The Social Security Number in the United States is the closest thing we have to a national identification system. It’s widely used to deal with the government, open lines of credit, and serves as the unique ID for a tax payer. It’s effectively your financial and governmental digital footprint identifier from which all actions are compared.
Great, right? We can use it to ensure people pay their taxes, connect bank records and large financial transactions to an identity, ferret out money laundering and illicit business, and get a personal balance sheet on anyone who has credit.
Except, once that number is disclosed, it’s disclosed. Unlike a payment card number, there is no wide-scale method to reissue a social security number. Like a PAN used for eCommerce transactions today, it’s static. Once disclosed, your SSN can be replayed to do bad things like open lines of credit or falsely file taxes to get a refund sent elsewhere. I’m reminded of one of Jack McCoy’s favorite sayings in the courtroom, “You can’t un-ring the bell!”
It’s time to call on governments around the world, starting with the US government, to replace and reform the current, static “national identifier” that citizens are forced to use and change the Social Security numbering system. The debate on what a new system should look like will be complex for most policy makers. Using something like the Public Key Infrastructure could be an option, as long as there is a way to validate an identity before old keys are revoked in favor of new ones.
Perhaps we can take a tip from banks around the world and do the same thing that banks do when a payment card is compromised—reissue. We will need something longer than nine digits for sure, and that will cost the government and companies billions (aggregate) to update legacy systems that depend on a nine- or eleven-position value. As numbers are reissued, they would trickle down to systems like the IRS as an invalid number. The individual would then get the ability to update their information with a newly issued SSN.
Equifax has a long road ahead full of senior management inquiries, testimony, lawsuits, fines, and begging the public to trust it again. Experian and TransUnion should use this wake-up call to review their own systems as they all manage similar data used to determine credit worthiness. But most of all, we need to move away from static, for-life identification systems that are vulnerable to replay.
Edit: Yeah, sometimes when you are writing rapidly you have a revision problem. Fixed that so the suggestion is clear.
Possibly Related Posts:
- Ten Things Companies Get Wrong About CIAM
- Protect Yourself and Freeze Your Credit
- Preventing Account Takeover, Enable MFA!
- Proofpoint Patches URL Sandbox Bypass Bug
- Pushing Vendors to Abandon SMS