After the Equifax data breach and so many other data breaches in the past year alone, it’s enough to make you squeamish every time you use your social security number. Those digits are precious, and the prime target of identity thieves.
Identity theft is touching everybody: if not you, then somebody close to you. There are plenty of stories out there. The 2017 Identity Fraud study by Javelin Strategy & Research found that the identity theft fraud incidence rate increased by 16%, a record high since Javelin Strategy & Research began tracking identity fraud in 2003. The study found that despite the efforts of the industry, fraudsters successfully adapted to net two million more victims this year with the amount fraudsters took rising by nearly one billion dollars to $16 billion.
The stats are scary. Experts are debating doing away with social security numbers.
“Reducing use of SSNs of course makes identity theft less likely. It makes linking files of personal information in different databases more difficult. This is one reason consumer and privacy advocates endorse the idea. It gives dignity to individuals who want to be known as a person, not a number. I have researched and written for decades on this subject, also compiled descriptions of alternatives to SSNs – at a time when MasterCard is phasing out use of signatures! Many agencies are prohibited from using SSNs; they have found ways to do without it,” says Robert Ellis Smith, publisher of the Privacy Journal.
Getting rid of social security numbers is more than a notion though. “It is very easy to get deep into the weeds with this conversation. The social security number is so integrated into our identities, to completely remove it would at this point be almost impossible,” says Robert Siciliano, an identity theft expert with Hotspot Shield. What’s his solution? “Currently the social security number functions more as a password, than as a username. If we can shift the social security number more towards the username, which is a known, and the password being a biometric (something the user is), or a smart card (something the user has), or both as multi-factor authentication, then social security numbers can effectively stay as-is, but repurposed.”
Greg Scott, an IT and security expert with Infrasupport, says the solution is not getting rid of social security numbers. “But we need to go back to using SSNs for their original intended purpose and stop pretending they’re private. Even though my SSN was always a bad authenticator, it still serves an important purpose – it identifies me,” he says.
He contends that the fundamental problem with the credit reporting system is not social security numbers. “The problem is, consumers are raw material to the credit reporting agencies (CRAs) and not customers. Creditors are CRA customers and CRAs are accountable to them. We need to change the system to work like a game of rock-paper-scissors, where all three parties are accountable to the others, creating natural checks and balances.”
How would this work? “Use public key cryptography, the same technology we use every day to buy goods and services over the internet. Public key cryptography uses an algorithm that encrypts with one key and decrypts with another key. Declare one key public, keep the other one private. When a creditor wants to send in a report on me, they encrypt it with my public key. CRAs keep this public key as another field about me. Anyone can look it up. It’s public. So, the creditor sends in the report on me, encrypted with my public key and the CRA stores it,” says Scott.
Later on, perhaps he decides to finance a nicer car and needs to borrow more money. “Naturally, the next creditor wants to find out if I’m a good credit risk. So, the creditor runs a credit report. The encrypted report comes back, and I have to decrypt it with my private key. Nobody but me has my private key. Which means, anyone who wants to decrypt my credit report needs me. Somebody pretending to be me will fail because they don’t have my private key.”
You may be wondering about credit scores. After all, if that data is encrypted, the CRAs won’t know what’s in it. How do they calculate your credit score?
Scott has an answer for that. “Simple – they make me part of the process. It is my credit score, after all. I could say no. I could choose not to participate. And then I face the consequences. No credit score, probably no credit. The system is better for everyone when I’m part of it instead of a victim of it. When we give consumers more responsibility, that means consumers need to step up and accept it.”
Today’s cryptographic keys are 512 or even 1024 bits. A 1024-bit number has 304 digits. Scott says, “To make this work, we need a tool for the average consumer to store this key and a means to retrieve it. The easiest choice – protect it and encrypt it with a passphrase. Memorize the passphrase – the key to the key – and not the key itself. There are lots of ways to make that happen. Note that a passphrase is different than a password. Passphrases are easier to remember than passwords and more secure.”
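The flow Scott describes (a creditor encrypting to the consumer's public key, the CRA storing only ciphertext, and a passphrase protecting the private key) can be walked through with the OpenSSL command line. This is an added example, not code from Scott or the article; the file names, passphrase, sample report, and the choice of a 2048-bit RSA key with OAEP padding are assumptions of the example.

```sh
#!/bin/sh
# Added illustration; paths, passphrase and report text are constructed.
WORK=$(mktemp -d) && trap 'rm -rf "$WORK"' EXIT

# Consumer: create a key pair. The private key is written to disk encrypted
# under the passphrase, which is passed via the environment rather than argv.
make_consumer_key() {
    KEYPASS="$1" openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass env:KEYPASS -out "$WORK/consumer_priv.pem" 2>/dev/null &&
    KEYPASS="$1" openssl pkey -in "$WORK/consumer_priv.pem" -passin env:KEYPASS \
        -pubout -out "$WORK/consumer_pub.pem" 2>/dev/null
}

# Creditor: encrypt a report with the consumer's public key. The output file
# stands in for what the CRA stores. RSA-OAEP only fits a short record; a
# full-size report would need hybrid encryption (RSA wrapping a symmetric key).
creditor_submit() {
    printf '%s' "$1" | openssl pkeyutl -encrypt -pubin \
        -inkey "$WORK/consumer_pub.pem" -pkeyopt rsa_padding_mode:oaep \
        -out "$WORK/cra_record.bin" 2>/dev/null
}

# Consumer: decrypt the stored record. Fails (non-zero exit, no output) when
# the passphrase cannot unlock the private key.
consumer_open() {
    KEYPASS="$1" openssl pkeyutl -decrypt -inkey "$WORK/consumer_priv.pem" \
        -passin env:KEYPASS -pkeyopt rsa_padding_mode:oaep \
        -in "$WORK/cra_record.bin" 2>/dev/null
}

# Stand-alone demo run with constructed values.
make_consumer_key 'demo passphrase only' &&
creditor_submit 'acct=constructed-000 status=current' &&
echo "consumer reads: $(consumer_open 'demo passphrase only')"
consumer_open 'not the passphrase' >/dev/null || echo "wrong passphrase: decryption refused"
```

The stored private key file begins with `-----BEGIN ENCRYPTED PRIVATE KEY-----`, so a copy of the file alone is not enough to read a report; the passphrase is still required.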
He's thought through what happens if you lose your passphrase or the private key it protects. “Well, then my credit history is gone. But, maybe I have a few bankruptcies and don’t pay my bills, maybe I want it gone. That’s not good. Who holds the consumer accountable? There are a few ways to handle this. Maybe as part of borrowing money, creditors demand a copy of my private key as collateral, until I pay off the loan. Or maybe banks could offer a private key guardian service as an add-on when I open an account. And maybe demand I have one in place before offering me credit.”
And what if the bank or creditor gets hacked and somebody steals your private key? Aren’t you in the same world of hurt as right now, after the Equifax breach? Says Scott, “Well, no, because we can always rekey and change passphrases. And in fact, as computers become more powerful, we probably will re-key. We can never change social security numbers, which was a big problem with them in the first place.”