Equifax mass ID theft leads US to rethink on Social Security number

05 Oct 2017

Even as India goes all out with its Aadhaar identification drive, the US is exploring ways to replace the use of Social Security numbers as the main method of assuring people's identities in the wake of the massive data breach at consumer credit agency Equifax Inc.

White House cybersecurity coordinator Rob Joyce said on Tuesday that he believed the United States should begin to do away with Social Security numbers as a national identification method and move on to something more modern.

Speaking at the Washington Post's Cybersecurity Summit, Joyce - a veteran of the National Security Agency's hacking division - said the time has come for the government to turn to cryptographic identifiers for its citizens.

"I believe the Social Security number has outlived its usefulness," Joyce said, noting that the number cannot be changed even after it has been compromised. ''Every time we use the Social Security number, you put it at risk.''

Social Security numbers are only changed in rare cases, meaning even victims of identity theft are often left using the same number that has already been stolen from them.

The administration has called on federal departments and agencies to look into the vulnerabilities of employing the identifier tied to retirement benefits, as well as how to replace the existing system, according to Joyce.

"It's a flawed system that we can't roll back after a breach," Joyce said.  "It's really clear there needs to be a change."

Joyce's comments come just weeks after the data breach at credit reporting firm Equifax that resulted in the theft of personal information including Social Security numbers for as many as 145 million US citizens. The breach effectively compromised the national identification number of nearly half of the entire country.

Former Equifax chief executive Richard Smith, testifying before the House Energy and Commerce Committee in the first of four hearings this week, agreed with Joyce, saying the rising number of hacks involving Social Security numbers has eroded their security value.

At the hearings, lawmakers from both parties expressed outrage over the size of the breach as well as the company's response and grilled Smith on the timeline of the incident, including when top executives learned about it.

"The concept of a Social Security number in this environment being private and secure - I think it's time as a country to think beyond that," Smith said. "What is a better way to identify consumers in our country in a very secure way? I think that way is something different than an SSN, a date of birth and a name."

In response to the breach, Equifax has provided consumers with credit monitoring services and other tools designed to help protect their identity. But the compromised Social Security numbers will put those Americans at risk for the rest of their lives, and their personal information will likely be sold and traded online among criminals and other malicious elements.

Talking to Bloomberg, Bruce Schneier, a fellow at Harvard's Kennedy School of Government, pointed to India's wide-scale rollout of Aadhaar, a unique number provided after collecting biometric information. "In the US, a more secure system could be designed, but magic math costs money," he said.

Joyce has reportedly raised the issue of ditching Social Security numbers with the Trump administration, where he is a special adviser. The administration has in turn asked federal departments and agencies to look into the vulnerabilities associated with the current system and how to go about replacing it with a newer, more secure alternative.

"It's a flawed system that we can't roll back that risk after we know we've had a compromise," Joyce said. "I personally know my Social Security number has been compromised at least four times in my lifetime. That's just untenable."

He had a suggestion for a replacement for SSNs: a "modern cryptographic identifier" like public and private keys. These keys use encryption methods to authenticate an individual. A person has a public key that is accessible by anyone who wants to communicate with them and a private key that only they hold. Possession of that private key must be verified in order to receive or send a message.
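The property Joyce points to, an identifier that can be replaced after a compromise, can be shown with a signed challenge. The Go sketch below is an added illustration, not code from the article or from any government proposal; the choice of Ed25519 and the names `Registry`, `Scenario` and `holder-1` are assumptions made for the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Registry is a hypothetical relying party; it stores public keys only.
type Registry struct {
	keys    map[string]ed25519.PublicKey
	pending map[string][]byte // outstanding single-use nonce per holder
}

// randBytes returns n bytes from the operating system's CSPRNG.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Challenge issues a fresh random nonce that the holder must sign.
func (r *Registry) Challenge(id string) []byte {
	r.pending[id] = randBytes(32)
	return r.pending[id]
}

// Verify consumes the outstanding nonce and checks the signature over it.
func (r *Registry) Verify(id string, sig []byte) bool {
	nonce, asked := r.pending[id]
	delete(r.pending, id)
	pub, known := r.keys[id]
	return asked && known && ed25519.Verify(pub, nonce, sig)
}

// Scenario runs a constructed enrollment, login, replay and key rotation.
func Scenario() (genuine, replayed, oldKey, newKey bool) {
	reg := &Registry{map[string]ed25519.PublicKey{}, map[string][]byte{}}
	priv := ed25519.NewKeyFromSeed(randBytes(ed25519.SeedSize))
	reg.keys["holder-1"] = priv.Public().(ed25519.PublicKey)
	sig := ed25519.Sign(priv, reg.Challenge("holder-1"))
	genuine = reg.Verify("holder-1", sig)
	replayed = reg.Verify("holder-1", sig) // same response again: nonce already consumed
	priv2 := ed25519.NewKeyFromSeed(randBytes(ed25519.SeedSize))
	reg.keys["holder-1"] = priv2.Public().(ed25519.PublicKey) // rotate: old key revoked
	oldKey = reg.Verify("holder-1", ed25519.Sign(priv, reg.Challenge("holder-1")))
	return genuine, replayed, oldKey, reg.Verify("holder-1", ed25519.Sign(priv2, reg.Challenge("holder-1")))
}

func main() { fmt.Println(Scenario()) }
```

The registry never holds anything that can answer a challenge, so a copy of its database does not let the thief authenticate, and a holder whose private key leaks enrolls a new one instead of living with the old value.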

The administration is also participating in discussions Congress is having about the requirements of protecting personal data and breach notifications for companies.

The US government began issuing Social Security numbers in 1936. Nearly 454 million different numbers have been issued, according to the Social Security Administration. Supplanting such an ingrained apparatus would not happen overnight.

The original intent was to track US workers' earnings to determine their Social Security benefits. But with the rise of computers, government agencies and companies found new uses for the number, which gradually grew into a national identifier.