The telecommunications company T-Mobile confirmed last month that hackers had gained access to 54 million users' personal data, including names, addresses, dates of birth and, perhaps worst of all, social security numbers. The latter are a prize for identity thieves because they can be used to unlock financial services, public benefits and private medical information.
This is just the latest major data breach to expose such identifying information on a massive scale, leaving hundreds of millions of Americans more vulnerable to identity theft. To curb the problem, some experts call for retiring social security numbers and replacing them with another, less inherently vulnerable, way of proving one's identity. But security experts say the government does not need to do away with them altogether. Instead, the organizations that use social security numbers as proof of identity should begin to require more than a single form of ID.
The Federal Trade Commission logged 1.4 million reports of identity theft in 2020, and that year such fraud cost victims an estimated $56 billion, according to the financial consulting firm Javelin Strategy & Research. Identity thieves can use a variety of information to impersonate people, but one of the best keys to accessing money is the social security number, or SSN. This series of nine digits, which the federal government began issuing in 1936, was originally assigned to people simply to determine their social benefits.
“It was not set up to be this universal, unique identifier,” explains Eva Velasquez, president and CEO of the Identity Theft Resource Center, a nonprofit organization that supports victims of such crimes. But over time the lifetime number became a convenient way for people to apply for credit cards, student loans, mortgages and other lines of credit, among other services. “Often [SSNs can be used to] get medical goods or services, and that includes prescriptions, durable medical equipment and things like that,” says Velasquez. “And then of course [they are used to apply for] public services: things like unemployment, SNAP [Supplemental Nutrition Assistance Program] services, assistance to families with dependent children.” Access to such a wide range of assets makes the numbers a primary target for hackers.
With tens of thousands of millions of SSNs now exposed by data breaches, a number of politicians and security experts have urged companies to phase out the use of these identifiers. In 2017 Rob Joyce, then White House Cybersecurity Coordinator and now Director of Cybersecurity at the National Security Agency, suggested replacing the social security number with an option that is harder to crack: a much longer string of characters known as a cryptographic key. But any single number, whether it has nine digits or 100, can still be stolen from a database and shared online. “As soon as you develop or create another static, unique identifier, it's just going to be a different number you issue to everyone,” Velasquez says. “Then it becomes valuable to the thief, so they will target the systems that have this data.”
Modern technology has enabled other ways to verify identity: a password manager can generate a long, hard-to-guess password for each account, and this type of program typically makes it easy to change those passwords after a data breach. A USB security key can be plugged into a computer to authenticate its owner. Biometric information, such as a fingerprint or face, can be scanned by a smartphone. However, experts do not recommend replacing the social security number with any one of these methods on its own; the safest option is to protect identity with several factors. “Instead of focusing our security risks on this single data point, we need to develop these more holistic and multi-layered approaches to identity management,” says Velasquez. “So if one or two elements of this identity are compromised, it does not compromise the whole identity.”
The practice of proving one's identity by stating a fact one knows, such as a social security number, is called knowledge-based authentication, or KBA. It is extremely vulnerable to hackers because the only thing they need in order to impersonate someone is to steal that particular piece of knowledge, explains Rachel Tobac, an ethical hacker and CEO of SocialProof Security, an organization that helps companies spot potential vulnerabilities to cyberattacks. “For example, it could be hacked out of you and stolen by a social engineer. It could be involved in a breach and dumped publicly online when a company that you trust with your KBA … [is] hit by a cyber attack,” she says. Some types of KBA, such as birthdays or mothers' maiden names, may even appear on social media where anyone can find them. Technically, a password is another form of KBA, Tobac adds, but if a password is stolen, it can be reset. “I cannot just go ahead and change my birthday, my social security number, my address, every time a website or institution that I trust with that information has a cybersecurity incident,” she points out.
For effective multifactor authentication, or MFA, it is not enough just to require two or more pieces of knowledge. After all, breaches like the latest one at T-Mobile release a whole range of data about each victim. Instead, Tobac says, the other factors should come from a different source: something you have or something you are. The former category may include a physical USB key or even a phone that can receive a text message with a unique one-time code. The latter category includes physical features that can be measured by biometric scans. For example, a multifactor authentication process may require a person to enter their social security number and follow up with a one-time code sent to their phone. Another version may involve them entering a password and then scanning their fingerprint.
However, not even multifactor authentication provides perfect security. A determined hacker can use a SIM-swapping technique to transfer a victim's phone number to another device, allowing them to intercept the text message that is supposed to provide the extra layer of security. A biometric scan can be spoofed. But by requiring more forms of authentication, a system creates far more friction for malicious actors. “I cannot sit here and tell you that this method will be 100 percent fail-safe,” Tobac says. “But for most people, with most threat models, it will stop the attackers.”
Despite its strength, multifactor authentication is far from universally required. Some credit bureaus, customer support hotlines, government accounts and other services continue to rely on simple knowledge-based authentication, such as a social security number. But the more secure approach is gradually becoming more common. “We are already on that track. We are seeing movement in that direction,” Velasquez says, pointing out that the U.S. federal government, the financial industry and technology companies are beginning to demand more layers of authentication. Tobac agrees. “I can see the wheels turning. They are not turning fast enough, but they are turning,” she says. “And I think we need to keep putting pressure on the companies we all depend on to protect our data, our security, our privacy, to move from KBA to MFA flows.”