With reports of a massive data breach at Capital One this week came a now-familiar warning: roughly 140,000 Social Security numbers of the bank’s credit card applicants had apparently been stolen, along with another 80,000 bank account numbers.
Capital One’s announcement came shortly after a $700 million settlement was announced by the Federal Trade Commission in the 2017 data breach at Equifax, which exposed more than 140 million Social Security numbers.
And even before vast breaches became common in recent years, Social Security numbers were far from secret. They’re widely shared with employers, doctor’s offices, schools, and banks. For decades, they were often printed on identification cards from driver’s licenses to college student IDs.
Being used by so many different institutions makes them genuinely useful for making sure two different files actually refer to the same person named, say, John Smith. But it also makes them increasingly worthless as secret passwords.
“We’ve shared our Social Security Numbers with every company where we’ve ever worked, every financial institution where we’ve ever opened an account, and countless other organizations throughout our lifetime,” writes Mike Chapple, an associate teaching professor of IT, analytics and operations at Notre Dame’s Mendoza College of Business, in an email to Fast Company. “This widespread sharing of our Social Security Numbers makes them completely unsuitable for use as proof of our identities.”
For generations, they were even generated in a way that makes them easy to guess if you know when somebody was born.
Yet Social Security numbers are routinely used to help verify consumer identities at all sorts of institutions, whether applying for credit or calling in with a question about a bank account or insurance policy. Experts say that’s partly because switching to a more secure system is genuinely challenging—and partly because of inertia on the part of businesses and regulators who could roll out more secure ways for people to demonstrate their identities.
“Knowledge is sort of the low-hanging fruit”
Banks and other institutions accept some fraud as the cost of doing business, says Jim Fenton, an independent tech consultant who’s worked on identity and privacy issues.
“They can deal with it the same way stores deal with shoplifting,” he says. “They accept a certain degree of shoplifting as what they call shrinkage.”
After all, the cost of handling a few fraudulent credit card transactions or even loans taken out under false names often pales compared to the cost of upgrading legacy computers to handle more sophisticated identity verification. And moving to systems that require users do more than prove they know a code like a Social Security number, password, or PIN takes some setup, says Pat Cox, vice president at telecom and tech company Neustar.
“Biometrics are tricky because you’ve got to first capture the fingerprint,” he says. “Knowledge is sort of the low-hanging fruit. That’s the problem.”
While many institutions have looked into alternative ways to verify identities, from blockchain tech to biometrics, they’re also naturally reluctant to invest in a technology that might turn out to be a dead end, says Neal O’Farrell, executive director of the nonprofit Identity Theft Council.
Companies also haven’t seen that much pressure from customers—perhaps partly because consumers haven’t seen enough concrete harm from data breaches to be motivated to, say, boycott companies that have been struck by them, he says.
“Until that happens, there’s no real urgency for these organizations to take that massive risk and investment of dumping the Social Security number for some alternative,” says O’Farrell.
Despite recent privacy-focused settlements with companies like Equifax and Facebook, advocates also argue lawmakers and regulators haven’t done enough to nudge big corporation to invest heavily in privacy.
“Federal lawmakers have been taking huge amounts of money from the technology and banking industries and refusing to do anything meaningful to protect people’s privacy and security,” said Laila Abdelaziz, a campaigner at digital rights group Fight for the Future, in a statement. “Congress has bowed to industry demands that they regulate themselves, and as a result they’ve endangered the safety of the entire nation. Breaches like this one will continue to happen until Congress passes strong protections demanding private companies build technology with people’s safety and security in mind.”
The promise of Estonia’s digital ID system
Some other countries, perhaps most notably Estonia, have set up national digital identification systems that people can use to prove who they are online or in person without simply relying on a password-style code like U.S. Social Security numbers. It’s similar in concept to how modern cellphones can securely identify themselves to networks without being cloned by nearby fraudsters.
It’s no panacea: Estonian digital IDs did have to be updated in 2017 after some security vulnerabilities were uncovered in the underlying code. And many experts have suggested it would be hard to adopt in the U.S., where the idea of a national ID card has long made people wary, even despite Social Security cards and numbers being essentially mandatory for most citizens simply to work, bank, drive, and pay taxes.
“Your attitudes toward this sort of thing are a very culture-specific phenomenon,” says Fenton. “The U.S. doesn’t want to have people have a centralized government ID.”
Another challenge, says Steven Bellovin, a computer science professor at Columbia University, is that even the most secure ID system has to handle people who’ve had their IDs lost or stolen, which often means identifying people by some less secure means.
To be sure, many organizations have taken steps to bolster security beyond just prompting for Social Security numbers and passwords. From email providers to banks, many institutions have enabled customers to set up two-factor authentication, where they need to also verify their identity with biometric identifiers like a fingerprint or proof that they’re in possession of a device like a smartphone. And some organizations have started requiring new customers prove who they are by uploading, say, a selfie with an ID like a driver’s license, but that’s by no means universal.
One way to hurry things like, Chapple suggested in a recent opinion piece for CNN, would be for the government to simply publish everyone’s Social Security number after a lead time of, say, five years. By making the numbers officially public, officials would force businesses to acknowledge what some fraud victims have already learned the hard way: Social Security numbers just aren’t particularly secret.
“Publishing these numbers would remove the false presumption that there is any secrecy in these numbers and require financial institutions and others to adopt stronger authentication techniques,” he tells Fast Company. “This is difficult work that will take time, so setting a deadline five years from now provides sufficient time for the technical, procedural, and legal groundwork required to move away from the use of SSNs.”