Several players have already been swept up in a federal investigation into election meddling by a foreign power. It now appears the most recent developments are putting renewed focus on the trustworthiness and integrity of digital identity in the U.S.
In mid-February, special counsel Robert Mueller issued a series of indictments against a group of Russian nationals and companies for their intervening role in the 2016 presidential election. Among those charged were four Russian nationals who opened U.S. bank and PayPal accounts with the stolen Social Security numbers, home addresses and birthdays of U.S. citizens. The accused went on to purchase political ads on social media platforms to stoke political divisions.
Amid the fallout from the special counsel’s investigation, these recent indictments have cast a spotlight on the role of identity theft — particularly how bad actors can use stolen data to perpetrate elaborate schemes against foreign powers. They have also raised an important question for institutions in the U.S. financial system: What more could have been done to detect the perpetrators who were using real information to create fake accounts?
Part of the problem, according to Ross Rustici, senior director of intelligence services for cyber security firm Cybereason, is that U.S. banks and financial institutions (FIs) typically activate accounts remotely using personal information like Social Security numbers — identifiers with a long history of being easily compromised. In a recent discussion with PYMNTS, Rustici said an overreliance on Social Security numbers for identification limits early options for FIs to detect frauds or threats. As such, it might be time to consider a new national identification system.
End of the Social Security ID?
The information presented in the recent indictments highlights a “systemic” problem with identity theft in the financial sector, Rustici said. Specifically, the problem is that banks and FIs are often forced to react to identity theft developments after they are discovered, but struggle to detect them early.
Last year’s Equifax data breach, which compromised the personal information of 145.5 million American consumers — including names, dates of birth, Social Security numbers, addresses and driver’s license numbers — has only made remote verification increasingly difficult for banks. Once data has been compromised, FIs can only hope they’re dealing with the rightful owner of the data and not a fraudster who managed to gain access to it.
“There’s really no safeguard left for the financial industry to do remote activation and guard against fraud,” Rustici explained.
With so many Social Security numbers compromised, the very concept of using them as personal identifiers is a seemingly outdated idea.
“Social Security numbers have outlived their usefulness,” according to Rustici. “They’re not a secure [identifier] in the cyber age with the amount of transactions that happen based off of them.”
A cryptography-based solution is a more modern alternative to using the 80-year-old Social Security number as an identity verification tool, he added. Cryptographic ID solutions are already being implemented around the world — albeit in smaller countries.
Estonia, for one, is already using a cryptographic form of identification for digital signatures and voting, and the system is gaining popularity in Latvia and Lithuania as well. In addition, U.S. national cybersecurity czar Rob Joyce has also expressed positive opinions of cryptographic identifiers as a potential replacement for Social Security numbers, an encouraging sign that alternatives to the Social Security number are being taken seriously, Rustici said.
“We need to get away from Social Security numbers as a lynchpin of identity,” he added.
New bank verification options
While banks have tools that can help them detect fraudulent activities and raise potential red flags, Rustici noted the solutions are only put to work after accounts are created. In other words, banks have little recourse to prevent a fraudster from remotely opening an account if the personal information presented checks out. As such, FIs are usually forced to be reactive to potential fraud cases.
“On the front end, there’s a certain level of implicit trust that the information they’re getting is true and reliable,” Rustici said. “If the identity has been stolen and [the fraudsters] have enough details, it’s almost impossible to do the level of verification that’s necessary to really stop this type of behavior.”
Though banks’ options are limited, institutions can take steps to crack down on suspicious banking activity, he explained. They can, for example, use geolocating features in the case of remote account openings, allowing an FI to note the primary internet service provider (ISP) information registered to the prospective account holder. If the registered ISP information does not align with the customer’s account information, Rustici said, FIs may have a reason to be suspicious before authorizing the account to open.
“Those types of things are harder to spoof and would cut back on a lot of the fraud,” he said.
Allowing banks greater access to consumers’ information will raise concerns about balancing consumer privacy and financial security, however.
“We need to look at how comfortable [consumers would be] letting institutions look at [their] overall cyber-footprint to do more identity verification on the front end,” noted Rustici.
Changing verification options
With so many Social Security numbers already compromised, the time has come to seriously consider replacing the system, he added. The scope of last year’s Equifax breach means replacing these numbers should be a top priority for policymakers.
Rustici pointed to Estonia’s work with cryptography-based solutions as a model for replacing the national ID system in the U.S., but he acknowledged that this type of change could take some time to implement. In fact, it would likely require a mandate initiated either by legislation or executive action. But, he added, based on the number of Americans with already-compromised personal data, it makes little sense to continue to rely on Social Security numbers for identity security.
“This needs to change to bring security back to the financial sector,” Rustici said. “Somebody within the government needs to take a serious look at this and implement a solution to get us away from the Social Security number for identification number purposes.”
In the meantime, someone in the government — the special counsel, to be exact — is continuing to take a serious look at the potential foreign interference in the 2016 election. While the probe is well underway, the debate over Social Security as a verification tool is only just beginning.