Uses of Social Security Numbers in the Private Sector: Why SSNs are Not Appropriate for Authentication


Federal Trade Commission Workshop
“Security in Numbers: SSNs and ID Theft”
December 10-11, 2007, Washington, D.C.
Agenda: http://www.ftc.gov/bcp/workshops/ssn/agenda.pdf
FTC Staff Report: http://www.ftc.gov/bcp/workshops/ssn/staffsummary.pdf

UPDATE: The FTC has issued its final report on this issue "Security in Numbers-SSNs and ID Theft" (December 2008). www.ftc.gov/os/2008/12/P075414ssnreport.pdf

The Privacy Rights Clearinghouse (PRC) is a nonprofit consumer advocacy organization, based in San Diego, California, and established in 1992. The PRC invites individuals’ questions and complaints via e-mail and telephone, and we operate much like a “Dear Abby” of privacy.

The top issues for which individuals have contacted us in our 15-year history include: identity theft, credit reporting, employment background checks, medical records, and the topic of today’s workshop, Social Security numbers (SSNs). If you think about it, each of these topics incorporates the issue of SSNs. For example, the crime of identity theft is perpetrated by an imposter, primarily because he or she knows the SSN of the victim and is able to provide it when filling out applications for credit.

This morning, we heard from a panel of experts on the use of the Social Security number as an identifier.  As an identifier, the SSN is provided by individuals to answer the question, “Who are you?” As an authenticator, the topic of this panel, the SSN is provided by individuals in response to a challenge: “Prove who you are.”

And herein lies a great deal of the discomfort and anger that the Privacy Rights Clearinghouse hears from those who have contacted us over the years. The SSN has evolved since its establishment in 1935 and implementation in 1936 to be used as both an identifier and an authenticator.  (For a chronology of the SSN, visit the Social Security Administration web page, http://www.ssa.gov/history/ssn/ssnchron.html.)

As Bruce Schneier says in his excellent book on security, Beyond Fear, conflating these uses as identifier and authenticator, and failing to distinguish one from the other, can lead to serious problems. We see and experience these problems today in a range of fraud schemes:

  • Financial identity theft
  • Criminal identity theft
  • Medical identity theft

The Federal Trade Commission staff report explains that authentication is dependent on individuals presenting an authentication factor to prove their identity before they can, for example, gain access to a financial account, or sign onto a computer network. http://www.ftc.gov/bcp/workshops/ssn/staffsummary.pdf

Experts state that such factors should be something not generally accessible.  An authentication factor can be:

  • Something a person knows, like a password or PIN.
  • Something a person has, like a physical device or token.
  • Something a person is – a physical characteristic like a fingerprint or the unique pattern of veins in one’s eyes – the field of biometrics.

This trio of factors – something a person knows, has, or is – is a standard scheme in the field of authentication. Unlike identifiers, authenticators are supposed to be secret and not widely known, or entirely unique to the individual.

Social Security numbers fall into the category of something one knows. The problem is that one’s SSN is widely known. It’s not all that difficult to obtain if you are a criminal engaged in the types of identity-related fraud that I mentioned earlier.

The strongest authentication systems are multi-factored, and the FTC staff report discusses this approach. It is an understatement that the SSN is not appropriate as a sole authenticator, as the identity theft epidemic has all too painfully taught us.

But the SSN can be useful in initial identity verification to facilitate other forms of authentication, like developing knowledge-based authentication questions, an approach taken by some financial institutions.
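The distinction drawn above between an identifier ("who are you?") and an authenticator ("prove it") is easier to see in code. The following is an added example, not part of the original talk or the Privacy Rights Clearinghouse's materials: a small account system in which the SSN only selects the record, while proving ownership requires two of the three factors listed earlier, a password (something you know, stored as a salted PBKDF2 hash) and a time-based one-time code (something you have, RFC 6238 TOTP). The account directory, the SSN value, the password and the iteration count are constructed assumptions; the HOTP/TOTP arithmetic follows RFC 4226/6238.

```python
"""Identifier vs. authenticator: a constructed demonstration (not from the
original talk). The SSN selects the account record; proving ownership of the
account requires a password (something you know) and a time-based one-time
code (something you have). Knowing the SSN alone does not authenticate."""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 200_000  # assumption: a reasonable work factor for this demo
TOTP_STEP = 30               # RFC 6238 default time step in seconds


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the digest and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: Optional[float] = None, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    at = time.time() if at is None else at
    return hotp(key, int(at // step))


# Constructed account directory keyed by SSN. The SSN is the *identifier*
# ("who are you?"); it is never compared as a credential. A production system
# would key by an opaque account number and treat the SSN as protected data.
ACCOUNTS: Dict[str, dict] = {}


def register(ssn: str, password: str, totp_key: bytes) -> None:
    """Enrol an account: store the password hash and the TOTP seed, never the SSN as a secret."""
    salt, digest = hash_password(password)
    ACCOUNTS[ssn] = {"salt": salt, "pw": digest, "totp_key": totp_key}


def authenticate(ssn: str, password: str, code: str, at: Optional[float] = None) -> Tuple[bool, str]:
    """Identify by SSN, then authenticate with two factors. Returns (ok, reason)."""
    acct = ACCOUNTS.get(ssn)
    if acct is None:
        # Still burn a PBKDF2 round so "unknown SSN" and "bad password" take
        # similar time; otherwise the response time reveals which SSNs exist.
        hash_password(password, b"\x00" * 16)
        return False, "unknown identifier"
    if not verify_password(password, acct["salt"], acct["pw"]):
        return False, "bad password"
    at = time.time() if at is None else at
    # Accept the current step and one step either side to tolerate clock drift.
    for drift in (-1, 0, 1):
        expected = totp(acct["totp_key"], at + drift * TOTP_STEP)
        if hmac.compare_digest(expected.encode("ascii"), code.encode("utf-8")):
            return True, "ok"
    return False, "bad one-time code"


if __name__ == "__main__":
    key = secrets.token_bytes(20)
    register("123-45-6789", "correct horse battery staple", key)  # constructed values
    print(authenticate("123-45-6789", "", ""))  # SSN alone: (False, 'bad password')
    print(authenticate("123-45-6789", "correct horse battery staple", totp(key)))  # (True, 'ok')
```

The point the talk makes is visible in the `authenticate` function: the SSN is consumed only by the dictionary lookup, so an imposter who knows it still has to present a password hash match and a current one-time code. The SSN could be replaced by any other lookup key without weakening the system, which is exactly the property an identifier, as opposed to an authenticator, should have.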

In preparing for this panel, I read a report by the Federal Financial Institutions Examination Council, titled “Authentication in an Internet Banking Environment.” http://www.ffiec.gov/pdf/authentication_guidance.pdf The phrase “Social Security number” was not used once in the report. This publication does, however, discuss multi-factor authentication, as follows:

Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multi-factor authentication, layered security, or other controls reasonably calculated to mitigate those risks.

In closing, I would like to point out that the debate about uses of the SSN is not new. The Privacy Protection Study Commission of 1977 devoted a chapter to the SSN and its use by government entities. But it sidestepped the topic of private sector uses of the SSN, and, instead, recommended that the issue be monitored and further studied in the future.
http://aspe.hhs.gov/datacncl/1977privacy/c16.htm

Here we are in 2007, 30 years hence, doing just that. The President’s Task Force on Identity Theft and the Federal Trade Commission should be commended for discussing these critical issues.

To summarize and conclude: The Social Security number should not be used as an authenticator.