One of the most shocking things about Thursday’s announcement of the Equifax data breach is the sheer scale of the numbers involved. Particularly the Social Security numbers. Yes, there have been plenty of large data breaches before—5 million SSNs revealed in a Kansas Department of Commerce leak in July, 80 million in the notorious 2015 Anthem health insurance breach—but with Equifax’s revelation that 143 million Americans may have had their SSNs stolen (along with other sensitive personal information), security experts are pressing for a fundamental reassessment in how, and why, we identify ourselves.
Considered along with the data stolen from various other breaches, hacks, and leaks, “it’s a safe assumption that everyone’s Social Security number has been compromised and their identity data has been stolen,” says Jeremiah Grossman, the chief of security strategy at the defense and threat monitoring firm SentinelOne. “While it may not be explicitly true, we have to operate under that assumption now.”
SSNs, which have been around since the 1930s, have only one intended purpose: to track US citizens’ earnings and contributions to the Social Security program. (In an uncanny twist, the Social Security Administration itself sometimes uses Equifax services to help verify a person’s identity during the process of setting up a “My Social Security” account, an SSA spokesperson told WIRED on Friday. But the Administration doesn’t share Social Security numbers with Equifax.) Other collection of SSNs is generally legal, but the Social Security Administration has no involvement in wider use of the numbers. “The card was never intended to serve as a personal identification document,” the Administration says on its website. “The universality of SSN ownership has in turn led to the SSN’s adoption by private industry as a unique identifier. Unfortunately, this universality has led to abuse.”
Problems stem from a number of places. Your Social Security number is supposed to be kept secret, which is an increasing challenge in the digital era. And unlike other, similar secrets (like credit card numbers and passwords), SSNs are extremely difficult to change. The Social Security Administration can issue you a new one in extreme cases of identity theft or abuse. Even if you are able to alter your SSN, though, so many institutions already have your original number on file that criminals can often successfully leverage the stolen information for years. On top of all of that, the new number you receive remains tied to the old one.
“The SSN is used for purposes entirely unrelated to its original purpose. That almost always leads to problems,” says Marc Rotenberg, president of the Electronic Privacy Information Center, which has been advocating for SSN usage reform for more than two decades. “Congress needs to step up and hold hearings. We need laws that limit the collection and use of SSNs. And we need to penalize companies that collect SSNs but can’t protect [them].”
The conventional wisdom about SSN security, which is actually pretty wise, is to limit how often you give your information out. Some organizations that ask for your SSN can still interact with you without it, and sometimes there are ways around providing it. (For example, some utilities like internet providers won’t require your SSN if you pay them a deposit to insure your account.) But too often these measures are inconvenient or impractical, and there are still numerous situations in which it is impossible to avoid submitting your SSN, like on tax forms or background checks. Some regulatory initiatives have had success curtailing SSN distribution, like this week’s Center for Medicare Services announcement that SSNs will be removed from Medicare benefits cards. But that step alone took years to implement.
Experts across numerous privacy and security fields agree that the solution to the over-collection and over-use of SSNs isn’t one particular replacement, but a diverse array of authentications like individual codes (similar to passwords), biometrics, and even physical tokens to create more variation in the ID process. Some also argue that the government likely won’t be the driving force behind the shift. “We have a government that works at a glacial pace in the best of times,” says Brenda Sharton, who chairs the Privacy & Cybersecurity practice at the Goodwin law firm, which has worked on data privacy breach investigations since the early 2000s. “There will reach a point where SSN [exposure] becomes untenable. And it may push us in the direction of having companies require multi-factor authentication. Change may come from enterprise and private companies responding to the threat by requiring additional identifiers.”
Health care companies, for instance, could use a different system from education, which could use a different approach than financial institutions. If credit reporting agencies like Equifax use different identifiers than SSNs, your electric company and your wireless provider could ask for those identifiers to run background checks. And if this new identifier were easy enough to change (unlike SSNs), breaches, leaks, and other unintended exposures would be less consequential.
“The whole SSN as identifier regime needs to be scrapped,” says Eduard Goodman, global privacy officer at the identity theft protection firm CyberScout. “As we see more and more issues with the centralization of data, different schemes for different uses—biometrics for in-person interactions/transactions, some form of advanced encryption or blockchain technologies online. The solutions are already in front of our eyes.”
Having a few identifiers to keep track of would be more complicated for consumers than the current system, but it would have numerous benefits and would still be less to manage than the tangle of usernames and passwords that exist online. “Can I imagine a world where we don’t have this one identifier floating around?” SentinelOne’s Grossman asks. “We have it on the web. We don’t log into Facebook or LinkedIn or Google with our social security number, so I can imagine that world. We actually live it online.”
The personal security situation on the internet as it stands now is certainly fraught, but it would be possible for organizations to implement strong and diverse authentication factors that cut down on the dramatic exposure that currently exists with SSNs. Even simply mailing customers an additional pin number has allowed the Internal Revenue Service to reduce identity theft-related tax fraud. “It’s kind of a watershed moment, but whether and what kind of changes companies implement will depend on their business model and how much of a hit they take,” after data breaches, Goodwin’s Sharton says. “These incidents can be reputationally devastating.”
The impacts of Equifax’s breach could push the company to advocate for new identifiers and authenticators in the credit reporting and financial sectors. Everyone with a Social Security number–also known as the hundreds of millions of people in the US with a Social Security number– is counting on a change.