Digg this story   Add to del.icio.us   (page 1 of 2 ) next 
Tweaking Social Security to Combat Fraud
Tim Mullen, 2008-02-13

Americans lost over 45 billion dollars in identity-related fraud in 2007. Reports are so commonplace that we've actually become de-sensitized to them. "200,000 victims reported..." "500,000 victims reported..." Even figures into the millions don't seem to faze us anymore. And that is a Bad Thing.

But identity fraud is not just about money. The pervasive use of Social Security numbers (SSNs) as an identification mechanism gives an attacker many options. California, for instance, requires a birth certificate (or many other types of documents) and a valid SSN to get driver's license or identification card. With a little effort, one can acquire a state issued identification that can be used for unrestricted travel throughout the country, including air travel. A criminal, terrorist, or general bad guy can leverage stolen credentials in this manner for extended periods of time without the original owner ever knowing about it.

The problem is the permanent nature of an SSN: It can’t easily change without special assistance or circumstances and are good forever, even after you die. It is this trait of permanence that has dictated its use as a unique identifier in so many systems. As a result, we have provided attackers with an ever growing source of vectors where the stolen ID data can be leveraged, as well as an ever growing number of potential targets from which to steal the data. It is this permanence that gives the SSN its core value.

Our current system perpetuates fraud and, by its very design, affords criminals whatever time they need to exploit it. It is a system that exposes us to a number of threats without giving us any power or capacity to manage the associated risks.

So, what’s the solution?

Currently, there are many proposed solutions to the problem of identity theft—all of them dealing with things like punishing those who steal data, punishing those who let the data be stolen, enforcing strict protection mechanisms for systems housing the data, and even the limitation of who can collect what data, and for what purpose. All of these mechanisms will ultimately be ineffective because they do not address the core issue of ID theft: They do nothing to impact the value of the SSN.

Laws that provide for harsher punishment will not stop criminal organizations. And laws that punish those with lax security will not stop the data from being stolen. Those measures only come into play when the criminal gets caught or when the data is already gone. They may provide after-the-fact retribution, but they don’t protect the data.

Forcing companies to have minimum standards of security will help, but it will not stop the data from being stolen. It will make the data harder to get, which will actually increase its value, making the data a more attractive target for criminals who will most certainly find ways of getting it. If something has value, and can be stolen and sold for a profit, then criminals will get to it somehow.

To impact identity theft, the U.S. must implement measures that directly affect the inherent value of the SSN itself. A system that allows a victim of identity theft to change -- or have changed -- their SSN and voiding the "old" number should work. This would allow for SSNs to be verified before a transaction is executed much like a credit card number is validated for purchases. Such a system would have rules to enforce the voiding and expiration of compromised numbers, while maintaining a change log that prevents abuse of the system from a credit history standpoint.

To be successful:

  • The process must pay for itself.
  • Changes in the Social Security Administration process do not necessarily require commercial applications that use the SSN as a unique identifier to change. Legacy support for business applications must be maintained without change if they so choose.
  • Credit history and auditing must be maintained.
  • The system must be developed in a way that will guarantee voluntary adoption by the credit agencies.
  • The validation process must be paid for by business entities, however, government agencies (like the DMV) must be able to utilize the service for free. In this way, pass-through fees can go to the Social Security Administration for commercial use while authentication bodies can validate data without cost.

Currently, if a breach exposes individuals' data, the company responsible is usually fined. But where do these fines go? What are the funds used for? We may never know. I propose that when a breach occurs (and is verified, of course) that rather than being fined, the responsible company or entity would pay for the process required to void and change the SSNs of the victims.

The voids and reissued SSNs would then be propagated into the credit tracking processes. The current "Big Three" credit bureaus are already in the business of tracking your personal financial activities. And, because it is their source of income, they do it well. Since they maintain your history and give it to others for a fee, they should be the ones responsible for ensuring that their internal change logs are maintained -- after all, it is in their best interest to do so. If their procedures allow for one to delete past credit history by acquiring a new SSN, the value of their services to their customers would be greatly diminished.

Story continued on Page 2 

SecurityFocus columnist Timothy M. Mullen is Vice President of Consulting Services for NGSSoftware.
    Digg this story   Add to del.icio.us   (page 1 of 2 ) next 
Comments Mode:


Privacy Statement
Copyright 2010, SecurityFocus