The Denver Post

Experts say SSN is TMI

Technology exists to end reliance on the vital ID, but new laws on privacy are a must.

- By Tamara Chuang

As confusion ensued from the Equifax data breach affecting up to 143 million consumers, what remained very clear was that some of the stolen data will haunt people forever.

Social Security numbers, birth dates, home address histories — you just can’t change those things, which led privacy researcher Sarah Jamie Lewis to quip on Twitter, “Don’t forget to change your name, date of birth, home address and Social Security number regularly.”

The Equifax breach stabbed millions of Americans in the gut because this was a company consumers rarely dealt with — let alone consciously shared details with — such as annual incomes, automobile purchases and mailing addresses. But such data and untold more were potentially siphoned out of Equifax’s database months ago by cybercriminals.

While there’s outrage that Equifax failed to protect consumer data properly, the security industry and consumer advocates say that common data used to verify people are who they say they are — most notably the Social Security number — should never have been used in the first place.

“Things like your address, your birth date, your name. They’re not secrets. They were never meant to be secrets,” said Patrick Harding, chief technology officer at Ping Identity in Denver. “The fact that those together can be used to impersonate you, that’s wrong. We started in the wrong place.”

Social Security numbers were never intended to verify a person is who he says he is, according to the Social Security Administration’s history page. The unique number, created in 1936, was meant to track a person’s work history for Social Security benefits.

Of course, even the agency realized that the number has since become widely used because it is unique to an individual. Companies often ask for SSNs whether they need them or not. And Americans rarely flinch when asked to share the number to apply for a home loan, apartment lease, health insurance, credit card or a job.

“Generally, there are no restrictions in federal law precluding the use of the SSN by the private sector, so businesses may ask individuals for an SSN whenever they wish,” according to the agency.

“I warned Congress more than 25 years ago that it was a mistake to allow the Social Security number to be used as a general purpose identifier. And over the last 25 years, the United States has experienced a dramatic increase in identity theft and financial fraud, largely traced to the growing use of the SSN,” said Mark Rotenberg, president of the Electronic Privacy Information Center and an adjunct professor at Georgetown University law school. “They should have listened.”

Because this breach was so massive, regulators have perked up and privacy advocates feel change is coming. On Monday, U.S. Sen. Brian Schatz, D-Hawaii, reintroduced legislation that would force credit reporting agencies to share with consumers what is being collected and shared about them. Nearly 30 U.S. politicians this week shot off letters to Equifax CEO Richard Smith demanding answers. On Thursday, the Federal Trade Commission said it doesn’t typically comment on ongoing investigations but felt intense public interest required notice that it, too, is investigating the breach.

In May, a data-privacy regulation will go into effect to embolden citizens in the European Union to find out what personal data a company has collected, ask who it has been shared with and then demand that it all be deleted. Companies that do business in the EU could be penalized up to 4 percent of global revenues. If the General Data Protection Regulation had been in effect, Equifax could have been fined $126 million since some affected consumers live in Europe.

Not too long ago, Social Security numbers were commonly printed on student ID cards and driver’s licenses. But with the rise of identity theft in the digital age, there has been a clampdown to try to protect the number from public exposure. Colorado’s legislature revised its Consumer Protection law in 2006 to prohibit the public display of an individual’s Social Security number. But that hasn’t stopped companies from asking for a home address and Social Security number when someone applies for a new credit card.

“What we need to move to is a system where an individual can prove their identity to somebody, but to make it such that when you do, you’re not giving that party information to impersonate you,” said Steve Grobman, chief technology officer at security software firm McAfee Inc. “Is the tech there to do this? The short answer is yes. So why would we move to another, securer system for our credit cards faster than a system that would prove our identities?”

Grobman is referring to the move in 2015 by credit companies Visa and Mastercard forcing U.S. retailers to move to chip cards to cut down on counterfeit cards. The chip technology produces a unique code for each transaction so the actual card number isn’t shared. For added security, some banks also require a PIN code.

Technology exists to protect and verify identities. More secure solutions rely on multiple methods to prove a person’s identity. Denver cybersecurity firm Ping Identity offers multifactor authentication, which is a mix of unique passwords, geolocation, biometrics and verification on a second device such as a mobile phone.

“There is no silver bullet that I’m aware of, but there are alternatives to allow you to prove you are who you are,” said Harding. “There are applications emerging where to register, you type in information and use your iPhone to scan your driver’s license so they can match the two together with the photo on the screen. They can pull the data off the driver’s license.”

Biometrics, including Apple’s new facial recognition for its iPhone X, doesn’t just rely on an image of a face. It uses infrared technology to scan 30,000 dots on your face and capture a 3-D image plus movement. Its older Touch ID technology, requiring a fingerprint to unlock the phone, looks underneath the top layer of skin to identify the nooks and crannies of the layer that can’t be seen. The data is also stored on an encrypted chip, rather than someone’s cloud, so it’s never shared with an outsider.

And there is behavioral biometrics, which goes beyond mere recognition of a body part, Harding said.

“A service can determine who you are based on the way you’re typing or the way you hold your phone. You can start to detect that this is Patrick holding the phone as opposed to someone else,” he said. “Combine that with facial recognition and geolocation, all of those things can be used together to determine who you are.”

The mass leakage of Social Security numbers and other difficult-to-change data has happened before. The U.S. Office of Personnel Management, which is akin to a human resources department for the federal government, concluded that two breaches in 2015 resulted in the theft of at least 21.5 million Social Security numbers. Also in 2015, health care insurer Anthem Inc. said potentially 80 million records that may have included Social Security numbers were stolen.

Those incidents probably had something to do with the record number of identity theft complaints filed with the FTC’s identitytheft.gov site that year. Complaints jumped 47 percent from the prior year to 490,226. The FTC said 2015 had an unusually high rate of tax or wage-related identity theft. It was the same year cybercriminals used Turbo Tax and stolen data to profit from tax rebates before the real taxpayers had done their own taxes.

Identity-theft complaints to the FTC declined in 2016, but at 399,225, it’s the second highest year since 2001.

Consumers should monitor their bank accounts. They can take Equifax up on its offer of free credit monitoring for one year. But that will only tell consumers when someone has applied for credit in their name. Others suggest a credit freeze, which prevents anyone — including the consumer — from getting approved for new credit. Consumers who set this up, however, would get a PIN in case they need to end the freeze temporarily.

“Sadly, the reliance on trivial discoverable information as part of securing loans as well as lack of information security investment has created a world where identity theft is common and preventing it is mostly out of your control,” said Lewis, who is based in Vancouver. “If your data hasn’t been stolen this time, there have been plenty of opportunities in the past and will be plenty in the future. So the best advice is to stay calm and be prepared.”

[Chart] Source: Federal Trade Commission “Consumer Sentinel Network Data Book, 2016” (The Denver Post)
