Capital One hack exposed thousands of Social Security numbers. Why are we still using them as ID?

Posted at 3:14 PM, Jul 30, 2019
and last updated 2019-07-30 17:14:08-04

It’s a familiar story: A massive hack, millions impacted, Social Security numbers stolen.

Capital One is the latest company subject to a major breach, in which a hacker gained access to more than 100 million customers’ accounts and credit card applications, including 140,000 Social Security numbers.

Bad actors can use Social Security numbers to steal your identity, open bank accounts, apply for a loan or receive medical care under your name. Many of the biggest hacks in recent years, including those targeting Equifax, insurance company Anthem and the US Postal Service, have left Social Security numbers exposed.

Because these numbers are so closely tied to our identities, it raises the question: Why are we still using Social Security numbers as ID?

In 1936, the Social Security number was introduced to track a worker’s earnings history for benefits, according to the Social Security Administration. Until 1972, the bottom of the card said: “For Social Security purposes — not for identification.”

Social Security numbers have since become one of the only unique, irreplaceable pieces of information that can identify individuals.

“Not everybody has a passport. Addresses change,” said Bob Rudis, chief data scientist at cloud and security firm Rapid7. “There is no central ID, apart from a Social Security number, that is official or can be thought of as the government saying this is actually you.”

Some smaller countries are opting for digital identifiers. Estonia has a unique 11-digit government-issued ID number, along with a physical identification card and PIN codes for added security, starting at age 15. The so-called “eID” can be used for electronic identification and securely transferring data. It also allows Estonian citizens to do tasks such as filing taxes and filling prescriptions online.

“Everyone in the United States could be assigned a digital certificate … that identifies you and helps you authenticate into a bunch of places,” Rudis said.

However, Estonia is a much smaller country than the US. “I just don’t see us having the infrastructure, the will or the impetus as a nation to do something like that,” he added.

Tim Mackey, principal security strategist at Synopsys’ cybersecurity research center, said it’s important for a personal identifier to be replaceable.

“The [SSN] system was never designed around ‘I need to revoke mine and introduce a new one,’” he said. “One of the first attributes [to a new system] would be that we have some sort of method to revoke or replace that digital identifier.”

In Estonia, if a digital identifier is stolen, it can be reported missing and will be immediately suspended, according to Rudis. There are also processes for reissuing a new digital ID.

Biometrics, such as fingerprints, iris scans and facial recognition, are another potential alternative to Social Security numbers as a way to identify ourselves. This type of technology has become more common in recent years, with users regularly unlocking smartphones with fingerprints or facial recognition.

However, Monique Becenti, product and channel specialist at cybersecurity software company SiteLock, said biometric technology is “not advanced enough” yet.

“You can still exploit fingerprints, someone’s facial recognition, and someone’s iris scan,” she said. “You can mimic the data. It’s not impossible to copy someone’s fingerprints.”

And if biometric information is obtained by someone else, it’s not replaceable.

“Biometrics could make things better. The problem is how we end up implementing it,” said Rudis. “If you have a system that’s not that well designed for security … I’d be afraid of the loss of that biometric data to someone else.”