Key flaw in authorization process: Social Security Numbers are no secret!

3 KEY TAKEAWAYS FROM THE EQUIFAX BREACH

1 The Breach Barrage

Data breaches are nothing new. In fact, they’re almost becoming commonplace. In the first half of 2017 alone, the number of data breaches jumped 29 percent, according to a report from the Identity Theft Resource Center and CyberScout. From the Republican National Committee contractor whose breach exposed voting data on nearly 200 million Americans, to Verizon’s breach that affected more than 14 million customers, data hacks are increasing at breakneck speed across all industries.

The recent massive breach of credit reporting giant Equifax is the latest example of this. Reported by the Wall Street Journal as the largest social security breach in history, it compromised the confidential data of approximately 143 million U.S. consumers, including social security numbers, names, birthdates and addresses. What’s more, they reported that more than 200,000 consumers’ credit card numbers and more than 180,000 consumers’ sensitive documents were accessed.

2 The Identity Authentication Challenge

While the scale of the hack is eye-opening, perhaps what’s most startling is the depth of data that the criminal hackers accessed, including social security numbers and other critical identifying data. It also raises questions about identity and authentication processes in the digital environment. With a few pieces—or even just one piece—of key information (i.e. a social security number), a person’s total identity is essentially up for grabs in the digital marketplace. Shuman Ghosemajumder, Chief Technology Officer of Shape Security, pointed this out. “This appears to be the single largest breach of Social Security Numbers in history… it also has a profound implication for how we use SSNs throughout the country, as it is possible that as a result of this breach, the majority of adults’ SSNs are now compromised.”

Traced back to its origins, the social security number was created solely as a way to keep track of an individual’s earnings for social security and benefits purposes. Over time, however, it has taken on an outsized role and become a key identifier for Americans, as well as a major way businesses and organizations fight fraud and verify identity. What’s more, some would argue that the social security number is stuck in the past, as it is not tied to modern identifiers (e.g. email, phone or IP address) that travel with us wherever we go.

The breach has revealed a key flaw in the authorization process of the digital environment, which relies too heavily on using the social security number as a national form of identification. “So many of our accounts and authorization processes use the idea of our SSN only being known to us (and not a criminal) as an identifier and authentication mechanism…”* said Ghosemajumder.

3 Approaching authentication by layering of identity solutions

Many fraud experts agree. Seth Ruden, Senior Fraud Consultant at ACI Worldwide, was quoted by MarketWatch as saying about the social security number, “We are now at a point where our hands are tied: We can no longer conscientiously use this as an authentication and be taken seriously by consumers.”

As businesses and consumers prepare to move forward, leaders in all industries are now faced with a key question: is it time to reconsider the way we use the social security number? As privacy and security become more of a priority in the digital landscape, the way we think about identity authentication must adapt to meet our needs.

A recent report by Gartner recommends that businesses operating in the modern digital landscape adopt a layered cross-channel fraud prevention strategy. The report advises that “while many organizations are applying fraud detection methods to individual channels (e.g., website, call center) as though they are isolated silos, fraudsters are seamlessly moving between channels to exploit gaps. Organizations need to find a balance between tightening fraud prevention practices without adding unnecessary friction into the customer experience journey of legitimate customers.” In essence, applying multiple layers of data verification is now more vital to cyber protection and thwarting fraudsters than ever before.

While we may not have a clear solution to completely fix the problem, the Equifax breach has sent a clear signal to us all: we must be more vigilant with data security to protect our customers and businesses.

* Rosenbush, Steve. “The Morning Download: Equifax Breach Puts Social Security Number at Center of Digital Identity Crisis.” The Wall Street Journal, Dow Jones & Company, 8 Sept. 2017, blogs.wsj.com/cio/2017/09/08/the-morning-download-equifax-breach-puts-social-security-number-at-center-of-digital-identity-crisis/