With 40 million people having their SSN exposed during the T-Mobile hack, it's time to reconsider the usefulness of the Social Security number.
It has been a tough week for news, with a series of negative headlines on everything from a COVID resurgence to Afghanistan. In what might have been a more prominent story, mobile phone carrier T-Mobile acknowledged that nearly 50 million customers had personal data stolen, with more than 40 million customers having their name, address and Social Security numbers among the pilfered data.
The unwitting key to the kingdom
Social Security numbers were initially intended to track individual accounts in the Social Security program, which is essentially a U.S. government-managed retirement program. Intriguingly, some of the early resistance to the Social Security scheme was due to the concern that the numbers would become a national identification number of sorts, and various rules were implemented to assuage these concerns. However, as most U.S. citizens and residents know, the SSN has indeed become a de facto identification number, and is required for everything from filing taxes to opening a bank account to getting mobile phone service.
From a technology perspective, a globally unique identification number is certainly beneficial, for example, allowing a company to quickly verify that an individual customer has credit by sharing an SSN with a credit bureau. This ease of information exchange about individuals made the SSN a necessary component of engaging in commerce, and the ease of exchanging data on individuals cemented its use as a key, both technically and literally, to accessing an individual's financial life.
This has made the SSN a valuable tool for identity thieves and other nefarious actors, to the point that traditional bank robberies have been declining while cybercrime and identity theft are on the rise. You don't have to be a criminal mastermind to see the obvious benefit of sitting in a comfortable chair with a mobile phone, laptop and a bit of charm, and using stolen Social Security numbers to pilfer cash without putting yourself or others in any physical danger.
With the Social Security number, we've created a universal key to millions of people's assets, and one that we've become so reliant on that it's the equivalent of keeping bank vault combinations on a post-it note near the vault and being shocked when money goes missing.
Throw away the key
Replacing the SSN with a more secure mechanism may seem like an intractable problem best left to politicians; however, companies that lose customer data are legitimately subject to harsh financial penalties. It's likely that the average company cannot ward off a sophisticated cyberattack, so rather than investing solely in security, why not get rid of the asset that's most likely to be stolen and eliminate your storage of Social Security numbers?
The obvious challenge to not requesting, gathering or storing SSNs is that they're used as a proxy for identification and access to financial information. However, other industries have solved this problem effectively and elegantly. Whenever I am required to verify my employment and salary, I can complete a simple online form specifying the data I want to share, and I'm instantly provided with a one-time key that I provide to someone to allow them to access my employment data for a limited period of time.
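The one-time key described above can be sketched as follows. This is an added example, not code from the article or from any verification service; the `GrantStore` class, the field names and the sample record are hypothetical and constructed for illustration. It shows the three properties that make such a key safer to hand out than an SSN: it releases only the fields the person selected, it expires, and it works once.

```python
import hashlib
import secrets
import time

# Constructed sample record; subject id and field names are illustrative.
RECORDS = {
    "emp-1001": {"employer": "Example Corp", "title": "Analyst",
                 "salary": 85000, "start_date": "2018-03-01"},
}


class GrantStore:
    """Issues one-time, field-scoped, expiring keys for a subject's record."""

    def __init__(self, records, clock=time.time):
        self._records = records
        self._clock = clock          # injectable so expiry can be tested
        self._grants = {}            # sha256(key) -> (subject, fields, expires_at)

    @staticmethod
    def _digest(key):
        return hashlib.sha256(key.encode()).hexdigest()

    def issue(self, subject, fields, ttl_seconds):
        record = self._records[subject]
        unknown = set(fields) - set(record)
        if unknown:
            raise ValueError(f"unknown fields: {sorted(unknown)}")
        key = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        # Store only the digest, so a dump of the store yields no usable keys.
        self._grants[self._digest(key)] = (
            subject, tuple(fields), self._clock() + ttl_seconds)
        return key

    def redeem(self, key):
        # pop() consumes the grant: a key is single-use even if it has expired.
        grant = self._grants.pop(self._digest(key), None)
        if grant is None:
            return None
        subject, fields, expires_at = grant
        if self._clock() >= expires_at:
            return None
        record = self._records[subject]
        # Release only the fields the subject chose to share.
        return {name: record[name] for name in fields}
```

Unlike an SSN, a leaked key of this kind exposes at most the selected fields, and only until it is redeemed or expires.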
The SSN is a bug, not a feature
Most individuals who engage in the United States' economic life have received the dreaded letter that their personal information has been stolen and that they are being provided "identity protection services" from whatever organization exposed their information through some combination of incompetence or bad luck. Your customers are likely frustrated and perhaps have been put through the wringer of resolving an identity theft due to one of these incidents.
Why not turn that frustration into a differentiator by telling your customers you're deleting all references to their SSN in your systems and are using a more secure method to identify and access their data? Make a show of the fact that you understand their concerns, and have created new tools and business processes to avoid storing and potentially losing the key to their financial kingdom. Rather than more marketing-speak about how much you care about your customers, put that purported care into action by avoiding data loss in the first place.
Not only might these strategies attract and retain customers, but they could ultimately reduce your costs should a breach occur, and perhaps even reduce your cybersecurity spending. After all, you don't need Fort Knox if you have nothing of value to steal.