Former CEO of Equifax Richard Smith hasn't gotten much right of late following his former company's data breach and fumbling of the aftermath. But one thing Smith has correct is that Social Security numbers need to go.
In testimony before the US House of Representatives Committee on Financial Services, Smith was grilled by legislators, but did garner some agreement when he said the following:
We should consider the creation of a public private partnership to begin a dialogue on replacing the Social Security Number as the touchstone for identity verification in this country. It is time to have identity verification procedures that match the technological age in which we live.
Social Security numbers were hatched as a way for US citizens to get benefits. Over time, these nine-digit identifiers became the primary way a person is identified. With Social Security numbers part of the haul from the Equifax data breach, it's clear that these identifiers are a single point of failure. The Social Security number is the key to the fraud kingdom and perhaps the ultimate example of legacy infrastructure and processes.
White House Cybersecurity Coordinator Rob Joyce said last week that the Social Security identification system is fatally flawed. Speaking at a Washington Post Cybersecurity Summit, he said "every time we use the Social Security number you pit it at risk." Joyce has asked departments and agencies to kick around ideas to move away from Social Security numbers and use more secure identifiers.
What's unclear is what replaces the Social Security number, which launched in 1936 . The Social Security Administration has issued more than 450 million original Social Security numbers.
Tech Pro Research: Information security incident reporting policy | Lunch and learn: Dealing with the risks of identity theft | TechRepublic: FDIC hit by 50+ breaches in a two year period | Video: 3 billion reasons to change your passwords
Matt Devost, Accenture security global cyber defense practice lead, knows how a compromised Social Security number can be a big headache. His Social Security number was compromised 20 years ago.
"The issue we have today is that a Social Security number is kept as a secret to authenticate access and identity," said Devost. "We need to be moving away from that and add biometrics on top of that or the equivalent of a private wallet with blockchain."
Read also:Executive's guide to implementing blockchain technology | How it works: Blockchain explained in 500 words
Devost advocates that the US government would move away from Social Security numbers and replace it with biometrics or a blockchain equivalent. This transition would take years, but in the meantime, industries could use more holistic ways to identify a person. The Social Security number can't be the primary way to access things like credit and health care benefits.
"The Social Security number is not private, but you can verify relationships based on relationships," Devost said.
Indeed, Affirm, a financial services company led by former PayPal CTO Max Levchin, aims to bring fair pricing and transparency to consumer credit. To approve loans, Affirm does a "soft" credit check and uses home addresses, mobile phone numbers, email addresses, data of birth and last four digits of your Social Security number to verify identity.
Devost noted that Affirm is an example of how relationships at financial institutions can be used to verify identity. Social identities and scraping known data sources can also verify identity and minimize Social Security numbers.
Other security layers could include personal identification numbers as well as private keys.
One approach to ponder is Estonia's. The country has created a digital identification system and has courted residents. Some UK businesses see Estonia's e-residency approach as Brexit insurance.
Estonia has also built an e-residency platform and deployed blockchain technology. The country is also planning a new digital authentication app for Android and iOS called Smart-ID. To wit:
While this transition away from Social Security numbers is being hashed out, industries could at least implement two-factor authentication and other security layers. For instance, Devost outlines a scenario where a cybercriminal would try to open a credit account in your name and you'd get an alert in your banking app.
These security layers are easy to implement and use financial institutions and other established accounts to verify a person. "These layered ways would be a great stutter step to something more permanent," Devost said.
The interim measures will important since phasing out Social Security numbers will take decades to implement. A system built today with biometrics or blockchain would be rolled out for U.S. births. The existing population would be grandfathered in. "The new system would roll out as new people are born," Devost said.
The Equifax saga: