Our Identity Management System is Broken
One of the very first numbers we are given in this life is the number we’re supposed to keep the MOST secret: our Social Security Number (SSN). It’s the number most commonly associated with our identities in the US, despite the fact that Social Security cards carried a warning stating “Not for Identification” until 1972. The original intent of the SSN was simply to track US citizens’ earnings and contributions to the Social Security program. However, we are asked for our Social Security number seemingly every time we turn around: when applying for credit, when paying taxes, when applying for a job, when visiting a doctor, and when applying for a new account virtually anywhere (transactional or not). If we’re supposed to keep this secret number secret, why are we forced to give it out at every turn?
Using that secret number for identification purposes has long been a topic of discussion, but the conversation reached a potential tipping point recently with the Equifax breach, in which hackers stole the SSNs of 143 million Americans (thus far). That’s roughly 45% of all US citizens, for those of you scoring at home.
It’s Not Just Equifax
Equifax lost more than SSNs; the stolen information may include:
- Consumer Names
- Social Security Numbers
- Driver’s License Numbers
Additionally, 209,000 credit cards were compromised.
However, Equifax was far from the first large SSN breach in recent history. In July, the Kansas Department of Commerce lost 5 million SSNs. Before that, the IRS was breached for 700,000 SSNs. The Anthem breach before that exposed 80 million SSNs, and the OPM breach before that lost 21.5 million SSNs. Statistically, we’re getting pretty close to all Americans having had their SSNs compromised, but it gets worse: since 2010, nearly 2,500 reported data breaches have involved the theft of SSNs.
Act As If Your SSN Is Already Compromised
One of the things we preach about cybersecurity is that it’s not a matter of IF, it’s a matter of WHEN. If you assume you already are, or will be, compromised, your behavior changes: instead of concentrating ONLY on what you can do to prevent something bad from happening, you also plan for how you will recover from that incident.
The greatest concern with your SSN being compromised is an identity thief opening new accounts in your name or accessing large lines of credit. We shouldn’t be overly concerned about someone applying for a new in-store credit card in our name; the real worry is high-value accounts like a high-limit credit card or a large loan (auto or home). Most cards offer consumer protections, but loans are a much tougher battle.
The first thing you should consider doing is monitoring your credit regularly. While Equifax has offered a free year of credit monitoring (in the hopes of up-selling you that service – or better yet, their premium identity monitoring services for $19.95/month), there are numerous free options available to all consumers. Please perform some research and due diligence on these services to understand the pros and cons of each, as well as to verify their legitimacy. Here are some suggestions:
The best option to ensure an identity thief cannot open new accounts in your name is to place a credit freeze on your account. A credit freeze essentially blocks any potential creditor from accessing your credit file. A fraudster can still apply for accounts in your name, but because your credit report cannot be accessed, no new accounts will be opened. Once you complete the credit freeze application process, you will be provided a PIN associated with your account. The credit freeze will remain in place until you “thaw” your credit.
To implement a credit freeze, you will likely have to enroll with all three (3) major credit bureaus – Equifax, Experian, and TransUnion – as there is no central location to freeze one’s credit. The freeze may require a fee to implement, depending on your state. Equifax has a nifty chart of the types of credit freeze one can implement in each state, along with fees, here: https://help.equifax.com/s/article/ka137000000DSDyAAO/What-are-the-security-freeze-fees-in-my-state
To remove or “thaw” a credit freeze, simply call the credit bureau and provide the PIN associated with your account. It’s a good idea to check with the organization with whom you are looking to open a line of credit to determine which credit bureau they use; that will save you from having to thaw your credit at all three bureaus. Thawing your credit should not take longer than 24 hours.
An alternative to the credit freeze is the fraud alert. A fraud alert may be placed on your credit file, which will require your approval before a lender or other organization can access your credit report. The upside to a fraud alert is that the credit bureau with whom you placed the alert must notify the other credit bureaus, meaning it’s a centralized process. However, a fraud alert is only good for 90 days and must be renewed manually each time. Additionally, while the entity attempting to access your credit report is supposed to obtain your approval, they are not legally required to do so.
What’s The Next Step?
While the system of using SSNs as our most secret and unique identifier is clearly broken, there is no clear-cut solution. Currently, it is extremely difficult to change a Social Security Number outside of extreme circumstances. In 2015, for example, only 274 individuals were able to change their SSN successfully. The ability to change one’s SSN has been discussed more frequently in recent times, but it won’t ever be as easy as changing the password to your Gmail account.
Biometrics have been discussed as a replacement for an identifying number, as the use of biometrics is much more viable today than even 5 years ago. However, there are numerous ways to defeat fingerprint scans, facial recognition, voice activation, etc. Additionally, once a biometric has been captured or stolen, there’s no changing it.
Relying on one central factor – whether it’s a number, a biometric, or an alternative we’ve not yet discussed – is a tricky proposition. Good security practice tells us that if we have something that’s truly important, we should layer security controls around that important thing. Effective security controls often include multi-factor authentication, which happens to be most frequently implemented in the form of a secret number (something you know) and a biometric (something you are).
Regardless, the best control we have in place today is the credit freeze. If there’s something you don’t want unauthorized individuals to access – your credit – then don’t let anyone have access unless you grant express written permission via the thawing of your credit.
Perhaps Equifax will be the Target moment for the Social Security Number and its role as our most unique barrier. After the Target breach, the card industry (finally) moved toward a security chip in issued cards. While it’s not yet fully implemented (nearly 4 years later), we’re making progress. Dropping the SSN as our unique identifier will not be an overnight process, but moving toward better methods of authenticating our identities is a must.
One thing is for sure – don’t operate under the false pretense that your SSN has not been compromised, even if Equifax’s phishy website told you that you were safe. Take action and assume that your identity has been compromised. You’ll thank yourself later.
Written by: Jon Waldman
Partner, Executive Vice President of IS Consulting
Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.