Can We Please Stop Using Social Security Numbers for Important Things???
Social Security Numbers are Old!
Social Security Numbers are old. 87 years old to be exact. They were created in 1936, the same year the Hoover Dam and the San Francisco-Oakland Bay Bridge[1] were built. SSNs predate the atom bomb, the ENIAC, the microwave oven, and even Barbie! They were invented well before the digital age, well before Frank Abagnale[2] was forging digital checks. Well, well before the Multics Relational Data Store revolutionized databases.
In those days, if you wanted to steal a few million social security numbers, that would have involved breaking into the Social Security Administration and wheeling dozens of file cabinets into a moving truck. Nowadays, Little Bobby Tables can wreck millions of records at a time! The Equifax breach alone exposed about 150 million social security numbers.
So...can we please stop using them for important things? Especially for things like, oh I don't know, your entire retirement savings!?!?!
An Anecdote about IRAs
If you've ever switched jobs, one of the items on your TODO list is rolling over your old 401k. It's a stressful process on the best of days, and outright terrifying when the 401k provider plays fast and loose with your sensitive personal data.
Now, for security and libel reasons I'm not going to disclose the name of the company which held my previous 401k, but let's just say that it may or may not contain a certain 16th president of the United States.
When I called in to begin the process of transferring my 401k, after some obligatory disclaimers (such as your personal data may be recorded), I was greeted with what I considered to be a strange request:
Please say or enter your social security number
Now, the public switched telephone network is known for many things, but end-to-end encryption is not one of them. So fat chance that I'm disclosing my Social Security Number into the ether. With level-headed calmness, I immediately began mashing[3] "0" while making sheep sounds to the automated operator.
It worked, and I was put through to a human. Who happily greeted me and said:
Hi! May I please have your Social Security number?
Now the astute reader may be asking, "What's the big deal? It's just one social security number..."
Oh, but it isn't just one banana. At this point, a few things are obvious to me:
- I'm about to expose my Social Security number to a random customer service agent.
- The agent is going to enter my SSN into their system to look up my account details. This is almost certainly a Relational DataBase Management System, i.e. a SQL database.
- Which means my SSN likely serves as the primary key to the database.
- This means the SSN is almost certainly stored in cleartext[4].
- Meaning any attacker who manages to dump the database would get their hands on a lot of social security numbers...at least a couple thousand or so. Maybe even a few million.
Now, a single SSN goes for about four dollars on the dark web. Not a very lucrative enterprise. But consider that the average (non-presidential) IRA administrator has tens of thousands, if not millions, of Social Security Numbers. That's a pretty big payday for our nefarious actors. And all they have to do is compromise this database, a task perfectly suited for SQL Injection, Insider Threat, or the average ransomware threat actor.
I pointed out to the customer service representative how absolutely awful it is to ask me for my Social Security Number, which is not the correct strategy, and then proceeded with transferring my IRA funds[5] while sweating bricks for the next week or so.
Anecdotes aside, why do attackers want to acquire Social Security Numbers? Well, they can be used for all sorts of nefarious things, and are usually the first step in committing Identity Theft. Let's take a look at the problems with SSNs.
The Problem with Social Security Numbers
The primary function of a social security number is to act as an identifier. It's a de facto national identification number. It identifies a unique human individual, primarily for tax purposes and, as the name implies, social security benefits.
In the cybersecurity realm, an identity claim requires authentication. In almost all traditional cases this is a password, something that only the valid owner of the account should know.
The really big issue with social security numbers is that it was assumed that only the owner would know the number. Thus, systems were built to use an SSN as an authentication factor. Basically, just knowing an SSN is akin to knowing the password.
Knowledge of a Social Security Number allows you to access a number of fairly sensitive workflows, including:
- Applying for credit cards
- Applying for a mortgage
- Applying for a bank account
- Applying (or transferring) a retirement account
- Receiving actual Social Security benefits - especially in the case of an older individual.
- Or filing a tax return - ostensibly to receive a tax refund
Now most sites don't just ask for your social security number. They've wised up to the threat that mere knowledge of an SSN can pose. They implemented safeguards, compensating controls as we call them in the industry.
They put a prospective applicant through a rigorous, exhaustive knowledge gauntlet of intricate details only the proper holder of an SSN could possibly know.
Such unknowable details as:
- The person's birthday
- The last four digits of their phone number
- The person's zip code
- A previous address associated with the person
Items that certainly aren't available on social media or Internet search engines[6], or, heck, stolen from the same database that coughed up the Social Security Number in the first place.
Okay, so accept the facts. You're screwed. Your SSN is stolen. Certainly it's easy to change it? Right?? Right!?!?
Changing a Social Security Number
I've written in the past about credit card breaches. While that definitely isn't a good day at the office for anyone affected, at least a credit card can be cancelled. A new card can be issued, money can be refunded, and you can go on living your life.
Changing a Social Security Number? It requires, as they say, extenuating circumstances:
We can assign a different number only if:
- Sequential numbers assigned to members of the same family are causing problems.
- More than one person is assigned or using the same number.
- A victim of identity theft, who has attempted to fix problems resulting from the misuse but continues to be disadvantaged by using the original number.
- There is a situation of harassment, abuse or life endangerment.
- An individual has religious or cultural objections to certain numbers or digits in the original number. (We require written documentation in support of the objection from a religious group with which the number holder has an established relationship.)
I especially love the line about attempted to fix the problems resulting from misuse. Just how much misuse must an individual endure before finally being granted the right to change their Social Security Number? Again, think back to a password. If your password is stolen, it's a bad day, but you can change it!! Changing your Social Security Number apparently requires nine forms of ID and a sob story.
So we've clearly established that Social Security Numbers are used in a non-secure way by pretty critical systems, and that in the event of a breach, changing one is non-trivial. So what can we do about this? Frankly, it doesn't have to be this way. We can rebuild him. We have the technology. And barring that, like, maybe we can protect Social Security Numbers just a teensy bit better?
It doesn't have to be this way
Did you know that Mexico, and many Latin American countries, utilize digital certificates for tax declaration, receipts, and contract signing? While the system is far from perfect and has a few weak points, it's certainly a fair bit more advanced than using a 9-digit number, which is predictable from public data or can be guessed in less than 1000 attempts.
There's actually a bill - S.884 - Improving Digital Identity Act of 2023 which aims "To establish a Government-wide approach to improving digital identity." While it has been passed by the US Senate Homeland Security and Governmental Affairs Committee, it has not yet been taken up for a vote by the U.S. Senate. Wonder why they haven't voted on it? It's not like they have anything else going on right now...
What can I do?
Outside of a national effort to replace the SSN as we know it in society, there are steps you can take as an individual or as anyone who may come across SSNs or other sensitive personal information in your day job:
- Always think twice before handing over a Social Security Number. If on the phone, ask why they need it. If online, make sure the site has a legitimate reason for asking for this information.
- Always be wary of responding to any unsolicited communications with your SSN. Never give your SSN in response to an email, phone call, or text message.
For system administrators, software developers, database administrators, and other professionals who may have access to SSNs:
- If you don't need to store sensitive personal information, don't store it!
- If you do need to store sensitive personal information, by the briny beard of Neptune[7], encrypt it. Maybe use something like Format-Preserving Encryption. Or use tokenization. Or an approved cryptographic hash function.
- Always mask or use pseudonymisation of sensitive data in test and development environments.
- Always purge sensitive information when no longer required.
- Ensure that you follow the relevant privacy laws for the locality of the individual for which you are storing sensitive personal information. This includes data breach notification laws.
  - In the EU, this is the General Data Protection Regulation.
  - In the state of California, this is the California Consumer Privacy Act.
  - In other countries and/or states this is a hodgepodge of various laws and industry regulations.
- Maybe write your Senator or Congress Person and ask them to vote on S.884.
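An added example (not from the original post or any provider's system) of the storage advice above and of the earlier worry about an SSN serving as a cleartext primary key: accounts are keyed by a random surrogate ID, and the SSN is kept only as a keyed HMAC lookup index. It also shows why an unkeyed hash of a nine-digit number falls to enumeration; the table layout, function names, and sample SSN are assumptions.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Assumption: in production this key comes from a KMS/HSM, never from the database host.
INDEX_KEY = secrets.token_bytes(32)

def normalize(ssn: str) -> str:
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("expected nine digits")
    return digits

def blind_index(ssn: str, key: bytes = INDEX_KEY) -> str:
    # Keyed HMAC-SHA-256: allows equality lookup, cannot be enumerated without the key.
    return hmac.new(key, normalize(ssn).encode(), hashlib.sha256).hexdigest()

def unkeyed_hash(ssn: str) -> str:
    # Plain SHA-256 of the digits, shown only for comparison.
    return hashlib.sha256(normalize(ssn).encode()).hexdigest()

def open_store() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE account (account_id TEXT PRIMARY KEY,"
               " ssn_index TEXT UNIQUE NOT NULL, holder TEXT NOT NULL)")
    return db

def enroll(db: sqlite3.Connection, ssn: str, holder: str) -> str:
    account_id = secrets.token_urlsafe(16)  # random surrogate key, not derived from the SSN
    db.execute("INSERT INTO account VALUES (?, ?, ?)", (account_id, blind_index(ssn), holder))
    return account_id

def lookup(db: sqlite3.Connection, ssn: str):
    return db.execute("SELECT account_id, holder FROM account WHERE ssn_index = ?",
                      (blind_index(ssn),)).fetchone()

def enumerate_digest(digest: str, known_prefix: str):
    # With five digits known, only 10,000 candidates remain for an unkeyed hash.
    for serial in range(10_000):
        candidate = f"{known_prefix}{serial:04d}"
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None

if __name__ == "__main__":
    ssn = "000-12-3456"  # constructed sample; area 000 is never issued
    db = open_store()
    print(enroll(db, ssn, "Sample Holder"), lookup(db, "000123456"))
    print(enumerate_digest(unkeyed_hash(ssn), "00012"))  # recovered
    print(enumerate_digest(blind_index(ssn), "00012"))   # None
```

The keyed index only holds up while `INDEX_KEY` stays out of reach of whoever can read the table, so a database dump alone yields neither SSNs nor anything enumerable.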
Footnotes
[1] Not to toot my own horn, but for the 75th anniversary of the Bay Bridge, a light show was installed. I built the computer network that connected to the light arrays! It consisted of 20 Cisco IE-3000 switches. Very simple, but very, very cool.
[2] I once lived in Riverbend Apartments which is a plot setting (but definitely wasn't filmed there) in Catch Me If You Can.
[3] An erudite reader suggested that I note that "mash" is a more extreme southern version of "push" or "press."
[4] Okay, it's possible the SSN is being hashed. But highly, highly unlikely.
[5] As it turns out, the process to transfer IRA funds involves sending a check. Through the United States Postal Service. It's not like anyone has ever stolen a check out of the mail...
[6] If you know my full cell phone number, the very first result on Google will provide you with every place I've ever lived (including Riverbend), seven of my relatives, and my age (down to birth month). It's safe to say that any criminal that has acquired my SSN can easily find this info.
[7] We had to get a video game reference in here somewhere. This one is Final Fantasy V.