Replacing SSNs to combat Identity Theft
As previously discussed in my blog post, Do Health Care Providers Need Your SSN?, your PII (Personally Identifiable Information—please, never “PII data”, which is redundant) can be monetized by evildoers. Given sufficient data and effort, identity theft fraudsters can use your health insurance to fraudulently obtain treatment, exploit your credit rating to take out loans or credit cards in your name using your credit, and even conceivably talk their way into accessing your bank account balance. The Powers That Be recognize this, and the U.S. Senate recently discussed replacing the Social Security Number (SSN) with something higher-tech, presumably some sort of electronic identity using multi-factor authentication.
While initially appealing, such an approach has its own risks, particularly for those trailblazers who will be the first to deal with the inevitable theft of their new credentials: how difficult will it be for convince officials and businesses that they really, really are victims despite the new, “unbeatable” system?
Phased rollout will also be difficult, with two systems necessarily coexisting for some period. We will likely see delays forced by cost considerations, as software and possibly even hardware is upgraded to support the new system. Recall the issues with EMV, a global standard for cards equipped with computer chips and the technology used to authenticate chip-card transactions. One of the reasons EMV took so long to gain U.S. adoption was the cost of replacing billions of credit cards (although banks could have simply started issuing them years ago as part of normal card replacement, and thus avoided the self-inflicted mass rollout they recently endured).
Other countries are ahead of the U.S. in instituting such measures for real or de facto national IDs. Estonia, for example, has a chip-based national ID card that uses digital certificates. Unfortunately, a security flaw was recently discovered in the technology used, and thus many Estonians must update their personal certificates. Of course, nobody planned for such a massive update, and the online service has been crashing, leaving folks in limbo.
None of this should be used to argue against improving on the humble nine-digit SSN. Just as EMV does not magically prevent credit card fraud, an SSN replacement will not abolish identity theft, but it should help. Meanwhile, if you are a victim of identity theft, you actually can get a new SSN. The linked page is forthright about the fact that your old SSN will persist in various systems, and you can expect a certain amount of hassle updating it with banks, credit agencies, et al. But it is possible. However, wouldn’t it be even better if the orgs that had your SSN number protected it from theft in the first place?
About the Author
Phil Smith III is a distinguished technologist and Senior Architect & Product Manager, Mainframe & Enterprise, at Micro Focus, formerly HPE Software. He is the author of the popular blog series, Cryptography for Mere Mortals.
Learn how Voltage can protect social security numbers and other sensitive information with SecureData.