It’ll cost you a buck. Just like everyone else’s. The use of a Social Security Number (SSN) as unique identifiers has long been a contentious subject. SSNs were never intended to be used for identification, and their ubiquitous abuse for identification and authentication has lead me to call them “Social Insecurity Numbers,” or SINs.
There was a time when my response to a breach that leaked SSNs was “the horror, the horror.” Now my cynical reaction is “big deal, they stole my public information… again.” Yes, I know it’s improper for a security expert to feel this way, but an improper response is sometimes still the correct response.
Let me walk you through both sides of the issue: the horror and the dispassion.
The Horror
When aliens visit our lifeless planet in 2525, they will run DNA tests on our remains and they will catalog or index us by our SINs. That’s one of the things that makes the theft of SSNs worrisome. SSNs do not expire. A person may expire, their SSN does not. Social security numbers are not reused. They just stop being used. Funds may be paid to surviving spouses and children, but after that the SSNs are a permanent entry in a database.
Let’s put this into perspective. Of all of the credit cards issued between 1946 and 2012, virtually none are valid. Of all of the compromised credit cards issued between 2012 and 2018, very few remain valid. Sometimes the cards are replaced before they’re fraudulently used, and other times fraudulent use results in the cancellation of the cards. In either case, the cards are simply replaced with new account numbers.
Compare this to SSNs. Of all of the SSNs issued since 1934, well… Have you ever see an expiration date on a Social Security card? You can change your credit card number. You can change bank. You can change your career, your doctor, your vet, your clothes, or your mind. But unless you enter the United States Federal Witness Protection Program, your SSN isn’t changing. (Actually, that’s a bit overstated. Under certain circumstances you can get a new SSN, but your SSN simply being compromised does not qualify you to change SSNs.)
According to a study published by Javelin, more social security numbers were involved in breaches in 2017 than credit cards. Think about that for a moment. Do you know anyone who has had a fraudulent purchase made on their credit card? Here’s where the problem becomes insidious. Credit card fraud is loud. You can hear it coming. I have alerts set up on my bank accounts so that I know each time a charge is made. I am alerted through text and email. One fraudulent charge and I know. I can act.
But SSNs are quiet. Multiple applications for credit cards can be made simultaneously, but you’re not likely to find out very quickly. Pair this with a compromised email account, and you could be in big trouble. For me, it’s of serious concern.
The Dispassion
Why don’t I worry about my SSN being leaked? Because it’s already been leaked multiple times in multiple breaches.
How do I know that?
I don’t, I just assume it has been. Why? Because my SSN has been vulnerable to theft for decades, and there are so many compromised SSNs stocking the dark web that they’re a cheap commodity. You might even expect to encounter a “buy five credit card numbers get two SSNs free” deal, or to see them sold by the dozen, like Kleenex at Costo.
According to Brian Stack, the Vice President of Dark Web Intelligence at Experian, Social Security numbers sell for only $1 on the dark web. In the massive Marriot breach, it wasn’t my SSN I was worried about, it was my loyalty program information. My loyalty program information is worth 20 times more than my SSN on the dark web. Loyalty program points can be used to buy travel or merchandise in airline shopping malls.
For several years, “assume the breach” has been the mindset of many security professionals, meaning that we should assume a company will be breached, or already has been breached, and we should be clear-eyed about it. It is a call to action. Put mitigations and remediation processes in place. Have an action plan.
For the public, and I cannot emphasize this enough, this means you should assume it was your data that was compromised in the breach, and put a remediation plan in place. If the businesses holding your data assumes your data is toast, then you should too.
What You Can Do
So, if we’re adopting the fatalist position on SSN theft, but still want to protect ourselves, what’s a person to do?
- Credit freezes and fraud alerts. Both are good proactive defenses. The Federal Trade Commission (FTC) is a good place to start if you don’t know how. For information about credit freezes, check here. For information about fraud alerts and extended fraud alerts, take a look here and here.
- Use two-factor authentication. Gmail, Facebook, Twitter, and other sites offer two-factor authentication. Typically, this means you’ll need to respond to a text or email in order to log into your account. This makes it harder for the bad guys to hijack it. Not impossible, but significantly more difficult.
- Take advantage of alerts offered by financial institutions. If someone tries to log into my bank account or make a charge on my credit or debit card, I will know it immediately.
- Be Prepared for Identity Theft. Once again, the FTC consumer information page on identity theft is a great resource for consumers, security evangelists, and businesses alike on how to build a strong defensive posture.
Identity theft is real, it can be devastating, and you need to be prepared for it. But reports of breaches that include SSNs tell me what I already know; my SSN is in the hands of cybercriminals. It has been for years.
So no, I’m not going to tell you my SSN. You’ll have to pay your dollar for it, just like everyone else.