Time to dump Social Security numbers, experts say
With so many cyber attacks, another system is needed
The Equifax data breach has generated a new, startling buzz: Do we really need to figure out a way to stop using Social Security numbers?
Is it possible that so many crooks already have our number that there’s no other way to stop the filing of fake federal tax returns or protect our IDs so that fraudsters don’t open up credit cards in our names?
Has the Social Security number outlived its usefulness? That was suggested by cybersecurity coordinator Rob Joyce, who spoke this week at a cyber conference organized by The Washington Post.
The White House is looking at ways to phase out the use of Social Security numbers, Joyce said.
Former Equifax CEO Richard Smith testified this week in Washington, too, that another system is needed other than using Social Security numbers following rising numbers of hacks.
There are no details of how this would work. And don’t expect any quick changes, either, even as we grapple with the fallout from the Equifax data breach first announced Sept. 7.
MORE TROUBLE FOR EQUIFAX, YAHOO
The Equifax story, of course, just grows more annoying for con- sumers by the minute.
This week, Equifax bumped up its number and now says hackers may have stolen personal information from up to 145.5 million people, or 2.5 million more than initially reported.
The Equifax breach involved Social Security numbers, birth dates, names and addresses. Equifax noted that some driver’s license numbers may have been stolen, too.
It’s not uncommon, of course, for retailers, restaurants and others to revise their numbers upward after the first announcement of a security breach.
Brian Krebs, who writes the blog KrebsOnSecurity.com, said he’d suspect that one day we’ll be told that even more people will turn out to have been compromised as part of the Equifax breach. “I’ve been telling people to assume you’re compromised,” he said.
Krebs pointed out in an article this week that Yahoo said 1 billion accounts were hit by a cyber attack in 2013. But this week, Verizon Communications, which acquired Yahoo in June, disclosed that all 3 billion of Yahoo’s user accounts were compromised.
With the Yahoo breach, crooks obtained names, birth dates, phone numbers and passwords, as well as security questions used to reset lost passwords.
Krebs — who tracks what’s for sale via the many online marketplaces that criminals use — said it’s hard to know where some stolen data came from at this point because there have been so many breaches. He has noticed a lot of scammers this past month who are trying to trick other con artists into thinking they have the “Equifax” data for sale online.
More infuriating news: The Internal Revenue Service somehow saw fit to award a multimillion dollar no-bid contract to Equifax to prevent fraud in late September. The service is to verify taxpayer identities.
FLAWED SECURITY PROTOCOLS
Krebs said the Equifax verifica- tion model, which asks personal questions such as information about your past car loans or a mortgage, can be readily found elsewhere online.
Krebs reported in May about another hacking incident involving an Equifax subsidiary, TALX, which provides online payroll and tax services.
Equifax said then that crooks were able to reset a 4-digit PIN given to customer employees as a password and then steal W-2 tax data after successfully answering personal questions about those employees.
ID thieves, of course, can use data from W-2 forms to file fraudulent federal income tax returns to engage in tax refund fraud.
“It’s not hard to see why people are getting so cynical about this,” Krebs said. “Equifax does not view consumers as their customers — they’re the product.”
As for trying to move away from Social Security numbers — developed in 1936 — as an ID, it’s a gigantic step for banks, employers and others to totally abandon the practice.
MANY SEE A REASON FOR CHANGE
“We do need to develop a new verification system based on some sort of two-factor authentication that does not include Social Security numbers,” said Mike Litt, consumer advocate for the Public Interest Research Group.
Litt said the organization’s leadership has called for moving away from Social Security numbers for a decade. PIRG experts gave testimony in Washington in 2003 indicating that “over-use and easy access to Social Security numbers helps drive the identity theft epidemic.”
“Fundamentally, this nation needs to wean the private sector of its over-reliance on Social Security numbers as unique identifiers and database keys,” said Edmund Mierzwinski, consumer program director for PIRG.
John Ulzheimer, a credit expert who formerly worked for credit-scoring company FICO, said perhaps Social Security numbers could be restricted to track earnings.
He noted other combinations of data can be used for many financial services.
“Heck, my phone and several of my bank’s apps use my fingerprint for authentication,” Ulzheimer said.
But he acknowledges this might be a tough sell.
“That will be a slow-turning ship, though, given how ingrained Social Security numbers have become,” he said.
“This nation needs to wean the private sector of its overreliance on Social Security numbers as unique identifiers.”
Edmund Mierzwinski of the Public Interest Research Group