After Equifax, Is Getting Rid of Social Security Numbers a Good Idea?


After the Equifax data breach and so many other data breaches in the past year alone, it’s enough to make you squeamish every time you use your social security number. Those digits are precious, and the prime target of identity thieves.

Identity theft touches everybody: if not you, then somebody close to you. There are plenty of stories out there. The 2017 Identity Fraud study by Javelin Strategy & Research found that the identity theft fraud incidence rate increased by 16%, a record high since Javelin Strategy & Research began tracking identity fraud in 2003. The study found that despite the efforts of the industry, fraudsters successfully adapted to net two million more victims this year, with the amount fraudsters took rising by nearly one billion dollars to $16 billion.

The stats are scary. Experts are debating doing away with social security numbers.

“Reducing use of SSNs of course makes identity theft less likely.  It makes linking files of personal information in different databases more difficult.  This is one reason consumer and privacy advocates endorse the idea.  It gives dignity to individuals who want to be known as a person, not a number.  I have researched and written for decades on this subject, also compiled descriptions of alternatives to SSNs – at a time when MasterCard is phasing out use of signatures!  Many agencies are prohibited from using SSNs; they have found ways to do without it,” says Robert Ellis Smith, publisher of the Privacy Journal.

Getting rid of social security numbers is more than a notion though. “It is very easy to get deep into the weeds with this conversation. The social security number is so integrated into our identities, to completely remove it would at this point be almost impossible,” says Robert Siciliano, an identity theft expert with Hotspot Shield. What’s his solution? “Currently the social security number functions more as a password, than as a username. If we can shift the social security number more towards the username, which is a known, and the password being a biometric (something the user is), or a smart card (something the user has), or both as multi-factor authentication, then social security numbers can effectively stay as-is, but repurposed.”

Greg Scott, an IT and security expert with Infrasupport, says the solution is not getting rid of social security numbers.  “But we need to go back to using SSNs for their original intended purpose and stop pretending they’re private.  Even though my SSN was always a bad authenticator, it still serves an important purpose – it identifies me,” he says.

He contends that the fundamental problem with the credit reporting system is not social security numbers. “The problem is, consumers are raw material to the credit reporting agencies (CRAs) and not customers. Creditors are CRA customers and CRAs are accountable to them.  We need to change the system to work like a game of rock-paper-scissors, where all three parties are accountable to the others, creating natural checks and balances.”

How would this work? “Use public key cryptography, the same technology we use every day to buy goods and services over the internet.  Public key cryptography uses an algorithm that encrypts with one key and decrypts with another key.  Declare one key public, keep the other one private.  When a creditor wants to send in a report on me, they encrypt it with my public key.  CRAs keep this public key as another field about me.  Anyone can look it up.  It’s public.  So, the creditor sends in the report on me, encrypted with my public key and the CRA stores it,” says Scott.

Later on, perhaps he decides to finance a nicer car and needs to borrow more money.  “Naturally, the next creditor wants to find out if I’m a good credit risk.  So, the creditor runs a credit report.  The encrypted report comes back, and I have to decrypt it with my private key.  Nobody but me has my private key.  Which means, anyone who wants to decrypt my credit report needs me.  Somebody pretending to be me will fail because they don’t have my private key.”

You may be wondering about credit scores. After all, if that data is encrypted, the CRAs won’t know what’s in it. How do they calculate your credit score?

Scott has an answer for that. “Simple – they make me part of the process.  It is my credit score, after all.  I could say no.  I could choose not to participate.  And then I face the consequences. No credit score, probably no credit.  The system is better for everyone when I’m part of it instead of a victim of it. When we give consumers more responsibility, that means consumers need to step up and accept it.”

Today’s cryptographic keys are 512 or even 1024 bits.  A 1024-bit number has 304 digits.  Scott says, “To make this work, we need a tool for the average consumer to store this key and a means to retrieve it. The easiest choice – protect it and encrypt it with a passphrase.  Memorize the passphrase – the key to the key – and not the key itself. There are lots of ways to make that happen. Note that a passphrase is different than a password. Passphrases are easier to remember than passwords and more secure.”

What happens if you lose your passphrase or the private key it protects? He has thought that through. “Well, then my credit history is gone.  But, maybe I have a few bankruptcies and don’t pay my bills, maybe I want it gone.  That’s not good. Who holds the consumer accountable? There are a few ways to handle this.  Maybe as part of borrowing money, creditors demand a copy of my private key as collateral, until I pay off the loan.  Or maybe banks could offer a private key guardian service as an add-on when I open an account.  And maybe demand I have one in place before offering me credit.”

Or what about the scenario if the bank or creditor gets hacked and somebody steals your private key?  Aren’t you in the same world of hurt as right now, after the Equifax breach?  Says Scott, “Well, no, because we can always rekey and change passphrases.  And in fact, as computers become more powerful, we probably will re-key.  We can never change social security numbers, which was a big problem with them in the first place.”
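
Scott's scheme (a creditor seals a report to the consumer's public key, the consumer opens it with a passphrase-protected private key, and the consumer can rekey) can be sketched with Node's built-in crypto module. This is an added example, not code from the article or from Scott; the function names, the record layout, the 2048-bit key size and the hybrid RSA-OAEP plus AES-GCM construction are assumptions, and the sample report is constructed.

```javascript
const crypto = require('crypto');

// Consumer: RSA key pair; the private key PEM is encrypted under a passphrase.
function newConsumerKey(passphrase) {
  return crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase },
  });
}

// Creditor: RSA-OAEP wraps a random AES-256-GCM key (hybrid; an assumption here).
function sealReport(publicKeyPem, report) {
  const key = crypto.randomBytes(32), iv = crypto.randomBytes(12);
  const aes = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([aes.update(JSON.stringify(report), 'utf8'), aes.final()]);
  const wrappedKey = crypto.publicEncrypt({ key: publicKeyPem, oaepHash: 'sha256' }, key);
  return { wrappedKey, iv, body, tag: aes.getAuthTag() };
}

// Consumer: unwrap and decrypt; null on wrong passphrase, wrong key or tampering.
function openReport(privateKeyPem, passphrase, sealed) {
  try {
    const unwrap = { key: privateKeyPem, passphrase, oaepHash: 'sha256' };
    const key = crypto.privateDecrypt(unwrap, sealed.wrappedKey);
    const aes = crypto.createDecipheriv('aes-256-gcm', key, sealed.iv);
    aes.setAuthTag(sealed.tag);
    const plain = Buffer.concat([aes.update(sealed.body), aes.final()]);
    return JSON.parse(plain.toString('utf8'));
  } catch (err) {
    return null;
  }
}

// Rekey: open each stored record with the old key, re-seal it to the new public key.
function rekey(records, oldPrivatePem, oldPassphrase, newPublicPem) {
  return records.map((sealed) => {
    const report = openReport(oldPrivatePem, oldPassphrase, sealed);
    if (report === null) throw new Error('old key cannot open a stored record');
    return sealReport(newPublicPem, report);
  });
}

// Constructed sample: one report from a made-up creditor.
function demo() {
  const oldPass = 'correct horse battery staple', newPass = 'a different long passphrase';
  const consumer = newConsumerKey(oldPass), impostor = newConsumerKey('impostor passphrase');
  const stored = [sealReport(consumer.publicKey, { creditor: 'Example Auto Finance', status: 'paid' })];
  const fresh = newConsumerKey(newPass);
  const rekeyed = rekey(stored, consumer.privateKey, oldPass, fresh.publicKey);
  return {
    owner: openReport(consumer.privateKey, oldPass, stored[0]),
    wrongPassphrase: openReport(consumer.privateKey, 'guess', stored[0]),
    impostor: openReport(impostor.privateKey, 'impostor passphrase', stored[0]),
    oldKeyAfterRekey: openReport(consumer.privateKey, oldPass, rekeyed[0]),
    newKeyAfterRekey: openReport(fresh.privateKey, newPass, rekeyed[0]),
  };
}
const DEMO = demo();
console.log(DEMO);
```

Rekeying only protects the copies the CRA stores afterwards: any ciphertext copied before the rekey can still be opened with the old private key.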

Comments
MadameX | Comment #1
Once you give out your private key, it's not private anymore. In order for this three-party scheme to work, the ability to change the private key is necessary.

That's why I don't unfreeze my credit for a specific party. In order to do that I have to provide my credit agency PIN.

Once you give that to a third-party, you've lost control of where it goes. So, when I unfreeze my credit, I just do it for the shortest time period possible.

I used to worry about entering my SS# for opening new accounts online. Well, thanks to Equifax, you can just assume that your SS# is public information.

What me worry?

PS

To stick it to these credit agencies everyone should freeze their credit and opt-out of everything possible.

To stick it to the banks, join a credit union!
CommonCents | Comment #2
Actually, I think getting rid of Equifax would be a better idea.
Att | Comment #3
If you currently have a security freeze on your credit file and would like to temporarily lift it for a creditor there are two options:

You may request a temporary lift for a specific credit grantor, or
You may request a date range lift for a specific period of time, ranging from 1 day to 1 year.
The easiest and fastest way to lift a security freeze on your Equifax credit file is via our online process found at the following link:

https://www.freeze.equifax.com
Att | Comment #4
You don't have to release your pin to anyone accessing your credit report.
george | Comment #5
Personal info should be treated as if they were public info. We also need to bring back notaries for proper id checks. Also, "Ink on paper" signatures are difficult to forge exactly.
slovokia | Comment #6
There is a much simpler way to do this. Establish a central web site that all credit reporting agencies must use. Let each American establish a single account at that central web site that they will use to control access to their credit. When a person wants to apply for credit they can request a one time use access code from the website and in turn give that one time use code to the lender / bank they wish to do business with. The lender can use that code to obtain credit information on that consumer once from the credit reporting agency of their choice. If the lender decides to grant credit, that code gives them permission to send credit data for that consumer back to the credit reporting agency. These one time use codes could be set up to automatically expire after a certain amount of time - i.e. they cannot be used to grant credit after their expiration date.

A lender would not be able to legally claim a debt against a consumer without proving that the consumer provided them a valid credit access security code at the time of the loan.

While the above system is not perfect, it is far better than what we have now. A refinement to the system would be to have a credit report access code and then a separate credit granting code.
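
The one-time code scheme in the comment above, including its refinement of separate report-access and credit-granting codes, sketched as an added example that is not part of the original comment. The class, method and field names, the 128-bit code length and the in-memory store are assumptions, and the consumer and lender ids are constructed.

```javascript
const crypto = require('crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');

// Hypothetical central registry; it keeps only a hash of each code, so a leak
// of the registry's table does not hand out usable codes.
class AccessCodeRegistry {
  constructor() {
    this.codes = new Map(); // sha256(code) -> { consumerId, scope, expiresAt, usedBy }
  }

  // Consumer requests a code. scope is 'report' (read the file once) or
  // 'grant' (report a new account back to the agency once).
  issue(consumerId, scope, ttlMs, now = Date.now()) {
    if (scope !== 'report' && scope !== 'grant') throw new Error('bad scope');
    const code = crypto.randomBytes(16).toString('hex');
    this.codes.set(sha256(code), { consumerId, scope, expiresAt: now + ttlMs, usedBy: null });
    return code;
  }

  // Lender presents the code. Every failure path leaves the record unchanged.
  redeem(code, lenderId, scope, now = Date.now()) {
    const rec = this.codes.get(sha256(String(code)));
    if (!rec) return { ok: false, reason: 'unknown-code' };
    if (rec.scope !== scope) return { ok: false, reason: 'wrong-scope' };
    if (now >= rec.expiresAt) return { ok: false, reason: 'expired' };
    if (rec.usedBy !== null) return { ok: false, reason: 'already-used' };
    rec.usedBy = lenderId;
    rec.usedAt = now;
    return { ok: true, consumerId: rec.consumerId };
  }

  // Dispute check: did this lender redeem a valid grant code from this consumer?
  provesConsent(code, lenderId, consumerId) {
    const rec = this.codes.get(sha256(String(code)));
    return Boolean(rec && rec.scope === 'grant' &&
      rec.usedBy === lenderId && rec.consumerId === consumerId);
  }
}

// Constructed walk-through with made-up consumer and lender ids.
function demo() {
  const reg = new AccessCodeRegistry();
  const t0 = 1000000, day = 86400000;
  const reportCode = reg.issue('consumer-1', 'report', day, t0);
  const grantCode = reg.issue('consumer-1', 'grant', day, t0);
  return {
    first: reg.redeem(reportCode, 'lender-A', 'report', t0 + 1),
    replay: reg.redeem(reportCode, 'lender-B', 'report', t0 + 2),
    crossScope: reg.redeem(reportCode, 'lender-A', 'grant', t0 + 3),
    late: reg.redeem(grantCode, 'lender-A', 'grant', t0 + day),
    disputed: reg.provesConsent(grantCode, 'lender-A', 'consumer-1'),
  };
}

const DEMO = demo();
console.log(DEMO);
```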
rav | Comment #7
I like Greg Scott's suggestion. Another simpler option if we can't get that is to add a separate PIN for our SSNs that only we know and only the Social Security Administration (SSA) can authenticate/change. It won't be as good as Scott's suggestion, but at least it would no longer allow anyone to access nearly all of our financial accounts without a code that we can control ourselves. Anyway, if you want more security over your information, please let your elected federal representatives know! You can just tell them that, or also provide a suggestion like Scott's or an SSN PIN. Thanks.
Martin | Comment #8
I did read all of the suggestions, however, you are all forgetting uncle Sam and his brothers (NSA, IRS, FBI, CIA, and so on), they need 24/7 surveillance on all of us and live (instant) reports updated to the last second. If a rogue employee accesses your file and wants some info, your keys, passwords, freezes, controlled access and so on are irrelevant.
Our credit files belong to higher authorities and what we are trying to do is put a see through veil and pretending we are saved from hackers, it is not going to happen. The government will never let us control our personal info, that info became public and then becomes confiscated by the people we pay their salaries.
I said this, because I have seen what is inside a credit file on a person pulled from a local police station, it contains a dossier on all of our activities, from birth to the last minute, including, purchases, salaries, commissions, travel, real estate, property, utility and other taxes, current and paid for, automobiles present and all past owned, traffic tickets, arrests, civil and criminal lawsuits and the list can go on to 50 or more tightly printed pages and at the bottom line is your score as grade of your achievements or failures in our life.

The wishes of the people are irrelevant, we are just a number in a file. Presently the SS# is used for tracking and with the suggestions in progress, it will just be cross referenced to any other number or password or key and it will make no difference to them, they can just punch the SS# and your own file will just pop up on their screens together with your supposedly saved secure keys and passwords.
The suggestion by others and the credit bureaus are just a PR stunt to make the breach go away without consequences to them.
The people who have absolute right to our credit files, will never relinquish their power.
Bogie | Comment #9
Well stated, Martin.

Our social security numbers have become national I.D. numbers which allows our government agencies to track all our financial and business transactions along with practically all our movements and everything else you stated. We all know how trustworthy the people are that comprise these agencies..................

Credit bureaus should be held more accountable for breaches to their own systems with painful consequences for them. Hit them where it hurts, in their pocket book with monies to be paid to those individuals affected by the breach, not just fines to be lost somewhere in our government's various coffers.
Rosedala | Comment #17
You're SO right however....your post reads more like a TOTAL SURRENDER than trying to see what's the next step to follow to improve this situation... :)
Ann | Comment #21
"I have seen what is inside a credit file on a person pulled from a local police station, it contains a dossier on all of our activities, from birth to the last minute, including, purchases, salaries, commissions, travel, real estate, property, utility and other taxes, current and paid for, automobiles present and all past owned, traffic tickets, arrests, civil and criminal lawsuits and the list can go on to 50 or more tightly printed pages"

That's called a background check, not a credit report/file.
Martin | Comment #23
Ann #21, there are different credit reports coming from a same d-base, depending on the clearance the department or the business is allowed or is accessing it from. The banks are allowed the same file except for the details enumerated above.
There is only ONE d-base (credit file) per person per SS#, what you get out of it depends on the clearances assigned to you. All credit bureaus share the same info. Some sell the data, some must provide it free to the government.
Bogie | Comment #24
That is another sore point with me. Credit bureaus should NOT be allowed to SELL personal data of individuals. Why should they be allowed to make a profit from our personal data?

Only a few specific government agencies should have clearances and access to such personal data without our consent.
Luvcd | Comment #10
New/replacement SS numbers is an option...especially for those that like to negotiate CD rates! Push for a new number!!!! Collect the costs and send a bill to Equifax...and for sure don't use any financial institution that is still using Equifax!
Martin | Comment #11
You can have a million new SS#s if you want, but they all will be connected and referenced to the original SS#, unless you want to become nobody without past and no earned SS credits and no new loans or credit cards or bank accounts or travel documents and nobody will employ you without the past records of your life. In other words, you become an outlaw and thrown out of the society.
Bogie | Comment #14
And have difficulty collecting on old pensions if you were entitled to one. Granted though, pensions plans have become a thing of the past.
Luvcd | Comment #15
Linking is done but bad guys don't do the linking unless/until the next Equifax moment
Rosedala | Comment #18
Oh wow how scary and it's all true!!! You've just given the gist of a Twilight Zone-like episode, lol!
Mario | Comment #12
I wish we could just use SSNs for their intended purpose only: To track individuals' social security earnings.

OK, just to keep things simple, let's also keep using them for tax returns.

But let's stop all the other uses of SSNs that they were never intended to be used for! Credit, health care, schools, utility accounts, etc. etc.!!!
Lrdx | Comment #13
There already exists a tax ID system that is different from SSNs: The IRS issues ITINs as tax identifiers for aliens, immigrants with F1 or H4 visas, etc.

(Granted, it's just a designated range of possible SSN numbers, but that's not hard to change.)
Rosedala | Comment #19
You're right Mario, but...how do you propose for us all to make online purchases and all other uses as you described and more??? Perhaps if we ALL as a single mass refused to use our SS#s for anything whatsoever except for what it was originally intended - tax returns - perhaps there would be a correct amendment?
Ann | Comment #22
"Perhaps if we ALL as a single mass"

Hundreds of millions of Americans aren't going to be doing anything "as a single mass". Especially not something that disrupts the status quo of their day-to-day lives.
Mario | Comment #25
Yes, what I propose is basically not to provide the SSN unless required by law. Some uses of the SSN cannot be avoided - for example, when opening interest-bearing bank accounts, the bank asks for it because it is required to report the interest to the IRS.

Children's SSNs are especially valuable to identity thieves because their misuse can go unnoticed for many years, so I would especially guard a child's SSN. I would even consider not getting a SSN for a child at birth, so you can legitimately claim "N/A" when you are asked to provide your child's SSN (e.g. school, health insurance, your employer). But of course, then you can't file for a personal exemption on your tax return for your child ...
jennifer | Comment #16
I simply adore having a unique number that is just mine.
muthuk | Comment #20
The question is whether commercial interests outweigh prudent practices...technology or innovation is not a problem...it's the commercial/political will that determines how we go from here.
Martin | Comment #26
muthuk #20, well, I will point something to you of why we as Americans are irrelevant and are made collateral and part of the national debt to serve the government only and all our rights as sovereign citizens have been nullified. Please read these facts:

On March 9, 1933, House Joint Resolution No. 192-10 by the 73rd Congress, was voted into law, which is the Emergency Banking Act. This Act declared the Treasury of the United States, ‘Bankrupt’, which is an impossible feat since the U. S. Treasury was secretly closed by the Congress twelve years earlier in 1921. The Emergency Banking Act succeeded in abrogating America’s gold standard and pledged all property found within the United States to the Board of Governors of the Federal Reserve Bank.

All Sovereign American Citizens residing within the Republic of States suddenly and falsely were expatriated from their Sovereign American status without their knowledge or consent and their labor, souls, children, property, sweat equity and credit became the financial collateral for the public debt, which had then been converted into a Public Trust, which had been scripted after the ancient Roman Trusts.
I will not go into details, but you get the picture of why we are considered enemy of the state and cannot be listened to as real people.
Via your state issued Birth Certificate in the name of your all-caps person you are considered to be a slave or indentured servant to the various Federal, State and local governments. This legal maneuver is compounded further when one obtains a driver’s license, marriage license or a Social Security Number. You have no Rights in state-approved birth, marriage, or even death. The state claims the sovereign right to all legal fiction titles it creates.
TechKnow | Comment #27
Blockchain identification