Guest Post by Will Ellis
What would you do if someone broke into your house and stole your Social Security card? You'd probably be freaked out, and you'd probably get a new home security system.
Well, it might already have happened. Not the break-in, but the theft. Social Security numbers are among the most valuable pieces of information available for sale on the Dark Web, and they are also — worryingly — frequently released as part of data breaches.
Take the hack, back in September, of Equifax, one of the three major credit bureaus. This breach of SSNs and other personal information of millions of Americans resulted in a staggering number of records that were compromised and possibly used by identity thieves.
The breach has been useful in one way, though: it's given people cause to stop and think about the SSN system itself. Shortly after the breach, a White House cybersecurity coordinator said that the federal government was looking into more secure replacements for Social Security numbers. Others, like the website have claimed that “the Social Security number has outlived its usefulness.”
I agree. Here's why:
The primary problem with SSNs is that the system has been made completely insecure by advances in information technology.
It’s worth remembering that the system was first designed in 1936 as a way of identifying people, but has not evolved since then. Back in the days of paper records, finding someone’s SSN was pretty hard, short of breaking into their house or the Social Security office. That’s changed.
SSNs can be found in two ways. The first is that, believe it or not, there is computer software that can correctly guess SSNs in a significant majority of cases. An algorithm created by researchers in 2009 could predict an SSN correctly 44 percent of the time in the U.S. overall and up to 90 percent of the time in smaller, individual states.
It gets worse. Whenever you enter your SSN into a website, you are potentially revealing this information to the website owner, hackers, or anyone else, because the average website is under attack due to a variety of common vulnerabilities. This is especially true if you are traveling, when you need to be extra careful to keep your data safe.
Then there are more direct attacks. One of the big trends in cybersecurity over the past few years has been the rise of advanced phishing attacks which specifically target individuals and encourage them to share their SSN with hackers. These attacks are growing ever more sophisticated and increasingly hard to spot.
These problems would be less of an issue if the government were agile and responsive in dealing with data leaks and in working with their victims to solve the issue.
Unfortunately, the government is useless when it comes to giving people new SSNs, even when they’ve been the victim of a hack. The agency says a different number can be assigned if a “victim of identity theft continues to be disadvantaged by using the original number.” So even if your SSN is leaked, you have to prove that someone else is using it to steal your identity before you can get a new one.
All of these problems lead to a simple conclusion: the SSN system is not fit for purpose and should be replaced. But what are the alternatives?
Well, there are plenty.
There are a number of feasible alternatives to using the SSN system. In fact, in many ways, the technological advances that have made the system obsolete are exactly those that could be used to replace it.
Let’s look at two of them:
Blockchain has something of a bad reputation outside tech circles, where people associate it with crime. But the basic building blocks of the system are simple enough. Rather than storing information in a central repository (where it is vulnerable) blockchains store personal information in a distributed network.
Storing SSNs (or, likely, a new number) in this kind of system could make them much more secure. And some countries are already doing this. Estonia, for instance, uses blockchain to give each citizen a secure digital identity card to access public, financial, medical, and emergency services, as well as to drive, pay taxes online, e-vote, provide digital signatures, and travel within the European Union without a passport.
The problem, at the moment, is that blockchain systems are still quite slow when processing information. But that should improve pretty rapidly.
Another solution would be a biometric database. Biometric information such as fingerprints or iris scans is already used by the United States, albeit to track visitors to the country rather than citizens, in a system known as Biometric Exit.
Using biometrics instead of SSNs would have one huge advantage: they are essentially impossible to fake or to steal. Your iris identifies you uniquely, and no-one can replicate it.
On the other hand, using biometrics raises other concerns. Apple’s use of face-recognition technology in the latest iPhones has caused a lot of controversy, because people don’t want tech giants having access to personal information like this. This would likely be of even greater concern if the government tried to build a similar database.
Each of these solutions has problems of its own, of course. But at least they would be built with security in mind. They would also be designed, from the ground up, to do the job they are supposed to do.
Because that’s the biggest problem with SSNs. The numbers were originally designed to identify people to Social Security offices. Now they are used as an informal, poorly designed, national identity database. Given what we expect the SSN system to do nowadays, it’s no surprise that it is looking more and more obsolete.
Will Ellis is an IT Security Consultant and the founder of Privacy Australia. He develops the guts beneath beautiful websites and can't wait to see what the blockchain world will look like once the technology fully emerges. He invests in cryptocurrencies and studies history.