Government and industry rely on Social Security numbers as a fail-safe way to ensure people are who they claim to be, but massive data breaches have led cybersecurity experts to argue the nine-digit identifier is past its prime.
High-profile data breaches have dumped hundreds of millions of Social Security numbers into the online wilderness recently, fueling a rise in identity theft and financial fraud. In 2015, experts estimated between 60 and 80 percent of Social Security numbers have at some point been stolen by hackers, and that was before the massive breach at Equifax exposed information on 143 million Americans last year.
With so many numbers floating in the online wilderness, cyber advocates on Thursday told a House panel that agencies and companies could no longer trust them as a certain means to verify people’s identities.
“Social Security numbers are so deeply compromised and so widely available to the public…that they can no longer be used as an authenticator,” said Paul Rosenzweig, a cybersecurity expert at the R Street Institute, before the House Ways and Means Subcommittee on Social Security. While he and other witnesses largely agreed the number can still work as a unique government ID, the days of using it to prove someone is who they say they are are long over.
“Using my Social Security number as an authenticator is as stupid as using the last four letters of my last name as an authenticator, or the last four digits of my phone number,” said Rosenzweig.
The government began assigning Social Security numbers in 1936 to track workers’ earnings and federal benefits. Since then it’s morphed into “a de facto national identifier” used by businesses, schools, hospitals and other groups in ways that were never intended, said Steve Grobman, a senior vice president and chief technology officer at McAfee.
Leaving so many valuable assets bundled to one number presents ever-growing privacy and security risks, and panelists argued it’s time to begin exploring other ways for agencies and other groups to verify identity.
Acting Social Security Administration Commissioner Nancy Berry said the agency is open to exploring new authentication methods, but noted advanced solutions often come with a high price tag. Grobman pushed back hard against this notion, arguing that the “staggering” price of doing nothing outweighs the cost of building a new system.
Last year identity theft cost Americans $16.8 billion, according to Javelin Strategy and Research.
Lawmakers and witnesses debated the pros and cons of several alternative authenticators—like ID-embedded cards, biometric data and blockchain tech—but agreed on the need for change as recent breaches rendered Social Security numbers essentially public information.
“It’s clear [Social Security numbers] aren’t a secret anymore, and it’s time to stop pretending they are,” said Chairman Sam Johnson, R-Texas.