A radical identity solution – publish all SSNs and eliminate the ‘secret’
It’s time to eliminate the SSN façade. The solution to the problem of identity theft is a “cold turkey” one: publish all SSNs to ensure that no organization has the opportunity to suggest that their secrecy can be maintained. The Social Security Administration should pick a date 2-3 years in the future and announce that on that day it will publish the SSNs to the world.
The most obvious objection here is also the point: What about all the companies, and perhaps most importantly the Social Security Administration, that rely on the SSN as a secret? Won’t that really change the way they do business today? I sincerely hope not (because they should have stronger controls today), but I suspect so (because they don’t). There is a big difference (in controls) between the initial use of the SSN as validation of identity for a financial transaction (say, to get a credit card or purchase a car) and the ongoing relationship between an individual and an organization that retains the SSN.
The organizations currently using SSNs have other information available to them from their existing customer base – mutually-agreed upon “secrets” and transaction histories among others – and methods of “out-of-band” verification like sending verifying mail to the address-of-record. These techniques are more useful with the history of a relationship; often, setting up an account relies on information being provided by the consumer (or prospective fraudster).
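To make the controls just described concrete, here is an added Python example (not code from the original post): the SSN serves only as a lookup key to select an account, and proof of identity comes from a mutually agreed secret plus a single-use, time-limited code that the organization delivers out-of-band to the address-of-record. The account record, sample SSN, salt and server key are constructed values, and the function and class names are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional


def _hash_secret(secret: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a leaked customer database does not leak the agreed secret.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


_SALT = b"constructed-salt-acct-1001"  # constructed; use a random per-account salt in practice

# Constructed sample customer base. The SSN is stored only as a hash used to
# select the account; it is never compared as if it were a secret.
ACCOUNTS: Dict[str, dict] = {
    "acct-1001": {
        "ssn_hash": hashlib.sha256(b"123-45-6789").hexdigest(),  # constructed sample SSN
        "address_of_record": "1 Example St, Anytown",
        "secret_salt": _SALT,
        "secret_hash": _hash_secret("blue-violin-1998", _SALT),  # agreed at enrollment
    },
}


def find_account_by_ssn(ssn: str) -> Optional[str]:
    """Use the SSN as an identifier: it only tells us which account is meant."""
    digest = hashlib.sha256(ssn.encode()).hexdigest()
    for account_id, rec in ACCOUNTS.items():
        if hmac.compare_digest(rec["ssn_hash"], digest):
            return account_id
    return None


def check_shared_secret(account_id: str, submitted: str) -> bool:
    """First control: something mutually agreed between customer and organization."""
    rec = ACCOUNTS[account_id]
    return hmac.compare_digest(rec["secret_hash"], _hash_secret(submitted, rec["secret_salt"]))


class OutOfBandVerifier:
    """Second control: a single-use, time-limited code delivered out-of-band
    (for example mailed to the address-of-record). Only an HMAC of the code is
    stored, so a copy of the pending table does not yield usable codes."""

    def __init__(self, server_key: bytes, ttl_seconds: int = 600,
                 max_attempts: int = 3, clock: Callable[[], float] = time.time):
        self._key = server_key
        self._ttl = ttl_seconds
        self._max_attempts = max_attempts
        self._clock = clock  # injectable so expiry can be tested deterministically
        self._pending: Dict[str, dict] = {}

    def _mac(self, account_id: str, code: str) -> str:
        msg = f"{account_id}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def start(self, account_id: str, code: Optional[str] = None) -> str:
        """Issue a fresh code; the caller delivers it to the address-of-record.
        The optional `code` argument exists only so tests can be deterministic."""
        if code is None:
            code = f"{secrets.randbelow(10**8):08d}"
        self._pending[account_id] = {
            "mac": self._mac(account_id, code),
            "expires": self._clock() + self._ttl,
            "attempts": 0,
        }
        return code

    def verify(self, account_id: str, submitted_code: str) -> bool:
        """Accept the code once, within its lifetime, with a bounded number of guesses."""
        entry = self._pending.get(account_id)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[account_id]
            return False
        entry["attempts"] += 1
        ok = hmac.compare_digest(entry["mac"], self._mac(account_id, submitted_code))
        if ok or entry["attempts"] >= self._max_attempts:
            del self._pending[account_id]  # single use, or locked after too many guesses
        return ok


if __name__ == "__main__":
    verifier = OutOfBandVerifier(b"constructed-server-key")
    acct = find_account_by_ssn("123-45-6789")
    print("account:", acct)
    print("secret ok:", check_shared_secret(acct, "blue-violin-1998"))
    code = verifier.start(acct)  # in practice mailed out-of-band, not returned to the caller
    print("code accepted:", verifier.verify(acct, code))
    print("code reused:", verifier.verify(acct, code))
```

The design point is that knowing someone's SSN gets an attacker no further than naming the account: every accept decision rests on the agreed secret and on possession of the mailed code, and the code is bound to the account, expires, is consumed on first use, and locks after a handful of wrong guesses.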
A government mandate is the only way to build out a much stronger program for identity protection – one built on mathematics rather than on 150 thousand people keeping a secret. Otherwise, the laws for protecting the SSN will continue to grow in volume and complexity, organizations will continue to build in more controls, and we will continue to have our identities compromised.
“What’s your social?” How many times have you heard that question, from credit card companies, doctors’ offices, and just about every other type of organization? Perhaps you were confident that all these organizations are keeping your “social” completely confidential.
Security experts held a contest this month to show just how quick and effective Google hacking can be. During a technology security-industry meeting in Seattle, contestants using only Google for less than an hour turned up sensitive information — potentially useful for financial fraud — on about 25 million people. They dug up various combinations of people’s names, dates of birth, Social Security numbers, and credit-card information, including some card numbers apparently left exposed by the U.S. Department of Justice.
The big problem is that so many organizations collect too much such information and then don’t bother to secure it.
I think it would be most useful if some organization were to organize a reputation system that made it its business to discover which entities had the most such information visible via the Internet and findable via Google or Yahoo! Such an organization could report first to the affected entities, with a time limit before it would make the information public. I don’t know how potential liability would be handled in such a case, but once over that little hurdle, such an organization would be doing a great public service and could probably make a bundle advising organizations on what not to publish.
And of course the biggest identity leaks don’t come through web search engines, anyway. They come through companies mailing unencrypted tapes or keeping back data on disks that are then stolen.