The nine most protected numbers that you probably have memorized and try not to give out too often aren’t as secure as you might think.
The data breach in September of Equifax, one of the three major credit bureaus, led to Social Security numbers, or SSN, and other personal information of millions of Americans to be compromised and possibly used by identity thieves.
Less than a month later, a White House cybersecurity coordinator said that the federal government was looking into more secure replacements for Social Security numbers and that “the Social Security number has outlived its usefulness,” according to the CBS-owned website TechRepublic.
The numbers are widely used for identification, though only the last four digits are often provided by their owners. Still, from housing and job applications to credit inquiries, consumers often provide at least part of their SSN to companies that may not keep them as secure as consumers would hope.
They can be hacked
The numbering system started in1936 as a way to identify people to the Social Security system but hasn’t evolved since.
Criminals can use stolen SSNs to open fraudulent bank accounts and credit cards in people’s names or to get access to their existing accounts. The numbers can be hacked even without getting a SSN from a hacked computer file.
The first three digits are from a geographic code based on where you live when you first registered for your number — something your parents may have done within hours of your birth at a hospital. Wikipedia has a list of Social Security area numbers, from 001 in New Hampshire to 649 in New Mexico.
Those SSN were issued before June 2011, when the Social Security Administration changed to a randomization process to select numbers.
Contrary to myth, the two middle digits of a SSN do not use the person’s date of birth, place of birth or race, according to the SSA.
The last four numbers, called the serial number, are often used by a bank, for example, to confirm that you are who you say you are. You gave the bank your full SSN when you opened the account.
But even without having those last four digits, which are commonly given to companies and easiest for criminals to find, a person’s SSN can be figured out. An algorithm created by researchers in 2009 could predict a SSN correctly 44 percent of the time in the U.S. overall and up to 90 percent of the time in smaller, individual states.
The first SSN option isn’t easy
Immediately after a data breach of credit card information, for example, consumers are often told to get a new credit card with a new number. If a SSN is stolen, or at least possibly compromised, it’s almost impossible to get a new number issued by the government.
Fraud is a big reason why the SSA doesn’t want people applying for new numbers. Preventing a crime isn’t a big enough reason, though the agency says a different number can be assigned if a “victim of identity theft continues to be disadvantaged by using the original number.” In other words, it must be a continuing problem.
Security experts are seeking alternatives to SSNs that are easy to use, more secure and that can be replaced if exposed in a breach.
One option is a blockchain, which uses a person’s biometric data such as a fingerprint or iris scan, to unlock the blockchain technology and create a legal ID. This is already used by banks and 1.1 billion people worldwide to identify refugees.
The personally identifiable information, such as an iris scan, always exists “off chain” and isn’t stored in a centralized system. Refugees use their biometric information to access their information and choose when to share it, preventing the governments they’re fleeing from using it.
If your number is used in a blockchain, you would be notified and you could block the transaction.
Blockchain is used in cryptocurrencies such as Bitcoin. The country of Estonia is using blockchain to give each citizen a secure digital identity card to access public, financial, medical and emergency services, as well as to dive, pay taxes online, e-vote, provide digital signatures and travel with the European Union without a passport.
Blockchain is similar to a Biometric Exit, a facial recognition technology used by the U.S. to track visa holders. You may have used it when returning to the U.S. from a foreign country and going through Customs.
These methods have their critics over privacy concerns and accuracy. Sen. Al Franken of Minnesota has asked Apple how the facial-recognition program on its new iPhone X will protect users’ privacy and if the data will be shared with law enforcement.
Touch ID scanners on Apple’s older phones that use fingerprints to open a phone can be hacked by someone stealing a fingerprint a user leaves somewhere else.
If your fingerprint or face scan are hacked, you can’t replace them.
Unique ID number
A unique health-care identification number is used in the United Kingdom and Japan for national health services or central identification.
The universal patient identifiers, or UPIs, could be an efficient way to connect patients to their medical data. But they could be just as prone to security fears as SSNs.
If nothing else, UPIs could be used only for medical data. Using them for anything other than that specific purpose could be prohibited as a way to giver consumers more control over their personal data.
Originally, getting a SSN was supposed to do the same type of thing — only be used to identify you to the Social Security Administration. It has since turned into an informal national ID number that is getting hacked more and more.