Why are people still using SSNs as identifiers?

It’s been a year since we discovered the biggest consumer data breach ever. 150 million people had their personal identifying information leak out of Equifax’s servers.

That identity information included Social Security numbers—which were of course never intended to be used as an identifier. Soon after the breach went public, there were calls for the SSN to be made obsolete—or at least replaced by some sort of biometric identifier.

So where are we now? Has anything really changed? In this week’s inaugural ID Blogwatch, we ring the bell for the good-old/bad-old SSN.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: RIP Iridium Flares…



What’s the craic? Joe Uchill reckons After Equifax’s mega-breach, nothing changed:

The Equifax data breach was supposed to change everything about cybersecurity regulation. [But] it’s not clear it changed much of anything.

…

A year ago … 145.5 million U.S. adults had their social security numbers stolen in an easily preventable breach. If [anything] was … to shock Washington into enacting sweeping privacy reforms, this should have been it.

…

After the first of several hearings involving Equifax, Sen. Chuck Grassley (R-Iowa) … said it was “long past time” for federal standards. [Also] Congress appeared poised to create a national breach notification law. [And] several investigations were supposed to penalize the credit bureau for lax cybersecurity.

…

What actually happened: The bills petered out.

…

The cybersecurity field averages one “this-changes-everything” event a year, none of which actually changes everything.



Well, if not “everything,” how about “something”? Zack Whittaker offers—A year later, Equifax lost your data but faced little fallout:

A lot can change in a year. Not when you’re Equifax.

…

The company failed to patch a [Struts] server it knew was vulnerable for months, which let hackers … steal data on 147 million consumers. Names, addresses, Social Security numbers and more. … Millions of British and Canadian nationals were also affected.

…

While the millions affected can take solace in the beating Equifax got in the press, those demanding regulatory action might be in for a disappointingly long wait.



However, bagofbeans thinks it’s untrue to say nothing’s changed in a year:

Something important has changed. … Free credit freezes are due this month thanks to the Economic Growth, Regulatory Relief, and Consumer Protection Act.

…

The bad news is that FTC is pretending it only applies to the big 3: Equifax, Experian and TransUnion.



12 months on, Veridium CMO Lori Cohen tells her story—My identity has been stolen:

I’m now one of some nine million Americans the FTC estimates have had their identities stolen each year. [I] suspect the Equifax breach was behind this.

…

I found out my identity was stolen on May 15th. … I suspect the thieves were holding on to our identities, hoping to lull us into thinking we’d be fine.

…

These cyber criminals made off with ALL of the things that make up our identity, at least all the things in the category: what you know. … That’s the information you need to open a new credit card and … wreak havoc on your life.

…

If only it were more common for identity to be tied to who you are — your biometrics — instead of what you know, life would be easier. … If the final step to get a new credit card or a loan was actually proving you are who you say with biometrics … identity thieves would be out of luck.

…

I wish I could turn back the clock and have my identity protected by my biometrics. Instead, I’ll be waiting for the other shoe to drop. When and where I’ll soon find out.



So whose problem is it? Here’s nimbius’s cloudy opinion: [You’re fired—Ed.]

This is an industry issue. … Equifax is running out of keys. … They are running out of the very currency that funds their business model. If you can no longer trust SSNs because every hacker on the planet has them … your assets [are] effectively worthless.

…

[And] then you become worthless as a saleable service to your real customers: banks.



This must be concentrating minds, right? Here’s more from Kajetan Champlewski—@mildincompetent:

The only reason that it’s so bad your SSN gets leaked, is because people keep using SSNs for proof of identity, when they were never meant for that.

…

Equifax is one of many problems that will keep happening if people continue to use SSN for identity.



So what can we learn from how other countries tackle this problem? brantondaveperson has news for us:

Other countries don’t have this problem.



And ShanghaiBill explainifies:

Only in America do we rely on critical information being both secret and widely known. Mere knowledge of someone’s SSN, DOB, and address should not be enough to clean out their bank account nor establish credit.

…

No other country has this problem. Until we fix [it], data breaches and identity theft will continue to be major problems.



But wait, is anyone else feeling a little déjà vu here? This was Nafeesa Syeed and Elizabeth Dexheimer, 11 months back—Social Security Numbers Should Go:

The Trump administration is exploring ways to replace the use of Social Security numbers … in the wake of consumer credit agency Equifax Inc.’s massive data breach … according to Rob Joyce, special assistant to the president and White House cybersecurity coordinator.

…

Joyce said officials are looking into “what would be a better system” that [uses] a “modern cryptographic identifier,” such as public and private keys.



And this is what Laura Hautala had to say—Let’s replace Social Security numbers:

It would be fair to ask what your Social Security number is even good for anymore. It’s no longer really a secret form of identification, so let’s think of something else.

…

Major data breaches often spur complaints that [it] was never intended to be a universal form of identification. … If we phase out Social Security numbers, though, we’ll need something that won’t just get compromised all over again.



Of course, storing these immutable identifiers where they’re easily hacked is part of the problem. Heed the roar of Rory—@I_amGermany:

Every developer has their story of that ancient box that should be updated but nobody owns it yet somehow it runs a critical piece of production. … Software dev is also a very young industry. We have to learn through our mistakes and stop ignoring the older industries for guidance. Infosec is going through the same thing.

…

Just look at Equifax. … 150 million people having their SSN and credit information stolen is beyond criminal. [But it’s] impossible to opt out of collection and contains information that you cannot change (SSN), as well as full credit history. There was nothing a user could do to protect themselves.



Meanwhile, Aditya Chaturvedi—@__itya—cuts to the core of the issue (and gets a tiny bit sweary):

The SSN poses great risk. You can get all sorts of **** done there with the SSN and a little bit of social engineering.

…

You lose one little number and now you are super susceptible to identity theft. There are dozens of posts on Reddit every day about how someone tried to scam them using it.



And Finally…

Iridium Flares Are Disappearing From The Skies (video)



You have been reading ID Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or idbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: U.S. Government, via Wikimedia Commons (public domain)