After the Equifax breach exposed the data of potentially 146 million people, the Trump Administration is exploring replacements for Social Security numbers as a means of identification. Rob Joyce, special assistant to the president and White House cybersecurity coordinator, said at a conference Tuesday that the Social Security number “has outlived its usefulness.”
“It’s a flawed system that we can’t roll back that risk after we know we’ve had a compromise,” he said. “I personally know my Social Security number has been compromised at least four times in my lifetime. That’s just untenable.”
A lifelong, unchanging identifier like a Social Security number makes hacks more appealing to scammers and inevitably puts consumers at high risk. “Today, the Social Security number may be the most commonly used numbering system in the United States,” according to the Social Security Administration. That’s good news for hackers, bad news for consumers.
The Social Security number was created in 1936 to keep track of earnings and was never meant to be an independent identifier, according to Sam Rehman, chief technology officer of Arxan. In fact, until 1972, it said “not for identification” at the bottom of all cards.
“We need to find a way like most other systems that require true consent to authorize,” Rehman said. He suggested a new public key infrastructure for the U.S.: a set of policies for managing digital certificates that correspond to individual people and rely on encryption for added security. Joyce said this is an option being considered by the federal government.
Put simply, the new identifier would be a unique number known only to the user that changes periodically and automatically. This replacement for the Social Security number could be layered with additional forms of security, such as biometric identification, or with non-numerical identifiers like birth date, occupation, and other unique facts about an individual. This is the case in India, where an effort was launched in 2010 to create biometric identifiers for each of the 1.2 billion people in the country to crack down on welfare fraud.
When a hacker steals someone’s Social Security number, they have access to their accounts indefinitely. Today, 96% of top credit card issuers and 80% of the top 25 banks allow people to access an account if they have the correct Social Security number, according to a 2014 study by Javelin Strategy & Research. If these numbers were regularly rotated, hacking would be far more difficult.
The government only issues new Social Security numbers in extreme cases of identity theft, abuse, and harassment. Americans requiring a new number must fill out an application explaining the need for a number and then wait 60 to 90 days.
Lior Gavish, vice president at security company Barracuda, said biometric security is one of the most user-friendly ways to authenticate an identity, requiring only a fingerprint scan or, increasingly, a face scan. More laptops and phones are being built with fingerprint scanning options. “That is the future,” he said.
Paper forms at the doctor’s office or insurance forms could ask for highly personal but easy-to-remember details about a consumer’s life, said Seth Ruden, senior fraud consultant at global payments systems company ACI Worldwide. What car model do you use? What is your mother’s last name? What was the name of your first school? These are questions already being used to verify online bank accounts.
The Social Security Administration, which created these numbers, has ceased to print the full Social Security number on some of its correspondence. “The agency now advises individuals to keep their Social Security card in a safe place and not to carry it with them,” the agency says. Federal survey-takers are less willing to supply Social Security numbers, it adds.
As unlikely as it currently seems even in the wake of the Equifax hack, Ruden said the move away from the Social Security number is inevitable.