The Equifax breach compromised the personal data of as many as 143 million Americans. Among the data exposed: Social Security numbers.
Criminals can use your Social Security number to steal your identity. They can open bank accounts and credit cards or apply for a loan. Hackers can also get ahold of your tax refund or get medical treatment under your name.
In recent years, SSNs were exposed when fraudsters hacked the U.S. Postal Service, a hospital network and Anthem health insurance.
The data breaches beg the question: Why are we still using Social Security numbers to identify ourselves?
Social Security numbers were first issued in 1936 — “for the sole purpose” of tracking the earnings history of workers for benefits, according to the Social Security Administration.
Until 1972, the bottom of the card said: “FOR SOCIAL SECURITY PURPOSES — NOT FOR IDENTIFICATION.”
But Social Security numbers have since become a key method of ID.
“It was the one unique piece of information that would identify every consumer individually,” Neal O’Farrell, executive director of the Identity Theft Council, told CNN Tech.
So if not Social Security numbers, what are the alternatives?
A national identification number is one idea that’s been floated. However, this would be a huge undertaking for the U.S. government — and that number could get hacked as well, according to experts.
“It doesn’t matter if it’s a new Social Security number or a new national identification system — whatever that identifier is, it’s still going to be the thing that attackers are going after,” said Russel Van Tuyl, managing consultant of security assessments at Sword & Shield Enterprise Security.
Biometric identifiers — such as fingerprints, iris scans, voice and facial recognition — are potential alternatives. The technology has become more mainstream in recent years: We regularly use our fingerprints to unlock our smartphones. Meanwhile, iris scans and facial recognition are also available on some phones, and many consumers talk to voice assistants like Alexa and Siri.
“Biometrics is much more viable than it was five to 10 years ago because of mobile,” said Justin Oberman, a former Transportation Security Administration executive and former VP of identity strategy at SureID.
“If everyone was using fingerprints, no one would care about Social Security numbers anymore … [But] all of this is going to take time,” he said.
Some companies — and countries — are already using biometrics like voice for identification.
For example, the global bank HSBC launched a security technology called Voice ID last year. Customers who use banking services over the phone can register their voice with the company. The technology analyzes more than 100 behavioral and physical voice characteristics to identify and authenticate the customer. It’s available in English, Spanish, Cantonese and Mandarin.
Meanwhile, Australia’s Department of Human Services and Taxation Office allows people to create a “voiceprint” to identify themselves when they call. The U.K.’s tax and customs authority also introduced tech this year that recognizes a person’s voice over the phone.
But a disadvantage of biometrics is that if this information is compromised, you can’t replace it.
“If someone hacks your account and takes your password or username, you can just get rid of it and get another one. You can’t do that with your finger or your eyeball,” Van Tuyl said.
And you can also get a new Social Security number — if you can prove you’re being harassed, being abused or in grave danger, or that someone stole your number and is using it.
Although you can’t replace your biometrics, sophisticated tech called “anti-spoofing” can detect whether someone is using them fraudulently, such as playing a computer simulation of your voice, according to Brett Beranek, director of strategy and go-to-market for biometrics and security at Nuance.
For its part, HSBC said its Voice ID technology is advanced enough to determine if someone is pretending to be you or playing a recording. It can also recognize your voice even if you are sick or have a sore throat.
As for whether we should get rid of the Social Security number as a form of ID, Beranek said: “The number can stay, but we shouldn’t rely on it to prove who you are. … You should just assume anybody could have that number.”