Editor’s Note: Mike Chapple is associate teaching professor of information technology, analytics and operations at the University of Notre Dame’s Mendoza College of Business. The opinions expressed in this commentary are his own.
On Tuesday, we learned that more than 100 million Capital One customers’ information was leaked.
And back in June, we learned that the American Medical Collection Agency, a billing collection agency, suffered a data breach affecting millions of patients. The perpetrators had access to systems containing Social Security numbers, bank account numbers, credit card numbers and medical records belonging to millions of individuals. Initial reports of the breach came through an SEC filing made by Quest Diagnostics informing investors that at least 11.9 million Quest patients were affected by the breach. LabCorp also used AMCA’s services, and the affected system stored information about 7.7 million of its patients. It’s likely that the number of affected individuals will continue to increase as details of other AMCA customers come to light.
We’ve heard this story so many times that we already know how it will unfold. Giant company announces breach. CEO makes statement of contrition. Executive in charge of cybersecurity is publicly fired. Customers receive letters of apology and identity monitoring services. We go back to life as normal until another breach restarts the cycle.
It’s time to break that cycle by fixing the root cause: the misuse of Social Security numbers as proof of identity by financial institutions, insurance companies, landlords, health care providers and just about everyone else. Congress can cure this addiction with a drastic remedy: directing the Social Security Administration to publish all active Social Security numbers five years from today, rendering them useless as authenticators while providing time for the industry to implement a secure authentication alternative. Congress could also choose to adopt privacy regulations that either incentivize strong security practices or punish negligent behavior.
Social Security numbers were never intended to be kept secret. When post offices around the nation began issuing these numbers in 1936, they had one purpose: serving as national identification numbers for tracking who was eligible for Social Security benefits. The ubiquity of SSNs quickly led to their unofficial adoption as national identification numbers for government agencies, credit reporting firms, lenders and others. Those of us who attended college in the ’80s and ‘90s recall university professors posting grade reports on their office doors and replacing names with SSNs to protect privacy.
More Tech & Innovation Perspectives
Our current use of SSNs mixes two concepts: identification and authentication. Identification mechanisms allow us to uniquely identify an individual, while authentication mechanisms allow us to confirm an individual’s claim of identity. Think of it this way: When you walk up to the front desk of a hotel to check in, you might identify yourself by name, but then the desk clerk asks to see your driver’s license to authenticate your claimed identity. In the online world, you might identify yourself with an email address, but you authenticate that claim with your password.
We currently use Social Security numbers as both identifiers and authenticators. But Social Security numbers are, in fact, only identifiers since there’s no password or other authentication mechanism associated with them. When you share your number with a lender, landlord, potential employer or your dentist, there’s nothing stopping them from using it to impersonate you. And that’s where publishing all SSNs comes in. Making all SSNs available to the public would make it impossible to use them as authentication since everyone would know everyone else’s SSN. And they could then still be used for identification.
How many digital and paper files scattered around the world contain this nine-digit key to your identity?
Even if you haven’t already been the victim of identity theft, chances are good that hackers already have your SSN. It may be sitting in an illicit digital file somewhere, as hackers wait for the right opportunity to use it. If you weren’t affected by the AMCA breach, there were plenty of other opportunities for your data to fall into the wrong hands.
Have you ever served in the military or worked for the federal government? Your information was probably included in one of several data breaches at the Department of Veterans Affairs, the National Archives and the Office of Personnel Management.
Have you ever held health insurance through Anthem, Premera Blue Cross Blue Shield or Excellus Blue Cross Blue Shield? They’ve also suffered breaches.
If you’ve ever had a credit card, mortgage or car loan, your SSN was probably included in data stolen from Equifax covering over 145 million Americans with active credit files.
Think you’re safe because you never give out your full SSN and only allow businesses to use the last four digits? In 2009, researchers at Carnegie Mellon University demonstrated that they could accurately predict the first five SSN digits for 44% of individuals born between 1989 and 2003 based on their date and place of birth.
When we mistreat identifiers as authenticators, we facilitate identity theft. Anyone who has ever obtained your SSN, legitimately or illegitimately, can claim your identity as their own. And, worst of all, there isn’t much that you can do to thwart them. Unlike a password, it’s extremely difficult to change your SSN. It’s as if everyone you ever invited into your house kept a copy of the key and you’re unable to change the locks.
Secure authentication technology already exists. We use it every day to protect our social media accounts, email inboxes and the dozens of other mundane logins that are part of our everyday lives. Shouldn’t we cover our most sensitive financial information with at least that same minimum level of protection?
Unfortunately, implementing strong authentication is difficult and expensive, and there’s no incentive for credit reporting agencies, financial institutions or other bureaucracies to invest in the technology required to replace our current use of SSNs. Without a burning platform, nothing will change. But Congress can light the necessary fire by directing the publication of all SSNs in five years.
This is a drastic, but necessary, measure. Mandating the future publication of SSNs creates a digital time bomb that will force a fix to a fundamentally flawed system. While setting a time bomb may seem irresponsible, remember that the millions of SSNs already in the hands of hackers constitute millions of individual time bombs, waiting to throw off their shrapnel of identity theft. One of those bombs might have your name and Social Security number written on it. Let’s disarm them.
This article was first published on June 5, 2019 and has been updated to reflect the Capital One data breach.