Cyber Researchers Propose a ‘Smart’ Social Security Card
Instead of ditching the SSN as an identifier, the government could take steps to modernize it.
As cyberattacks and data breaches make Social Security numbers increasingly insecure, the government needs to explore new ways to verify people’s identities, according to a recent report.
“This nine-digit number has become the core credential for government and commercial purposes—things for which it was never designed,” cybersecurity researchers at McAfee and the Center for Strategic and International Studies wrote in a report published Wednesday. “The [Social Security number] faces significant problems as an identifier, and after 80 years, it is time to modernize it.”
In 2015, experts estimated between 60 and 80 percent of Social Security numbers had at some point been stolen by hackers, and that was before the massive breach at Equifax exposed information on 143 million Americans last year. As a result, for most people, the number “is no longer a secret,” researchers said.
Still, the government needs some mechanism to authenticate identity and connect records to a specific individual, they said. Instead of exploring brand new authentication system, researchers argued for modernizing the Social Security number to make it harder to steal and easier to secure if it does get compromised.
They concluded creating a “smart” Social Security card would be the best strategy.
Like a credit card, the modernized Social Security card could be embedded with a readable chip that connects to an external account. The chip itself would carry a proxy number that links to someone’s encrypted Social Security number, creating a second layer of security that reduces the risk of fraud. If that proxy number is stolen, the government could generate a new one without changing the actual Social Security number, they said.
The report explores different strategies for linking encrypted Social Security numbers to such proxies—like blockchain, public key infrastructure, mobile authenticator apps or biometric identifiers—but they said the private sector would likely play a role in designing the new system.
“Modernization should change the SSN from its current form and replace it with a dynamic credential that relies on online processes for confirmation and provides a path forward for the adoption of new technologies,” researchers wrote. “We recommend smart cards as the best path.”
Lawmakers and industry experts have long agreed Social Security numbers could use an upgrade for the digital age. At a hearing in May, cyber advocates detailed the risks of bundling so many valuable assets into a single nine-digit number before a House panel.
“Social Security numbers are so deeply compromised and so widely available to the public...that they can no longer be used as an authenticator,” said Paul Rosenzweig, a cybersecurity expert at the R Street Institute. “Using my Social Security number as an authenticator is as stupid as using the last four letters as my last name as authenticator, or the last four digits of my phone number.”