Is it time to stop using Social Security as ID?
The Equifax data breach has led policymakers and citizens alike to ask a startling question: Do we need to figure out a way to stop using Social Security numbers?
Seriously.
Is it possible that so many crooks already have our number that there’s no other way to stop the filing of fake federal tax returns or protect our IDs so fraudsters don’t open up credit cards in our names?
Has the Social Security number outlived its usefulness? That was suggested by cybersecurity coordinator Rob Joyce, who spoke at a recent conference organized by the Washington Post. The White House is looking at ways to phase out the use of Social Security numbers, Joyce said.
Likewise, former Equifax CEO Richard Smith testified in Washington that another system is needed with a rising numbers of hacks.
There are no details of how this would work. And don’t expect any quick changes, either, even as we grapple with the fallout from the Equifax data breach first announced in early September.
Equifax says hackers may have stolen personal information from up 145.5 million people. The breach involved Social Security numbers, birth dates, names and addresses. Equifax noted that some driver’s license numbers may have been stolen, too.
Brian Krebs, who writes the blog KrebsOnSecurity.com, said he’d suspect that one day we’ll be told that even more people will turn out to have been compromised as part of the Equifax breach.
“I’ve been telling people to assume you’re compromised,” he said.
Krebs. who tracks what’s for sale via the many online marketplaces that criminals use, said it’s hard to know where some stolen data came from at this point because there have been so many breaches.
He has noticed a lot of scammers this past month who are trying to trick other con artists into thinking they have the “Equifax” data for sale online.
Krebs said the Equifax verification model, which asks personal questions such as information about your past car loans or mortgage, can be readily found elsewhere online.
Krebs reported in May about another hacking incident involving an Equifax subsidiary, TALX, which provides online payroll and tax services.
Equifax said then that crooks were able to reset a four-digit PIN given to customer employees as a password and then steal W-2 tax data after successfully answering personal questions about those employees.
ID thieves, of course, can use data from W-2 forms to file fraudulent federal income tax returns to engage in tax refund fraud.
“It’s not hard to see why people are getting so cynical about this,” Krebs said. “Equifax does not view consumers as their customers — they’re the product.”
As for trying to move away from Social Security numbers as an ID, it’s a gigantic step for banks, employers and others to totally abandon the practice of using Social Security numbers, which were developed in 1936.
Many see a reason for change.
“We do need to develop a new verification system based on some sort of two-factor authentication that does not include Social Security numbers,” said Mike Litt, consumer advocate for the Public Interest Research Group.
Litt said the organization’s leadership has called for moving away from Social Security numbers for a decade. PIRG experts gave testimony in Washington in 2003 indicating that “overuse and easy access to Social Security numbers helps drive the identity theft epidemic.”
“Fundamentally, this nation needs to wean the private sector of its over-reliance on Social Security numbers as unique identifiers and database keys,” said Edmund Mierzwinski, consumer program director for PIRG.
John Ulzheimer, a credit expert who formerly worked for credit-scoring company FICO, suggested that perhaps Social Security numbers could be restricted to track earnings.
He noted other combinations of data can be used for many financial services.
“Heck, my phone and several of my bank’s apps use my fingerprint for authentication,” Ulzheimer said.
But he acknowledges this might be a tough sell.
“That will be a slow-turning ship, though, given how ingrained Social Security numbers have become,” he said.