I’ve always said ID theft is basically a marketing ploy. We stick with an outdated system that hurts people all so cashiers can try to upsell credit cards (“Do you want to save 20% today?”). And I’ve often said one of the best things that could happen would be publication of all SSNs, to once and for all end the fantasy that the number is some kind of secret. Today The New York Times let me say that. Here’s an abstract of my just-published New York Times op-ed. Click the image above to read the whole piece.
Back when ID theft was mainly credit card fraud and a 100,000-record leak was a big deal — the good old days, around 2004 — my hacker friends and I would sit around and brainstorm ways to slow down the “fastest growing crime of the century.” One came up again and again: Someone should steal the entire database of Social Security numbers and publish it online somewhere. (No one tried, that would be a crime!) Why do something so crazy? Once and for all, it would eliminate the fantasy that an SSN is both a unique identifier and a secret to be used as an authenticator.
America’s identification system relies on the fantasy that an SSN is a secret. Publication of the full SSN list would shatter that fantasy, and force the banking industry to invent new and genuinely effective ways to protect consumers from identity thieves.
It seems that’s finally occurred. Equifax is being terribly, dangerously vague about its stunning loss of “potentially” 143 million Social Security numbers. The data “outs” roughly three-quarters of Americans with a credit report. Might as well be everyone.
Whatever the firm finally cops to, this much is certain: Social Security numbers are no longer a secret.
This Equifax hack could, and should, be another Target moment. It should spur industry into action and upgrade. No one technology is going to replace SSNs as an identifier and a secret, and that’s a good thing. There is security in diversity.
Whatever the fallout from Equifax, it should be clear, finally, that SSNs were never designed to be a security tool, and their usefulness for that purpose has run its course. Just publish the whole list and be done with it. Then, get on to the business of keeping our secrets a secret.
If you’ve read this far, perhaps you’d like to support what I do. That’s easy. Buy something from my NEW LIBRARY AND E-COMMERCE PAGE, click on an advertisement, or just share the story.