Social Security Numbers Are Not Secure: What Should We Use Instead? – Community News

Telecommunications company T-Mobile last month confirmed that hackers had gained access to the personal information of 54 million users, including names, addresses, dates of birth and, perhaps worst of all, Social Security numbers. The latter are prized by identity thieves because they can be used to unlock financial services, government benefits, and personal medical information.

This is just the latest major data breach where such identifying information has been exposed on a large scale, leaving hundreds of millions of Americans more vulnerable to identity theft. To fix the problem, some experts are calling for an end to Social Security numbers, suggesting we should replace them with another — and less inherently vulnerable — way of proving one’s identity. But security experts believe that the government should not abolish them altogether. Instead, the organizations that use Social Security numbers as proof of identity will have to demand more than a single proof of identity.

The Federal Trade Commission registered 1.4 million reports of identity theft in 2020, and such fraud cost victims an estimated $56 billion that year, according to financial consultancy firm Javelin Strategy & Research. Identity thieves can use a variety of information to impersonate individuals, but one of the best keys to accessing money is the Social Security Number, or SSN. This nine-digit series, which the federal government began issuing in 1936, was originally assigned to people to determine their Social Security benefits.

“It’s not set up to be this universal, unique identifier,” explains Eva Velasquez, president and CEO of the Identity Theft Resource Center, a nonprofit that supports victims of such crimes. But eventually, the lifetime number became an easy way for people to apply for credit cards, student loans, mortgages, and other lines of credit, among other things. “Often [SSNs can be used for] getting medical goods or services, and that includes prescriptions, durable medical equipment and things like that,” Velasquez says. “And then of course [they are used to apply for] government benefits: things like unemployment, SNAP [Supplemental Nutrition Assistance Program] benefits, assistance to families with dependent children.” Access to such a wide range of assets makes the numbers a prime target for hackers.

With tens of millions of SSNs exposed to data breaches, a number of politicians and security experts have called on companies to phase out the use of these identifiers. In 2017, Rob Joyce, then cybersecurity coordinator at the White House and now director of cybersecurity at the National Security Agency, suggested replacing the Social Security number with a harder-to-crack option: a much longer string of characters known as a cryptographic key. But any lone number, whether it has nine or 100 digits, can still be stolen from a repository and shared online. “Once you develop or create another static, unique identifier, it just becomes another number that you give to everyone,” Velasquez says. “Then that becomes valuable to the thief, so they will target the systems that have that data.”

Modern technology has enabled other ways to verify identity: A password manager can generate a long, hard-to-guess password for any account, and this type of program often makes it easy to change those passwords in the event of a data breach. A USB key can be plugged into a computer to authenticate its owner. Biometric information, such as a fingerprint or face, can be scanned by a smartphone. But experts don’t recommend replacing the Social Security number with any of these methods alone; the safest option is to protect identity with multiple factors. “Rather than focusing our security risks on this single point of data, we need to develop these more holistic and multi-layered approaches to identity management,” said Velasquez. “So if one or two elements of that identity are compromised, it doesn’t endanger the entire identity.”

The practice of proving one’s identity by providing a fact that one knows, such as a Social Security number, is called knowledge-based authentication, or KBA. It is extremely vulnerable to hackers because all they have to do is steal that bit of knowledge, explains Rachel Tobac, an ethical hacker and CEO of SocialProof Security, an organization that helps companies identify potential vulnerabilities to cyber attacks. “For example, it can be plucked from you and stolen by a social engineer. It can be involved in a breach and publicly dumped online when a company you trust with your KBA… [is] hit by a cyber attack,” she says. Some types of KBA, such as birthdays or mothers’ maiden names, may even appear on social media for everyone to find. Technically, a password is another form of KBA, Tobac adds, but if a password is stolen, it can be reset. “I can’t just go ahead and change my birthday, my Social Security number, my address every time a website or an institution I trust with that information has a cybersecurity incident,” she stresses.

For effective multifactor authentication, or MFA, it is not enough simply to combine two or more knowledge factors. After all, breaches like the recent one at T-Mobile release a variety of data about each victim at once. Instead, Tobac says, the other factors should come from a different source: something you have or something you are. The first category can be a physical USB key or even a phone, which can receive a text message with a unique one-time code. The second category covers physical features, which can be measured by biometric scans. For example, a multifactor authentication process may require a person to enter their Social Security number and then enter a one-time code sent to their phone. Another version has them enter a password and then scan their fingerprint.
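The two points above (two facts are still one factor, and a static identifier cannot be reset after a leak) as a small policy check, written here as an added example rather than anything from the article or the experts quoted; the factor names, the `resettable` flags and the breach contents are modelling assumptions, not data from the page:

```python
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


@dataclass(frozen=True)
class Factor:
    name: str
    category: Category
    resettable: bool  # can the owner replace it once it has leaked? (assumed)


# Factor types the article mentions; the resettable flags are a modelling assumption.
SSN = Factor("ssn", Category.KNOWLEDGE, resettable=False)
DOB = Factor("date_of_birth", Category.KNOWLEDGE, resettable=False)
PASSWORD = Factor("password", Category.KNOWLEDGE, resettable=True)
SMS_CODE = Factor("sms_one_time_code", Category.POSSESSION, resettable=True)
FINGERPRINT = Factor("fingerprint", Category.INHERENCE, resettable=False)


def is_multifactor(flow):
    """True only when the flow spans at least two distinct categories:
    SSN plus date of birth is two facts, but still one factor."""
    return len({f.category for f in flow}) >= 2


def attacker_passes(flow, leaked):
    """Someone holding the leaked set passes the flow only if every factor
    it asks for was in the leak."""
    return all(f in leaked for f in flow)


def recoverable(flow, leaked):
    """After a leak, can the owner regain exclusive control by resetting every
    leaked factor the flow relies on? Static identifiers cannot be reset."""
    return all(f.resettable for f in flow if f in leaked)


# Constructed breach record: the kinds of fields a breach exposes, no real data.
BREACH = {SSN, DOB}

if __name__ == "__main__":
    for label, flow in [("ssn+dob", (SSN, DOB)), ("ssn+sms", (SSN, SMS_CODE))]:
        print(label, "mfa" if is_multifactor(flow) else "kba-only",
              "compromised" if attacker_passes(flow, BREACH) else "holds",
              "recoverable" if recoverable(flow, BREACH) else "permanent exposure")
```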

However, even multi-factor authentication does not provide perfect security. A determined hacker could use a SIM-swapping technique to transfer your phone number to another device so they can intercept the text message that was supposed to provide a second layer of security. A biometric scan can be fooled. But by requiring multiple forms of authentication, a system creates much more friction for malicious actors. “I can’t sit here and tell you that this method will be 100 percent fail-safe,” Tobac says. “But for most people, with most threat models, it will stop the attackers.”

Despite its strength, multifactor authentication is far from universally required. Some credit bureaus, customer support hotlines, government accounts and other services continue to rely on simple knowledge-based authentication, such as a Social Security number. But the more secure approach is gradually becoming more common. “We are already on that track. We’re seeing a move in that direction,” Velasquez says, pointing out that the US federal government, the financial industry and tech companies are beginning to demand multiple layers of authentication. Tobac agrees. “I see the wheels turning. They don’t spin fast enough, but they spin,” she says. “And I think we need to keep putting pressure on the companies we all rely on to protect our data, our security and our privacy, to move from KBA to MFA flows.”