Last month we posted an infographic depicting the perverse evolution of the social security number. Today, we're diving deeper into the real issues that the misused identity proxy presents to consumers while discussing why businesses need to abandon this approach to identity verification.
The idea that the Social Security Number can be used to authenticate a person's identity is one of the great identity fallacies in the United States today. Just about everybody in the country has a social security number and they are each unique, so why not use them for identity verification? Well, the answer is simple - SSNs were never designed for identity verification. What's more, we've known SSNs are problematic since their inception and organizations still use them for identity verification.
Businesses that are still relying on SSNs for identity authentication are putting themselves and their customers at risk.
A brief history:
The SSN has a long history in the United States, but its start highlights just how limited it is when used as an all-purpose identifier. Initially, the SSN was defined for a single purpose - to simplify how employers and government agencies track the earnings of workers in the United States. As Social Security benefits are determined relative to a person's earnings throughout life, the ability to track an individual accurately is critical. Thus the SSN, a number that is unique to each individual.
The problem is that this number is not meant as a particularly secure identifier. It is unique so that it stands out in paperwork, but it is meant to exist within fairly static, closed environments. Because of this, SSNs were designed to make sense from an organizational perspective, not a security one. SSNs were initially designed as a 9-numeral code that included:
- Three digits to identify the geographic region where the person was initially registered
- Two digits that represent an individual's birth year
- Four numbers that act as a serial number
Over time, this system evolved. When it was finalized in 1936, there was a three-digit area number, two-digit group number and four-digit serial number. This decision on the numeric code was based on logistical issues that went into organizing how SSNs were applied for and distributed, meaning there needed to be logic to how the numbers were generated. The system evolved slightly over time, but the underlying principles behind the numbers remains the same.
Consider password best practices for a moment. It is widely recognized that a simple, easy-to-remember password based on a personal detail will be insecure because somebody can find that information and identify any code an individual may have created around that knowledge. Complex, randomly-generated passwords are considered best from a pure security perspective.
Yet SSNs are increasingly used for user authentication in the most sensitive situations, and they aren't even based on random generation. There is a logic to how an SSN is created, and all it takes is a hacker to identify that logic and they can crack that system.
And this isn't theoretical - it's already happened.
SSNs are far from ideal.
The fatal flaw of how the SSN code can be broken became evident in 2009, when researchers at Carnegie Mellon were able to create an algorithm to predict any person's SSN based on widely available data. A Slate report analyzing this issue at the time said that the algorithm was so simple that it was shocking nobody had broken the system before.
SSN theft is a major problem, so much so that more than a million SSNs were stolen for use in employment-related identity theft between 2011 and 2015, and the IRS, aware of the problem, didn't alert those affected, the Washington Times reported.
The SSN-for-identification problem has become so acute that industry expert Adam Levin told the Christian Science Monitor that SSNs have become a skeleton key for those hoping to perpetrate fraud. Citing a study from the Identity Theft Resource Center, the news source pointed out that approximately 164.4 million records containing SSNs were involved in data breaches during 2015.
Even if you wanted to believe that SSNs aren't too bad as an identifier because they are unique to individuals, they have become so difficult to adequately protect that they can't be trusted. If you think of an SSN as something a person possesses, and therefore can be considered an identifier for them, you're out of luck. It is time to look for alternatives.
What to do about the SSN problem?
Financial institutions have long depended on SSNs as a quick way to verify a person's identity - often using the number alongside alternative forms of identification. However, increased use of digital platforms for loan applications, account creation and similar processes makes finding adequate forms of ID difficult. Combining a password with confirmation of SSN at login, for example, isn't going to keep accounts safe from fraud.
As hackers have unearthed new vulnerabilities, leading identity management providers have developed new ways to use the best forms of identification within digital channels. At Confirm, we offer technology to digitally scan driver's licenses and similar robust identification cards that would otherwise be used for in-person identification and verify their authenticity. The days of depending on less-than-ideal identifiers are disappearing as digital tools allow for sophisticated analysis automated within software.
With SSNs so widely recognized as problematic, organizations that continue to rely on them set themselves up for expensive breaches that capture public attention. As consumers start to pay more attention to data privacy issues, there's a very real chance that they'll move away from organizations relying on inferior identity verification methods such as SSNs.