On average in 2014, there was an institutional data breach somewhere in the United States nearly every 12 hours—a record 783 cases reported last year, according to the nonprofit Identity Theft Resource Center. And the dire consequence is that these attacks give criminals access to what security experts call “the keys to the kingdom”: our Social Security numbers.
In recent months, cyber-attacks have compromised the personal data and Social Security numbers of 47,000 employees and actors affiliated with Sony Corp., 800,000 workers at the U.S. Postal Service, 11 million customers of Premera Blue Cross, and up to 78.8 million customers at Anthem Blue Cross Blue Shield.
Which raises the question: Is it time to abolish Social Security numbers? Or at least radically change the way we use them?
These numbers—collected by banks, insurers, health care plans, universities and the government to match people to their records—have become all-purpose ID numbers. And therein lies the problem. Our use of Social Security numbers is “fundamentally, structurally flawed,” says Chris Hoofnagle, a UC Berkeley lecturer on computer crime and privacy law.
The biggest sticking point about the Social Security number, security-wise, is that it’s commonly used both as an identifier and an authenticator. Private companies and government agencies including the IRS and insurance companies collect the SSN as a unique number that identifies each person unambiguously. But it’s also used by other organizations as a sort of password—a way of making sure that people are really who they say they are. As the authors of a 2008 Federal Trade Commission report investigating SSN security wrote, “These entities, in effect, treat the SSN as a secret piece of information, available only to the consumer and themselves, and give access to information or benefits only when the consumer is able to supply and confirm his or her SSN.”
But the SSN isn’t really secret at all, because it’s so commonly used. Using the Social Security number as both an identifier and authenticator is akin to, say, using your username on one website as a password on another site, except everyone knows that you’re using your username as the password. You don’t have to be a security expert to see why that’s a bad idea.
In theory, only select groups—your bank, your insurance company, your doctor—have your Social Security number. But even if SSNs aren’t readily available to malicious parties, it’s not impossible to simply guess them. In 2009, two Carnegie Mellon researchers found that they could derive Social Security numbers from freely available information about individuals’ birthplaces and dates, and they managed to guess full sequences with alarming accuracy. “Unless mitigating strategies are implemented,” they wrote, “the predictability of SSNs exposes them to risks of identity theft on mass scales.”
How did things get so bad? It wasn’t by design. When the Social Security number was created in 1936, the Social Security Administration intended it solely as a way to track the earnings of working Americans in order to determine the amount of Social Security benefits owed to them. Eventually, though, companies in the private sector realized that they needed to differentiate hundreds of millions of Americans, and that using this new government numbering system seemed the perfect way to do it—Social Security numbers were permanent, unique, and common across organizations. “The ability to enumerate people in an authoritative way is very valuable, so the private sector quickly latched onto it,” Hoofnagle says. “There was never a law prohibiting private sector SSN use, so as a result we’re in the situation we’re in.”
Which means we’re rapidly entering a world where our sensitive data moves through companies without our knowledge, says Hoofnagle. It’s often entrusted to people or corporations we don’t know—and, he adds, shouldn’t necessarily trust.
Once someone with ill intent possesses our SSN, they have the potential to unlock our private finances. A 2014 assessment by the Bay Area–based Javelin Strategy & Research discovered that 80 percent of the top 25 banks and 96 percent of top credit card issuers would surrender your account access to anyone who could recite your Social Security number.
As accountability and responsibility become more diffuse, companies aren’t usually able to track down the criminals when security gets compromised. “The people who stole the data are often never caught,” Hoofnagle says. “So victims will go sue a bank and say, my data were stolen, and the courts will say ‘Yeah, but you haven’t been harmed.’ ”
Whether they’ve been obtained by an institutional cyber-attack or a tricky email phishing scheme, a disturbing number of stolen Social Security numbers are floating around out there, and could wind up for sale on the black market. The Javelin report says one of every three people notified of a data breach in 2013 became a victim of fraud. The rest remain potential victims, exposed to the constant possibility of injury down the line—an insidious state of affairs in which a constant low-grade paranoia is a perfectly rational response. Hoofnagle sums up the situation: “There’s someone out there who has all this information about you, and you don’t know who they are, and you don’t know why they stole it. It could just be that they’re interested in stealing money from you. But it could be that they want to extort you. Which is it? You don’t know, and you might not know for years.”
Still, he says, corporate data security has improved through the years, thanks to security-breach notification laws, enacted first in 2003 in California, that require companies to alert affected customers after a data breach. “It’s a really exciting time in the field because the security-breach notification laws have really created different incentives for security, and companies are scrambling to figure out how to make their systems more secure,” Hoofnagle says. “So things are much better on the corporate side than they were ten years ago. Ten years ago if there was a security breach, they just wouldn’t tell anyone.”
The government has taken steps to mitigate the risk, as well. In 2011, the Social Security Administration changed its formula for creating new SSNs, so the first five digits are randomly assigned and thus harder to guess. And the tax-collecting Internal Revenue Service tries to halt suspicious tax returns, and thus refund checks to criminals using stolen SSNs—one federal estimate projected that over five years such fraud would rake in some $26 billion, but the IRS recently reported that it was doing better than predicted at catching fraudsters in the act.
For now, we can hope that high-profile breaches prompt companies to rethink how they handle their customers’ sensitive information.
But what about the customers themselves, who are constantly called upon to provide personal information and can’t possibly keep tabs on the privacy policies of every company they do business with? “Ultimately, you can’t protect yourself completely,” says Hoofnagle. “I mean, what’s the answer, don’t have health care? So we’re going to have to find a way through all this.”
Nor is it practical to eliminate our dependence on Social Security numbers—too much business and government infrastructure is built upon those permanent digits.
OK, so we’re all screwed. But there are still ways to minimize our risk of theft. Paul Stephens, director of policy and advocacy at the San Diego–based Privacy Rights Clearinghouse, says consumers can easily monitor their credit for free by requesting a credit report from one of the three national consumer reporting agencies, a different one every four months (available at www.annualcreditreport.com). After you receive a report, it’s a simple matter of reviewing it and disputing any errors you find. For purchases, Stephens recommends using a credit card instead of a debit card, because debit cards can serve as a direct pipeline into your checking account.
Beyond these concrete actions, Stephens suggests adopting a proactive, protective stance towards your personal information. When asked to hand over your Social Security number other than for legitimate uses involving taxation or income, offer up questions of your own: Why do they need this information? How are they going to use it? Can I use a different form of ID? For online transactions, where there’s no one to bargain with, Hoofnagle offers a rule of thumb: “Free services are more privacy-invasive than paid ones. So when you actually purchase a service, the incentives of the companies are more in line with yours, and they have fewer incentives to monetize the data by selling it.”
Another tactic to limit your exposure: Request that your banks and credit card companies place a note on your account stating that you will provide other info as a form of authentication, but never your SSN. “That way,” notes the Javelin report, “they will know never to ask since anyone who attempts to access your account with this information is a fraudster.”
And, in the event that your data is compromised in a security breach, it’s easy to set up a fraud alert, which will flag potential creditors like stores and restaurants to take extra steps to ensure “you” actually are you. “That’s the interesting thing about ID theft,” Hoofnagle says. “It’s taking advantage of the alacrity of businesses to grant credit. So if you can slow down the credit decision, it could help avoid fraud.”
These precautions are important to take. But for sanity’s sake, it’s probably also helpful to cultivate a blithe but aware resignation to counterbalance the paranoia. In the end, Hoofnagle says, “Often there is no privacy-preserving choice, and that’s the reality we’re now living in.” Then he laughs.