Telecommunications company T-Mobile confirmed last month that hackers gained access to 54 million users’ personal data, including names, addresses, dates of birth and—perhaps worst of all—social security numbers. The latter are a big score for identity thieves because they can be used to unlock financial services, government benefits and private medical information.
This is only the latest major data breach to expose such identifying information on a massive scale, rendering hundreds of millions of Americans more vulnerable to identity theft. To stem the problem, some experts are calling for an end to social security numbers, suggesting we should replace them with some other—and less inherently vulnerable—way of proving one’s identity. But security experts think the government does not need to entirely do away with them. Instead the organizations that use social security numbers as proof of identity must start requiring more than a single form of ID.
The Federal Trade Commission recorded 1.4 million reports of identity theft in 2020, and that year such fraud cost victims an estimated $56 billion, according to financial consulting firm Javelin Strategy & Research. Identity thieves might use a variety of information to impersonate individuals, but one of the best keys for accessing money is the social security number, or SSN. This string of nine digits, which the federal government started issuing in 1936, was originally assigned to people simply to determine their social security benefits.
“It was not set up to be this universal, unique identifier,” explains Eva Velasquez, president and CEO of the Identity Theft Resource Center, a nonprofit organization that supports victims of such crimes. But eventually, the lifetime number became a convenient way for people to apply for credit cards, student loans, mortgages and other lines of credit—among other services. “Often [SSNs can be used to] get medical goods or services, and that includes prescriptions, durable medical equipment and things of that nature,” Velasquez says. “And then, of course, [they are used to apply for] government benefits: things like unemployment, SNAP [Supplemental Nutrition Assistance Program] benefits, aid to families with dependent children.” Access to such a wide range of assets makes the numbers a prime target for hackers.
With tens of millions of SSNs now exposed by data breaches, a number of politicians and security experts have called for companies to phase out the use of these identifiers. In 2017 Rob Joyce, then cybersecurity coordinator at the White House and now director of cybersecurity at the National Security Agency, suggested replacing the social security number with a harder-to-crack option: a much longer string of characters known as a cryptographic key. But any lone number, whether it has nine digits or 100, could still be stolen from a repository and shared online. “As soon as you develop or create another static, unique identifier, it’s just going to be another number that you issue to everyone,” Velasquez says. “Then that becomes valuable to the thief, so they will target the systems that have that data.”
Modern technology has enabled other ways to verify identity: A password manager can generate a long, hard-to-guess password for each account, and this type of program often makes it easy to change those passwords in the event of a data breach. A USB key can be plugged into a computer to authenticate its owner. Biometric information, such as a fingerprint or face, can be scanned by a smartphone. But experts do not recommend replacing the social security number with any one of these methods alone; the most secure option is to protect identity with multiple factors. “Instead of focusing our security risks on this single data point, we need to develop these more holistic and multilayered approaches to identity management,” Velasquez says. “So if any one or two elements of that identity are compromised, it doesn’t compromise the entire identity.”
The practice of proving one’s identity by providing a fact one knows, such as a social security number, is called knowledge-based authentication, or KBA. And it is extremely vulnerable to hackers because all they need to impersonate someone is to steal that particular tidbit of knowledge, explains Rachel Tobac, an ethical hacker and CEO of SocialProof Security, an organization that helps companies spot potential vulnerabilities to cyberattacks. “For instance, it can be solicited out of you and stolen by a social engineer. It can be involved in a breach and dumped publicly online when a company that you trust with your KBA … [is] hit with a cyberattack,” she says. Some types of KBA, such as birthdays or mothers’ maiden names, may even appear on social media for anyone to find. Technically, a password is another form of KBA, Tobac adds—but if a password is stolen, it can be reset. “I can’t just go ahead and change my birthday, my social security number, my address every time a Web site or an institution that I trust with that information has a cybersecurity incident,” she points out.
For effective multifactor authentication, or MFA, it is not enough to simply require two or more pieces of knowledge. After all, breaches like the recent one at T-Mobile release a variety of data about each victim. Instead, Tobac says, the other factors should come from a different source: something you have or something you are. The former category might include a physical USB key or a even a phone, which can receive a text message with a unique one-time code. The latter category encompasses physical traits, which can be measured by biometric scans. For instance, a multifactor authentication process might require a person to enter their social security number and follow up with a code word texted to their phone. Another version might involve them entering a password and then scanning their fingerprint.
Not even multifactor authentication provides perfect security, though. A determined hacker might use a SIM-swapping technique to transfer your phone number to another device, allowing them to intercept the text message that was supposed to provide a second layer of security. A biometric scan can be fooled. But by requiring multiple forms of authentication, a system creates a lot more friction for malicious actors. “I can’t sit here and tell you that this method is going to be 100 percent fail-safe,” Tobac says. “But for most people, with most threat models, it’s going to stop the attackers.”
Despite its strength, multifactor authentication is far from being universally required. Some credit bureaus, customer support hotlines, government accounts and other services continue to rely on simple knowledge-based authentication such as a social security number. But the more secure approach is gradually becoming more popular. “We’re already on that track. We’re seeing movement in that direction,” Velasquez says, pointing out that the U.S. federal government, financial industry and tech companies are beginning to require multiple layers of authentication. Tobac agrees. “I can see that the wheels are turning. They’re not turning fast enough, but they are turning,” she says. “And I think we have to continue to put pressure on the companies that we all rely on to protect our data, our security, our privacy, to move from KBA to MFA flow.”