Replacing Social Security Numbers

In the wake of the Equifax break, I've heard calls to replace Social Security numbers. Steve Bellovin explains why this is hard.

Posted on October 5, 2017 at 3:22 PM • 30 Comments

Comments

M. Verhart • October 5, 2017 3:38 PM

I see nothing wrong with using SSN's as a UUID and database primary key. It is a great identifier.

The problem is that it is public information at this point and it is still being used for authentication.

SSN is a great username, it is a terrible password.

whitemute • October 5, 2017 4:04 PM

[Disclaimer: I'm not in the US]
Frankly speaking I don't understand all this noise about SSN being stolen. Almost in every country there is some form of SSN/ITIN and this number is used exactly for the same purpose - as database key. But this information has near to zero value for anybody who can wish to steal it.

If you wish to apply for a loan, credit card, open bank account together with this "SSN" you should provide your ID/passport, and clerk is supposed to check it and make a copy. If you want to identify yourself in the situation described in the article you should provide over the phone number + answer questions on bio data + secret word, etc. Or show ID in the office.
Number itself has no value and can be shared without any fear with anybody who wants to see it. It can be lost, stolen and then you will just apply for another copy.

Just stop using SSN as the only password and you don't have to change anything.

Earl Killian • October 5, 2017 4:18 PM

I think one component of the solution is to replace a single multi-use number with many single-use numbers. Imagine having a card that stores 16384 128-bit random numbers. Each time the card is queried, it gives out the next number. These numbers can be looked up in a database to get actual information (and then marked as not to be used again). To do a lookup, someone would have to have an account with the database provider (which might be the Federal government). Their account would be associated with access rights to the database, limiting what they can query. One query item might be a 128-bit random number to be used as an ID for credit inquiries, for example.

Stealing the credit inquiry ID number stored in a company DB wouldn't do the thief much good, since it is necessary to start the lookup using one of the single-use numbers.
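Earl Killian's single-use-number lookup, as an added Go example that is not part of the original comment. The type names, the account names and the rule that a number is spent as soon as it is presented are assumptions.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
)

// Token is one 128-bit value: a single-use card number or a stored ID.
type Token [16]byte

func randomToken() Token {
	var t Token
	if _, err := rand.Read(t[:]); err != nil {
		panic(err)
	}
	return t
}

// Card gives out its numbers in order, each exactly once.
type Card struct {
	numbers []Token
	next    int
}

func (c *Card) Next() (Token, error) {
	if c.next >= len(c.numbers) {
		return Token{}, errors.New("card exhausted")
	}
	c.next++
	return c.numbers[c.next-1], nil
}

// Registry is the database provider: it maps unused numbers to a person and
// enforces which fields each querying account may read.
type Registry struct {
	unused map[Token]string            // single-use number -> person
	data   map[string]map[string]Token // person -> field -> value
	rights map[string]bool             // "account/field" -> allowed
}

func NewRegistry() *Registry {
	return &Registry{map[Token]string{}, map[string]map[string]Token{}, map[string]bool{}}
}

// Enroll stores a random credit-inquiry ID for the person and returns a card
// loaded with n single-use numbers registered to them.
func (r *Registry) Enroll(person string, n int) *Card {
	r.data[person] = map[string]Token{"credit_id": randomToken()}
	c := &Card{}
	for i := 0; i < n; i++ {
		t := randomToken()
		r.unused[t] = person
		c.numbers = append(c.numbers, t)
	}
	return c
}

// Grant gives an account the right to read one field.
func (r *Registry) Grant(account, field string) {
	r.rights[account+"/"+field] = true
}

// Lookup resolves one field for the holder of a single-use number. The number
// is spent as soon as it is presented, whether or not the query is permitted.
func (r *Registry) Lookup(account string, number Token, field string) (Token, error) {
	person, ok := r.unused[number]
	if !ok {
		return Token{}, errors.New("unknown or already used number")
	}
	delete(r.unused, number)
	if !r.rights[account+"/"+field] {
		return Token{}, errors.New("account may not read " + field)
	}
	return r.data[person][field], nil
}

func main() {
	reg := NewRegistry()
	card := reg.Enroll("person-1", 16384) // card size from the comment
	reg.Grant("lender-A", "credit_id")
	n1, _ := card.Next()
	id, err := reg.Lookup("lender-A", n1, "credit_id")
	fmt.Printf("first use: id=%x err=%v\n", id, err)
	_, err = reg.Lookup("lender-A", n1, "credit_id")
	fmt.Println("replay of the same number:", err)
	_, err = reg.Lookup("lender-A", id, "credit_id")
	fmt.Println("stolen credit ID used as a number:", err)
}
```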

Ted Lapis • October 5, 2017 5:29 PM

Cyber security is as mythical as unicorns, and not as much fun. We are all burglar alarms for the financial industry, that we cannot opt out of, and locks are transient, and don’t automatically renew. This scheme to grow the economy, has gotten out of hand.

mark hutchinson • October 5, 2017 7:12 PM

Would be nice if our ID was entwined with some physical attribute.

Steve B. always says something meaningful.

Dr. I. Needtob Athe • October 5, 2017 7:17 PM

Yes, it'd be nice if our ID was entwined with some physical attribute, like maybe a cryptographic hash of our DNA. Anybody working on that?

justina colmena • October 5, 2017 8:09 PM

"replace" social security numbers? seally?

how about scaling them back to where they belong? social security administration, internal revenue service, and no one else.

bank needs it to make required reports, 1099s, and such to irs, but that is all they need it for and they should not be using it for customer id.

car loan? let's not even go there.

put your foot down, and say "if you're not the ssa or the irs, you simply don't need my social security number!"

it's like that "physical mailing address" asshattery from folks who can't be satisfied with a billing address and a shipping address.

Iggy • October 5, 2017 10:12 PM

This subject touches on a life long peeve of mine. The reduction of my entire being to that of livestock. The SSN, while being pitched to the voting public, was advertised as private and secure and would NEVER be used as an identifier. Within minutes of its rollout that's exactly what it was used for. No one told the voters that they could refuse to give it to anyone who demanded it. But when a doctor implies he won't treat you unless you fork it over, then especially the uninformed and/or unsophisticated and needy would, did and do hand it over without a fight. Most people don't even realize that there is a medical care equivalent of a credit reporting agency that relies on your SSN. This collection entity/cooperative quietly shares your highly personal and readily monetized medical data with those who pay the fee. You are never told.

@M.Verhart: I can't be that cavalier about who knows what about me without me even knowing their names. I do all I can to keep them guessing.

@Bubba Mustafa, amen.

@whitemute. I am a native US citizen, same disclosure. I think it's long overdue for us to throw off the yoke of being assigned an eartag number for the convenience, protection and wealth guarantee of others who proceed to use our info against us. Not for us, but against us. "Just stop using SSN as the only password and you don't have to change anything." Bingo. Add a password or phrase to your accounts of any kind that also use your SSN, one that only you know, unique for each and every account and you will have added a dead-bolt to your financial kingdom's front door. Perfect, no, but much better than now. Of course, many banks who want it to be as easy to "secure" your account as you want it to be easy--rather than hard for everyone (and really, not that hard), as it should be--will resist, complain, and fail to cooperate or do as they promised to. You will have to make them sorry when they fail to ask for the password/phrase without prompting.

@Earl Killian, you are on to something even better.

@Ted Lapis, exactly.

@Mark Hutchinson, no, it would not. That's a human barcode. Not just no, but hell no.

@Justine Colmena, exactly. "it's like that "physical mailing address" asshattery from folks who can't be satisfied with a billing address and a shipping address." They think it's a magical security blanket to match all the addresses and names, so if one isn't exactly like the others, DENIED, FRAUD!, he's UBL!, OMG!!. It's ridiculous and stupid.

I'm just encouraged to see some press-like news item writers to start noticing and writing publicly about it.

We MUST demand and get the electronic equivalent of cash. That way, interrogating us to "verify" who we are will no longer matter and life will be simpler for everyone. Let's see what actually improves....

tyr • October 5, 2017 10:21 PM


The trouble is that every country has an
invisible population of non-citizens and
system dropouts who are manipulated by
commerce and used and abused in various
ways. If those folk were being included
then the various fixes might work. As it
is the identity theft that you need to
get a job involves the SSN and some other
evidence. Without that you are just a
bracero who can be starved cheated and
abused. The federal government knows this
but is happy to get the revenue into their
pockets in most cases to keep without being
paid back.

If you fix this the build a wall gang will
crap in their pants. If you do a half fix
the problem remains.

Clive Robinson • October 5, 2017 11:11 PM

@ M. Verhart,

"SSN is a great username, it is a terrible password."

Actually it's not a good username, it's a very bad username as well as a very bad password.

Unique "universal or common" identifiers should not be used as it assists in linking up PII that should be maintained separately.

After all would you want your bank account information known to all?
How about a list of medications you are on, do you want it known to everyone?

But it's not just PII, it's also that we have multiple roles in life, father, son, mother, daughter, sister, brother, are a few of the obvious ones. But how about who you work for, clubs you have membership of hobbies you carry out in your spare time.

You don't want things from one role in your life affecting another. For instance your boss might hate line dancing, but you love it and have membership of a couple of line dancing clubs. Do you want some data broker telling your boss that you've been hiding your line dancing from them?, because you feel it might prejudice their view/treatment of you?

People are petty, spiteful, etc, it's why racism is such a problem.

For the sake of people's sanity others should not be able to see parts of their private lives laid out like a lab rat about to get dissected in biology class.

That's the danger of unique universal identifiers, it puts power over you into the hands of people that should not have it.

justina colmena • October 6, 2017 1:50 AM

@Iggy

"@Justine Colmena, exactly."

"exactly." uppercased and translated somehow from an assumed Spanish to French....

@Clive Robinson

"we have multiple roles in life ... You don't want things from one role in your life affecting another."

ever get on Google+ and try "circles?" — that luxury of the separation of privileges of social circles simply does not exist in modern times — everybody knows everybody and all are forced to submit to the same high california lifestyle even if that is most expressly not what they want....

Clive Robinson • October 6, 2017 2:02 AM

@ tyr,

"The trouble is that every country has an invisible population of non-citizens and system dropouts who are manipulated by commerce and used and abused in various ways."

It's not just those at the very bottom or fringes of society, it affects all those up to the point where they have their own legal staff working for them whose interests are aligned with theirs.

Basically justice has become too expensive, thus those with money lawyers and a way to hide behind a corporate face, can and do get away with murder.

If you take on a "corporate" you will get bled dry and thrown on the streets with if you are lucky the clothes on your back. To be further used and abused via a tame press as an example to keep the other serfs in line.

This is what happens when the resources start to run out on which the "Great American Dream" amongst other dreams are founded. It can only exist when there is "plenty for all for the asking" the equivalent of the biblical "rivers of milk and honey", or "streets paved with gold". Those who got there first decided to grab it all and use the wealth to take money from everyone else to acquire more wealth. Money is an abstraction of the sweat on your brow from labour, it is not wealth it's assets that give you that.

If used in one way assets such as property can be used to acquire money from those who rent. These rents go on to buy more property and so it goes on. The wealthy accruing assets the poor forced to hand over the fruits of their labours to just maintain a small shred of humanity. The wealthy force up the price of both property and rents, as long as they end up with the same ratio their profit percentage and thus game is unchanged. But for those without rentable assets the increasing price puts them ever further from owning assets.

The fly in the ointment for the wealthy is that property is finite, as Mark Twain observed "Buy land, they're not making it anymore". Supply and demand push up the price, but that largely does not affect the wealthy, but the shortage of land does. They have two choices better utilize the land you have and steal it from others. High rise accommodation not only does the first it makes you dependent on rent seeking in other ways, look at lease agreements to see a direct one, or the fact you have no land means you have to buy not grow food. But land stealing is also a great game as many Americans found out yet again in the first decade of this century. There are many ways the wealthy steal land but you will note that they will always have the legislation thus national guard labour on their side. To the wealthy buying legislation is just part of doing business, it's the mechanics of it they give to others to do.

But even if you are wealthy and have lots of assets you are in effect building a prison for yourself. People see not just themselves but their children living in a "family house" and they develop not just a financial but emotional link to those assets. Thus they can be a "ball and chain" around people's ankles tying them down thus making them easy targets.

That's why you need to not own any hard assets directly but companies trusts etc that own assets, and have lawyers that are good at looking after your interests, because their interests are tied to your continued well being.

In essence that's how the select 1% of the 1% of the 1% live their parasitic lives off of everyone else.

Ion • October 6, 2017 2:16 AM

A wordy, yet useless argument. So the SSN is relevant. Why? Because his wife has lost every piece of identification in one case of theft. And she identified with the SSN. The shallow reasoning forgets the case of the recent data breaches which gave impersonators all this data, hence they will be able to do quite a lot of things IN YOUR NAME and virtually in perpetuity, meaning even after you die.

I know the guy is a scholar paid to waste time with arguments like the linked article: it is "hard" and not how. But the recent breaches spell: no SSN is as good as having one at this precise moment in history.

justina colmena • October 6, 2017 3:02 AM

lol...

"That's why you need to not own any hard assets directly"

that's called poverty

"but companies trusts etc that own assets,"

that entails some sort of legal finding of mental incompetence to manage your own affairs...

"... and have lawyers that are good at looking after your interests, because their interests are tied to your continued well being."

right...lawyers looking after a professional psychiatrist's professional opinion of your best interests, which means that both lawyers and shrinks line their pockets with a fair portion of "your" cash, which "you" suddenly no longer have direct access to....

oh yes it really could happen to you or anyone else ... people are so incredibly complicit about this kind of thievery in law

Drone • October 6, 2017 5:33 AM

Replacing SSN's with a secure and trustworthy form of ID is not an issue today. Biometrics makes it fairly easy to do, and it's getting easier every day.

The REAL issue is whether the political-will exists to issue a secure and trustworthy national ID.

Republicans are mixed on the issue. Those for a strong ID see it as a way to limit job losses, increasing entitlement fraud, and voter fraud perpetrated through illegal immigration. Others side with the Libertarians and see a national ID as an unwanted expansion of government control.

Democrats on the other hand are for the most part unified against any sort of national ID, or anything in general that may limit illegal immigration. Illegal immigration is the path that progressively leads to an undefeatable super-majority voting bloc for the Democrats. But watch out, once the Democrats attain their permanent single-party rule, expect them to issue a national ID that will track and tax everything you do.

I conclude that there is currently not enough support for any sort of movement away from SSN's toward a secure and trustworthy national ID.

Replacing Social Security Numbers Is Harder Than You Think • October 6, 2017 7:10 AM

Good luck with that department- can Trump administration tick all the vital requirements for such an onerous enterprise, does anyone trust those sorts of folks to be even one percent capable? Backwards compatibility is just the least of the problems. Small government mentality plus beliefs in unchecked privileges to arbitrarily cut corners does not instill confidence in the folks who are making these proposals.

https://news.ycombinator.com/item?id=15414275

https://motherboard.vice.com/en_us/article/pakwnb/replacing-social-security-numbers-is-harder-than-you-think

Who Goes There? Authentication Through the Lens of Privacy
https://www.nap.edu/catalog/10656/who-goes-there-authentication-through-the-lens-of-privacy

IDs Not Easy: Questions About Nationwide Identity Systems
https://www.nap.edu/catalog/10346/ids-not-that-easy-questions-about-nationwide-identity-systems

mark hutchinson • October 6, 2017 8:41 AM

Arthur C. Clarke had much larger IDs for characters in his novel, 3001: A Final Odyssey. I'm pretty sure they were on the order of a GUID, but more human ready.

Clive Robinson • October 6, 2017 9:11 AM

@ justina colmena,

Not having hard assets in no way makes you poor, that's a myth that's been around since the mid sixties at least.

The point is there are other assets you can own that are not hard and thus easily transportable, excessive jewelry and gold coin collecting being just two.

The point about "owning owners" is that companies get way way better tax breaks on those than individuals do.

"that entails some sort of legal finding of mental incompetence to manage your own affairs..."

No it does not and has not since companies have been recognised as "legal entities". I'm guessing you do not know the implications of corporate vehicles like LLPs.

Jonathan Wilson • October 6, 2017 9:12 AM

I am not an expert on the requirements for a "national ID" but to me it seems like public key cryptography could be the solution here. Something similar to the hardware/protocols used for u2f would be a good place to start.

Basically everyone would get a smart card that has sufficient identifying information that it can be verified as belonging to the individual who has the card (e.g. if someone is showing up with a drivers license that says they are "bob xyz" and then present their smart card, there would be a way to tell that the card really is the one issued to "bob xyz").

The card would contain a hidden secret (difficult to extract or clone without physical destruction of the card). The hidden secret would be generated on the card at manufacture time and never known outside of the card.

Each agency that needs to verify your identity (say, a credit reporting entity such as Equifax) would be assigned a unique identifier by a central agency.

When you need to provide an initial identity proof to the agency, you would visit a bank or wherever is appropriate and provide proof that the card really does belong to you. Then you would put the card into a machine. The machine sends the card the identifier for that agency. The card then uses an algorithm that combines the agency identifier and the shared secret to produce a public and private key pair. The private key never leaves the card and the algorithm would be designed in such a way that it's not possible to use the public key to recover either the private key or the shared secret.

Then the smart card sends the public key to the machine who sends it along with whatever other information the agency needs to store through to that agency.

When you do something that requires the agency to verify your identity (e.g. if you are applying for a loan and a credit reporting agency needs to find the correct credit file to verify that you are creditworthy) a challenge would be generated and sent to the card to be signed by the private key matched to that agency with the response being sent back by the card. That response can then be verified as having been signed by the private half of the public key they have on file which means they have the file belonging to the owner of that particular card (which again could be verified as its legitimate owner via other means)

Nothing secret ever leaves the card and if the public keys are stolen from the database of the agency, it's not going to compromise anything. Should your card become lost or stolen, you get a new card and give the entities holding public keys new public keys matching your new card, preventing whoever may have your old card from using it for anything bad and allowing you to continue verifying your identity with your new card.

This card could also be used anywhere else where secure access is required (e.g. banks could hold a public key in their database based on your card and then the private half could be used via the same challenge-response to verify that you are allowed to log in as a more secure alternative to solutions like SMS 2 factor or those horridly broken RSA keyfob things some banks use)

So the primary difference between this and a bog standard U2F type key is that there would be a way for an entity to verify that the holder of the card is actually the person who the card was issued to rather than a fraudster trying to use a stolen card for their own ends.
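The enrollment and challenge-response flow Jonathan Wilson describes above, as an added Go example that is not part of the original comment. It assumes HMAC-SHA256 over the card secret and agency identifier as the "algorithm that combines" them and Ed25519 for the signatures; the agency IDs, record names and type names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Card stands in for the smart card. The secret is created on the card and has
// no export path; only public keys and signatures cross its boundary.
type Card struct{ secret []byte }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy: refuse to continue
	}
	return b
}

func NewCard() *Card { return &Card{secret: randomBytes(32)} }

// keyFor derives the per-agency key pair from seed = HMAC-SHA256(secret, label || agencyID).
// This construction is an assumption; the comment does not name an algorithm.
func (c *Card) keyFor(agencyID string) ed25519.PrivateKey {
	mac := hmac.New(sha256.New, c.secret)
	mac.Write([]byte("card-agency-key-v1\x00" + agencyID))
	return ed25519.NewKeyFromSeed(mac.Sum(nil))
}

// Enroll returns the public key the agency files against the person's record.
func (c *Card) Enroll(agencyID string) ed25519.PublicKey {
	return c.keyFor(agencyID).Public().(ed25519.PublicKey)
}

// Respond signs the agency's challenge. The agency ID is part of the signed
// message, so a response cannot be relayed to a different agency.
func (c *Card) Respond(agencyID string, challenge []byte) []byte {
	return ed25519.Sign(c.keyFor(agencyID), bind(agencyID, challenge))
}

func bind(agencyID string, challenge []byte) []byte {
	return append([]byte(agencyID+"\x00"), challenge...)
}

// Agency holds only public keys, so a dump of its database contains nothing that can sign.
type Agency struct {
	ID     string
	OnFile map[string]ed25519.PublicKey // record ID -> enrolled public key
}

func NewAgency(id string) *Agency {
	return &Agency{ID: id, OnFile: map[string]ed25519.PublicKey{}}
}

// NewChallenge returns a fresh random challenge; reusing one would allow replay.
func NewChallenge() []byte { return randomBytes(32) }

// Verify checks a response against the key on file for that record.
func (a *Agency) Verify(record string, challenge, sig []byte) bool {
	pub, ok := a.OnFile[record]
	return ok && ed25519.Verify(pub, bind(a.ID, challenge), sig)
}

func main() {
	card := NewCard()
	bureau, bank := NewAgency("credit-bureau-001"), NewAgency("bank-042")
	bureau.OnFile["file-1"] = card.Enroll(bureau.ID)
	bank.OnFile["acct-9"] = card.Enroll(bank.ID)

	ch := NewChallenge()
	sig := card.Respond(bureau.ID, ch)
	fmt.Println("bureau accepts its own challenge:", bureau.Verify("file-1", ch, sig))
	fmt.Println("bank accepts the bureau response:", bank.Verify("acct-9", ch, sig))
	fmt.Println("same key at both agencies:", bureau.OnFile["file-1"].Equal(bank.OnFile["acct-9"]))

	// Lost card: re-enroll with the replacement; the old card stops verifying.
	bureau.OnFile["file-1"] = NewCard().Enroll(bureau.ID)
	ch2 := NewChallenge()
	fmt.Println("old card after re-enrollment:", bureau.Verify("file-1", ch2, card.Respond(bureau.ID, ch2)))
}
```

Because each agency sees a different public key, two leaked databases cannot be joined on it the way they can on an SSN.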

Tatütata • October 6, 2017 10:32 AM

Before discussing how SSNs ought to be replaced, it would be good to create a system definition. Should there be segregation between domains (Federal, State, International)? For voter registration? (Sounds ugly, but there would be less of an excuse for voter suppression on alleged double registration or by imposing onerous ID requirements)? Should the same number be used for all types of gains and benefits?

I saw in the US media ads for an opportunistic company called "Lifelock" purporting to protect personal data. The registration asks for both DOB and SSN and other details, so it is yet another potential source of data breach. But you can feel safe, on the right-hand side of the data entry page you have the following hollow assurances:

We care about your privacy
We do not sell your information.
Your SSN is encrypted
For any questions, please contact 1-800-xxx-xxxx.
Why we need your SSN?
In order for us to help protect your credit and identity, we will need your Social Security Number.

The terms of service state:

Depending upon the Services you enroll in, register for, or otherwise sign up for or subscribe to use (collectively, "enroll"), we may permit you to be enrolled (i) by telephone, (ii) on our Site, (iii) by some other method we expressly permit, or (iv) by a third party who is authorized to provide your Personal Information to enroll you on your behalf (collectively, the "Enrollment Process"). In order to enroll in, register for and receive one or more Services, you must provide us with the full and accurate Personal Information that we require for the applicable Services, which may include without limitation your name, address, telephone number, email address, date of birth, driver's license number, Social Security number, and other personal information to verify your identity, as well as financial information such as your credit card number (collectively, "Personal Information"). You agree to keep all Personal Information updated and accurate. In the event we do not receive all the required Personal Information during your Enrollment Process, you agree that we may, in our sole discretion, use our data base, the data base of our affiliates, or other resources to attempt to complete the required Personal Information on your behalf. [...]

Then there is section 13, limitation of liability, which screams the following in uppercase (converted to gentler lowercase):

Without limiting the foregoing [broad and sweeping] limitation of liability, in the event we are found liable for damages to you in a competent legal proceeding our aggregate liability for all claims arising out of or related to these service terms is limited to the lesser of (a) one thousand u.s. dollars ($1,000) or (b) the amounts paid to us for the services that are the basis of the claim in the twelve (12) months preceding the date of the claim.

We're here to "protect" you, but if we bungle, then that's it...

John DB • October 6, 2017 12:06 PM

@M. Verhart:

Social Security Number is an awful, awful, awful unique identifier in a database. One could say it's uniquely awful.

First, it's possible to change your SSN. Updating unique keys in a database is a pain at best, since you have to find all referring tables and change the foreign keys there as well. The SSA has also issued the same number to different people at various times. Uh-oh.

Second, the SSN is customer-provided data. People can and do often use other people's SSN. If someone else has given you my SSN, and that's the unique key in your database, how do I get into your database with my SSN? It's a unique key violation and I'm at a dead stop until somebody can resolve this situation. Much better to give an arbitrary identifier and resolve SSN duplicates as a back-end business process.

Oh, and since SSN has no check digit (such as a Luhn digit on credit card numbers), it's almost impossible to detect fat-fingered SSNs, allowing for completely innocent duplicated SSNs as well as malicious ones as in the case of identity theft.

Third, only people who have applied for SSNs have SSNs. This excludes large numbers of foreign nationals who are ineligible for an SSN, and some US citizens who have never applied for one for whatever reason. Have you decided that none of those people will ever be your customers? Why? (Note: some foreign nationals are eligible for SSNs, so the presence of an SSN does not imply a person is a US citizen or national.)

Fourth, and most germane to this blog, whether we like it or not, an SSN is personally identifiable information, useful for things like identity theft and other kinds of general nastiness. Using an SSN as a unique identifier means you're going to scatter it far and wide across reference tables (as a foreign key), and likely as a cross-database key. That makes securing it almost impossible. Isolating SSN in one place with a lookup to match SSN to your company's customer ID is a much more securable solution.

Please, please, please don't ever use SSN as a unique identifier in a database. And remember that the cheapest and most reliable way to prevent a data breach is not to have the data in the first place. If you don't really, really need SSN, don't ask for it. And if you don't need to keep it after you use it, don't keep it.

-John
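John DB's design points (an arbitrary customer ID as the key, the SSN isolated in one lookup, duplicates resolved as a back-end process, no check digit to catch typos), as an added Go example that is not the commenter's code. All type and function names are hypothetical and the SSNs are constructed sample values.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Store refers to customers by a random surrogate ID everywhere. The SSN lives
// only in the two vault maps, which can be access-controlled separately.
type Store struct {
	Names   map[string]string          // customerID -> name
	Orders  map[string][]string        // customerID -> order refs (foreign key = surrogate ID)
	ssnOf   map[string]string          // vault: customerID -> SSN
	holders map[string]map[string]bool // vault: SSN -> customerIDs that supplied it
}

func NewStore() *Store {
	return &Store{map[string]string{}, map[string][]string{}, map[string]string{}, map[string]map[string]bool{}}
}

// NormalizeSSN strips separators and checks for nine digits. With no check
// digit, that is all the validation an SSN allows: a typo still passes.
func NormalizeSSN(s string) (string, error) {
	s = strings.NewReplacer("-", "", " ", "").Replace(s)
	if len(s) != 9 || strings.Trim(s, "0123456789") != "" {
		return "", errors.New("SSN must be nine digits")
	}
	return s, nil
}

// AddCustomer never rejects a duplicate SSN and accepts a missing one.
func (s *Store) AddCustomer(name, ssn string) (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	id := hex.EncodeToString(b)
	if ssn != "" {
		if err := s.SetSSN(id, ssn); err != nil {
			return "", err
		}
	}
	s.Names[id] = name
	return id, nil
}

// SetSSN records or changes an SSN. Only the vault changes; no foreign key moves.
func (s *Store) SetSSN(id, ssn string) error {
	n, err := NormalizeSSN(ssn)
	if err != nil {
		return err
	}
	if old, ok := s.ssnOf[id]; ok {
		delete(s.holders[old], id)
	}
	if s.holders[n] == nil {
		s.holders[n] = map[string]bool{}
	}
	s.ssnOf[id], s.holders[n][id] = n, true
	return nil
}

// Conflicts lists the customer IDs whose SSN is also claimed by someone else.
func (s *Store) Conflicts() []string {
	var ids []string
	for _, set := range s.holders {
		for id := range set {
			if len(set) > 1 {
				ids = append(ids, id)
			}
		}
	}
	return ids
}

func main() {
	s := NewStore()
	a, _ := s.AddCustomer("Customer A", "000-12-3456") // constructed sample SSNs
	b, _ := s.AddCustomer("Customer B", "000-12-3456") // B's 000-12-3465, keyed with two digits swapped
	s.Orders[a] = append(s.Orders[a], "order-1001")
	fmt.Println("customers flagged for review:", len(s.Conflicts()))
	_ = s.SetSSN(b, "000-12-3465") // back office corrects B; IDs and orders are untouched
	fmt.Println("after correction:", len(s.Conflicts()), "flagged;", len(s.Orders[a]), "order still linked")
}
```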

nano • October 6, 2017 12:17 PM

"Oh, and since SSN has no check digit (such as a Luhn digit on credit card numbers),"

The 9-digit Canadian SIN (Social Insurance Number) includes one.

The first digit kind of identifies the province where the number was first issued. From my guesstimate, if the numbers are not exhausted already, they should be soon.

Anon Y. Mouse • October 6, 2017 1:02 PM

@Clive Robinson

"But it's not just PII, it's also that we have multiple roles in life, father, son, mother, daughter, sister, brother, are a few of the obvious ones. But how about who you work for, clubs you have membership of hobbies you carry out in your spare time.

"You don't want things from one role in your life affecting another."


Someone should tell Mark Zuckerberg. It's his explicit philosophy that everyone
should have but one online identity to be used for all purposes. That's one of
the foundational reasons why I don't use that facepage thingy everybody's talking
about these days.

tyr • October 6, 2017 4:22 PM


@Clive, et al

There's a very informative video on YTube
called 'Who controls the Children' an
advocate who tracked down the Pennsylvania
compiled dossier and its implementing by
26 other US states is quite revealing.

The process has been around since the
1960s and it's the Dangan of Chinese fame.
Under the innocuous title of outcome based
education this mad scheme has tossed the
idea of children learning things like
math and literacy aside in favour of the
children becoming nicely compliant tools
of those in charge. People in higher ed
have noticed that their classes seem to
be waiting for someone to tell them what
to do. This is what happens with outcome
based victims. They make great consumers
and cannon fodder but have been trained out
of their own volition as a government/corp
policy.

The SSN is just a tag on top of the program.
It is also why previous generations only
got an SSN before going to work but now it
is routinely tacked onto children.

The real danger is the dis-connect from a
human past that becomes increasingly alien
to the young. That loses all of the hard won
lessons that got us to this brave new world
and its crappy simulation of 1984.

The reason the rest of the world looks at
americans with horror can be traced directly
to the education system that produces them.
We're exceptional all right.

Jim • October 11, 2017 2:40 PM

"make credit providers liable for the full damages, including ongoing inconvenience, suffered by victims of identity theft" -- This will go a long way toward solving information security problems.

PP • October 14, 2017 10:44 AM

"We are clearly giving new meaning to words". Social Security Number: it's not social (because i am not expected to post it on social networking sites); it's not secure (because i am expected to post it in clear text on a form); it's NaN (because i do not know how to count with it). National ID Card: makes me think about the meaning of the word states in United States. Our liberty is protected by our ability to move to a different state; a National ID Card changes the meaning of the word state by taking away the reason for moving: a different state. This lack of incentive is not utopia, it's an attack on liberty because it destroys the reason to move, and eventually the reason to write.
Social security numbers used as identifiers: we don't need leaders for this one, we need administrators.

David Spelts • October 15, 2017 6:43 AM

SSN's are not unique in any way... the SSN administration re-issues them.

More than 27,000 Social Security numbers are associated with 10 or more people.
