The Trump administration is exploring ways to replace the use of Social Security numbers as the main method of assuring people’s identities in the wake of consumer credit agency Equifax Inc.’s massive data breach.
The administration has called on federal departments and agencies to look into the vulnerabilities of employing the identifier tied to retirement benefits, as well as how to replace the existing system, according to Rob Joyce, special assistant to the president and White House cybersecurity coordinator.
“I feel very strongly that the Social Security number has outlived its usefulness,” Joyce said Tuesday at a cyber conference in Washington organized by the Washington Post. “Every time we use the Social Security number, you put it at risk.”
Joyce’s comments came as former Equifax CEO Richard Smith testified before the House Energy and Commerce Committee, the first of four hearings this week on Capitol Hill. Lawmakers from both parties expressed outrage over the size of the breach as well as the company’s response and grilled Smith on the timeline of the incident, including when top executives learned about it.
Smith said the rising number of hacks involving Social Security numbers have eroded its security value.
“The concept of a Social Security number in this environment being private and secure -- I think it’s time as a country to think beyond that,” Smith said. “What is a better way to identify consumers in our country in a very secure way? I think that way is something different than an SSN, a date of birth and a name.”
Joyce said officials are looking into “what would be a better system” that utilizes the latest technologies, including a “modern cryptographic identifier,” such as public and private keys.
‘Flawed System’
“It’s a flawed system that we can’t roll back that risk after we know we’ve had a compromise,” he said. “I personally know my Social Security number has been compromised at least four times in my lifetime. That’s just untenable.”
Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology in Washington, said one possibility could be giving individuals a private key, essentially a long cryptographic number that’s embedded in a “physical token” that then requires users to verify that the number belongs to them. It could work like the chip in a credit card that requires the owner to enter a pin allowing use. He pointed to Estonia where they have deployed such cards that people use to validate their identity.