Replacing the Social Security Number

Adopting a continuous "know your customer" (KYC) mentality.


Social security numbers are meant to act as an identifier. But because knowing the number is also treated as proof of identity, an ill-intentioned actor who snatches it can use it for identity fraud. New technologies, like behavioral biometrics, are being developed as a new means of authentication, ending reliance on a single, centrally stored ID.

Why do we use social security numbers as a form of ID?

Social Security Numbers were initially created in 1936 for the sole purpose of tracking the earnings of U.S. workers. Now, the social security number may be the most commonly used numbering system in the United States. Born out of convenience, these numbers have transformed into a de facto national ID. The simplicity of using a unique number already assigned to most U.S. citizens encouraged widespread use of these numbers by government agencies and enterprises to easily identify people in large record systems and databases. Today, social security numbers are required for everything from opening bank accounts to applying for loans, marriage licenses and jobs.

In theory, social security numbers should be an acceptable method of identification. The problem is that they are used for more than identification: knowing the number is routinely accepted as proof that you are its owner, so a value shared with every employer, bank and clinic is also expected to function as a secret. Like passwords, credit card numbers and other personally identifiable information (PII), these numbers are stored centrally by each business that collects them. Those databases are an attractive target for attackers, because a single breach yields millions of numbers without having to scour multiple places for them. As a result, social security numbers are easy to steal, and easy to use once obtained. They are also very hard for the owner to change, meaning fraudsters can exploit a stolen number for years.

Some of the biggest cyberattacks of the last year have shown how exposed this data is. The global WannaCry ransomware worm, which spread through an unpatched Windows SMB vulnerability, counted hospitals and healthcare systems in the UK's NHS among its most prominent victims. WannaCry encrypted data rather than exfiltrating it, but it illustrated why attackers go after healthcare: patient records are highly valuable on the black market, healthcare organizations often struggle to put up the most basic cyber safeguards, and many still run legacy IT systems that cannot be patched. Hospitals and other institutions also tend to store patient information – from insurance provider to social security numbers – on centralized systems, so a single compromise of a weakly protected database is felt on a large scale.

Equifax is another benchmark example. Of the roughly 146 million people affected worldwide, about 145.5 million had their social security numbers stolen – topping the list of compromised PII. What makes this breach worse is that the affected individuals were not Equifax customers at all: credit bureaus collect data on consumers whether or not those consumers have any relationship with them, so there was nothing an individual could have done to opt out. Anyone holding a stolen number, together with the name and date of birth that leaked alongside it, can attempt anything from account takeover to racking up credit card charges. Fraudsters can go further still, stealing the owner's identity outright or building a synthetic identity around the real number, and using it to obtain goods, commit crimes, file false tax returns, and more.

If social security numbers are so easy to steal, why do we still rely on them?

A key issue is that we rely on social security numbers to such a great extent that it is increasingly difficult to do without them. Like passwords, they are familiar – they have existed as a method of identification and authentication since 1972 – and they are convenient: virtually every U.S. citizen already has one. Replacing them would be a cumbersome task for the government, and for every business that has built its record systems around them.

Other countries have attempted to make a change. In India, the government implemented its unified ID program, Aadhaar, which assigns every resident a 12-digit number linked to fingerprint and iris biometrics and which has become tied to banking, mobile service and welfare benefits. Estonia issues every citizen a national ID card carrying cryptographic keys for authentication and digital signatures, and has extended the same technology to foreigners through its e-Residency program. But both systems have had security problems, for different reasons. Aadhaar's central database holds the PII of over a billion people, which makes it a single high-value target, and Indian media have repeatedly reported unauthorized access to Aadhaar records. Estonia's problem was not a central store: in 2017 a flaw in the key-generation routine of the cards' chips (the ROCA vulnerability) made the private keys of hundreds of thousands of cards potentially recoverable from their public keys, forcing the government to revoke and reissue their certificates. The lesson is that a centralized store is an obvious target, but a distributed credential is only as strong as the cryptography behind it.

However, we are entering a world of self-sovereign identity, where individuals seek to take back control of their PII. People don't want to rely on government agencies or third parties to issue identifiers or store their information. They want to create and own their identifiers, and choose which information they share and with whom they share it.

Are other alternatives on the table?

Biometrics are quickly growing into a popular form of identification, as we witnessed with the launch of Apple's Face ID. But even though fixed biometric markers like facial scans and fingerprints are hard to replicate, they are not foolproof, and they share the SSN's worst property: a fingerprint or a face cannot be reissued once a copy leaks. That makes a central database of biometric templates an even riskier target than a database of numbers. Face ID avoids this by keeping the template in the phone's Secure Enclave and never sending it to Apple; systems that pool templates in one easy-to-access location do not.

Another alternative being explored is behavioral biometrics. A model of an individual's behavioral patterns is built using AI and stored on their device. The model is based on the specific way the individual taps, types and swipes on the device, also accounting for geolocation and device type. It is updated continuously, and every new interaction is scored against it for even the slightest sign of potentially fraudulent behavior, so authentication becomes an ongoing judgment rather than a one-time check at login. One design caveat: the model should learn only from interactions that have passed the check; otherwise an impostor who slips through once can gradually retrain it toward their own behavior.
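The enrollment-then-continuous-scoring loop described above, as an added example that is not code from the original article or from any behavioral-biometrics vendor: a keystroke-dynamics profile kept on-device as running statistics, an anomaly score for each new session, and an update rule that learns only from sessions that passed. The three timing features, the threshold and every sample session are constructed for illustration.

```python
"""Keystroke-dynamics continuous authentication (added example, not from the article)."""
import math
from dataclasses import dataclass, field

# Assumption: each session is summarized by three timing features
# (milliseconds and characters per second). Real products extract hundreds.
FEATURES = ("dwell_ms", "flight_ms", "chars_per_sec")
THRESHOLD = 3.0  # assumed cut-off: RMS z-distance above this means "not the owner"


@dataclass
class BehaviorProfile:
    """Per-user model kept on the device: running mean and variance per feature.
    Raw sessions are never retained, only these aggregates."""
    n: int = 0
    mean: dict = field(default_factory=lambda: {f: 0.0 for f in FEATURES})
    m2: dict = field(default_factory=lambda: {f: 0.0 for f in FEATURES})

    def update(self, sample):
        """Welford's online update: constant memory, no raw-sample storage."""
        self.n += 1
        for f in FEATURES:
            delta = sample[f] - self.mean[f]
            self.mean[f] += delta / self.n
            self.m2[f] += delta * (sample[f] - self.mean[f])

    def std(self, f):
        return math.sqrt(self.m2[f] / (self.n - 1)) if self.n > 1 else float("inf")

    def score(self, sample):
        """Anomaly score: root-mean-square z-score across features (0 = typical)."""
        if self.n < 2:
            return 0.0  # enrollment phase: not enough data to judge
        zs = [(sample[f] - self.mean[f]) / max(self.std(f), 1e-9) for f in FEATURES]
        return math.sqrt(sum(z * z for z in zs) / len(zs))


def enroll(profile, sessions):
    """Enrollment sessions are captured while the user is strongly authenticated."""
    for s in sessions:
        profile.update(s)


def continuous_check(profile, sample, threshold=THRESHOLD):
    """Score one live session. Only accepted sessions feed back into the model:
    learning from a rejected one would let an impostor drift the profile
    toward their own behaviour (model poisoning). Returns (accepted, score)."""
    score = profile.score(sample)
    accepted = score <= threshold
    if accepted:
        profile.update(sample)
    return accepted, score


# Constructed sample data: ten enrollment sessions from the owner, then one
# live session from the owner and one from someone else holding the device.
ENROLLMENT_SESSIONS = [
    {"dwell_ms": d, "flight_ms": fl, "chars_per_sec": c}
    for d, fl, c in [(98, 148, 5.1), (103, 155, 4.8), (101, 151, 5.0), (97, 146, 5.3),
                     (105, 158, 4.9), (99, 150, 5.2), (102, 153, 5.0), (100, 149, 4.7),
                     (96, 145, 5.1), (104, 156, 4.9)]
]
OWNER_PROBE = {"dwell_ms": 101, "flight_ms": 152, "chars_per_sec": 5.0}
IMPOSTOR_PROBE = {"dwell_ms": 160, "flight_ms": 90, "chars_per_sec": 8.0}


def run_demo():
    """Enroll, then score both probes. Returns (owner_result, impostor_result, model_size)."""
    profile = BehaviorProfile()
    enroll(profile, ENROLLMENT_SESSIONS)
    owner = continuous_check(profile, OWNER_PROBE)
    impostor = continuous_check(profile, IMPOSTOR_PROBE)
    return owner, impostor, profile.n


if __name__ == "__main__":
    (ok1, s1), (ok2, s2), n = run_demo()
    print(f"owner:    accepted={ok1} score={s1:.2f}")
    print(f"impostor: accepted={ok2} score={s2:.2f}")
    print(f"model learned from {n} sessions (the rejected session was not used)")
```

Real deployments use far more features and a trained classifier rather than a z-score, but the structure is the same: raw interactions never leave the device, a rejected session triggers step-up authentication rather than a model update, and the model size stays constant no matter how long the user keeps typing.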

The added benefit of storing behavioral biometrics on-device goes beyond making hacking more difficult – it gives people control of their virtual ID. The user controls their own identity, on their own device, and can authorize access to a third party, even on a temporary basis, with, for instance, a virtual one-time token. If a user is conducting an online transaction, he or she may present a bank with a QR code carrying only the specific PII it is requesting for verification, and nothing more.

Blockchain is also being considered by many as a driver for self-sovereign identity. Rather than a single, centralized entity controlling where the data is stored, the ledger holds only hashed attestations of user data: the PII itself stays with the user, so there is no central store of plaintext identities for attackers to break into. A service can then verify a claim by recomputing the hash and checking it against the ledger, with user consent and behavioral authentication gating the release. One caveat practitioners should insist on: a hash of a low-entropy value such as a nine-digit number or a date of birth can be brute-forced in seconds, so each attribute must be committed together with a random salt that the user discloses only to the verifier.
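The selective-disclosure flow described in the two paragraphs above (a user releasing only the attributes a verifier asks for, backed by hashed attestations on a ledger), as an added example that is not code from the original article or from any identity project. The "blockchain" is modelled as a plain append-only map from anchor id to root hash, the issuer, holder and verifier are functions in one process, and holder key-binding of the presentation is deliberately left out; the attribute values are constructed.

```python
"""Selective disclosure over salted hashed attestations (added example, stdlib only)."""
import hashlib
import json
import secrets
from datetime import date, timedelta

# Assumption: the ledger is an append-only map anchor_id -> root hash.
# Only this root ever leaves the user's device.
LEDGER = {}


def digest(name, salt, value):
    """Salted per-attribute commitment. Encoding the triple as JSON avoids
    ambiguity between e.g. ("a", "bc") and ("ab", "c")."""
    payload = json.dumps([name, salt, value], separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def unsalted_digest(value):
    """What NOT to anchor: a bare hash of the attribute value."""
    return hashlib.sha256(str(value).encode()).hexdigest()


def root_of(digests):
    """Root over the sorted digest list; this is all the ledger holds."""
    return hashlib.sha256("".join(sorted(digests)).encode()).hexdigest()


def issue(attributes):
    """Issuer side: commit to every attribute with a fresh 128-bit salt,
    anchor the root, and hand the holder the values, salts and digests."""
    salts = {k: secrets.token_hex(16) for k in attributes}
    digests = [digest(k, salts[k], v) for k, v in attributes.items()]
    anchor_id = secrets.token_hex(8)
    LEDGER[anchor_id] = root_of(digests)
    return {"anchor_id": anchor_id, "attributes": dict(attributes),
            "salts": salts, "digests": digests}


def present(credential, disclose, nonce):
    """Holder side: reveal only the requested attributes and their salts. The
    verifier's nonce is echoed for freshness; a production holder would also
    sign the presentation with a device-bound key, which this example omits."""
    disclosures = {k: [credential["salts"][k], credential["attributes"][k]]
                   for k in disclose}
    return {"anchor_id": credential["anchor_id"],
            "digests": list(credential["digests"]),
            "disclosures": disclosures, "nonce": nonce}


def verify(presentation, expected_nonce):
    """Verifier side. Returns the verified attributes, or None on any failure:
    wrong nonce, unknown or mismatched anchor, or a disclosure whose digest is
    not among the attested ones (tampered value or salt)."""
    if presentation["nonce"] != expected_nonce:
        return None
    anchored = LEDGER.get(presentation["anchor_id"])
    if anchored is None or root_of(presentation["digests"]) != anchored:
        return None
    attested = set(presentation["digests"])
    verified = {}
    for name, (salt, value) in presentation["disclosures"].items():
        if digest(name, salt, value) not in attested:
            return None
        verified[name] = value
    return verified


def brute_force_unsalted_dob(target):
    """Why the salt matters: an unsalted hash of a date of birth falls to a
    dictionary attack of roughly 36,500 guesses in well under a second."""
    day = date(1920, 1, 1)
    while day < date(2020, 1, 1):
        if unsalted_digest(day.isoformat()) == target:
            return day.isoformat()
        day += timedelta(days=1)
    return None


if __name__ == "__main__":
    cred = issue({"name": "Jane Roe", "dob": "1985-04-12", "over_18": True, "state": "CA"})
    nonce = secrets.token_hex(8)  # chosen by the verifier per request
    print(verify(present(cred, ["over_18", "state"], nonce), nonce))
    print(brute_force_unsalted_dob(unsalted_digest("1985-04-12")))
```

The verifier learns the two disclosed attributes and nothing about the name or date of birth, yet can confirm they came from the same issuance as the anchored root. The last function is the negative case from the caveat: commit a date of birth without a salt and the ledger hash becomes a lookup key for it.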

Though it may take time before social security numbers are completely replaced, the alternative methods being explored are promising. Methods like behavioral biometrics, decentralization and on-device secure storage can prove to be a formidable solution, taking the responsibility of protecting PII away from businesses and government entities, and giving individuals the power of choice.

This article is published as part of the IDG Contributor Network.
