NO SAFETY IN NUMBERS

By Mike Chapple | Fall 2019

THE MISUSE OF SOCIAL SECURITY NUMBERS PUTS US ALL AT RISK FOR CYBER CRIME. 


 

I recently opened my mailbox to discover a generic-looking letter from a company with an unfamiliar name. I’m not sure why I didn’t toss that letter in the recycling bin with the handful of other junk mail that arrived that day, but I opened it to discover that my personal information was involved in yet another data breach. Worse yet, the stolen information included not only my Social Security number but those of my three teenaged children.

I had never conducted business with the company sending me this letter, but they apparently processed insurance claims for a health care provider that my family uses. The letter didn’t disclose which provider shared my records with them, but that was water under the bridge. I once again found myself in the same powerless situation facing millions of Americans each year — the keys to my family’s identities had been stolen and I had no ability to change the locks.


 

Virtually every person alive today faces the insurmountable challenge of protecting their own identity because of one common root cause — the rampant misuse of Social Security numbers as proof of identity. These numbers were never designed for this purpose but the continued reliance on them by financial institutions, government agencies and others puts us all at risk. There is a solution to this problem, but it’s a little counter-intuitive: to better protect our identities, we need to publish everyone’s SSN.

Understanding our contemporary situation requires exploring two background issues: the cybersecurity principles of identification and authentication and the history and origins of the SSN.

In the cybersecurity field, we draw a firm distinction between two related concepts: identification and authentication. Identification takes place when someone makes a claim of identity. I can walk up to the security desk of a government building and introduce myself as the president of the United States. That might be an outrageous claim of identity, but it is an identification claim nonetheless.

illustration of a hand holding a burning social security cardNo security guard in their right mind would ever take action based upon this claim alone — they would clearly ask me to prove my identity. That’s where authentication comes into play: providing evidence that proves an individual’s identification claim. When presenting myself in person, I likely would authenticate my identity claim by presenting a driver’s license or other government-issued credentials.

We complete the identification and authentication process in the digital sphere on a daily basis. This might be as simple as providing a username (identification) and then a secret password known only to us (authentication). In the case of strongly secured systems, we might be asked to prove our identity in two or more ways. For example, the system might ask us to supplement our password by also acknowledging the login attempt through an app on our smartphone.

This process, known as multifactor authentication, combines some knowledge that we have in our minds with a physical device in our possession. An attacker who steals my password through a phishing attack would probably have a hard time getting their hands on my smartphone as well. It’s similarly unlikely that a thief who stole my smartphone would also be able to obtain my password.

Now let’s shift our attention for a moment and take a historical look at the Social Security number. The U.S. government began issuing SSNs to citizens in 1936 as part of the implementation of the Social Security system under President Franklin Delano Roosevelt’s New Deal. The Social Security system promised to pay retirement and disability benefits based upon an individual’s lifetime contributions to the system through payroll taxes. At that point in history, the nation lacked any systematic way to uniquely identify individual employees and track their Social Security contributions, and the Social Security number was created to address that specific need.

Over the past eight decades, we’ve seen the use of SSNs spread like wildfire. As the digital age dawned, administrators and technologists latched onto this government-issued identifier for two reasons: its uniqueness and its ubiquity. Everyone in the nation was issued an SSN shortly after birth and the number remained unique and constant throughout their lifetime. This simplified the work of database managers who otherwise struggled to determine whether two different “John Smith” records in their systems indeed referred to the same person.

Throughout the 1980s and 1990s, the demand for digital information grew and organizations of all types engineered their information systems around this identifier. I remember being issued my first Notre Dame ID card in 1993 with my Social Security Number prominently embossed on it. Everyone from the checkers in the dining halls to cashiers at the bookstore made paper impressions of that card as students traveled around campus. I also remember visiting professors’ offices in Cushing Hall to find my exam grades posted on their doors. Instead of posting scores by name, they would post a list of Social Security numbers and scores in an effort to preserve privacy. This seemed perfectly reasonable and nobody objected.

