Why it is time to stop using Social Security Numbers for customer authentication!
Social security numbers, dates of birth, and driver’s license numbers were never designed to be used as universal passwords to authenticate consumer identities. Despite this, they’ve been widely adopted as a means of verifying your identity by banks, lending institutions, healthcare providers, credit card companies and just about any other company that stores your sensitive information.
Over the years, this sensitive data has fallen increasingly into malicious hands. The Equifax breach of 143 million Americans’ data is not the first large scale breach of consumer Personally Identifiable Information (PII) and it certainly won’t be the last. To get an idea of the scale and frequency of breaches we rarely even hear about, spend just a few minutes browsing this website: http://breachlevelindex.com
These tokens are inherently insecure and the very fact that they’ve been adopted as a universal consumer password is extremely damaging to consumer security and privacy. To further illustrate my point:
Given the data breaches of just the past decade, these numbers can no longer be considered secret from any perspective. From the Equifax breach alone, 143 million consumers (about 44% of the US population) now have their effective “password” completely out in the open, forever. Short of a mass re-issue of social security numbers by the US Government, anybody will be able to look up one of these numbers and impersonate any one of the 143m victims of that one breach alone.
Social security numbers are easily guessable for any attacker who puts in a bit of effort: http://www.sciencemag.org/news/2009/07/social-security-numbers-are-easy-guess
Consider also that when social security numbers are displayed “securely” in many systems and on documents, they are truncated: for the number 111-222-3333, only the last four digits (3333) are shown and the rest are masked. Yet many companies (cell phone providers especially) prompt you for exactly those unmasked last 4 digits of your social security number as a way of proving you are who you say you are.
Dates of birth are even easier to find: check Facebook, or just ask the target individual or their friends and family!
Social security numbers are excruciatingly difficult and inconvenient to change, and they almost never are. This violates the fundamental security practices of rotating passwords regularly and changing them following a known or suspected compromise.
As we have mentioned in numerous past blog articles, password re-use is a bad practice. SSNs and driver’s license numbers are inherently, massively re-used passwords. Anyone with access to your personal data at any other company, bank, hospital, or government agency, even legitimate access, holds the keys to your personal security - potentially dozens of organizations and thousands of their employees.
To those in any position to affect their company’s policies and procedures with regards to how you identify and authenticate your customers:
PLEASE - Do whatever you can to steer your organization to eliminate the use of Home Address, Date of Birth, Social Security Number, and Driver’s License Number as a means for a consumer to authenticate that they are who they say they are!
In an ideal world, I would even take this a step further and suggest eliminating these as a means for a consumer to identify themselves… (Unless you are actually the IRS or Social Security administration!)
Here are some alternative approaches to consider:
If you don’t already, create and provide customer identification numbers that are unique to your business for each customer.
Develop a thorough process of verifying multiple other data points about the consumer in order for them to recover a lost or forgotten ID or passphrase.
Consider using the identity verification services provided by the major credit bureaus - these are the ones that ask you questions like what kind of car you owned in 1996 and which of the following addresses aren’t yours.
Prompt your customers to create passphrases (PIN codes only as a last resort) and use them universally for authentication, whether logging in on your website, over the phone, or when the customer is in person.
If customers are calling inbound or visiting you in-person, add a procedure to confirm their request using the contact info you have on file for them. For example, if they call you purporting to be a certain person to open a loan - call the primary phone number in your files to confirm the request before approving it. (Bear in mind, caller ID is easily faked and should not be trusted.)
Explore modern technology to solve this problem. For example, to authenticate someone over the phone, push an authentication request to an app the customer has installed on their iPhone. Require them to log in with their username and password or their fingerprint, and then read a unique code number back to you. This confirms that the user is holding their physical phone which they have authenticated into using their username and (hopefully) strong password.
Red team your own authentication procedures. Develop an internal offensive security group or hire an outside specialized Penetration Testing firm to find ways that your policies, procedures, and defenses can be exploited, or perhaps are already being exploited by criminals.
Support and train your staff on the front lines who are authenticating your customers. Make sure they are aware of the risks of social engineering and train them appropriately. Talk about security often and share stories (good and bad) to keep the risks tangible in everyone’s mind.
Take steps to foster a positive culture of security awareness in your organization. Reward and recognize employees for reporting vulnerabilities. Encourage employees to report suspected breaches. Provide appropriate assurance of protection so that if they’ve made a mistake, they will report it right away rather than withholding for fear of the personal repercussions.
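To make the phone-channel push authentication described above concrete, here is an added example (not code from the original post or from NorthSky) modelling the server side of that flow: the agent opens a challenge, only the customer’s enrolled app can fetch the short code after its own local login, and the agent’s console accepts the code the caller reads back exactly once, within a time limit and a capped number of wrong guesses. The TTL, attempt cap, class and method names are all assumptions for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 120   # assumed challenge lifetime
MAX_ATTEMPTS = 3         # assumed cap on wrong read-backs per challenge

@dataclass
class Challenge:
    customer_id: str
    code: str
    created_at: float
    attempts: int = 0
    consumed: bool = False

class PushAuthServer:
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._challenges = {}

    def open_challenge(self, customer_id):
        # Agent side: mint a one-time code for this call. The agent only sees
        # the challenge id; the code itself goes solely to the enrolled device.
        challenge_id = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(10**6):06d}"   # uniform 6-digit code
        self._challenges[challenge_id] = Challenge(customer_id, code, self._clock())
        return challenge_id

    def code_for_device(self, challenge_id, device_customer_id):
        # App side: release the code only to the device bound to the same
        # customer (the app has already required its own login/fingerprint).
        ch = self._challenges.get(challenge_id)
        if ch is None or ch.customer_id != device_customer_id:
            return None
        return ch.code

    def verify_readback(self, challenge_id, spoken_code):
        # Agent side: check what the caller read back. Single use, expiring,
        # and burned after MAX_ATTEMPTS wrong guesses so 6 digits can't be brute-forced.
        ch = self._challenges.get(challenge_id)
        if ch is None or ch.consumed:
            return False
        if self._clock() - ch.created_at > CODE_TTL_SECONDS or ch.attempts >= MAX_ATTEMPTS:
            del self._challenges[challenge_id]
            return False
        ch.attempts += 1
        if hmac.compare_digest(ch.code, spoken_code.strip()):
            ch.consumed = True
            return True
        return False
```

Note that the agent never learns or speaks the code, so a caller who merely knows the customer’s SSN, date of birth or address has nothing to read back.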
As businesses, we are trusted by customers with their personal information, health records, finances, and credit cards. It is our responsibility to do everything we reasonably can to secure and protect that information, especially when big systems, industry best practices, and regulations fail to keep pace with the risks in our world today. Events like the Equifax breach are a reminder not only that any company can get hacked, but also that these legacy shortcuts, particularly using social security numbers like secret passcodes, have long since become obsolete and ineffective - in fact it is tough to argue that they were ever effective at all!
For the sake of your business and livelihood, as well as the customers who trust their data to you, seek ways to eliminate these ancient practices from your operations and encourage others to do the same. If you’re not sure where to start, are stuck trying to find a viable alternative, or are ready to test your procedures with an offensive-minded security assessment - contact us! Improving and testing operational security in situations like these is exactly what we do as part of our NorthSky Security Services. We are here to help!