Identity Theft and Business: Move Away From Using Social Security Numbers

One of the recommendations from the President’s Identity Theft Task Force: Decrease the unnecessary use of social security numbers in the public sector by developing alternative strategies for identity management.

Deborah Platt Majoras, Chairman of the Federal Trade Commission and co-chair of the Identity Theft Task Force gave this example why this recommendation is at the top of the list of 31 recommendations from the Task Force. “We [at the FTC] recently received an identity theft complaint from a young consumer who recounted his experience of going with his mother to open his first checking account before he headed off to college. At the bank, he learned that a woman using his social security number had already opened a checking account which has been subsequently closed for default. When he contacted us, this young man was still working to clear his record. It is hard to regain trust in a system that allows that kind of a breach. So if you multiplied this consumer’s story by the thousands of consumers we’re hearing from each week you would have an instant calculation on the scope of the problem.”

Majoras stressed that this move away from the use of social security numbers is needed, “With the benefit of hindsight we have much to learn about our past use of social security numbers, often the most valuable piece of consumer information for a thief who plans on assuming another’s identity.” Originally the social security number was created to track worker’s earnings for social security benefit purposes. “This number has evolved into a widely used identifier adopted by the public and the private sectors to identify consumers and match information to them and it has been very useful in doing that,” Majoras noted. But identity theft happens when it is assumed that the social security number was actually secret and it could be accepted as proof of identity.

“Of course, we realize now that it is not possible to use something so widely and so openly and expect it to remain a secret. Thus both public and private sectors have begun to take precautions regarding the use of social security numbers and many government agencies, universities, and businesses are moving away from using it as the only authenticator,” she said.

The task force’s recommendation included finding alternative strategies for identity management, and Majoras said there are lessons to be heeded when developing new identification/authentication systems. “What if we consider the impact of the social security number before its use became so widespread, would we have built in greater protections or better authentication measures? Fortunately we learn from experience. I sure hope we do. And we know that we must do better in anticipating the ramifications of any new identification and authentication systems that we’re beginning to build today.”

The financial services sector is being looked to for leadership in this alternative strategies for identity management effort, said Betsy Broder, Assistant Director in FTC’s Division of Privacy and Identity Protection. The success that financial institutions have seen in implementing the strong authentication guidance from the FFIEC and thereby reducing online fraud, Broder said, “is the floor, and we want to see what works in authentication to develop consumer trust.”

Businesses that are still using social security numbers for identification purposes need to move away from them and find alternative ways to identify customers. “People who are now moving over from social security numbers to other identifiers are not ahead of the curve, they’re catching up. It’s been well known for a while that the use of social security numbers, while they are a convenient identifier, the use of them compromises consumer safety,” Broder said.

There are some cases, where a social security number must be used, Broder noted, “For example, say for a credit check, or for a specific transaction, including taxes, employment, and other required government uses of it. But in other cases, another random number could be used and would be just as good or better, and eliminate the chance of the social security number falling into the wrong hands.” She added as long as that number can’t be used to bring up account information, “Otherwise then it will end up being the next social security number, and that’s not good either.”


About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network