The recent Equifax breach wasn't just a failing of one company's digital defenses — it exposed a fundamental weakness of how the entire financial services industry handles consumer identity. What's surprising is how deep the problem goes.
In hindsight, it's clear that Social Security numbers (SSNs) should not be — and probably should never have been — used as a ubiquitous personal identifier. It's also clear that it is time to fix this issue once and for all, but it's not as simple as asking three credit bureaus to switch to some other identifier. The usage of the SSN has a deep history and could take years to untangle from the modern financial ecosystem.
A brief history of the SSN
It may be surprising given the pervasive nature of the SSN today, but up until 1972 these numbers were not used as a form of identification outside of their original stated purpose. In fact, the Social Security card itself explicitly made this clear, with the phrase “NOT TO BE USED FOR IDENTIFICATION” printed on the front until that year.
The SSN was created in 1936 for the sole purpose of tracking the earnings histories of U.S. workers, for use in determining Social Security benefit entitlement and computing benefit levels. However, without any other form of national identity card or number, the SSN outgrew its original purpose as both the public and private sectors found uses for the number as a more useful identifier than name and address. In database terms, the SSN is a near-perfect “primary key” — a unique number from which other data items relating to an individual can be indexed.
The scope creep of the SSN is well documented by the Social Security Administration. In 1960, the number was first used as a personal identifier for federal workers. From here, federal usage of the SSN snowballed into it becoming a form of military ID, a requirement for Medicare and an identifier for government bond purchasing, among other purposes. But the tipping point for the transition from the public to the private sector can be dated to 1970, when legislation was enacted that required banks, savings and loan associations, credit unions and securities dealers to obtain the SSNs of all customers.
While ostensibly the SSN was still a government credential, in the absence of any alternative it rapidly became a stamp of identity for virtually every U.S. resident.
Convenience trumps common sense
The aggressive spread of SSN use, coupled with a lack of tracking and accountability, means there is no way of determining just how widespread SSN use is. What may be surprising is that only a relatively restricted list of government agencies and financial organizations are actually required to request an individual’s SSN. This does not include landlords, cable companies, mobile operators, universities and colleges or even credit reporting agencies.
These organizations use SSNs because doing so is easier and more convenient than creating and maintaining their own unique identifiers: a name and address combination is not guaranteed to be unique, whereas an SSN is.
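The "creating their own unique identifiers" alternative is less work than the article's framing suggests. The following is an added example, not code from the article or from any of the organizations it names. It assumes a small SQLite customer table and a constructed HMAC key (in practice the key would live in a KMS or HSM). The record is keyed by a random surrogate identifier, and the SSN is kept only as a keyed hash that supports lookup and duplicate detection without the raw number ever being stored; the SSA-issued range checks in `normalize_ssn` are a simple sanity filter, not a full validity check.

```python
import hashlib
import hmac
import re
import sqlite3
import uuid

# Constructed key for this example only; production keys belong in a KMS/HSM,
# never in the same store as the customer table.
TOKEN_KEY = b"example-only-hmac-key-rotate-me"

SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def normalize_ssn(raw):
    """Strip dashes and reject numbers outside the ranges the SSA issues."""
    m = SSN_RE.match(raw.strip())
    if not m:
        raise ValueError("malformed SSN")
    area, group, serial = m.groups()
    if area in ("000", "666") or area.startswith("9"):
        raise ValueError("area number is never issued")
    if group == "00" or serial == "0000":
        raise ValueError("group or serial number is never issued")
    return area + group + serial


def is_valid_ssn(raw):
    try:
        normalize_ssn(raw)
        return True
    except ValueError:
        return False


def ssn_token(ssn):
    """Keyed hash of the SSN: usable for lookup, useless to a thief without TOKEN_KEY."""
    return hmac.new(TOKEN_KEY, normalize_ssn(ssn).encode(), hashlib.sha256).hexdigest()


def open_db():
    conn = sqlite3.connect(":memory:")
    # The primary key is a random surrogate; the SSN is neither the key nor stored raw.
    # UNIQUE on ssn_token still catches the same person being enrolled twice,
    # while NULL tokens allow customers who never supplied an SSN.
    conn.execute(
        """CREATE TABLE customer (
               customer_id TEXT PRIMARY KEY,
               name        TEXT NOT NULL,
               address     TEXT NOT NULL,
               ssn_token   TEXT UNIQUE)"""
    )
    return conn


def add_customer(conn, name, address, ssn=None):
    """Enrol a customer and return the surrogate id that every other table should reference."""
    customer_id = str(uuid.uuid4())
    token = ssn_token(ssn) if ssn else None
    conn.execute(
        "INSERT INTO customer VALUES (?, ?, ?, ?)", (customer_id, name, address, token)
    )
    return customer_id


def find_by_ssn(conn, ssn):
    """Look a customer up by SSN without the raw number ever touching the table."""
    row = conn.execute(
        "SELECT customer_id FROM customer WHERE ssn_token = ?", (ssn_token(ssn),)
    ).fetchone()
    return row[0] if row else None


def stores_raw_ssn(conn, ssn):
    """True if the raw digits of `ssn` appear anywhere in the stored rows."""
    digits = normalize_ssn(ssn)
    for row in conn.execute("SELECT * FROM customer"):
        if any(digits in str(value) for value in row):
            return True
    return False


if __name__ == "__main__":
    db = open_db()
    # Two customers with identical name and address (constructed sample data):
    # a name/address key would collide, the surrogate key does not.
    first = add_customer(db, "John Smith", "1 Main St", "219-09-9999")
    second = add_customer(db, "John Smith", "1 Main St", "078-05-1120")
    print(first != second, find_by_ssn(db, "219099999") == first)
    print("raw SSN stored:", stores_raw_ssn(db, "219-09-9999"))
```

Enrolling the same SSN twice raises `sqlite3.IntegrityError` from the UNIQUE constraint, which is the duplicate check the article says organizations lean on the SSN for, achieved without the number itself being the key. Because the token is keyed, a copy of the table leaks no SSNs, and rotating `TOKEN_KEY` re-tokenizes the column rather than forcing 300 million people to change their numbers.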
The Social Security Administration (SSA) states: “You should be careful about sharing your number, even when you’re asked for it. You should ask why your number is needed, how it’ll be used, and what will happen if you refuse.”
However, there is no legal recourse for individuals who are discriminated against for declining to supply their SSN, hence the normalization of asking for SSNs for even the most trivial of reasons. And of course, the SSN has become interwoven with consumers' credit files, making it the simplest means for a business to run a credit check via one of the three credit bureaus.
Who's in control?
As high-profile data breaches have spread in parallel with the overall growth of the Internet, states across the country have enacted laws restricting the printing and display of SSNs on identification cards, the mailing of SSNs, and demands that SSNs be transmitted over the Internet.
For example, California enacted legislation in 2001 that generally prohibited businesses from engaging in certain activities with SSNs, such as posting or publicly displaying SSNs, mailing documents that make SSNs visible on or through the envelope, printing SSNs on cards necessary for accessing products or services, or requiring people to transmit an SSN over the Internet unless the connection is secure or the number is encrypted. Over 20 states have passed laws similar to California’s, and five states have placed significant restrictions on the private solicitation of or insistence on collecting SSNs — Alaska, Kansas, Rhode Island, Maine and New Mexico.
This still leaves a vast portion of the U.S. unaddressed.
Prior to the Equifax breach, restricting the display and dissemination of SSNs may have had a role in limiting their availability on the black market. Post-Equifax, however, this activity is somewhat futile. Given the scale of the breach, we must assume that any and all SSNs are effectively public. The underlying design flaw is that the SSN serves both as an identifier, which by nature is shared widely, and as an authenticator, which must stay secret, and unlike a password it cannot be rotated once it leaks. The United States therefore needs to quickly decouple identification of an individual from this static identifier, putting the genie back into the pre-1972 bottle.
But is this realistic?
Security experts agree that the way forward will probably be more stick than carrot and that federal intervention will be the most likely catalyst for change.
“The credit bureaus' case will be made in Congress in coming weeks, and there will likely be some resolution to open-ended questions, which may include some mandatory breach regulations or laws at the federal level,” says Seth Ruden, principal fraud consultant for payment risk solutions at ACI Worldwide. “We’re overdue for a federal response, and congressional oversight will likely drive some change, which has teeth. This may include authentication requirements, and few things are as compelling to driving cases for change than regulation.”
There are also forces at work outside the U.S. that may ultimately influence a move away from SSNs in the U.S.
PSD2, the European response to managing a growing market of alternative and digital financial transactions, sets a minimum standard for customer authentication (its strong customer authentication requirements). Much like the EMV chip-card standard, it is likely to influence other regions to adopt similar security and to provide a case study in how a fragmented market can move in unison to achieve a common goal.
If there is a point of divergence in terms of identity management that could have a material impact on U.S. commerce with other countries, this too could precipitate a change.
“We are two steps behind our peers, and parts of the developing world have been using stronger authentication practices for many years than we have implemented in the USA. The opportunity to significantly learn from this event exists, in that this is an opportunity to leapfrog and arrive at an outcome that effectively positions us with our rightful peers,” says Ruden.
To fix this identity crisis, it will take political will and consumer pressure to come to some sort of alignment that recognizes that a significant problem now exists and needs to be solved, particularly since the private sector is unlikely to voluntarily step up, says Joram Borenstein, vice president of marketing and alliances/partners at NICE Actimize.
“There is little appetite in the private sector to pay for this," says Borenstein. "If one assumes this will be resolved at the national level, such resolution would require legislation and therefore probably be impacted by political trends, lobbying, and more.”
The execution of any such solution is also unclear at this time. Borenstein considers that there are some major questions relating to getting to the end state: “We need to determine if we want to solve this in a piecemeal approach that starts incrementally or in a boil-the-ocean approach. Changing from SSNs to an alternative system will not occur overnight since we’re talking about more than 300 million people whose identities are verified based on a system that goes back roughly 80 years. That being said, to make a change will require a combination of new thinking, new laws, and possibly new technology.”
Julie Conroy, research director at Aite Group, agrees but is concerned about the ability of regulators to fully grasp the scope of the problem.
“Quite honestly, I think the only way we get there is through legislation that fundamentally alters the identity management paradigm, but I don’t see that level of understanding of the issues nor the ability to execute in Congress at this point," Conroy said.
SSNs aren't the only problem
Financial institutions often suggest that consumers can be proactive in protecting their accounts and identities through the use of fraud alerts, apps that can limit account access, and monitoring their credit reports. Not all of these options are user friendly, but they are far more accessible than the prospect of getting a new SSN.
According to the SSA, if you decide to apply for a new number, you’ll need to prove your identity, age, and U.S. citizenship or immigration status. You’ll also need to provide evidence you’re having ongoing problems because of the misuse. It also explicitly points out that “a new number probably won’t solve all your problems … a new number won’t guarantee you a fresh start.”
Moreover, in cases of identity theft a new number may cause more problems than limping on with the existing, exposed SSN.
“For some victims of identity theft, a new number actually creates new problems. If the old credit information isn’t associated with your new number, the absence of any credit history under your new number may make it more difficult for you to get credit," the SSA states.
Perhaps the bigger issue is that consumers feel the problem is too big for them to address on their own, or even to demand a solution from lawmakers. As the news cycle advances, apathy and acceptance may have already set in — the window of opportunity for restricting SSNs may be closing as consumer outrage wanes.
“I would argue that consumers are already beginning to forget about this incident," says Borenstein. “While there have been spikes in the number of people signing up for credit freezes, monitoring, and other services, these spikes are not as dramatic as some experts would have anticipated and will inevitably diminish over time.”
Conroy concurs: “It will be costly, and consumers will forget quickly. We’ve seen that before. That’s why a fundamental change will require governmental action.”