On Equifax, and the Futility of Authentication via Social Security Numbers

Equifax, one of the three major credit bureaus of the United States, recently announced that its systems had been breached in a colossal way. The net result is that the Social Security Numbers (SSNs) of 143 million U.S. citizens have been stolen.

Until we know the exact details of the breach, it is a reasonable assumption that if you have an established credit history, anyone who wants to obtain your SSN and is willing to pay for it can now do so.

This breach was possible due to a failure by Equifax to patch a well-known security vulnerability in the software stack used by some of their systems. You can assign well-deserved blame all day, but it was only a matter of time (not a matter of if) before something of this scale occurred. If not by Equifax, then by someone else: there are so many copies of your SSN floating around in the various lists used by banks, credit card companies, loan providers, state and local governments, payroll processing companies, tax return services, and so on, that it is truly baffling that we continue to use the SSN as a form of authentication.

In other words, to this day, knowledge of someone's SSN (plus a few other semi-permanent details, most of which were also stolen) is sufficient to prove to a credit provider that you are you!

A while back I wrote a post about implementing a Federal ID system that includes a randomly generated public key as part of the necessary information needed to prove your identity. At the time, much of the focus was on creating a strong system to prevent voter fraud, but that ID system would also make a breach like Equifax’s no more than a minor hassle for most people, rather than the permanent risk of their identity being stolen and wrecked that it is now.

Such a system would not have to be implemented exactly as I described, but if we want to mitigate the effects of the Equifax breach, future identity authentication systems must require two types of information:

  1. Static information, such as your SSN and physical address
  2. Ephemeral information, such as a randomly generated number/key/PIN that can be replaced at any time by the user, but requires physical proof of the user’s identity in order to do so

The ephemeral information should be centrally managed (whether public or private is another discussion) and implemented as part of a system that serves no other function than being a broker between you and another party attempting to verify your identity.
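To make the two-class scheme concrete, here is an added example (my own illustration, not code from the original post) of a minimal identity broker that stores only static details plus a salted hash of a user-replaceable token, verifies both classes together, and permits token rotation only when the caller asserts that physical proof of identity was checked. All names (`IdentityBroker`, `enroll`, `verify`, `rotate`, `physical_proof_verified`) and the sample SSN and address are constructed for this example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class IdentityRecord:
    # Static information: the semi-permanent details that leak in breaches.
    ssn: str
    address: str
    # Ephemeral information: only a salted, stretched hash of the current
    # token is stored, so a breach of the broker does not leak usable tokens.
    salt: bytes
    token_hash: bytes


def _hash_token(token: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 makes a stolen hash expensive to brute-force.
    return hashlib.pbkdf2_hmac("sha256", token.encode(), salt, 100_000)


class IdentityBroker:
    """Hypothetical broker whose only job is to confirm identity claims."""

    def __init__(self) -> None:
        self._records: dict[str, IdentityRecord] = {}

    def enroll(self, person_id: str, ssn: str, address: str) -> str:
        """Register a person and hand back a fresh ephemeral token."""
        token = secrets.token_hex(16)
        salt = secrets.token_bytes(16)
        self._records[person_id] = IdentityRecord(
            ssn, address, salt, _hash_token(token, salt)
        )
        return token

    def verify(self, person_id: str, ssn: str, address: str, token: str) -> bool:
        """A relying party asks whether static AND ephemeral facts both match."""
        rec = self._records.get(person_id)
        if rec is None:
            return False
        static_ok = hmac.compare_digest(rec.ssn.encode(), ssn.encode()) and \
            hmac.compare_digest(rec.address.encode(), address.encode())
        ephemeral_ok = hmac.compare_digest(
            rec.token_hash, _hash_token(token, rec.salt)
        )
        # Both classes must match: knowing the SSN alone is never sufficient.
        return static_ok and ephemeral_ok

    def rotate(self, person_id: str, physical_proof_verified: bool) -> str:
        """Replace the token; allowed only after in-person proof of identity."""
        if not physical_proof_verified:
            raise PermissionError("token rotation requires physical proof of identity")
        rec = self._records[person_id]
        token = secrets.token_hex(16)
        rec.salt = secrets.token_bytes(16)
        rec.token_hash = _hash_token(token, rec.salt)
        return token


def breach_scenario() -> dict[str, bool]:
    """Constructed walkthrough: the static data leaks, the token does not."""
    broker = IdentityBroker()
    ssn, address = "000-00-0000", "1 Example St"  # constructed sample values
    token = broker.enroll("alice", ssn, address)
    # Someone holding only the leaked static data cannot pass verification.
    leaked_static_only = broker.verify("alice", ssn, address, "guess")
    # Alice, holding both classes of information, can.
    legitimate = broker.verify("alice", ssn, address, token)
    # After the breach Alice rotates the token in person; the old one is dead.
    new_token = broker.rotate("alice", physical_proof_verified=True)
    old_after = broker.verify("alice", ssn, address, token)
    new_after = broker.verify("alice", ssn, address, new_token)
    return {
        "leaked_static_only": leaked_static_only,
        "legitimate": legitimate,
        "old_token_after_rotation": old_after,
        "new_token_after_rotation": new_after,
    }


if __name__ == "__main__":
    for name, outcome in breach_scenario().items():
        print(f"{name}: {outcome}")
```

The design point is that the broker's stored state is itself low-value: the static fields are already assumed compromised, and the token is kept only as a salted hash, so a breach of the broker turns into a mass re-enrollment rather than a permanent loss. Whether the `physical_proof_verified` check is backed by a counter visit, a notarized form, or something else is a policy decision outside the code.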

We can’t continue to do important security with static information alone!
