By Jason M. Rubin
SSNs were never meant to be used for identification purposes
When Carnegie Mellon researchers announced in July 2009 that they had been able to accurately predict people's Social Security numbers (SSNs) by scouring various publicly available information sources, the reaction among much of the media and the general public was shock. But the ease with which the researchers reported accomplishing this feat (one that surely excited the ranks of criminals and fraudsters already coveting SSNs as a key component in identity theft) points out the simple fact that these highly sensitive numbers have been vulnerable all along.
"The issue has always been there," says Naomi Lefkovitz, an attorney with the Federal Trade Commission's (FTC) Division of Privacy and Identity Protection, "but many sectors of society and our economy rely on SSNs as identifiers, and it can take significant time and money to replace legacy systems. So our view is that we need to promote new best practices and strategies for data security, such as better authentication techniques that don't rely solely on the SSN."
In fact, the Social Security Administration has been warning about this issue for years. "The root of the problem," notes Shannon L. Kellogg, director of Information Security Policy at EMC's Office of Government Relations, "is that while the Social Security number is commonly employed for identification and authentication purposes, that was never its intended use. But because different organizations and agencies need to share information about people, it became a convenient identifier. Then it became a common authenticator, and that's where the challenges started. Today, with the growth of social networks in which people willingly reveal personal information to unknown lurkers, SSNs are more valuable than ever, but for all the wrong reasons."
The 411 on SSN
The first SSNs were issued by the Social Security Administration in November 1936 as part of President Franklin Roosevelt's New Deal. Roosevelt created the agency when he signed the Social Security Act into law on August 15, 1935. The goal of the measure was to prevent the suffering that retirees experienced during the Great Depression from recurring in the future. Payroll contributions in the form of a mandatory tax would be collected by the government and disbursed to workers upon their retirement.
The original purpose of the number itself, therefore, was to track individuals' accounts within the Social Security program. Back then, the numbers were only needed when a person began earning wages, but because they have come to be used for identification purposes, today SSNs are routinely assigned at birth. Yet Social Security cards were never meant to be used for personal identification purposes and, until the 1980s, the cards explicitly stated, "NOT FOR IDENTIFICATION."
For many years, though, SSNs have been widely used both for identification and authentication by financial institutions, hospitals, schools, and government agencies. Their pervasive use, in fact, has only increased their value to identity thieves. Another problem is that the Social Security card itself, though rarely required to be physically presented, has no photograph, signature, or biometric identifiers to match it with the person trying to use it.
But the real issue lies within the very structure of the number itself, which is what the Carnegie Mellon researchers were able to exploit. Each SSN is a nine-digit value divided into three parts. The first three digits comprise the area number, which is assigned by geographic region. Generally, numbers assigned in the Northeast are the lowest and those assigned in the West are the highest. This means that knowing a person's birthplace or longtime place of residence provides a valuable clue into part of the number. The next two digits are known as the group number, and the last four digits, which are issued sequentially, are the serial number.
Most Americans born since 1989 were issued SSNs shortly after birth so it's easier to predict their numbers based on geography and chronology. In fact, what the Carnegie Mellon researchers found was that, in many cases, an individual's date and state of birth were sufficient to guess his or her SSN. Testing their prediction method using records of people who died between 1973 and 2003, they were able to accurately identify the first five digits for 44% of the individuals in a single attempt. Further, they were able to successfully guess all nine digits for 8.5% of those individuals in fewer than 1,000 attempts. This led them to conclude that an SSN "is no more secure than a three-digit PIN."
Guidance for banks
Perhaps no sector has been so historically reliant on SSNs as the financial industry, where they have long been required on bank accounts. This is due, in part, to the high-risk nature of the financial transactions. "There are many Dave Smiths," notes Jeff Kopchik, senior policy analyst at the Federal Deposit Insurance Corporation's (FDIC) Technology Supervision Branch, Division of Supervision and Consumer Protection, "but only one unique number to identify each. So if Dave Smith wants to transfer money, a banker wants to make sure that only the correct Dave Smith can do so."
According to Kopchik, the concern over protecting SSNs is just another play in an ongoing game of cat and mouse with fraudsters. "It's a constant back and forth battle," he says. "And it's not some teenage hacker doing this for fun anymore. These are professional criminals who are highly trained, well-organized, and well-funded."
