In the annals of data breaches, the Equifax hacking stands alone due to its sheer scale: Digital thieves traipsed through the personal information of 143 million Americans for several months to do with it as they pleased. “It is quite possibly the most serious data breach we’ve ever had in terms of its potential cost,” says Gerald Faulhaber, Wharton professor emeritus of business economics and public policy. “Whoever hacked it, wherever these things end up, this could be costing U.S. consumers billions of dollars over the next decade. It’s terrible.”
What makes the breach especially risky for consumers is that Equifax — one of three national credit bureaus — held in one place crucial personal information regularly accessed by lenders, banks, credit card companies and other entities to assess one’s creditworthiness and do things like assign applicable interest rates. At the center of this data is the Social Security number (SSN), which consumers need in order to take out loans, get a job and perform other key activities. “If someone gets my Social Security number, there’s a lot of things they can do,” Faulhaber says. “That’s one of the things that make this a very dangerous hack.”
The Social Security number’s uniqueness makes it a convenient tool to identify people. But over time, its role as identifier has also become that of authenticator — if you have that number, you must be who you say you are. “The SSN was not designed for verification,” says Prasanna Tambe, Wharton professor of operations, information and decisions. “Using the SSN for both identification and verification has very significant weaknesses, and large scale, high-profile data breaches just serve as dramatic reminders of the problems that we have with using the SSN for verification. It’s pretty clear that we need a better system.”
Exposing one’s Social Security number is particularly risky because unlike user names, passwords, driver’s licenses and many other types of information, it is difficult to change. You must have a valid reason for asking for a new number, such as being a victim of identity theft or your life is in danger, according to the Social Security Administration. And even if one manages to change his or her Social Security number, the new number remains linked to the old one. This would not have been problematic if the Social Security number were used as it was intended. Started in 1936, it was created to track an individual’s earnings over a lifetime to calculate Social Security benefits upon retirement.
“It is quite possibly the most serious data breach we’ve ever had in terms of its potential cost.” –Gerald Faulhaber
Indeed, it was a “historical accident” that the Social Security number became a default identity number for Americans, says Kevin Werbach, Wharton professor of legal studies and business ethics. “The problem is that there are so many contexts, both governmental and private, that require unique identifiers for individuals. Appropriating the Social Security number is easier and often more effective than creating a new number for every situation. But it becomes a problem when the barriers to obtaining someone’s Social Security number are so low, and the ways those numbers can be exploited are so great.”
With relatively easy access to Social Security numbers and other private data, it is no wonder that the number of identity theft incidents are soaring. According to the Identity Theft Resource Center, a nonprofit, the number of U.S. data breaches hit a half-year record high of 791 in 2017. That figure is up 29% from the same period a year before. At this pace, the year is on track to hit a new high of 1,500 breaches, which would be 37% more than 2016. Hacking — including ‘phishing’ messages and malicious software unleashed by bad actors who demand ransoms to unblock access to data — caused 63% of the data breaches.
As cyber-thefts mounted, lawmakers stepped up regulations on the use of Social Security numbers and data security. The Social Security Number Privacy and Identity Theft Prevention Act of 2007 bans federal, state and local government agencies from publicly displaying the numbers, such as on IDs, as well as selling them, with limited exceptions. Several states also restrict the use of Social Security numbers, such as Alaska, Pennsylvania, New Jersey, California, New York, Texas and Illinois. And all states have installed cybersecurity measures to protect data and systems, according to the National Conference of State Legislatures.
Self-sovereign Identity
Should Americans get a new national ID? “Countries such as India that have tried to create a new national identifier have struggled with a variety of operational, privacy and technical challenges,” Werbach says. “It’s really difficult to implement this kind of system without opening up huge privacy and security risks for individuals. After all the revelations about government surveillance in recent years, Americans are probably not going to be too eager to get a special new unique identifier that potentially gives the government access to everything about them.
“Ultimately, the solution is what’s called self-sovereign identity,” Werbach continues. “It’s possible to build identity systems today that are decentralized yet secure and verifiable, based on cryptography. So, my bank can verify that I’m the customer who showed up with a picture ID, and that I have a certain balance in my account, but can’t get access to my college transcripts. It puts the power back with the individuals to control their data, while making everything much more secure.”
With self-sovereign identity, people control their own data rather than a central authority such as the federal government. Individuals choose to provide this data to businesses, agencies and others for verification. This data, for example, could reside in a virtual wallet, unlocked by the individual’s public ID number and a “private key.” The private key could be a sequence of random numbers generated by the user. One could choose to organize this personal data into bundles with varying levels of disclosure. For instance, if a wine shop needs to know you’re over 21 but not necessarily your birthdate, it could get access to a statement attesting adulthood signed by an authorized agency.
“[Large] scale, high-profile data breaches just serve as dramatic reminders of the problems that we have with using the SSN for verification.” –Prasanna Tambe
Werbach points to Hyperledger Indy, one of several initiatives afoot to create a self-sovereign identity, from the Sovrin Foundation and Hyperledger Foundation. The project recognizes that online identities are “broken” — individuals in society have too much personal information on the internet that is exposed to hackers as a result of numerous data breaches. It uses the blockchain’s distributed ledger technology as a platform for these identities. Importantly, personal information is never written to the ledger; rather, parties exchange data through encrypted, peer-to-peer connections. The platform uses open standards so it can work with other distributed ledgers.
But technology can only provide one piece of the solution, says Gad Allon, Wharton professor of operations, information and decisions and director of the Jerome Fisher Program in Management and Technology. Government and business have to get involved as well, whether it is passing tougher cybersecurity laws and penalties, or companies ensuring they protect customer data more securely. “It has to be a combination of things.”
