
Expert: 'Anyone who uses Social Security Numbers for security is crazy'

Ethan Wolff-Mann
Senior Writer

The Equifax hack that compromised 143 million Social Security numbers didn’t just destroy the country’s trust in credit bureaus; it also most certainly killed the use of SSNs for security and identity authentication.

The nine-digit SSN has been used for this purpose for years. Typically, the last six digits of a SSN are used because the first three digits correspond to where in the U.S. you were born.

For a security mechanism, it was an easy default, “but that number is now, thanks to Equifax, pretty much obsolete to things other than [receiving] Social Security [payments],” said Ira Rheingold, executive director of the National Association of Consumer Advocates. To consumer advocates like Rheingold, that’s probably not a bad thing, since it probably should never have been used for that purpose. “Anyone who uses that for security is crazy,” he said.

The Social Security Administration told Yahoo Finance that the purpose of the number is to report earnings and track benefits. “It was not intended to serve as a personal identification document,” said Darren Lutz, an agency spokesperson. The Administration does not endorse any other use of SSNs.

Social Security numbers are everywhere and extremely unsecured

Thinking about the 143 million SSNs floating around on a hacker’s server reminds us of how easily these numbers can be surfaced. SSNs have been widely accessible for a number of years, mostly because so many companies and organizations request the number, or at least a part of it.

“Think about how many times you’ve had to provide your SSN,” said Alex Hamerstone, governance, risk, and compliance practice lead at TrustedSec. “Every time you go to a new doctor or start a new job, when you apply for a home, car or student loan, when you set up utility services — the list goes on and on.”

Furthermore, some Departments of Motor Vehicles would use SSNs as driver’s license numbers. Colleges sometimes used SSNs as student IDs, and would even post them publicly. Hamerstone recalls his university doing this.

“We’ve been really bad at securing SSNs for decades, and now that all of this data is being stored online, the problem is becoming significantly worse,” he said. “The bottom line is that the authentication-by-SSN model that we’ve relied upon since the 1940s is essentially broken.”

It’s easy to buy Social Security numbers on the dark web

“Many people would be surprised at just how easy it is to purchase SSNs online,” said Hamerstone.

According to Hamerstone, many of these sites even offer customer service. “With just a little know-how, anyone can go to the dark web and buy SSNs and other personal information just as easily as they would order a toaster from Amazon.com,” he said.

The level of stolen data that can be pinched and put up for sale is massive and can lead to elaborate fraud schemes such as someone claiming a tax refund for someone they have no relationship to. It’s not just SSNs that are available on the dark net; many sites offer “fullz” packages that bundle complete dossiers of personal information including birth dates, credit card and banking account numbers, and mailing addresses. Sometimes they even package the SSNs of all members of a family, Hamerstone said.

Don’t give out your SSN just because someone asks

According to the Social Security Administration, you are not required to give out your SSN except to employers and financial institutions, which use them for tax reporting purposes.

“Giving the number is voluntary even when asked for the number directly,” the SSA’s Lutz said. He noted that if requested, the Administration suggests that consumers ask why and how the number is needed, what happens if they refuse to provide it, and whether there’s a law requiring them to give it.

“The answers to these questions can help people decide if they want to give out their SSN,” Lutz said. “The decision is theirs. However, they should know that refusing to give the number might mean doing without the purchase or service for which the number was requested.”

The obvious problem with this, however, is that now another identification system needs to be put in place to replace the SSN. That new system would also need to be secured and will likely face similar challenges.

But new technology like blockchain could provide a solution. Estonia, for instance, has established a digital identity system for its citizens. For now, though, it is important to practice good credit hygiene and utilize AnnualCreditReport.com on a regular basis. Experts recommend pulling one credit report every four months to make sure nothing fishy is going on.