That's why the Federal Financial Institutions Examination Council (FFIEC), a body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System, the FDIC, and three other agencies, issued guidance to the industry called "Authentication in an Internet Banking Environment" in 2005. The guidance, which falls short of regulation, explicitly states that for any high-risk, web-based banking system (defined as one that allows transfer of funds to another party or access to private information) a simple logon ID and password authentication system is insufficient. Without mandating a specific type of technology, the guidance is clear that strong authentication is required to protect sensitive information from theft.
To quote from the guidance: "The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. Financial institutions offering Internet-based products and services to their customers should use effective methods to authenticate the identity of customers using those products and services. The authentication techniques employed by the financial institution should be appropriate to the risks associated with those products and services. Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation. Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks."
Kopchik, who was the FDIC's primary representative on the FFIEC working group that drafted the 2005 guidance, understands that 2005 was a long time ago in hacker years. "What was good yesterday is not necessarily good today," he says, "and one of the things we're discussing right now is whether those authentication guidelines should be updated to account for advances, both in hacker techniques and in authentication technology." The 2005 guidance was itself an update of an earlier document issued by the FFIEC in 2001.
Recommendations for organizations
The FTC issued its own report on the matter, "Security in Numbers: SSNs and ID Theft," in December 2008. An outgrowth of the FTC's participation in the President's Identity Theft Task Force, the report was intended to explore the relationship between SSNs and identity theft and recommend "approaches that would preserve the SSN's beneficial uses while curtailing its availability and value to identity thieves." On the threat itself, the report notes that "criminals obtain the SSNs of victims they impersonate and use them to facilitate the opening of new accounts, gain access to existing accounts, commit medical identity theft, seek employment, and obtain government benefits."
This description of the scope of the risk, according to Kellogg, underscores the seriousness of the problem. "With a person's SSN, criminals can not only steal the victim's money but also defraud businesses and government agencies," he says. "It's much more troublesome than having someone steal your PIN."
Of the five recommendations in the report, the first is "Improve Consumer Authentication." Reasons Lefkovitz, "If we can move away from using SSNs as authenticators, they will have less value to criminals." The second recommendation is "Restrict the Public Display and the Transmission of SSNs." This means that organizations should discontinue the practice of putting employees' or customers' SSNs on ID badges, statements, pay stubs, applications, or documents sent through the mail. (It's worth noting that, since December 2005, it has been illegal for states to print a person's SSN on driver's licenses, state ID cards, or motor-vehicle registrations.)
Taken together, the first two recommendations seek to restrict both the supply of and demand for SSNs by criminals. The next three cover the need for establishing national standards for data protection and notification of data breaches, conducting outreach to businesses and consumers, and sharing information and best practices on the safe use and secure storage of SSNs.
Rising awareness prompts gradual change
Thanks to the FFIEC guidance, the FTC report, and the publicity generated by the Carnegie Mellon research, there has been broader awareness of the misuse and overuse of SSNs, and with this awareness change is coming, according to Lefkovitz. "We talk to a lot of businesses and many of them are trying to either use randomly generated numbers or other workarounds," she says. "Health insurers and universities are changing their policies to reduce their reliance on SSNs, and the Department of Defense no longer uses them as a military ID."
Kopchik concurs. "It was common several years ago for consumers to be required to use their Social Security number as the logon ID for an Internet banking system," he says. "Today, that is quite uncommon, and a vast majority of financial institutions not only have been complying with the FFIEC guidance, but also have told us that they believe the guidance ultimately is good for them because it levels the playing field while also protecting their customers."
Because of the size of some organizations, institutions, and government agencies, and the presence of large legacy systems, it will be a costly and lengthy process for them to change, and the move away from SSNs may never be universal. But in the meantime, how can consumers protect themselves? Lefkovitz recommends they be inquisitive when asked for their SSNs. "Some forms require it but on others, it's optional," she says. "Given a choice, don't provide it. Some agencies, such as the IRS, are mandated by law to obtain SSNs, but other organizations may accept a customer's refusal."
The best advice, then, is to ask questions and to be aware of how and when you're using your SSN and whom you're giving it to. No two people in the U.S. have the same SSN, so it's incumbent on everyone to protect theirs as best they can.