Calls to stop relying on Social Security numbers as unique and secure identifiers are nothing new. But at least until this week, the convenience and simplicity these numbers offered and the lack of any readily available alternative have made the habit difficult to kick for businesses and government.
Social Security numbers were introduced in 1936 as a way to keep track of the earnings of U.S. workers for purposes of determining their entitlement to Social Security benefits. As recounted on the web site of the Social Security Administration, computing benefit levels was "the sole purpose" for which these numbers were created; and the Social Security card was "never intended to serve as a personal identification document."
The failings of the Social Security number as a unique identifier began to be apparent as far back as 1938, when a sample Social Security card included in wallets sold at Woolworth's and other department stores ultimately resulted in as many as 40,000 people using the Social Security number of a secretary of a senior executive at the wallet's manufacturer. The secretary at issue was given a new number, but for the estimated 60 to 80 percent of Americans nowadays (even before the Equifax breach) whose Social Security number has been compromised, there can be years of anxiety and hassle with little recourse.
In the era of massive data breaches, these widely distributed numbers can no longer be regarded as in any way private or secret — meaning systems that store and rely on Social Security numbers as a method of authentication are inherently insecure. Coming up with alternatives will require up-front investment, creativity, and a change in customer expectations. Approaches built around two-factor authentication and biometrics present their own challenges and tradeoffs. But continuing to depend on a method of authentication predicated on a single insecure, hard-to-change, and easy-to-predict nine-digit number is folly.
Equifax may be an improbable messenger for reform, having built a multi-billion dollar business out of trafficking in sensitive information tied to Social Security numbers. And past reports of the death of the Social Security number have been greatly exaggerated. But if the fallout from the Equifax incident leads to real changes, at least one good news story will emerge from an incident that has otherwise brought only bad headlines for both the company and U.S. consumers.
Commentary by John P. Carlin and David Newman. Carlin was the assistant attorney general for the U.S. Department of Justice's National Security Division (NSD) and served as chief of staff and senior counsel to former FBI Director Robert S. Mueller, III, where he helped lead the FBI's evolution to meet growing and changing national security threats, including cyber threats. He currently chairs Morrison & Foerster's global risk and crisis management group and co-chairs its national security group. He is also the chair of the Aspen Institute's Cybersecurity & Technology Program and a CNBC contributor.
Newman is a former special assistant to the president, associate White House counsel, and director on the National Security Council staff. He is currently counsel at Morrison & Foerster LLP, where he represents clients in a wide variety of national security and global risk and crisis management issues.