When last year’s massive Equifax breach exposed the Social Security numbers (SSNs) of more than 145 million Americans, the role of the SSN in identity came into question. Should SSNs be removed altogether from identity proofing and authentication? What alternatives can identity providers use in lieu of SSNs?
ID.me CEO Blake Hall appeared at KNOW Identity Conference 2018 alongside Brandy Travis, Chief Marketing Officer at Aristotle, Chris Ryan, a Senior Fraud Solutions Business Consultant at Experian, and Geoff Miller, SVP-Global Head Fraud & Identity Solutions at TransUnion, to dig into where the SSN is valuable, possible alternatives to the SSN, and how the industry should move forward with regard to the identifier.
The SSN as a Permanent, Unique Identifier — Not a Password
Ryan kicked off the discussion by noting that despite large data breaches exposing the SSN, it still functions well as a permanent unique identifier tracking an individual’s earning history.
“It’s a permanent identifier that follows you throughout your working career against which you and multiple employers can make contributions for your social security benefits. I think that’s all an essential use of the Social Security number, its original intent,” Ryan said.
That the SSN is both permanent and unique is vital. Hall agreed that without the SSN, it would be difficult to differentiate citizens with identical information.
“When you’re talking about uniquely describing a person’s legal identity, Social Security numbers are very important. How do you tell 100 John Smiths who share the same date of birth apart?” Hall said. “We need a permanent and unique identifier that can differentiate these individuals.”
Outside of uniquely identifying individuals, the SSN’s use becomes more limited. It was once common practice in the private and public sectors to use a full SSN or the last four digits in knowledge-based authentication. The old logic was that if a specific SSN is only known to the individual who owns it, they could use it like a password to access high-risk services online.
In a post-Equifax world, this is no longer the case. Millions of SSNs leaked on the dark web are now public, leaving any account that uses an SSN as a password open to takeover. Once the question of uniqueness is answered, organizations must use other methods like devices, biometrics, and government identity documents to verify that the user claiming an identity is in fact that person.
Hall likened the combination of name, date of birth, and SSN to a username. For example, on Twitter each user possesses a handle that is unique to their own account. Other users can find that account using that unique handle, but they can’t log into it because the password remains a secret. If the industry treated static identifiers like names, dates of birth, and SSNs like usernames instead of passwords, that information couldn’t be used to hack online accounts.
“If we think about name, date of birth, and SSN as our legal ‘handle’ that uniquely describes us, it’s fine as long as it’s divorced from the passwords used to claim ownership of that identity,” Hall said.
Alternatives to the SSN in Identity Verification
If knowledge of an SSN can’t securely function as proof that a user is in fact the described identity (e.g. as a password), then what should organizations use instead?
Telecommunications data can add a powerful layer of identity verification and authentication. Data points such as the tenure of a cell phone number, the specific tower a phone is pinging, and whether or not the SIM card has been swapped recently can help determine if a device is a trustworthy source of identity. Users can also use their phones to enable two-factor authentication (2FA).
Hall said that the interlocking data points cell phones provide are also harder to spoof, reducing the risk of fraud.
“There’s a saying in banking called ‘over the tenure of an account’: it means, the longer I know you, the better I know you,” Hall said. “If you have a legitimate user who has paid their phone bill for seven months, they are pinging a cell phone tower within a mile of their address on record, and there hasn’t been a SIM swap or phone port, then for a bad guy to take over your identity they would have to pay your phone bill for seven months and stand outside your house with a verified device to try to claim your identity. That’s not a scalable attack vector and that’s good.”
However, phone numbers can’t replace SSNs as a unique identifier on their own. Miller explained that unlike SSNs, phone numbers aren’t permanently tied to specific identities.
“I wouldn’t necessarily use [phone numbers] as the sole matching element because of permanence,” Miller said. “It sounds very easy at the high level, but then what if I’m on a company plan? Do I get to keep that number when I leave the company? Or what if I’m on a family plan or on my partner’s plan? It becomes a little more complex.”
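The separation Hall describes, sketched as an added Python example (not code from ID.me or any panelist's company): the name, date of birth and SSN only look up a record, and trust in the phone comes from the telecom signals in his illustration. The record layout, function names, decision labels and sample data are assumptions, and the thresholds simply restate his seven months and one mile.

```python
from dataclasses import dataclass
from datetime import date
from math import asin, cos, radians, sin, sqrt
from typing import Optional

# Thresholds mirror Hall's illustration (seven months, one mile); assumptions, not policy.
MIN_TENURE_DAYS = 7 * 30
MAX_TOWER_MILES = 1.0

@dataclass
class Record:  # hypothetical record keyed by the legal "handle" (name, DOB, SSN)
    address: tuple                     # (lat, lon) of the address on record
    number_active_since: date          # start of the phone number's tenure
    last_swap_or_port: Optional[date]  # most recent SIM swap or port, if any
    tower: tuple                       # (lat, lon) of the tower the phone is pinging

def miles_between(a, b):
    """Great-circle (haversine) distance in miles between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 3958.8 * asin(sqrt(h))

def assess_claim(records, handle, today):
    """Return (decision, reasons). The handle selects a record; it never authenticates."""
    rec = records.get(handle)
    if rec is None:
        return "no_match", ["handle does not resolve to a record"]
    reasons = []
    if (today - rec.number_active_since).days < MIN_TENURE_DAYS:
        reasons.append("number tenure under seven months")
    swap = rec.last_swap_or_port
    if swap is not None and (today - swap).days < MIN_TENURE_DAYS:
        reasons.append("recent SIM swap or port")
    if miles_between(rec.address, rec.tower) > MAX_TOWER_MILES:
        reasons.append("tower more than a mile from address on record")
    # Any failed signal means the phone is not trusted; require another proof.
    return ("phone_trusted" if not reasons else "step_up", reasons)

# Constructed sample data; SSN area number 000 is never issued.
TODAY = date(2018, 4, 1)
ALICE = ("Alice Example", date(1980, 1, 1), "000-00-0000")
BOB = ("Bob Example", date(1975, 5, 5), "000-00-0001")
RECORDS = {
    ALICE: Record((38.9000, -77.0300), date(2017, 6, 1), None, (38.9050, -77.0300)),
    BOB: Record((38.9000, -77.0300), date(2016, 1, 1), date(2018, 3, 20), (39.2900, -76.6100)),
}

if __name__ == "__main__":
    for handle in (ALICE, BOB):
        print(handle[0], assess_claim(RECORDS, handle, TODAY))
```

The phone number is never the lookup key here, which matches Miller's point about permanence: it is a signal attached to a record, not the identifier.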
Publishing the SSN Can Empower Attribute Providers and Stop Fraud
Now that SSNs are public, it’s impossible for them to become secret again. This state of affairs creates an opportunity for both criminals and federal agencies.
For example, synthetic identity theft is a type of fraud that creates a fictitious identity using attributes that belong to real people. Miller shared with the panel that he worked with a company to identify synthetic identities and found that 80% of SSNs that were synthetic belonged to children under the age of 10. Since those children are too young to have a credit history, the fraud can go undetected for years.
One proposed solution for preventing synthetic identity fraud is for the federal government to publish SSNs as a reference point for identity verification services. The Senate recently passed the “Economic Growth, Regulatory Relief, and Consumer Protection Act,” which includes language allowing financial organizations to look up an individual’s name, date of birth, and SSN in the Social Security Administration’s (SSA) database. If the bill becomes law, the SSA can become a data source for identity verification.
“SSA’s ownership of social security numbers is a source of truth,” Ryan said. “It can be better leveraged with a number of restrictions and a number of technology capabilities to make that smooth and less vulnerable. That would be helpful. From a synthetic identity standpoint, knowing that that individual is associated with the Social Security number they provided gives us the sense that it’s an actual existing number.”
Travis brought the conversation full circle, noting that if the government is to become more involved in identity, it should focus on protecting data from hackers.
“We think that the government should get involved with how data is actually stored,” Travis said. “As you know, there’ve been a ton of data breaches in the past year. When you’re looking at the 2016 election, there were hacks left and right. If we’re ever going to look at online voting, we have to get a handle on that.”
Defining the role of government in protecting and publishing data like the SSN can have lasting ramifications for American democracy. Hall said that the government must take an active role in identity to protect American elections and identities from interference.
“There’s got to be a regime or paradigm for government to act as an attribute provider,” Hall concluded. “If we don’t do this, if we don’t fix identity, there’s going to be more foreign actors that undermine our democracy.”