Modernizing the Social Security number system could help tackle one of the most daunting challenges in online security: authenticating the identity of who — or what — is actually trying to access services or buy products.
That may sound counterintuitive since fraud involving these numbers is spiraling upward so quickly that the Social Security Administration recently opened three new units to deal with the issue.
The Federal Trade Commission and regulators in California, which now has the nation’s toughest data privacy and security rule, have put added weight on cyber crimes involving Social Security numbers. That hasn’t really translated into new security, as experts say a majority of the numbers are now floating around the “Dark Web,” ready for illicit uses.
But a report, “Modernizing the Social Security Number,” written by the Center for Strategic and International Studies’ James Lewis, asserts that “Modernizing the SSN gives the U.S. an opportunity to fix one of the Internet’s most pressing problems: authentication.”
“Modernizing the SSN may require new legislation and funding, but it is the step towards better authentication most likely to succeed,” the report states.
Any legislation seems a ways off, although House Ways and Means Social Security subcommittee Chairman Sam Johnson, R-Texas, embraced the report at a CSIS event last week that featured Lewis and McAfee vice president and chief technical strategist Candace Worley.
“Given all the ways we use Social Security numbers, it’s no wonder they are a valuable target for identity thieves. But if we want to keep up with identity thieves, we also need to make these numbers less useful to fraudsters in the first place,” Johnson said in a statement.
“That starts by changing how we use them,” he added. “These numbers are valuable because they’re used to both identify someone and to prove their identity. This practice doesn’t make sense, but it’s been going on for years. We need to break this link between identification and authentication.”
Some parties in the online security dialogue want to eliminate the Social Security number as a central form of identification, but the new CSIS-McAfee report attempts to take advantage of the ubiquity of the SSN and turn it into a strength rather than a vulnerability.
CSIS’s Lewis is a leading national voice on cybersecurity strategic issues and noted author of playbooks on cyber policy drafted for incoming presidents. McAfee develops cybersecurity products and services for government and private-sector customers, and has been closely involved in numerous government-industry cyber collaborations.
Worley said in an interview that the report envisions “leveraging something people know, their Social Security card, and something they are getting used to in ‘smart cards’ in a way that allows them to move to a new approach.”
She said this would involve “significant government involvement,” best carried out in a collaborative process with the private sector. “Bringing together government and industry in a consortium may be the best way to get it done and get the best outcome.”
Implementation would also probably require legislation in some areas, she said.
Overall, she said, the new approach has to be consumer- and commerce-friendly, protect privacy, be scalable, and able to adjust to new technologies.
The report discusses opportunities presented by blockchain technology, mobile apps and biometric identifiers, among other possibilities.
“The goal for modernization should be to rebuild the SSN system as the foundation for online authentication of identity and to create a path for the private sector to develop authentication apps that are anchored in a modernized, digital SSN,” according to the report. “The first step is to replace the paper social security card with a ‘smart card,’ a plastic card with an embedded chip, like the credit cards most of us carry.
“We can identify four core principles to guide SSN modernization: It must preserve the SSN’s ability to link multiple records to the same individual. It should allow for replacement when a SSN has been compromised. It should be a first step towards stronger online authentication in the United States and take advantage of advances in technologies for data storage, processing, and connectivity. It should be done in a way that minimizes costs (including transition costs) and complexity for taxpayers.”
The CSIS-McAfee report stresses, “Focusing on the SSN as a core component of online identity, rather than trying to build some new overarching system for identity management, can help avoid some of the problems that undercut previous federal attempts to improve online identity.”
The report writers said they did not consider a national ID as an option. “While a national ID is the preferred solution of almost all other countries for online digital authentication of identity, we have discounted it for the United States given the vociferous opposition from privacy groups that has greeted this idea in the past.”
Many objections to “a national ID are frivolous,” the report says, pointing out “that the SSN is already a database of all Americans. … But the fundamental objection is that a national ID leads to the ‘slippery slope of surveillance.’”
Policymakers for years have tiptoed around the fact that Social Security numbers are a key tool being employed by hackers, mindful in some cases that the discussion could become politicized quickly and move away from the critically important issue of security.
And even getting past that political threshold question, Worley asked, “Will it be difficult for consumers? Will it ‘break’ what we’re doing now? We need to consider who would be responsible for fraudulent uses — but we need to consider that today anyway.”
The key, she said, “is how do we engage the populace that this transition to a Social Security ‘smart card’ will help you sleep better?”