Internet Insecurity

More Like Social Insecurity Number, Amirite?

BURN THE SSN.

Image: Shutterstock / Composition: Jason Koebler

We've all known Social Security numbers were pointless as security devices ever since the LifeLock guy was brutally owned over and over for putting his own social on a damn drive-around billboard, but now they're dead forever. Rest in peace! Also, why did you exist?

This is where we're supposed to go into the long history of how, in 1936, the US government decided that every American would be assigned a nine-digit number "for the sole purpose" of tracking their earning history. In the absence of a national ID system, the SSN became a de facto identifier, even though it was never designed as such. Blah, blah, blah. Thursday, Equifax, a credit monitoring and security company, got hacked (who will protect the protectors?). 143 million SSNs were exposed, which is nearly half of Americans if you're keeping count. This must be—it has to be—the final nail in a coffin that should have been burned or buried years ago.

"I believe that legislation to limit the collection and use of the SSN is appropriate, necessary, and fully consistent with US law. I also believe that if Congress fails to act, the problems that consumers will face in the next few years are likely to increase significantly.

It is important to emphasize the unique status of the Social Security Number in the world of privacy. There is no other form of individual identification that plays a more significant role in record-linkage and no other form of personal identification that poses a greater risk to personal privacy."

This is testimony given to Congress sixteen years ago by Marc Rotenberg, the executive director of the Electronic Privacy Information Center. Since 2001, Rotenberg and other privacy experts have been shouting about the SSN-pocalypse. Shoulda listened to Marc!

Reached by email today, 16 years after his testimony, Rotenberg told us: "SSN. The eternal privacy issue."

"Too many organizations continue to rely on the SSN as an identifier," he said. "And the fact that Experian—a company that advises consumers and companies on how to deal with ID theft—got hacked is beyond belief."

Huge numbers of SSNs have been hacked, leaked, or otherwise mishandled in major data breaches at Equifax, Experian, the Office of Personnel Management, the Kansas Department of Commerce and others.


Given that half of all Americans' SSNs are not secret anymore, what's the point of treating SSNs as secret, unique identifiers? As former Motherboard managing editor Adrianne Jeffries explained after her SSN was hacked in the Experian breach in 2015, the way we use SSNs for identification purposes is stupid:

"It's possible to set up a fraud alert or credit freeze with the three credit bureaus to prevent the first two scenarios, and you can call the IRS and file early to guard against the second.

I'm worried about all the companies that use my Social Security number as authentication. You know, like when you call the bank, and they say is this really you, and you say yes of course, and they say what's your address (included in the breach) and what are the last four digits of your Social (included in the breach), and then they say, fantastic, how may I help you? Except this time it's a thief."

SSNs were never designed to be secure. We should stop pretending they are, because they're not and haven't ever been. Burn the SSN.

"With [the Equifax] compromise, and the OPM one, at this point it's easier for attackers to prove they're 'you' than you can," a security consultant who goes by the name Munin wrote in a tweet.

You may think it doesn't matter that your SSN could be floating around out there. Let's check in with our man Todd:

Screengrab: Wired.com