To an identity thief, somebody else’s Social Security number is money in the bank. These nine digits unlock a world of phony credit and create a huge hassle for the poor person who actually holds that number. “The SSN remains the key that opens your life,” says Ed Mierzwinski, consumer advocate at U.S.-PIRG. “It’s the easiest way for a bad guy to pretend to be you.” So why are banks still using SSNs as a major form of customer identification?
According to a recent study by Javelin Strategy & Research, 70 percent of the biggest credit card issuers in the U.S. use them in at least some cases as a way to verify a customer’s identity when he or she contacts the company. “It’s easy and they haven’t changed their systems,” says Phil Blank, the study’s author and head security and risk analyst at Javelin. “My guess is they’d tell you they’ve done it this way for years.” Plus, financial institutions collect your Social Security number when you fill out a credit card application (or open a bank account), so they already have the numbers on hand.
In a pre-PC era, using SSNs might not have been such a risk, says Mierzwinski. But today, it’s simply too easy for a cybercrook to track down those numbers, and data breaches like the recent one at Citi’s credit card unit that led to $2.7 million in fraudulent charges prove that even big financial institutions aren’t immune from the work of motivated hackers. Mierzwinski blasts banks for potentially putting consumers’ most valuable personal identifier at risk for the sake of convenience.
“Consumers should not presume that their bank is protecting their Social Security number adequately,” he says. “It may be available for hacking and some banks may be inappropriately using it as a password verification.” Think about it: a cache of Social Security numbers, especially if they were connected to other personal or financial information, would be a veritable treasure trove for cybercrooks.
Even if the bank’s digital security is rock-solid, though, using your Social Security number to identify you makes that information vulnerable. Think about how many times you’ve been asked by a customer service employee at your credit card company to recite all or part of your number. That’s a lot of people who now know your number, along with your name and address. “Just exposing it to the customer service rep, that’s a weakness in itself,” says Tim Rohrbaugh, vice president of information security at Intersections, a risk management company for the financial services industry. “By introducing another pair of eyes being able to view that data, that in and of itself is an unnecessary weakness.”
Unfortunately, it’s not much safer for financial institutions to use truncated versions of customers’ SSNs. The last four digits are the hardest for thieves to guess, so that’s the part of the number they really want anyway. The Social Security Administration only began randomizing the first part of SSNs last week; for anyone issued their number prior to that, the agency used a combination of where and when you were born to generate the first three and middle two numbers. “It makes it very easy for people to guess what the Social Security number is,” says Rohrbaugh. Especially with the proliferation of social media, it’s gotten much easier to figure out where someone is from and how old they are.
Social media is also to blame for another wrinkle in the process of correctly identifying credit cardholders and weeding out would-be fraudsters. Issuers used to use security questions like, “When did you graduate high school?” or “What’s your pet’s name?” to try to verify that a customer was who he or she claimed to be. Now, that sort of data is available to anyone with a Facebook account and a few free minutes. So banks are beginning to ask trickier questions, like which bank you got your last auto loan from and how much your mortgage payment is. These kinds of questions, while not foolproof, do a better job of stumping identity thieves.
Javelin’s Blank says there’s no good reason for card-issuing banks to use Social Security numbers at all as a means of authenticating cardholders’ identity. “There can be out-of-band signaling, where they might send a text to a preregistered phone number they have with a temporary code. They can do voice authentication. There are lots of other ways they could do this,” he says.
The Federal Trade Commission, which produced a report on this topic in 2008, has a similar viewpoint about the use of SSNs. “It has a lot of beneficial uses because it’s unique and ubiquitous. As an authenticator, that’s where problems start,” says Rebecca Kuehn, assistant director in the FTC’s division of privacy and identity protection. “If it’s the thing that’s used to prove you are you, it can contribute to or lead to identity theft,” she says.
But all this may be changing. Earlier this year, the agency testified in front of a Congressional subcommittee about the problem and recommended legislation (not limited to the financial services industry) to limit over-reliance on Social Security numbers.