Equifax: Rethinking Social Security Numbers as Identifiers, Part I

By on Sep 14, 2017

Revelations about compromised social security numbers at Equifax remind us that the United States needs to modernize the national identification standard for its citizens. In 2017, it is unrealistic for a social security number (SSN) to be shared and distributed to many parties and stay confidential for the better part of a century.

This is not a problem that we are just now recognizing. As early as 25 years ago, computer science advocates voiced concerns around sharing an SSN, a single piece of permanent information, with others as a means of proving your identity. Part of the problem is there hasn’t been a forcing function or an incentive to change the way these identity transactions work. Simply having these pieces of information constituted the ability of an individual to prove his or her identity.

The irony in all of this is that we have not taken steps to come up with a better standard despite recognizing that this single piece of information is not adequate in many other places, such as credit cards.

For many years, your credit card number, expiration date, and CID number were the things that proved that you could charge against an account. A few years ago, millions of credit card numbers were compromised during several major retail sector data breaches. We recognized that this model needed to be changed, and we transitioned to “chip and PIN” or smart card–based credit card capabilities. Although we are still transitioning to this model, we can see the benefits of the upgrade.

If you look at how the underlying technologies work for credit cards using a chip, there is never any disclosure of the secret information to parties with whom you are transacting. You are simply using math, cryptography algorithms to prove that you are you, as opposed to giving them something that would let them impersonate you. The simplest technical requirement truly boils down to that.

We need to move to a system in which an individual can prove his or her identity to somebody, but not make it such that when you prove your identity, you are giving the other party the ability to impersonate you in a completely different transaction.

The question we need to ask as U.S. citizens is why would we move forward to a more secure system for financial instruments such as credit cards, but lag in our progress toward a more secure system for proving our identities as individuals.

There are challenges to implementing any new standard, but the Equifax data breach means that the SSN toothpaste is already out of the tube. We cannot put it back. If almost half of U.S. citizens have their SSNs and other personal information compromised, we cannot assume that the information can be used any longer as the sole criteria for someone proving their identity.

My next post will dig into what a transition to a new U.S. identification standard will involve.

About the Author

Steve Grobman

Steve Grobman sets the technical strategy and direction to create technologies that protect smart, connected computing devices and infrastructure worldwide. Grobman leads McAfee’s development of next generation cyber-defense and data science technologies, and threat and vulnerability research. Prior to joining McAfee, he dedicated more than two decades to senior technical leadership positions related to cybersecurity ...

Read more posts from Steve Grobman

Subscribe to McAfee Securing Tomorrow Blogs