Every day, it seems, another data security disaster puts our personal information at risk. If it’s not a major hotel or restaurant chain getting hacked, it’s a financial institution.
Following breaches at Capital One, Equifax and a slew of other financial and healthcare organizations, there’s little doubt that your social security number has been compromised, say cybersecurity experts. Not just yours. Mine, too, as well as those of our spouses, neighbors, friends and colleagues.
“Your social security number is somewhere out there on the dark web,” says Charles Henderson, who heads up X-Force Red, a team of hackers at IBM Security that companies hire to break into their computer systems to expose vulnerabilities.
“It’s totally reasonable to assume that your social security number has been compromised at least once, if not many times,” says Mike Chapple, associate teaching professor of information technology, analytics and operations at the University of Notre Dame’s Mendoza College of Business.
A compromised social security number is much more problematic than when other types of personal data hacked. If your credit card number is stolen, your bank can issue a new one within days. If your passport or driver’s license is stolen, you can get a replacement issued with brand new numbers.
“With Marriott and the other hotel breaches, all of those credit cards got revoked and re-issued,” points out Henderson.
Not only is your social security number designed to stay with you for life, but it’s interknitted with your banking and credit history. If a cyberthief has your name, address and SSN, he is not far from being able to steal your identity.
“If the login credentials for your online banking are compromised, they don’t make you change your username — they make you change your password. But in the case of social security, the number is your username, and there’s no password to change,” says Henderson. “That leaves you high and dry.”
Fortunately, there’s something you can do to protect yourself from ID theft.
1. Freeze your credit.
“The most important thing you can do is put a freeze on your credit,” says Chapple. This is the strongest way to protect the sensitive data in your credit reports and, as of last September, the process is completely free.
Freezing your credit effectively blocks anyone from applying for new credit in your name, and it stays in place until you lift it. This preemptive step can save you the substantial hassle and cost involved with dealing with an identity theft.
To freeze your credit, you need to contact each of the three major credit bureaus individually, either online or by phone – Equifax (800-685-1111) Experian (888‑397‑3742) and TransUnion (888-909-8872). Once a freeze is in place, your credit is protected until you lift the freeze. This won’t affect your credit score, and you’ll need to lift the freeze temporarily if you want to apply for new credit.
2. Stop giving out your SSN.
There’s no reason you should carry your social security card in your wallet. No travel agent needs your social security number. No travel loyalty card or rewards program requires that number. Do not give your social security number to a car rental agency.
“You should be very cautious about who you provide your social security number to,” says Chapple. “You’re just creating less exposure for yourself. You’re limiting the number of places where your social security number is stored and could potentially be compromised.”
“If somebody asks you for your social security number, your response should be to ask why,” says Henderson, who balks when he comes across an online form asking for his social security number. “Usually there’s an 800 number that I call and I ask why they need it. You’d be surprised how many organizations will say, ‘Just put nine zeroes.’ It turns out, a lot of them really don’t really need that information.”
That goes for paper forms, too. “It’s routine to walk into a doctor’s office and they’re asking for your social security number on a form, but for years I’ve just always left those blank, and nobody really ever argues with it,” says Chapple.
We’re in this mess because financial institutions have systematically misused social security numbers, which were first introduced in the 1930s. “Social security numbers were not designed to be secret. Furthermore, they were not intended as a form of authentication. They are merely identifiers,” says Henderson. “But how many times have you seen it, where the last four digits of your social security number is a form of verification?”
Chapple has repeatedly called for a radical fix. He suggests that Congress should direct the Social Security Administration to publish all active SSNs, thus rendering them useless as authenticators.
Until that happens, save yourself a huge potential headache. Take matters into your own hands and freeze your credit.