Equifax ordered to seek alternatives to Social Security numbers to verify identities — this is what could be used next

Equifax’s data-breach settlement will pay out at least $650 million in restitution to consumers and government fines, but it could also help usher in a new era in identity verification — one that doesn’t include Social Security numbers.

The settlement comes after a 2017 security breach that exposed the personal data of more than 146 million people. The leaked data included Social Security numbers, and the settlement requires Equifax to research identity verification methods that do not use Social Security numbers.

“Equifax is required to limit the collection of consumer Social Security numbers and look into different ways” to verify identity, Josh Shapiro, Pennsylvania’s Attorney General, said on Monday.

Your Social Security number was never meant to be your ID

The U.S. Social Security Administration began issuing Social Security numbers in the 1930s “for the sole purpose of tracking the earnings histories of U.S. workers,” according to the Administration. The earnings histories, in turn, help the agency determine “benefit entitlement and benefit levels.”

“The Social Security number was never meant to be a secret identifier,” Neal O’Farrell, executive director of The Identity Theft Council, told MarketWatch. In fact, until 1972, Social Security cards had the words “not for identification” written on them.

“But the financial industry hijacked it,” O’Farrell said. In the 60s and 70s, banks started using Social Security numbers to grant credit, and other companies followed suit, deciding to use the nine digits as a form of identification.

Your Social Security Number has already been exposed

“Today, your name acts as your user name, and your Social Security number acts as your password,” Robert Siciliano, a privacy expert and the founder and CEO of Safr.me, told MarketWatch.

Over 95% of major credit card companies and 80% of the top 25 banks allow people to access accounts if they can provide the correct Social Security number, a 2014 study by Javelin Strategy & Research found.

“The problem is that everyone knows your password,” Siciliano said.

Besides the Equifax breach that leaked the personal information of nearly half the people living in America, there have been countless other breaches in the past two decades that have exposed personal data. Hotel chain Marriott MAR, -1.21% big-box retailer Target TGT, -0.90% and the early internet search engine Yahoo! AABA, +0.41%  are among the companies that have suffered breaches in the past several years. An estimated 1,300 data breaches occurred in 2017, up from 200 in 2005, according to the Identity Theft Resource Center.

“If you count the number of breaches, your Social Security [number] is already out there. It’s not a secret,” O’Farrell said.

Why are Social Security numbers still being used as a piece of identifying information?

Credit reporting agencies like Equifax EFX, +0.39%   use a variety of information to verify their customers’ identities, including an address, name, date of birth, and Social Security number.

(Equifax did not respond to a request for comment on the company’s plans to limit the use of Social Security numbers.)

Part of the reason financial institutions are still using Social Security numbers to identify individuals is that a switch to a different system would come with a hefty price tag, O’Farrell said. But another reason is that these “institutions don’t know which way to jump. They don’t know what new system will be best” for verifying identity.

There are other options, some more than two decades old

One security feature that could replace the Social Security number in identifying individuals is “Voice ID.”

“It’s a print of your voice,” O’Farrell said. “When you want to verify yourself to apply for a loan, the bank will send you, say, six new numbers and you repeat those numbers with your voice.” This technology has been available for the past 25 years.

Newer methods of identification include biometrics. An individual’s iris or your thumbprint could serve as a form of ID. But the problem with using that alone is that “a thumbprint could be compromised,” O’Farrell told MarketWatch, because thieves or hackers can copy it.

He thinks of the future of verification is in “real-time” personal information. “A bank could ask what was the last number you called on this phone or what was the last purchase you made.” This information would be hard for thieves to use because it’s constantly changing.

Other potential identification methods include your phone or laptop’s IP addresses and even a blockchain-created digital ID.

Banks and other financial institutions could also look to the Department of Motor Vehicles for better methods of identity verification, Siciliano told MarketWatch.

The Real ID Act, passed in 2005, changed security standards for state driver’s licenses. Beginning in October 2020, individuals will need a “Real ID” driver’s license — or a passport — to board a domestic flight.

“Registries of motor vehicles have been setting up verification methods for at least a decade,” Siciliano said. “They set the standard. It’s really hard to get a driver’s license in someone else’s name.” To obtain a driver’s license, one needs to present multiple pieces of identifying information.

“I don’t think there’s a problem with the continued use of the Social Security number. It just needs to be used with a lot of other methods like at a registry of motor vehicles,” Siciliano said.

Even a heartbeat can be an identifier

With new methods of identification come new privacy concerns for consumers.

At least one company is working on technology that will be able to identify a specific individual’s heartbeat and turn that information into a unique identifier, O’Farrell said.

But not everyone may want to give their heartbeat to their bank, and for good reason. “Consumers are skeptical about giving away any information,” O’Farrell told MarketWatch. “In this case, they may be afraid the heartbeat will be sold to an insurance company, which could find something wrong with you and use it against you.”

Still, he believes consumers will get on board with a new method if they believe their data won’t be breached.

A White House proposal

After the Equifax breach, Rob Joyce, a former cybersecurity coordinator in the White House who has now gone back to the National Security Agency, said the White House was looking into new methods of identifying consumers.

The Social Security number “has outlived its usefulness,” Joyce said in 2017. “I personally know my Social Security number has been compromised at least four times in my lifetime. That’s just untenable.” The current status of that proposal is unclear. The White House eliminated Joyce’s position in 2018. The National Security Council did not respond immediately to a request for comment.

Equifax shares are up 48.6% from the start of the year. The Dow Jones Industrial Average DJIA, +0.07%  is up more than 16% in that same time, while the S&P 500 Index SPX, +0.28%  has seen a 19% gain.

This post was originally posted at http://www.marketwatch.com/news/story.asp?guid=%7B2FCA216E-ACAC-11E9-AAD1-6816FA4736EF%7D&siteid=rss&rss=1.