Equifax: Rethinking Social Security Numbers as Identifiers, Part I

By on

Revelations about compromised social security numbers at Equifax remind us that the United States needs to modernize the national identification standard for its citizens. In 2017, it is unrealistic for a social security number (SSN) to be shared and distributed to many parties and stay confidential for the better part of a century.

This is not a problem that we are just now recognizing. As early as 25 years ago, computer science advocates voiced concerns around sharing an SSN, a single piece of permanent information, with others as a means of proving your identity. Part of the problem is there hasn’t been a forcing function or an incentive to change the way these identity transactions work. Simply having these pieces of information constituted the ability of an individual to prove his or her identity.

The irony in all of this is that we have not taken steps to come up with a better standard despite recognizing that this single piece of information is not adequate in many other places, such as credit cards.

For many years, your credit card number, expiration date, and CID number were the things that proved that you could charge against an account. A few years ago, millions of credit card numbers were compromised during several major retail sector data breaches. We recognized that this model needed to be changed, and we transitioned to “chip and PIN” or smart card–based credit card capabilities. Although we are still transitioning to this model, we can see the benefits of the upgrade.

If you look at how the underlying technologies work for credit cards using a chip, there is never any disclosure of the secret information to parties with whom you are transacting. You are simply using math, cryptography algorithms to prove that you are you, as opposed to giving them something that would let them impersonate you. The simplest technical requirement truly boils down to that.

We need to move to a system in which an individual can prove his or her identity to somebody, but not make it such that when you prove your identity, you are giving the other party the ability to impersonate you in a completely different transaction.

The question we need to ask as U.S. citizens is why would we move forward to a more secure system for financial instruments such as credit cards, but lag in our progress toward a more secure system for proving our identities as individuals.

There are challenges to implementing any new standard, but the Equifax data breach means that the SSN toothpaste is already out of the tube. We cannot put it back. If almost half of U.S. citizens have their SSNs and other personal information compromised, we cannot assume that the information can be used any longer as the sole criteria for someone proving their identity.

My next post will dig into what a transition to a new U.S. identification standard will involve.

Categories: Business
Tags: , , ,

Leave a Comment

Similar articles

2018 was a wild ride when it came to cybersecurity. While some hackers worked to source financial data, others garnered personal information to personalize cyberattacks. Some worked to get us to download malware in order to help them mine cryptocurrency or harness our devices to join their botnets. And the ways in which they exact ...
Read Blog
Your home screen is just a matrix of numbers. Your device loses its charge quickly, or restarts suddenly. Or, you notice outgoing calls that you never dialed. Chances are your smartphone has been hacked. The sad truth is that hackers now have a multitude of ways to get into your phone, without ever touching it. ...
Read Blog
Rockstar Games’ Red Dead Redemption 2 has struck a popular chord with many online gamers. Unfortunately, the Western-themed action-adventure game has also become a popular vessel for malicious activity among cybercriminals as well. Scammers are tricking gamers into giving up their personal information with phony “free” downloads of the online game, while simultaneously making a ...
Read Blog