Equifax: Rethinking Social Security Numbers as Identifiers, Part I

By on

Revelations about compromised social security numbers at Equifax remind us that the United States needs to modernize the national identification standard for its citizens. In 2017, it is unrealistic for a social security number (SSN) to be shared and distributed to many parties and stay confidential for the better part of a century.

This is not a problem that we are just now recognizing. As early as 25 years ago, computer science advocates voiced concerns around sharing an SSN, a single piece of permanent information, with others as a means of proving your identity. Part of the problem is there hasn’t been a forcing function or an incentive to change the way these identity transactions work. Simply having these pieces of information constituted the ability of an individual to prove his or her identity.

The irony in all of this is that we have not taken steps to come up with a better standard despite recognizing that this single piece of information is not adequate in many other places, such as credit cards.

For many years, your credit card number, expiration date, and CID number were the things that proved that you could charge against an account. A few years ago, millions of credit card numbers were compromised during several major retail sector data breaches. We recognized that this model needed to be changed, and we transitioned to “chip and PIN” or smart card–based credit card capabilities. Although we are still transitioning to this model, we can see the benefits of the upgrade.

If you look at how the underlying technologies work for credit cards using a chip, there is never any disclosure of the secret information to parties with whom you are transacting. You are simply using math, cryptography algorithms to prove that you are you, as opposed to giving them something that would let them impersonate you. The simplest technical requirement truly boils down to that.

We need to move to a system in which an individual can prove his or her identity to somebody, but not make it such that when you prove your identity, you are giving the other party the ability to impersonate you in a completely different transaction.

The question we need to ask as U.S. citizens is why would we move forward to a more secure system for financial instruments such as credit cards, but lag in our progress toward a more secure system for proving our identities as individuals.

There are challenges to implementing any new standard, but the Equifax data breach means that the SSN toothpaste is already out of the tube. We cannot put it back. If almost half of U.S. citizens have their SSNs and other personal information compromised, we cannot assume that the information can be used any longer as the sole criteria for someone proving their identity.

My next post will dig into what a transition to a new U.S. identification standard will involve.

Categories: Business
Tags: , , ,

Leave a Comment

Similar articles

Simply by downloading the right combination of apps, parents can now track their child's location 24/7, monitor their same social conversations, and inject their thoughts into their lives in a split second. To a parent, that's called safety. To kids, it’s considered maddening. Kids are making it clear that parents armed with apps are overstepping ...
Read Blog
A new banking trojan has emerged and is going after users’ Android devices. Dubbed Cerberus, this remote access trojan allows a distant attacker to take over an infected Android device, giving the attacker the ability to conduct overlay attacks, gain SMS control, and harvest the victim's contact list. What's more, the author of the Cerberus ...
Read Blog
5G has been nearly a decade in the making but has really dominated the mobile conversation in the last year or so. This isn’t surprising considering the potential benefits this new type of network will provide to organizations and users alike. However, just like with any new technological advancement, there are a lot of questions ...
Read Blog