Telecommunications firm T-Mobile confirmed final month that hackers gained entry to 54 million customers’ private information, together with names, addresses, dates of beginning and—maybe worst of all—social safety numbers. The latter are a giant rating for id thieves as a result of they can be utilized to unlock monetary companies, authorities advantages and personal medical data.
This is simply the most recent main information breach to show such figuring out data on an enormous scale, rendering tons of of tens of millions of Americans extra susceptible to id theft. To stem the issue, some specialists are calling for an finish to social safety numbers, suggesting we should always exchange them with another—and fewer inherently susceptible—method of proving one’s id. But safety specialists assume the federal government doesn’t want to completely dispose of them. Instead the organizations that use social safety numbers as proof of id should begin requiring greater than a single type of ID.
The Federal Trade Commission recorded 1.4 million experiences of id theft in 2020, and that yr such fraud value victims an estimated $56 billion, according to financial consulting firm Javelin Strategy & Research. Identity thieves would possibly use a wide range of data to impersonate people, however probably the greatest keys for accessing cash is the social safety quantity, or SSN. This string of 9 digits, which the federal authorities began issuing in 1936, was initially assigned to folks merely to find out their social safety advantages.
“It was not set up to be this universal, unique identifier,” explains Eva Velasquez, president and CEO of the Identity Theft Resource Center, a nonprofit group that helps victims of such crimes. But finally, the lifetime quantity grew to become a handy method for folks to use for bank cards, scholar loans, mortgages and different strains of credit score—amongst different companies. “Often [SSNs can be used to] get medical goods or services, and that includes prescriptions, durable medical equipment and things of that nature,” Velasquez says. “And then, of course, [they are used to apply for] government benefits: things like unemployment, SNAP [Supplemental Nutrition Assistance Program] benefits, aid to families with dependent children.” Access to such a variety of belongings makes the numbers a main goal for hackers.
With tens of tens of millions of SSNs now uncovered by information breaches, quite a lot of politicians and safety specialists have known as for firms to section out using these identifiers. In 2017 Rob Joyce, then cybersecurity coordinator on the White House and now director of cybersecurity on the National Security Agency, suggested replacing the social security number with a harder-to-crack possibility: a for much longer string of characters generally known as a cryptographic key. But any lone quantity, whether or not it has 9 digits or 100, may nonetheless be stolen from a repository and shared on-line. “As soon as you develop or create another static, unique identifier, it’s just going to be another number that you issue to everyone,” Velasquez says. “Then that becomes valuable to the thief, so they will target the systems that have that data.”
Modern expertise has enabled different methods to confirm id: A password supervisor can generate a protracted, hard-to-guess password for every account, and this kind of program usually makes it simple to alter these passwords within the occasion of a knowledge breach. A USB key could be plugged into a pc to authenticate its proprietor. Biometric data, equivalent to a fingerprint or face, could be scanned by a smartphone. But specialists don’t suggest changing the social safety quantity with any certainly one of these strategies alone; probably the most safe possibility is to guard id with a number of elements. “Instead of focusing our security risks on this single data point, we need to develop these more holistic and multilayered approaches to identity management,” Velasquez says. “So if any one or two elements of that identity are compromised, it doesn’t compromise the entire identity.”
The observe of proving one’s id by offering a truth one is aware of, equivalent to a social safety quantity, known as knowledge-based authentication, or KBA. And this can be very susceptible to hackers as a result of all they should impersonate somebody is to steal that exact tidbit of information, explains Rachel Tobac, an moral hacker and CEO of SocialProof Security, a corporation that helps firms spot potential vulnerabilities to cyberattacks. “For instance, it can be solicited out of you and stolen by a social engineer. It can be involved in a breach and dumped publicly online when a company that you trust with your KBA … [is] hit with a cyberattack,” she says. Some varieties of KBA, equivalent to birthdays or moms’ maiden names, could even seem on social media for anybody to search out. Technically, a password is one other type of KBA, Tobac provides—but when a password is stolen, it may be reset. “I can’t just go ahead and change my birthday, my social security number, my address every time a Web site or an institution that I trust with that information has a cybersecurity incident,” she factors out.
For efficient multifactor authentication, or MFA, it isn’t sufficient to easily require two or extra items of information. After all, breaches just like the current one at T-Mobile launch a wide range of information about every sufferer. Instead, Tobac says, the opposite elements ought to come from a special supply: one thing you have or one thing you are. The former class would possibly embrace a bodily USB key or a even a telephone, which might obtain a textual content message with a novel one-time code. The latter class encompasses bodily traits, which could be measured by biometric scans. For occasion, a multifactor authentication course of would possibly require an individual to enter their social safety quantity and observe up with a code phrase texted to their telephone. Another model would possibly contain them coming into a password after which scanning their fingerprint.
Not even multifactor authentication gives good safety, although. A decided hacker would possibly use a SIM-swapping approach to switch your telephone quantity to a different system, permitting them to intercept the textual content message that was supposed to supply a second layer of safety. A biometric scan can be fooled. But by requiring a number of types of authentication, a system creates much more friction for malicious actors. “I can’t sit here and tell you that this method is going to be 100 percent fail-safe,” Tobac says. “But for most people, with most threat models, it’s going to stop the attackers.”
Despite its energy, multifactor authentication is much from being universally required. Some credit score bureaus, buyer help hotlines, authorities accounts and different companies proceed to depend on easy knowledge-based authentication equivalent to a social safety quantity. But the safer strategy is step by step rising in popularity. “We’re already on that track. We’re seeing movement in that direction,” Velasquez says, declaring that the U.S. federal authorities, monetary trade and tech firms are starting to require a number of layers of authentication. Tobac agrees. “I can see that the wheels are turning. They’re not turning fast enough, but they are turning,” she says. “And I think we have to continue to put pressure on the companies that we all rely on to protect our data, our security, our privacy, to move from KBA to MFA flow.”