October 20, 2017

Too many SSNs floating around

In terms of impact, the OPM data breach involving security clearance information is almost certainly the most severe data breach in American history. The media has focused too much on social security numbers in its reporting, but is slowly starting to understand the bigger issues for anyone who has a clearance, or is a relative or neighbor or friend of someone with a clearance.

But the news got me thinking about the issue of SSNs, and how widespread they are. The risks of SSNs as both authentication and identifier are well known, and over the past decade, many organizations have tried to reduce their use of and reliance on SSNs, to minimize the damage done if (or maybe I should say “when”) a breach occurs.

In this blog post, I’m going to describe three recent cases involving SSNs that happened to me, and draw some lessons.

Like many suburbanites, I belong to Costco (a warehouse shopping club ideal for buying industrial quantities of toilet paper and guacamole, for those not familiar with the chain). A few months ago I lost my Costco membership card, so I went to get a new one, as a card is required for shopping in the store. The clerk looked up my driver’s license number (DL#) and couldn’t find me in the system; searching by address found me – but with my SSN as my DL#. When Costco first opened in my area, SSNs were still in use as DL#s, and so even though my DL# changed 20 years ago, Costco had no reason to know that, and still had my SSN. Hence, if there were a Costco breach, it’s quite possible that in addition to my name & address, an attacker would also get my SSN, along with some unknown number of other SSNs from long-term members. Does Costco even know that they have SSNs in their systems? Perhaps not, unless their IT staff includes old-timers!

A recent doctor’s visit had a similar result. The forms I was asked to fill out asked for my insurance ID (but not my SSN), however the receipt helpfully provided at the end of my visit included my SSN, which I had provided the first time I saw that doctor 25 years ago. Does the doctor know that his systems still have SSNs for countless patients?

Last fall I did a TV interview; because of my schedule, the interview was taped in my home, and the cameraman’s equipment accidentally did some minor damage to my house (*). In order to collect payment for the damage, the TV station insisted on having my SSN for a tax form 1099 (**), which they helpfully suggested I email in. I had to make a decision – should I email it, send it via US mail, or forgo the $200 payment? (Ultimately I sent it via US mail; whether they then copied it down and emailed it, I have no idea.) I got the check – but I suspect my SSN is permanently in the TV station’s records, and most likely accessible to far too many people.

These cases got me thinking about where else my SSN is floating around, perhaps in organizations that don’t even realize they have SSNs that need to be protected. The grocery store probably got my DL# decades ago when it was still my SSN so I could get a check cashing card, and that number is probably still on file somewhere even though I haven’t written a check in a grocery store for 10 or 20 years. The car dealer that sold me my car five years ago has my SSN as part of the paperwork to file for a title with the Department of Motor Vehicles, even if they don’t have it from my DL#. Did they destroy their copy once they sent the paperwork to DMV? I’m not betting on it. I cosigned an apartment lease for my daughter close to 10 years ago, before she had her own credit history, and that required my SSN, which is probably still in their files. I met a sales person 20 years ago who had his SSN on his business card, to make it easier for his customers in the classified world to look him up and verify his clearance. (I probably have his business card somewhere, but luckily for him I’m not very organized so I can’t find it.) Many potential employers require an SSN as part of a job application; who knows how many of those records are floating around. Luckily, many of these files are paper records in a file cabinet, and so mass breaches are unlikely, but it’s hard to know. Did any of them scan all of their old files and post them on a file server, before destroying the paper copies?

As many people have suggested, it’s time to permanently retire SSNs as an authenticator, and make them just an identifier. Unfortunately, that’s much easier said than done. Todd Davis, CEO of Lifelock, famously put his SSN on his company’s advertising, and was then the victim of identity theft. We all know that the “last four” of your SSN has become a less intrusive (and even less secure!) substitute authenticator.

So what should we do? If you’re a CIO or in a corporate IT department, think about all the places where SSNs may be hiding. They’re not always obvious, like personnel records, but may be in legacy systems that have never been cleaned up, as is probably the case for Costco and my doctor. And once you get finished with your electronic records, think about where they’re hiding in paper records. Those are certainly lower risk for a bulk theft, but they’re at some risk of insider theft. Can the old (paper) records simply get shredded? Does it really matter if you have records of who applied for a job or a check cashing card 15 years ago?
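Finding SSNs that are hiding in legacy fields (a driver’s license column that was really an SSN, a free-text notes field) is mostly a data-inventory problem. The script below is an example added to this page, not code from the post’s author: it scans a small constructed set of membership-style records for nine-digit values laid out like an SSN, drops candidates that the Social Security Administration never issues (area 000, 666 or 900–999, group 00, serial 0000), and reports each hit with the record and field it came from, showing only the last four digits. The record layout and the `member_id` key are assumptions for the sample; a real inventory would run the same logic over database exports or scanned-document text.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Candidate: nine digits laid out as 3-2-4, with optional dash or space
# separators. The lookarounds stop matches inside longer digit runs
# (10-digit phone numbers, 16-digit card numbers), which cuts noise.
SSN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules from the SSA's published numbering scheme.

    Area 000, 666 and 900-999 are never issued; group 00 and serial 0000
    are never issued. This is a format check only: a value that passes
    may still be a nine-digit account number, so findings need review.
    """
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


@dataclass
class Finding:
    record: str   # identifier of the record the value was found in
    field: str    # column / field name
    masked: str   # last four only, e.g. "***-**-6789"


def scan_records(records: list[dict], id_field: str = "member_id") -> list[Finding]:
    """Scan every non-id field of every record for plausible SSNs."""
    findings: list[Finding] = []
    for rec in records:
        rec_id = str(rec.get(id_field, "<no id>"))
        for field, value in rec.items():
            if field == id_field or value is None:
                continue
            for m in SSN_CANDIDATE.finditer(str(value)):
                area, group, serial = m.groups()
                if is_plausible_ssn(area, group, serial):
                    findings.append(Finding(rec_id, field, f"***-**-{serial}"))
    return findings


# Constructed sample data (hypothetical members, not real records). It mimics a
# legacy membership table where an old driver's-license column still holds an
# SSN, and where a notes field carries one in free text.
SAMPLE_RECORDS = [
    {"member_id": "M-1001", "name": "A. Member", "dl_number": "123-45-6789",
     "phone": "555-123-4567"},
    {"member_id": "M-1002", "name": "B. Member", "dl_number": "D1234567",
     "phone": "555-987-6543"},
    {"member_id": "M-1003", "name": "C. Member",
     "notes": "old check-cashing card; id on file 321654987"},
    # area 000 is never issued, so this is rejected by the format check
    {"member_id": "M-1004", "name": "D. Member", "dl_number": "000-12-3456"},
    # date and a 10-digit invoice number: neither should match
    {"member_id": "M-1005", "name": "E. Member",
     "notes": "ref 2015-10-2017 invoice 1234567890"},
]


def summarize(records: list[dict]) -> dict[str, int]:
    """Count findings per field name: which columns need cleanup first."""
    counts: dict[str, int] = {}
    for f in scan_records(records):
        counts[f.field] = counts.get(f.field, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f.record:8} {f.field:10} {f.masked}")
    print(summarize(SAMPLE_RECORDS))
```

The per-field summary is the useful output for a cleanup project: it tells you which legacy columns actually carry SSNs, so the decision (purge, truncate to last four, or move behind proper access control) can be made per column rather than per record. Because only the last four digits are ever printed, the scan report itself does not become another copy of the data it is trying to find.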

I’m not optimistic, but I’ll keep my eyes open for other places where SSNs are still hiding, but shouldn’t be.

(*) Since you insist: one of the high intensity lights blew up, and the glass went flying, narrowly missing the producer. Two pieces melted into the carpet, ruining small sections. The staff were very apologetic, and there was no argument about their obligation to reimburse me for the damage. The bigger damage was that I spent an hour being interviewed on camera, and they used about 10 seconds in the TV piece.

(**) Yes, I know they shouldn’t need an SSN for reimbursement, but I unsuccessfully tilted at that windmill.

Comments

  1. Having changed telephone services recently, I’ve been reminded that all the wireless carriers demand SSNs to open a new account, but the landline carriers do not.

    In fact, my first wireless carrier (now defunct) assured me that my SSN would be used only to run a credit check. Then they issued me an account number that included six consecutive digits from my SSN. Coincidence? Maybe.

    • Jeremy Epstein says:

      Great point. When I moved 12 years ago, the gas company wanted my SSN to run a credit check. I suggested that the fact I had paid my bill on time for the previous 16 years should be adequate. I was put on hold for a while, and when I came back the person withdrew the demand for my SSN. Whether they found it lying around somewhere and ran the credit check without my permission, or if they decided my argument was reasonable, is another question.

      And yes, wireless carriers do demand an SSN, for reasons that are unclear to me.

  2. Julian Bond says:

    It’s time to stop this madness of expecting SSNs to be secret and knowledge of them to be an authentication proof. Just as with things like Bank account numbers or Passport numbers, it should identify you but not authenticate you. This always was broken, but the OPM breach means that it’s broken for a significant portion of the US population. Like 50% or higher.

    So what’s it going to take to fix all the systems that still treat this information as an authentication secret? Because that’s the real problem. Perhaps instead of the gov offering free ID theft monitoring and insurance to some of the people affected, they should support lawsuits against the systems that facilitate that ID theft. So if somebody uses OPM data to get access to your bank account, make the bank pay for having a broken, inadequate system.

  3. David Bernholdt says:

    I just changed insurance companies, for the first time in more than 20 years. I didn’t want to give my SSN initially, and the quote came back way higher than I expected. Giving my SSN and thereby allowing them to check my credit lowered my homeowners insurance by 50%! (I didn’t bother checking the difference for auto.) In this case, I can’t afford _not_ to give my SSN. Although it is not clear to me why my credit history should be related to my insurance risk, the insurance company clearly believes there is a correlation.

    On the other hand, my wife (a university professor) has recently successfully fought two different institutions that insisted they had to have her SSN for an accountable travel reimbursement (not an honorarium or anything to do with a 1099). It took literally several months of insisting to progressively higher levels of bureaucrats that they really didn’t need it. Basically, it was a field on their forms, and everyone was simply insisting it had to be filled in, without question. In one case, she held a tenure review for one of the institution’s faculty hostage, which motivated the department chair to get it resolved.

  4. Chris Adams says:

    Lately I’ve been wondering what legal options exist to hold companies liable for negligence if they use SSNs for authentication. I don’t see any way to get companies to spend time changing their practices until there’s a perceived cost which presumably a regulator or lawsuit could provide.

    • Jeremy Epstein says:

      I agree – where liability does not mean “we pay for a credit monitoring service” in case of a breach. The use of an SSN as an authenticator should be prima facie evidence of risk.

  5. Tom Pendleton says:

    Of course we also have to remember that nearly every educational organization in the country used SSNs as student ID numbers, and how many of those old records are still lying around?

    Further, most modern copiers which also function as system printers have hard drives in them that contain an image of EVERY page printed…. How many of those hard drives are removed and properly disposed of at the end of the lease or end of service life?

    And why are there so few digits in a number as important as the SSN, while software packages have unlock codes up to 35 characters long?

    Think about it!

    • Jeremy Epstein says:

      Great point, Tom. In the early 1990s, I remember a conversation with a professor (of computer security, no less!) who announced that for privacy reasons he would post grades on his office door using SSNs rather than names! I suggested this wasn’t a good idea, and he agreed with my explanation, and stopped doing that. However, it was the norm when I was an undergraduate in the 1970s.

      As for your last point, why there are so few digits in an SSN, I suspect it was a tradeoff between memorability and uniqueness in 1936 when they were “invented”. Would you want to write down a 35 character code on forms? I suspect there would be a lot more errors and rework! There’s an interesting article about the history at http://www.ssa.gov/policy/docs/ssb/v69n2/v69n2p55.html

      • Why write it? I haven’t in many years. A very few online gov’t forms get the cut and paste treatment. Only special occasions get it out of its hiding place to use. Of course I still remember my US Army S/N — we had to bark it out enough (that was ’67-’69).

        I like some of the European identity cards. Encrypted electronic data, three factor identification, PCs with card slots, etc. US security is waaaaaay behind. We have driver’s licenses, some with Star ID, as a very much de facto ID necessary for voting, cashing checks, etc. Why not a national ID system which could preclude having the doc’s office make a copy of my Medicare card on one of the aforementioned copiers?