Personal identity and security must evolve beyond trying to keep our information “secret” – one’s Social Security Number is a great example of this flawed strategy. We have to assume that our SSN is publicly known (or easily found out) – or revealed through no fault of our own. Therefore, how can we prevent misuse?
Just this morning, the Los Angeles Times published “College Door Ajar for Online Criminals”, documenting how easily identity thieves can obtain sensitive personal data from colleges:
“Computer systems at universities across the nation are becoming favorite targets of hackers, and rising numbers of security breaches have exposed the personal information of thousands of students, alumni, employees and even college applicants.
Since January, at least 845,000 people have had sensitive information jeopardized in 29 security failures at colleges nationwide. In these incidents, compiled by identity theft experts who monitor media reports, hackers have gained access to Social Security numbers and, in some cases, medical records.”
SSNs are used primarily for identification: to link together the financial records of the taxes we pay, the bank accounts we own and the credit we owe, as well as to track the government pensions we presumably become entitled to in 25 years or so. No question it’s an important element of our identity.
Right now, anyone with my SSN and other basic information, like my address and phone number, can apply for credit, open a bank account or get a phone number. Perhaps they might also need a fake photo ID – also easily available.
What I’d like to see is a system which assumes that “bad” people know my SSN, but they cannot do anything meaningful with that information alone. There should be a mechanism to prevent changes or new activity unless it can be proven that I, in fact, desire the change. Issuing a driver’s license or changing one’s permanent address would be in the same category. The system should not require me to memorize something like an 18-digit secret code, either. I can barely memorize the various phone numbers connected to me, let alone PIN codes for my video rentals, ATM cards and voicemail.
Is the answer in fingerprints, retinal scans, DNA stamps or other multi-factor authentication? I would actually feel more secure knowing that my “secret” information is free – and that it could not be used against me. Ultimately, the issue is accountability: is someone who claims to be me actually me?