1970s, the SSN became inextricably tied to overall US finances and US citizenship when regulations were put in place requiring banks and lenders to track the SSNs of their applicants.
That started the ball rolling for the SSN to become inextricably tied to almost any major transaction or event in an American citizen’s life: passport applications, military service, filing taxes, receiving federal benefits such as Medicare, even blood donations and school lunch programs.
As time rolled on, the number of transactions requiring an SSN just to function in American society snowballed, simply because the SSN was the most convenient option for tracking and verifying American citizenship and identity.
Some businesses have found out the hard way that if you are going to be asking for even a partial social security number, you have to be prepared to protect it, and have moved away from asking for it. Still, as we’ve now seen with Equifax, even if your business is to wheel and deal with SSNs, securing them is no easy feat.
They can be cracked or reverse engineered
As an identifier, it’s been proven that guessing a social security number is pretty trivial. After all, the social security number wasn’t meant to be secure in the first place — it was only after 2011 that its first three digits weren’t tied to your location of birth. This was an attempt to help secure the SSNs from being randomly guessed, but it’s too little to late.
As an authenticator, the problem of SSNs being unchangeable rears its ugly head again. Many services may ask for the last four digits of your social security number to prove you are who you say you are. According to Javelin Research, 80% of the top 25 banks and 96% of credit card issuers in 2014 allowed their customers (or imposters) to authenticate with an SSN.
In essense, this is a four-digit password that you are forced to re-use over and over, flying directly in the face of advice to use complex and unique passwords.
The Social Security Number issue is thorny, especially as it relates to privacy and the supposed need (or not) for some kind of national identifier in the US — a controversial topic to say the least.
Whether or not the Equihack spurs a bigger conversation about reducing the SSNs ubiquity remains to be seen. But as long as businesses that have no need to access a social security number keep asking for it, we’re going to see more and more data breaches with the SSNs of millions compromised again and again.
And even for businesses that do really need your social security number – including credit bureaus like Equifax – clearly there’s a lot more that needs to be done by these businesses and the government to mitigate the damage that can be done to citizens when their SSNs are compromised.
Laurence Marks
So why don’t you tell us about the Equifax hack? Were the SSNs stored in plaintext? Simple cypher. Salted? Just exactly how careless were they?
Paul Ducklin
Firstly, the reason we didn’t tell you is that we don’t know. (How could we?)
Secondly, it won’t really matter how the data was stored if it turns out it was stolen via a web/database vulnerability that ran unauthorised queries against the database and exfiltrated the results. (That’s a bit like locking all your valuables up in safe deposit boxes in a secure vault but then hiring a guard who will go off and fetch the contents of any box, without checking your ID, as long as you ask nicely.)
anon
We need an opt out right to refuse to give out our privacy data and regulations to minimize who can store it.
Contact your legislator! Equifax appears to have timed release of their news during hurricane season, thereby minimizing the attention this thorny issue will get.
Mark Stockley
Correlation does not equal causation. They might have timed the release to coincide with hurricane season but there is no evidence that they did and it could easily be a coincidence.
For all we know (and it is not unlikely) Equifax were asked by law enforcement not to say anything for a period of time. Or perhaps they had other reasons. Perhaps good ones, perhaps misguided ones, we just don’t know.
What we do know is that they haven’t exactly covered themselves in glory with the way they’ve managed the breach notification. It doesn’t exactly smack of “well executed master plan” so I’m tempted to rely on Halon’s Razor for this:
“Never attribute to malice that which is adequately explained by stupidity”
Paul Ducklin
IMO, even the word “correlation” (which implies some sort of relationship, albeit not a causal one) doesn’t apply here. After all, you could argue this the other way around by saying that the best way to bury bad news is a press release late on a Friday arvo, so the fact that Equifax avoided Friday shows they *weren’t* trying to bury it.
(On a point of order, Hanlon’s Razor is just a special-case restatement of Occam’s Razor, therefore – by Occam’s Razor, it it best described simply as “Occam’s Razor” :-)
Sam
Malice is the ultimate form of stoopidity..or is stupidity the ultimate form of malice??
Ji
For the record Hurricane season only runs for 6 months of the year…
The Atlantic hurricane season is a time when most tropical cyclones are expected to develop across the northern Atlantic Ocean. It is currently defined as the time frame from June 1 through November 30, though in the past the season was defined as a shorter time frame
EquiFail
The government is (as usual) the main cause of the problem here, by having forced a de facto national ID number on us in the form of our SSN, and then allowing that number to be spread far and wide to creditors, credit bureaus, banks, mortgage companies, car dealerships, universities, and everything else under the sun. And of course, if our SSN is compromised, it’s impossible to change. It’s time for both legislation and the market to scrap the SSN for good.
Paul Ducklin
It’s not *impossible* to get a new SSN, as it happens. But for most people, being an ongoing victim of ID fraud seems to be something of a prerequisite. (The words are that you need to be at a “continued disadvantage”. It is also possible to attempt a religious objection to your current number, thought you can’t object having a number in the first place.)
We discussed this here (the SSN part starts at about 17’00”):
https://nakedsecurity.sophos.com/2017/09/08/learning-from-the-equifax-breach-join-us-on-facebook-live/
Michael Dinich
The IRS website was hacked a few years ago and bandits made off with scores of Social Security Numbers. I am not convinced that the government can come up with a viable solution. The best chance is if some third party company creates a private market solution.
Eric Martin
I maintain that our SSNs should remain as the de-factor national ID, and that their continued use after compromise is still very low due to the ability of everyone of us to ‘mitigate’ the risks of such further misuse through credit locks, monitoring, and other such methods to secure further unauthorized misuse. There are many ‘paid’ options for securing one’s identity against theft, such as LifeLock, IdentityTheft Shield, and numerous others, so instead of changing the current SSN, I favor requiring Americans to ‘insure’ them, just like we’re required to insure our vehicles, and this would help to mitigate, if not eliminate, further violations of federal law in regards to their misuse and abuse by those who intend to do us harm.