Last week, the White House announced $9 million in funding for five pilot projects as part of its National Strategy for Trusted Identities in Cyberspace initiative, a federal effort to establish a secure, universal online identity ecosystem led by the private sector.

Critics say any kind of top-down identification system would be a security risk and an encroachment on civil rights. But the fact is that the United States already has a universal ID: the unique nine-digit number issued to US citizens and residents by the Social Security Administration, which has turned out to be no less than a gift to identity thieves. While Social Security numbers work pretty well for tracking Social Security, they weren't designed to be secure.

Americans are reluctant to institute a national ID. But in the absence of one, the market adopted a poor substitute, and the millions of Social Security numbers for sale online for less than the price of a cup of coffee are one of the consequences of that disastrous indecision.

"NOT TO BE USED FOR IDENTIFICATION"

Social Security numbers were poorly understood from the beginning. In 1938, a leather factory in Lockport, New York attempted to capitalize on the excitement around the country’s newly formed social insurance program by tucking replica Social Security cards into its wallets. Company vice president and treasurer Douglas Patterson thought it would be cute to use the actual Social Security number of his secretary, Hilda Schrader Whitcher.

Real Social Security cards had just begun circulating the year before, so many Americans were confused. Even though the display card was marked "specimen" and sold at Woolworth’s, more than 40,000 people adopted Hilda’s number as their own. According to the Social Security Administration, no fewer than 12 people were still using their Woolworth’s-issued SSN in 1977.


The SSN was originally intended for one purpose: tracking a worker’s lifetime earnings in order to calculate retirement benefits after age 65. But birth certificates are issued state-by-state and not everyone has a passport, making the SSN the closest thing we have to a national ID number. As a result, the SSN is now widely used within the government and private sector — and most people are no less confused about it than they were 75 years ago.

Only a very narrow set of government agencies and financial organizations are required to ask for a customer’s SSN by law. That list does not include landlords, cable companies, cell phone providers, or even credit reporting agencies, which all habitually request SSNs simply because a number is more precise than a name. Americans have repeatedly rejected the idea of instituting a formal national identification system when it was proposed for use in health care or to prevent illegal immigration. As a result, the SSN has become the national ID by default.

Unfortunately, SSNs are also appealing to identity thieves, who can use the numbers to open new bank accounts and credit cards. An SSN is also typically the first piece in building an identity profile that can be used for more elaborate crimes like insurance fraud. In addition to being unique and widely available, the vast majority of SSNs were assigned according to a publicly documented scheme: the first three digits were tied to the state of the issuing office, and the middle two were handed out in a fixed, published order. Because the number was never intended to be used for identification (the SSA added the legend "FOR SOCIAL SECURITY PURPOSES NOT FOR IDENTIFICATION" to the card in 1946, then removed it in 1972 during a redesign), nobody anticipated this being a problem.

Insecurity

In 2009, researchers showed that an individual’s SSN could be predicted from a birth date and state of birth, succeeding for up to roughly ten percent of people depending on the population of the state where the number was issued (a smaller state assigned fewer numbers per month, so fewer candidates remained). Combined with phishing attacks that trick people into revealing their last four digits, this left attackers well placed to reconstruct almost anyone’s number. Algorithms aren’t necessary anymore, though. SSNs have become available through data resellers, security breaches at various companies and government agencies, unsuspecting customer service representatives, and even public records, if you know where to look. SSNs can be bought in bulk for $1 each on private online forums, and a specific person’s SSN can reportedly be had for as little as $3.80.
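To make the "publicly-available formula" concrete, here is an added example (not code from the article, the researchers, or the SSA) that encodes the pre-2011 assignment scheme and counts how few candidates remain once an attacker knows the target’s state and roughly when the number was issued. The group-number ordering is the SSA’s published sequence; the area numbers 001-003 and the group window 09 through 12 used in the scenario are constructed, not a real issuance record. The Woolworth’s wallet number from the article, 078-05-1120, is used only to show the structural check.

```python
"""Why pre-2011 Social Security numbers were guessable.

Added example (not from the article or the SSA). Before 25 June 2011 the
SSA assigned numbers as AAA-GG-SSSS: the area AAA was tied to the state
of the issuing office, group numbers GG were handed out in a fixed,
published order, and serials SSSS ran 0001-9999 inside each group. The
SSA also published the highest group in use per area each month, so the
state of birth plus an approximate issuance date pinned down most of the
first five digits. Since randomization, none of that structure applies.
"""

# SSA's published group-number issuance order: odd 01-09, then even 10-98,
# then even 02-08, then odd 11-99 (99 groups; 00 was never assigned).
GROUP_ORDER = (
    [f"{g:02d}" for g in range(1, 10, 2)]
    + [f"{g:02d}" for g in range(10, 99, 2)]
    + [f"{g:02d}" for g in range(2, 9, 2)]
    + [f"{g:02d}" for g in range(11, 100, 2)]
)

SERIALS_PER_GROUP = 9999  # serials 0001-9999


def is_structurally_valid(ssn: str) -> bool:
    """Structural rules that hold both before and after randomization:
    area 000, 666 and 900-999 were never assigned; group 00 and serial
    0000 are never used. Accepts "AAA-GG-SSSS" or nine bare digits."""
    digits = ssn.replace("-", "")
    if len(digits) != 9 or not digits.isdigit():
        return False
    area, group, serial = int(digits[:3]), digits[3:5], digits[5:]
    if area == 0 or area == 666 or area >= 900:
        return False
    return group != "00" and serial != "0000"


def groups_issued_between(low_group: str, high_group: str) -> list[str]:
    """Groups an area issued from low_group through high_group, in the
    order the SSA actually assigned them (not numeric order)."""
    i, j = GROUP_ORDER.index(low_group), GROUP_ORDER.index(high_group)
    if j < i:
        raise ValueError(f"group {high_group} was issued before {low_group}")
    return GROUP_ORDER[i : j + 1]


def candidate_count(areas, low_group, high_group, last4_known=False):
    """How many SSNs are consistent with a guessed set of area numbers
    and a group window. If the last four digits are already known (say,
    phished), only the group digits remain to be guessed."""
    n_groups = len(groups_issued_between(low_group, high_group))
    per_area = n_groups if last4_known else n_groups * SERIALS_PER_GROUP
    return len(areas) * per_area


def enumerate_candidates(areas, low_group, high_group, last4):
    """The full list an attacker would try once the last four are known."""
    return [
        f"{area:03d}-{group}-{last4}"
        for area in areas
        for group in groups_issued_between(low_group, high_group)
    ]


def randomized_space():
    """Valid combinations once area, group and serial are random: every
    area 001-899 except 666, 99 groups, 9999 serials."""
    return 898 * len(GROUP_ORDER) * SERIALS_PER_GROUP


if __name__ == "__main__":
    # Constructed scenario (not a real issuance record): the target was born
    # in a state whose offices used areas 001-003 and, per the SSA high-group
    # list, that state was issuing groups 09 through 12 at the time.
    areas, low, high = [1, 2, 3], "09", "12"
    print("search space after randomization:", randomized_space())
    print("candidates from state + issuance window:",
          candidate_count(areas, low, high))
    print("candidates once the last four are phished:",
          candidate_count(areas, low, high, last4_known=True))
    print(enumerate_candidates(areas, low, high, "4821"))
    # The Woolworth's wallet number from the article passes the structural check.
    print(is_structurally_valid("078-05-1120"))
```

Run as a script, the constructed scenario shrinks the roughly 889 million structurally valid numbers to 89,991 candidates from state and issuance window alone, and to nine once the last four digits are known, which is why reciting "the last four of your Social" over the phone authenticates almost nothing.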

[Image: a screenshot of an underground forum where identity thieves do business. Source: RSA]

Social Security numbers are the most common starting point for identity thieves, said Angel Grant, a senior manager at the information security firm RSA, which monitors the black markets where identity thieves traffic. In the last five years, SSNs have become so easy to obtain that thieves now usually bundle the number with extra identifying information like birth dates and even medical records in order to get the price up. "A Social Security number is good, and it’s very easy for a fraudster to obtain," she said. "Social Security numbers are a commodity in the underground right now."


The pitfalls of using SSNs for identification have been known for years, but there has been a recent push by governments at every level to make the number harder to abuse. Last year, the SSA dropped the formula it had been using to assign new numbers in favor of a randomized method. The Social Security Number Protection Act of 2010 prohibits government agencies at all levels from displaying the number on checks. At least 20 states have enacted laws restricting the use of SSNs. Even private companies are starting to roll back their reliance on the SSN due to security concerns, Grant said.

In August, the state of New York passed a law that will prohibit most types of companies from refusing service to customers without an SSN, and subjects violators to a $500 fine. Jeffrey Dinowitz, the New York assemblyman who sponsored the law, said he gets complaints from his Bronx constituents who are constantly asked to give up their SSNs. Tellingly, the complaints come mostly from older people who remember a time before the SSN became a US resident’s de facto ID.

The bill was introduced a few years ago, Dinowitz said, but for some reason it failed to gain traction with other state lawmakers until now. "I think the dissemination of Social Security numbers should be done sparingly," he said. "There are so many ways to take advantage of or steal people’s identity, but the most important number is the Social Security number. I don’t give it out."

[Image: hackers now frequently bundle SSNs with harder-to-get information. Source: RSA]

After years of warnings from groups like the Privacy Rights Clearinghouse and the Electronic Privacy Information Center, the public may be waking up to the dangers of systemic reliance on the SSN. High-profile data leaks at companies like Sony and LinkedIn in the last year have increased general awareness of the underground market in personal information and the danger of losing control of one’s data. The SSN is the ultimate password because it’s always the same, whether you’re talking to your bank or your doctor, it cannot be changed once it leaks, and so many companies use it to authenticate customers over the phone.

"Can you verify your Social for me?"

It’s unclear when private companies first had the bright idea of using SSNs to identify their customers. The evolution of laws that required the use of SSNs for various government purposes like food stamps is well-documented, and the government does require that SSNs be collected by certain financial institutions. In fact, the Social Security Administration is one of the most nostalgic agencies in government and maintains extensive historical records. It has its own (modest) history museum, its own historian’s office, and a history of the historian’s office on its website along with a thorough archive of historical documents.

But when asked about the proliferation of the SSN in the private sector, the historians were stumped. "Over the decades, the uses of the number have expanded greatly beyond that original idea for it and it’s become, for many private purposes, an identification thing," said Jane Zanca, a spokesperson for the agency. "There really isn’t a timeline or anything. It seems it's pretty early on that the issue must have come up."

[Image: a screenshot of a hacker selling identity information. Source: RSA]

Similarly, the Government Accountability Office issued a report in 2004 acknowledging that private-sector entities "routinely" obtain and use SSNs, but it does not say how the practice started.

The use of the number by the three credit reporting agencies, which are privately owned, would have encouraged the practice by other companies because having the number makes it easy to run a credit check on a new customer.

But Chris Hibbert, who published a widely-disseminated SSN explainer on Usenet and maintained it for 20 years, says the credit bureaus weren’t even early adopters. "They didn't take off until SSNs had been in use for quite a while," he said in an email. "There has long been a confusion over whether the SSN is a secret (and so would be useful for verifying someone's identity) or a public identifier (and thus should be treated as well known)." He hypothesized that local utilities may have been the first to use SSNs, or that it might have spontaneously occurred to companies throughout the private sector.


The SSN is still awkwardly short of being as public an identifier as a name, but perhaps it should be treated as such. For now, most consumers who try to withhold their SSN from private companies are in for an uphill battle. A resistant customer usually has to talk to a manager and may be asked to plunk down a deposit in exchange, and it’s legal in most states for companies to refuse to do business without the number. Some privacy rights diehards prefer to give a fake SSN or one belonging to a dead person (Richard Nixon's is a favorite). This often works but is technically illegal.

"It's the only thing that's really unique," said Paul Stephens, director of policy and advocacy at the Privacy Rights Clearinghouse. But given the popularity of SSNs with legitimate service providers and identity thieves alike, it's become increasingly tough to protect. "We tell people, 'if a private business wants your Social Security number... you should just say no.'"

Still, the vast majority of customers don’t realize that in many situations, including at the doctor’s office, an SSN is not legally required. Until the problem of public perception is corrected, SSNs will continue to function as the national ID system that Americans on both sides of the political spectrum have said they do not want.

What's next?

The National Strategy for Trusted Identities in Cyberspace is not really a push for a national ID, either. Each of the pilot projects has a specific focus, including healthcare, ecommerce, and senior citizens, with the hope that the government’s investment will lead to multiple systems. "The government will not require that you get a trusted ID," says NSTIC’s website. "If you want to get one, you will be able to choose among multiple identity providers — both private and public — and among multiple digital credentials. Such a marketplace will ensure that no single credential or centralized database can emerge."


The projects will test solutions that rely on mobile phones, biometrics, encryption, and other cutting-edge security technology that lets consumers browse anonymously but also validate their identities when needed. If one or more of the privately-developed online identity systems commissioned by the Obama administration proves effective, it may end up creeping into daily use the same way the SSN did — that is, through common practice instead of federal mandate. Unlike the SSN system, these systems are being designed for use as an identifier. If implemented, one of these systems could easily substitute for many less secure verification methods in place today, including typing in your mother’s maiden name or reciting the last four digits of your SSN.

Making any identification system secure yet usable and universal yet private is a challenge, to say the least, and must be handled delicately in order to avoid comparisons to 1984. But even if the idea of a government-funded online identity system creeps you out, the existence of such alternatives would mean the private sector could give SSNs a rest.