The litany of SSN breaches over the years provides evidence that the system is ripe for exploitation by individuals, businesses and even government officials at various levels.
First Published 10th November 2017
One number to rule them all.
4 min read | Reflare Research Team
The US Senate Commerce Committee has begun to gather input on potential replacements for Social Security Numbers. In this briefing, we will have a look at the challenges faced by identity mechanisms designed before the digital age.
Social Security Numbers
Unlike most countries, the United States (for political and historical reasons beyond the scope of this briefing) does not issue a mandatory national identification number or document to its citizens. This makes it difficult where individuals have to be correctly identified. While the passport is a national identification document with a unique number, owning one is not mandatory. Currently, just slightly more than 40% of US citizens own a valid passport. For personal identification, driver's licenses are the most common form of ID. However, since they are issued on a state level and are also not mandatory, they are not ideal when it comes to identifying the country’s citizens.
As a result, Social Security Numbers (SSNs) have slowly become the de-facto national ID within the United States. SSNs were originally intended to track citizens for social security payments, but have since become required for most tax-related transactions. Increasingly, they are also required for loan applications, renting or buying property, credit checks, applications for government assistance and many more activities where correctly identifying a person is critical.
Changing Requirements
As the brief history above explains, SSNs were never intended to be used as general identification numbers. Early Social Security Cards even had explicit warning text printed on them urging citizens not to use the card or number for identification purposes. Social Security Cards do not contain photos or birthdays of the person they are assigned to, making identity verification difficult at best. Thus a stolen Social Security Card or SSN will allow a criminal to steal the victim’s identity with relative ease.
While the national identity numbers issued by other countries are quite often temporary (with a new number being issued with each updated document, with a validity of around a decade), social security numbers are assigned for life. New SSNs are restricted to a limited number per individual. And even so, authorities will entertain this under exceptional circumstances and will require extensive evidence to support the issuance of a new replacement SSN.
What’s Next?
Breaches, such as the Equifax breach a few weeks back, have exposed the social security numbers of a significant majority of US citizens to the public and/or criminals willing to pay for them. Due to the difficulty of replacing SSNs, this has prompted government officials to look for alternatives.
The simplest solution would be re-issuing new SSNs to all citizens and create a clean slate. However, it would likely not take long for those new numbers to be compromised by new breaches.
Centralized national IDs with linked ID numbers that are regularly rotated are likely to face significant political opposition in the US. Then again, SSNs already present a de-facto national ID number, so this opposition could be overcome in light of the recent breaches.
Lastly, high-tech alternatives such as government-issued cryptographic keys that allow citizens to prove their identity through cryptographic signatures (without disclosing the key itself) present an interesting option. While such systems are used in Brazil, Korea and Finland, their introduction would present the same political problems as launching a national ID card, along with the challenges of implementing a relatively complex technological solution across a large population.