Virtually every person alive today faces the insurmountable challenge of protecting their own identity because of one common root cause — the rampant misuse of Social Security numbers as proof of identity. These numbers were never designed for this purpose but the continued reliance on them by financial institutions, government agencies and others puts us all at risk. There is a solution to this problem, but it’s a little counterintuitive: to better protect our identities, we need to publish everyone’s SSN.
Understanding our contemporary situation requires exploring two background issues: the cybersecurity principles of identification and authentication and the history and origins of the SSN.
In the cybersecurity field, we draw a firm distinction between two related concepts: identification and authentication. Identification takes place when someone makes a claim of identity. I can walk up to the security desk of a government building and introduce myself as the president of the United States. That might be an outrageous claim of identity, but it is an identification claim nonetheless.
No security guard in their right mind would ever take action based upon this claim alone — they would clearly ask me to prove my identity. That’s where authentication comes into play: providing evidence that proves an individual’s identification claim. When presenting myself in person, I likely would authenticate my identity claim by presenting a driver’s license or other government-issued credentials.
We complete the identification and authentication process in the digital sphere on a daily basis. This might be as simple as providing a username (identification) and then a secret password known only to us (authentication). In the case of strongly secured systems, we might be asked to prove our identity in two or more ways. For example, the system might ask us to supplement our password by also acknowledging the login attempt through an app on our smartphone.
This process, known as multifactor authentication, combines some knowledge that we have in our minds with a physical device in our possession. An attacker who steals my password through a phishing attack would probably have a hard time getting their hands on my smartphone as well. It’s similarly unlikely that a thief who stole my smartphone would also be able to obtain my password.
Now let’s shift our attention for a moment and take a historical look at the Social Security number. The U.S. government began issuing SSNs to citizens in 1936 as part of the implementation of the Social Security system under President Franklin Delano Roosevelt’s New Deal. The Social Security system promised to pay retirement and disability benefits based upon an individual’s lifetime contributions to the system through payroll taxes. At that point in history, the nation lacked any systematic way to uniquely identify individual employees and track their Social Security contributions, and the Social Security number was created to address that specific need.
Over the past eight decades, we’ve seen the use of SSNs spread like wildfire. As the digital age dawned, administrators and technologists latched onto this government-issued identifier for two reasons: its uniqueness and its ubiquity. Everyone in the nation was issued an SSN shortly after birth and the number remained unique and constant throughout their lifetime. This simplified the work of database managers who otherwise struggled to determine whether two different “John Smith” records in their systems indeed referred to the same person.
Throughout the 1980s and 1990s, the demand for digital information grew and organizations of all types engineered their information systems around this identifier. I remember being issued my first Notre Dame ID card in 1993 with my Social Security number prominently embossed on it. Everyone from the checkers in the dining halls to cashiers at the bookstore made paper impressions of that card as students traveled around campus. I also remember visiting professors’ offices in Cushing Hall to find my exam grades posted on their doors. Instead of posting scores by name, they would post a list of Social Security numbers and scores in an effort to preserve privacy. This seemed perfectly reasonable and nobody objected.
Around the turn of the century, our attitudes toward the use of SSNs shifted suddenly and dramatically. The driving force behind this change was the emergence of the internet and electronic commerce. Suddenly, we had digital access to financial transactions, real estate records and other sensitive online resources. The firms holding these records needed a way to ensure that they were truly dealing with the correct person, so they turned to a reliable, time-tested tool — the Social Security number — for the same reasons that their counterparts did decades earlier: SSNs were unique and ubiquitous.
That decision, made in the offices of financial institutions around the country, was disastrous and directly led to the identity theft crisis that we face today.
The decision to use SSNs in this manner is fundamentally flawed. It confuses the concepts of identification and authentication. The SSN was always intended to serve only as an identifier and it has served admirably in that role for more than 80 years. But it was never intended to serve as an authentication tool and is incapable of doing so.
The simple reason that we can’t use SSNs as authenticators is the fact that they are not secret. Unlike our passwords, which should be known only to us, knowledge of our SSNs is widespread. Every employer I’ve ever had, from my first paper route to Notre Dame, has my SSN in their records. The same is true for every school I’ve ever attended, every bank I’ve ever conducted business with and countless other organizations. And that doesn’t even include the unknown number of hackers who have stolen records from any of those sources. When we rely upon SSNs as an authentication tool, we allow dozens or hundreds of people from our past lives to easily impersonate us.
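The identification-versus-authentication split described earlier and the point just made, that an identifier known to many parties cannot serve as a secret, as an added Python example (not the author's code): the SSN is used only as a lookup key, proof of identity requires a salted password hash plus a TOTP code from a possessed device, and a party that holds the SSN in old records can locate the account but cannot pass authentication. The account, the SSN value and the TOTP seed are constructed sample data.

```python
import hashlib, hmac, os, struct
KDF_ITERS = 200_000  # PBKDF2 work factor for the stored password hash

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def make_account(ssn: str, password: str, totp_secret: bytes) -> dict:
    """The SSN is stored as the record key only; the secrets are the password hash and TOTP seed."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERS)
    return {"ssn": ssn, "salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret}

def identify(directory: dict, claimed_ssn: str):
    """Identification: the claim only selects which record is being discussed."""
    return directory.get(claimed_ssn)

def ssn_only_check(account: dict, claimed_ssn: str) -> bool:
    """The flawed pattern: treating knowledge of the identifier as proof of identity."""
    return account["ssn"] == claimed_ssn

def authenticate(account: dict, password: str, code: str, now: int) -> bool:
    """Authentication: something known (password) and something possessed (TOTP device)."""
    pw = hashlib.pbkdf2_hmac("sha256", password.encode(), account["salt"], KDF_ITERS)
    pw_ok = hmac.compare_digest(pw, account["pw_hash"])
    code_ok = hmac.compare_digest(code, totp(account["totp_secret"], now))
    return pw_ok and code_ok

# Constructed sample data: a placeholder SSN and the RFC 6238 test-vector seed.
SAMPLE_SSN = "000-00-0000"
SAMPLE_SEED = b"12345678901234567890"
DIRECTORY = {SAMPLE_SSN: make_account(SAMPLE_SSN, "correct horse battery", SAMPLE_SEED)}

def former_employer_attempt(now: int = 59) -> dict:
    """A party holding the SSN in old payroll records: finds the account, passes the SSN-only check, fails real authentication."""
    acct = identify(DIRECTORY, SAMPLE_SSN)
    return {
        "found": acct is not None,
        "ssn_check": ssn_only_check(acct, SAMPLE_SSN),
        "authenticated": authenticate(acct, "guess", "000000", now),
    }

def owner_attempt(now: int = 59) -> bool:
    """The account owner supplies the password and a code from the device holding the seed."""
    acct = identify(DIRECTORY, SAMPLE_SSN)
    return authenticate(acct, "correct horse battery", totp(SAMPLE_SEED, now), now)
```

Note that the SSN value itself appears in the record of every party that ever stored it, which is exactly why `ssn_only_check` passes for the former employer while `authenticate` does not.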
As individuals, there’s not very much that we can do about this situation. We don’t have the ability to change the business practices of the organizations that handle our information. In fact, that letter in my mailbox underscored the fact that we don’t even know the identities of all of the organizations that handle our personal information. All of our SSNs have likely fallen into the wrong hands many times and we don’t even have the ability to change them. It’s as if we gave the keys to our home to every houseguest and contractor who’s ever entered it, but we lack the ability to change the locks.
Nor can we expect that companies will change their business practices on their own. They’ve had the opportunity to do so for years and we still find ourselves in this untenable situation today. The only solutions to this dilemma require dramatic legislative action. That’s why I’m proposing that we resolve as a nation to publish all Social Security numbers publicly with five years’ advance notice.
While publishing SSNs may seem counterintuitive, it will actually protect our privacy by achieving two important goals. First, it will destroy the illusion we’re currently living under that SSNs are secret. They are not. Second, it provides time for industry and government to collaborate on a technical solution to this problem. We already have the technology to protect things as simple as our social media accounts with multifactor authentication. Why can’t we do the same for our sensitive personal records? Five years should be more than sufficient to solve the technical and administrative hurdles to strong authentication. Let’s create the driving force required to get the job done once and for all.
We’re not going to eliminate the misuse of Social Security numbers in the near future. Until we’re able to do so, there are some simple steps that you can take right now to protect yourself from identity theft:
Mike Chapple is the academic director of the Notre Dame Master of Science in Business Analytics program and associate teaching professor of IT, Analytics, and Operations where he teaches undergraduate and graduate courses in business analytics and cybersecurity.