On Oct. 2, the nation’s second-largest wireless provider emailed subscribers a notice that said a great deal about the problems big business is having keeping personal data private.
“Today, when you call AT&T or visit some retailers, we require the last four digits of your Social Security number as part of the process to access your account,” the notice said. “Going forward, we will instead require a personalized passcode.”
AT&T, like many businesses, had been demanding that customers give it a number intended for use in a federal social welfare program, and had come to regret it. Earlier this year, the company agreed to a $25 million settlement with the U.S. Federal Communications Commission (FCC) after security breaches at offshore call centers. Some of its employees had been harvesting customer data, including full or partial Social Security numbers, and then selling it to criminals, who used the numbers to crack smartphones. The call centers were in Mexico, the Philippines and Colombia, and the breach affected 280,000 U.S. customers.
AT&T’s customers were just a fraction of the millions of Americans affected by security breaches in 2014 and 2015, and the Social Security number is a prized part of the data honeypot sought by hackers. In some cases, like AT&T’s, theft comes from the inside; in many others, the perpetrators were outside hackers. Some of the criminals were motivated by money, while in other cases, including the Anthem breach (78.8 million people’s records exposed) and the federal Office of Personnel Management (22.1 million people exposed), cyber-espionage may have been involved.
And of course there’s the Internal Revenue Service, which first announced in May that the Social Security numbers of 100,000 people were used to file false tax returns during the 2015 filing season. By August, the agency had raised the number of people affected to 330,000. The IRS paid $5.8 billion last year to tax fraudsters, according to the Government Accountability Office, though the agency — whose enforcement staff and IT budget have been affected by budget cuts — blocked billions more in losses. (People affected by SSN-related tax fraud can apply for an IRS-issued IP PIN or identity protection PIN.)
Since 2005 there have been at least 5,593 data breaches that compromised more than 828 million accounts of all types, according to the Identity Theft Research Center, a nonprofit group that tracks cyberfraud. At least 1,515 of those breaches exposed Social Security numbers.
In combination, a person’s full name, Social Security number and birthdate have become a skeleton key for identity verification and, thus, identity theft. Yet the nine-digit number was never intended to be anything of the kind. In fact, from 1946 to 1971, cards came printed with the disclaimer: “FOR SOCIAL SECURITY PURPOSES – NOT FOR IDENTIFICATION.” That was before the rise of the personal computer; the data-rich environment of public- and private-sector digital transactions, from online voter registration to shopping; and the accompanying cavalcade of data breaches, from Target to the Pentagon.
Politicians frequently talk about whether Social Security is solvent. (It is, until at least 2033, and it will probably be restructured to operate much longer and avoid unpopular cuts.) Some candidates talk about data security, with Democrat Jim Webb decrying Chinese cyber-attacks in the party’s first debate and Republican Mike Huckabee suggesting that we launch a cyberwar against China. (The nation will neither admit nor deny its role in the hacks.) But few politicians have tackled the less prominent but still thorny question of whether the Social Security number, as used, has become one of the biggest liabilities in data security.
The problem is that the number has taken on two functions that should remain separate to ensure digital security: identification and authentication.
“Your email address is a form of identification,” said Alessandro Acquisti, an information technology professor and privacy expert at Carnegie Mellon University. “You can share it publicly, so that people can contact you via that address. The password you use to access your email, instead, is a form of authentication: It should stay secret, because you want to be the only one who can access your emails.”
No secure system would allow the same text to be used for both email addresses and passwords, he noted, but that’s exactly how SSNs are being used. They are often in databases as identifiers — for example, in college enrollment rosters of students. But credit card companies use the number as a form of authentication, “leading to heightened risks of identity theft once those databases get breached and compromised,” Acquisti said.
Acquisti co-wrote a study demonstrating that some Social Security numbers could be reverse-engineered from information publicly posted on social media sites. (Until recently the agency generated the first three digits of a SSN from a person’s birth location, and the second two from a rotation linked to birthdate.) But he emphasizes that this is not the crux of the issue, and without “regulatory oversight prohibiting the usage of SSNs for authentication purposes,” the numbers are bound to remain a key part of identity theft.
The Social Security Administration has always said that people are required to give the number only to employers and to financial institutions. But as agency spokesperson William Jarrett wrote in an email, “refusing to give the number might mean doing without the purchase or service for which the number was requested.” In other words, you are not legally compelled to use your SSN for most of the transactions for which the numbers are used today, but then again, vendors don’t have to serve you if you refuse. (No shoes, no shirt, no SSN, no service?)
The federal government is taking some steps to address the future of data security, including the National Strategy for Trusted Identities in Cyberspace, or NSTIC. Founded in 2011 by presidential order and housed at the Department of Commerce, NSTIC’s program office seeks to build public-private partnerships around identity security and offers funding for pilot programs.
The office’s acting director, Mike Garcia, said he agrees with Acquisti that the SSN “is a pretty good identifier, but it’s a really bad authenticator.” So, he argues, are passwords — at least the kind that humans routinely generate.
“A password that people can hold in their head can be cracked,” said Garcia, an economist who worked in cybersecurity for seven years. “Passwords are a fundamentally broken solution; we have to create a marketplace where passwords can die.”
What would that look like? It could be a set of cryptographic keys, either as part of an encryption system on a computer or phone, or on an external device for people who cannot afford a smartphone or computer. There are also ways of piggybacking on forms of identification that have high standards of proof — such as driver’s licenses — and cross-referencing them digitally with new photos provided by an individual.
“One thing I’ve learned [about a digital security system] is that it will break, no matter what it is,” Garcia says. “If there’s a value behind what it’s doing, it will be broken.” This, he argues, is why market-driven solutions are preferable, as companies seek new ways of staying ahead of data thieves.
For its part, AT&T is beginning to shift away from requiring a SSN to authenticate accounts. For now, customers will decide when to generate their new four- to eight-digit passcode, so the transition won’t be immediate.
A company spokesman, Jim Greer, wrote in an email that the decision was a “proactive” security move designed to “enhance customer account security by making it tougher for fraudsters and social engineers to access accounts that they should not be accessing.”
Last year, a study by Javelin Strategy and Research, which analyzes payments used in commerce, found that 96 percent of the top credit card companies and 80 percent of the top 25 banks allowed customers — or fraudsters — to access accounts using SSN authentication. The company advises clients to prominently inform customers that their Social Security number will never be used for authentication, making it easier for those customers to identify calls or emails from scammers if they ask for that information.
For now, in the absence of federal regulations, it’s completely up to companies whether they decide to follow that advice. Congress is considering the Tax Refund Theft Prevention Act, a bill that would try to increase the chances of catching tax-ID fraud by tightening the window for employers to deliver forms, including W-2 statements, to the government. This would mean less lag time between when filers (real or false) submit their wage documents and possibly get refunds, and when the government uses employer-submitted filings to verify the amounts. It would also broaden the identity protection PIN program. But the bill doesn’t address the use of the SSN by private companies for authentication.
The Social Security number evolved from a nine-digit code for a single benefits program into a digital key to American identity. The question now is whether it should be, or even can be, removed from the type of service it was never designed for. In the meantime, billions of dollars and millions of identities remain vulnerable.