What We Can Do Now
Three assumptions are important to acknowledge in the digital age. “Everything that can be connected, will be connected,” Allon says. For instance, biometric identification such as retinas could be linked to the passport system, bank accounts and others. The second assumption is, “if I have data, the way to make it more valuable is to get more data,” he adds. The more one knows about people, the easier it is to reach or mimic them. Third, “whatever can be hacked is going to be hacked. Once you realize that, it doesn’t really matter what type of identifier you use” be it a Social Security number or something else.
Solutions already in use include multi-factor authentication — the consumer has to provide several pieces of information to prove their identities such as fingerprints and a password, Faulhaber says. He is in favor of requiring that credit agencies contact the consumer in real time if someone is asking for a credit report, although it could be inconvenient. “You have to say, ‘Yes I approve of you sending this data to such and such a person.’ That will limit the ability to do this kind of damage,” he adds. “If [the consumer is] not contacted directly, the information does not move.”
Tambe says multi-factor authentication is experiencing major growth, noting that it’s “beneficial to move away from using a single verification process used across so many domains.” While changing legacy systems that rely on Social Security numbers will take time and effort, “technology advances are rapidly making other identification methods, such as biometrics, more widely accessible, which could make rolling out some of these alternatives more feasible in the near term.” Saikat Chaudhuri, Wharton adjunct management professor and executive director of the school’s Mack Institute for Innovation Management, also believes in the promise of biometrics as the key because each individual is unique. However, he notes that “no technology will be completely secure, as crooks will always find ways to hack it.”
“[Whatever] can be hacked is going to be hacked. Once you realize that, it doesn’t really matter what type of identifier you use.” –Gad Allon
Another growing area is authenticating through behavioral patterns. “If you always log into your system at 6 p.m. to check your bank account and today, the request is coming from Russia and it’s … 3 p.m., maybe it’s not you. Maybe I need to send a text to you and ask if it’s really you,” Allon says. He compares cybersecurity to a high-stakes game. “You’re competing with people who are constantly trying to overthink and outsmart the systems,” Allon points out. “That’s why, to some extent, the solution has to be one that is attacking things from multiple directions and uses both physical … and digital elements.”
People also have to be vigilant about protecting their information. It’s not unusual to have more than 100 passwords in use at any time, such as for bank accounts, airlines, clubs, emails, and others, Allon says. Use different passwords for various places and decentralize where you store them so if hackers get a hold of one, they can’t get the rest. Monitor your credit reports regularly for unauthorized entries. “It’s just good practice overall.”
Allon calls for tougher punishment for companies that are careless about securing their customers’ personal information. “The penalty for firms has to be heavier,” he says. “We should also have specific regulations about who has the liability in these cases and how quickly firms should admit [they have been hacked]. We see more and more situations where firms only acknowledge these things months after they happen.… This is why people have to go to jail for these things.”
Perfect Crime
What about going after the hackers themselves? It’s not that easy. These are individuals — some with links to organized crime or supported by hostile nations — that typically operate in areas that do not have extradition laws, says David Lawrence, founder of Risk Assistance Network + Exchange (RANE), an information and advisory services firm with expertise in critical risk management. “These are in some respects perfect crimes,” he says. Hackers often are anonymous, well protected and their job has low barriers to entry — open to anyone in the world with a computer, internet connection and hacking skills and tools.
Business, government and consumers have to work together to protect against hackers. “There has to be clear standards for corporations, not just in terms of security, but also safe harbors from liability,” says Lawrence, a former Goldman Sachs executive. “There has to be a clear reconciliation within the military and defense community about their responsibilities in defending our digital borders versus maintaining their offensive capabilities. There has to be a fundamental rethinking about how we identify ourselves and verify our own personal information. From Social Security numbers to driver’s licenses, what we have been using for decades has not kept up with the digital world.”
“From Social Security numbers to driver’s licenses, what we have been using for decades has not kept up with the digital world.” –David Lawrence
Wharton management professor David Hsu says he is struck by the contrast between old-fashioned authentication using Social Security numbers and Apple’s new iPhone X. “They’re claiming a one-in-a-million probability in defeating their [facial recognition] system — and that’s a big improvement on their fingerprint technology that’s 1-in-50,000.” He adds that “we need to have a 21st century idea of authentication rather than relying on a piece of paper … with nine digits that we use as the unique identifier.”
The know-how is there, in Silicon Valley. The trick is to get these skilled programmers to work in cybersecurity. “That gets to the human capital issue. If I’m a really talented programmer, how excited am I to work at Google or Facebook versus the FBI? They have very different compensation packages and incentives.… As a very talented programmer, do I want to go into public service, or do I want to go after the millions in stock options?” While the two paths are not mutually exclusive, Hsu says, it does underscore the need for the private and public sectors to cooperate.
“What I’d love to see is some cross-talk and building of tools because the private sector doesn’t have access to the trove of underlying data and even fundamental skills [that] you need to catch bad guys” that the government has in droves, Hsu adds. To fight crime, you don’t just need “a better algorithm, [or] just good data. You need good investigative skills. Get behind the minds of bad guys. What are their motives? Is it money? Is it a political ideology? Is it trying to undermine the state itself? These [call for] very traditional investigative techniques.” Those crime-fighting skills, paired with 21st century software, AI, algorithms and other digital tools are needed to combat cyber-crimes.
In the end, perhaps the most pragmatic path is to erect the strongest defense possible and hope that it will deter most breaches. “There’s no way to totally solve this. Is there any way to stop people from stealing your car? No, but you can make it harder for people to steal your car. You can use locks and alarms, but you haven’t eliminated the possibility that someone is going to steal your car. You just made it more costly for them to do it,” Faulhaber says. “I think that’s the best we can hope for.”