Around the turn of the century, our attitudes toward the use of SSNs shifted suddenly and dramatically. The driving force behind this change was the emergence of the internet and electronic commerce. Suddenly, we had digital access to financial transactions, real estate records and other sensitive online resources. The firms holding these records needed a way to ensure that they were truly dealing with the correct person, so they turned to a reliable, time-tested tool — the Social Security Number — for the same reasons that their counterparts did decades earlier: SSNs were unique and ubiquitous.

That decision, made in the offices of financial institutions around the country, was disastrous and directly led to the identity theft crisis that we face today.

The decision to use SSNs in this manner is fundamentally flawed. It confuses the concepts of identification and authentication. The SSN was always intended to serve only as an identifier and it has served admirably in that role for more than 80 years. But it was never intended to serve as an authentication tool and is incapable of doing so.

illustration of two burning matchesThe simple reason that we can’t use SSNs as authenticators is the fact that they are not secret. Unlike our passwords, which should be known only to us, knowledge of our SSNs is widespread. Every employer I’ve ever had, from my first paper route to Notre Dame, has my SSN in their records. The same is true for every school I’ve ever attended, every bank I’ve ever conducted business with and countless other organizations. And that doesn’t even include the unknown number of hackers who have stolen records from any of those sources. When we rely upon SSNs as an authentication tool, we allow dozens or hundreds of people from our past lives to easily impersonate us.

As individuals, there’s not very much that we can do about this situation. We don’t have the ability to change the business practices of the organizations that handle our information. In fact, that letter in my mailbox underscored the fact that we don’t even know the identities of all of the organizations that handle our personal information. All of our SSNs have likely fallen into the wrong hands many times and we don’t even have the ability to change them. It’s as if we gave the keys to our home to every houseguest and contractor who’s ever entered it, but we lack the ability to change the locks.

Nor can we expect that companies will change their business practices on their own. They’ve had the opportunity to do so for years and we still find ourselves in this untenable situation today. The only solutions to this dilemma require dramatic legislative action. That’s why I’m proposing that we resolve as a nation to publish all Social Security numbers publicly with five years’ advance notice.

While publishing SSNs may seem counterintuitive, it will actually protect our privacy by achieving two important goals. First, it will destroy the illusion we’re currently living under that SSNs are secret. They are not. Second, it provides time for industry and government to collaborate on a technical solution to this problem. We already have the technology to protect things as simple as our social media accounts with multifactor authentication. Why can’t we do the same for our sensitive personal records? Five years should be more than sufficient to solve the technical and administrative hurdles to strong authentication. Let’s create the driving force required to get the job done once and for all.


 

Three Things You Can Do Today to Protect Your Identity

We’re not going to eliminate the misuse of Social Security numbers in the near future. Until we’re able to do so, there are some simple steps that you can take right now to protect yourself from identity theft:

  1. Limit the disclosure of your SSN. While it’s inevitable that other people have access to your SSN, you should at least limit your risk by sharing it with the smallest possible number of people and organizations. Your employer, financial institutions and government agencies need your SSN. Most other organizations do not. The next time you encounter a form at your doctor’s office asking for your SSN, just leave it blank. It’s likely nobody will bat an eye.
  2. Monitor your credit. You can access your own credit reports for free by visiting annualcreditreport.com. You can also take advantage of free credit monitoring services offered by companies who breach your personal information. However you choose to do it, check your credit reports for any unusual activity on a regular basis.
  3. Freeze your credit. All three of the major credit bureaus allow you to freeze your credit report, preventing anyone from opening an account in your name unless you unfreeze your records. Take advantage of those services. Learn more by visiting the Federal Trade Commission (FTC) website.


 


Mike ChappleMIKE CHAPPLE

Mike Chapple is the academic director of the Notre Dame Master of Science in Business Analytics program and associate teaching professor of IT, Analytics, and Operations where he teaches undergraduate and graduate courses in business analytics and cybersecurity.