Former CEO of Equifax Richard Smith hasn't gotten much right of late following his former company's data breach and fumbling of the aftermath. But one thing Smith has correct is that Social Security numbers need to go.
In testimony before the US House of Representatives Committee on Financial Services, Smith was grilled by legislators, but did garner some agreement when he said the following:
"We should consider the creation of a public private partnership to begin a dialogue on replacing the Social Security Number as the touchstone for identity verification in this country. It is time to have identity verification procedures that match the technological age in which we live."
Social Security numbers were hatched as a way for US citizens to get benefits. Over time, these nine-digit identifiers became the primary way a person is identified. With Social Security numbers part of the haul from the Equifax data breach, it's clear that these identifiers are a single point of failure. The Social Security number is the key to the fraud kingdom and perhaps the ultimate example of legacy infrastructure and processes.
White House Cybersecurity Coordinator Rob Joyce said last week that the Social Security identification system is fatally flawed. Speaking at a Washington Post Cybersecurity Summit, he said "every time we use the Social Security number you put it at risk." Joyce has asked departments and agencies to kick around ideas to move away from Social Security numbers and use more secure identifiers.
What's unclear is what replaces the Social Security number, which launched in 1936. The Social Security Administration has issued more than 450 million original Social Security numbers.
"The issue we have today is that a Social Security number is kept as a secret to authenticate access and identity," said Devost. "We need to be moving away from that and add biometrics on top of that or the equivalent of a private wallet with blockchain."
Devost advocates that the US government move away from Social Security numbers and replace them with biometrics or a blockchain equivalent. This transition would take years, but in the meantime, industries could use more holistic ways to identify a person. The Social Security number can't be the primary way to access things like credit and health care benefits.
"The Social Security number is not private, but you can verify relationships based on relationships," Devost said.
Indeed, Affirm, a financial services company led by former PayPal CTO Max Levchin, aims to bring fair pricing and transparency to consumer credit. To approve loans, Affirm does a "soft" credit check and uses home addresses, mobile phone numbers, email addresses, date of birth and the last four digits of your Social Security number to verify identity.
Devost noted that Affirm is an example of how relationships at financial institutions can be used to verify identity. Social identities and scraping known data sources can also verify identity and minimize the use of Social Security numbers.
Other security layers could include personal identification numbers as well as private keys.
One approach to ponder is Estonia's. The country has created a digital identification system and has courted residents. Some UK businesses see Estonia's e-residency approach as Brexit insurance.
Estonia has also built an e-residency platform and deployed blockchain technology. The country is also planning a new digital authentication app for Android and iOS called Smart-ID. To wit:
- Estonia has 1.3 million people: Here's how it plans to get 10 million e-residents by 2025
- Android, iOS secure ID: Estonia says it's taking digital authentication to new levels
- An end to ID theft? This facial recognition is so smart even twins can't fool it
- What's suddenly luring Brexit-hit Britons? Estonia's digital citizenship for anyone
- Why ripples from this Estonian blockchain experiment may be felt around the world
- Estonia's plan for anyone to be a citizen, digitally: Here's why thousands are signing up
While this transition away from Social Security numbers is being hashed out, industries could at least implement two-factor authentication and other security layers. For instance, Devost outlines a scenario where a cybercriminal would try to open a credit account in your name and you'd get an alert in your banking app.
These security layers are easy to implement and use financial institutions and other established accounts to verify a person. "These layered ways would be a great stutter step to something more permanent," Devost said.
The interim measures will be important since phasing out Social Security numbers will take decades to implement. A system built today with biometrics or blockchain would be rolled out for U.S. births. The existing population would be grandfathered in. "The new system would roll out as new people are born," Devost said.
The Equifax saga:
- Equifax ex-chief admits responsibility 'starts at the top' for devastating data breach
- Equifax: An additional 2.5M Americans affected by breach
- Equifax lesson: It's time for tougher rules, regulations, fines to combat breaches
- Equifax confirms Apache Struts security flaw it failed to patch is to blame for hack
- Equifax exposes credit services' woeful IT, processes, security
- More than credit scores: Why Equifax for Business matters
- Equifax's big fat fail: How not to handle a data breach
- Equifax chief executive steps down after massive data breach
- Equifax CIO, CSO step down
- Massive Equifax data breach exposes as many as 143 million customer