On September 7th, 2017, Equifax Incorporated publicly announced a major data breach of their systems. Equifax reported that data associated with approximately 143 million Americans were exposed, with records including addresses, date of birth (DOB), full name, Social Security Number (SSN), and some driver’s license numbers. Credit card numbers for approximately 209,000 Americans were also stolen, along with dispute documents for 182,000 consumers. The impact of the breach reaches beyond the United States as approximately 400,000 U.K. consumers and 100,000 Canadian consumers were also affected.
While much of the open source reporting has focused on the vulnerability that caused the breach, the more pressing issue may be the ramifications of such a prodigious breach of Personally Identifiable Information (PII). The loss in confidentiality for nearly half of the entire U.S. population has the potential to threaten the viability of the SSN system.
Security researchers identified a vulnerable version of Apache Struts as the cause of the breach. The vulnerability, registered as “CVE-2017-5638,” was issued a patch in March 2017 (which Equifax failed to apply). Another vulnerability, registered as “CVE-2017-9805,” was discovered in Struts in September 2017. As of this writing, researchers believe that the initial vector exploited to gain access to Equifax’s data was accomplished via CVE-2017-5638.
Similar data breaches and subsequent data theft have occurred before, although not on such an extensive scale. In 2015, the credit bureau “Experian” experienced a breach that exposed PII associated with approximately 15 million individuals, specifically, those who applied for financing via T-Mobile USA. The breach lasted from September 1, 2013 to September 16, 2015. The exposed data consisted of:
By October 2015, security researchers began to see data associated with the breach appear on underground markets offered for purchase. The data was packed into “Fullz,” which comprises a full package of PII needed to commit identity theft and fraud such as address, DOB, full name, among others.
A similar data breach affected the U.S. Office of Personnel Management (OPM) in June 2015. OPM confirmed that sensitive information associated with background investigation records of current, former, and potential federal employees and contractors was stolen. Individuals are believed to have been affected if they underwent a background investigation in 2000 or afterwards using the submission forms SF-86, SF-85, or SF-85P. The breach affected approximately 21.5 million individuals. The data consisted of PII such as:
As with the 2015 Equifax breach, data associated with OPM was soon found for sale on underground markets.
Access to this kind of data poses a significant risk. An individual’s SSN, combined with other sensitive information such as billing address, date of birth, and email address, can be used by threat actors to access and/or create other services. As the system is currently designed, it is difficult for a victim of identity theft to prove that they are not responsible for actions if:
With an SSN, billing address, and DOB, threat actors can engage in malicious activity in numerous ways, such as:
Brian Krebs provides a stark example of the types of abuse available to actors interested in identity theft in an article from 2016.
The images below provide examples of locations that threat actors could potentially abuse with the information exposed by this breach.
Figure 1 - Password Reset Example That Uses Last Five Digits of SSN as Verification
Figure 2 - Web Login Requesting SSN for Retrieval of Forgotten UserID
Figure 3 - Creating New Password With SSN
Figure 4 - Recovering User ID and Password
Figure 5 - Forgotten User ID / Password
Identity theft is, unfortunately, difficult to prove and even more challenging to fight; however, there are steps that individuals can take to mitigate damages. One of the simplest and most common scenarios an individual may face occurs when a threat actor uses an individual’s line of credit to obtain new credit cards. If the threat actor was first able to change the individual’s account information, and could later provide seemingly verifiable information relating to their identity, the authentic account owner would struggle to prove that they did not make those changes. The most effective remediation tactic in this scenario is to apply for a credit freeze at all credit bureaus. Credit bureaus are governed at the state level, meaning that the fees and processes for freezing credit vary from state to state. Michigan is the only state that currently does not have a mandate regarding credit freezing.
While credit freezing is the recommended method of mitigation, it is far from a perfect solution. Depending on the laws in place, customers looking to freeze their credit may have to pay the company responsible for the breach in the first place. It is also possible for threat actors to obtain the PIN for a credit freeze by providing an individual’s DOB, address, and Social Security number, eliminating the protection a credit freeze should provide.
Figure 6 - Screenshot of the Freeze PIN Recovery Form
Customers can also place an extended fraud alert on their credit files. This prevents financial service providers from granting credit in their name without first contacting them for approval. However, the extended fraud alert requires the applicant to have been a victim of identity theft and to have created an identity theft report. Consumers may also wish to discuss with their financial service providers the possibility of requiring physical presence to apply for new services or to make changes to an account. For mobile providers, a PIN can be added to the account that must be given for any transactions or changes to the account. This PIN should not be related to any of the data that is suspected to have been stolen.
Social Security numbers were never intended to be used as secure identifiers for banks, credit agencies, or anything outside of the Social Security Program. The private sector chose to use them because they were a way to identify an individual person in the U.S. (theoretically everyone has only one Social Security number). Now that malicious actors have access to the unique identifiers for approximately half of the U.S. population, the validity of this system as an identity tool is called into question. It is possible to receive a new SSN but only in fairly extreme circumstances involving harassment or abuse in regards to identity theft and/or fraud.
This breach provides the private industry with an opportunity to develop a better solution for identifying individual credit-consumers. Banks are in a good position to develop this type of solution as they can accomplish in-person verification and provide a cryptography-based digital verifier for online transactions. This would be similar to Estonia’s e-Residency program (https://e-resident.gov.ee/) where a cryptographic chip is provided to authorize transactions after verifying an individual’s identity. This type of solution would negate the need to leverage Social Security numbers for financial data (apart from the government agencies that may still use them). It is interesting, and worrisome, that in some cases there is better security for free services such as email clients. Some free email clients such as Gmail offer two-factor authentication (something you know, something you have, or something you are), but the SSN system does not apply this to an identifier that can impact numerous aspects of everyday life.
One other potential solution would be for the U.S. government to overhaul the Social Security number system and replace it with some kind of cryptographic system (again, similar to Estonia’s e-Residency cards). This would make breaches like what occurred with Equifax less worrisome and less burdensome to potential victims because SSNs would be far more difficult to crack. Many actors would not have the skills and resources needed to decrypt sensitive information protected with strong cryptography.
As long as SSNs are being used as passwords, they should be treated as passwords. For example, instead of storing SSNs in plaintext, organizations could store a salted cryptographic hash of the SSN, preferably using bcrypt, and compare the hashes. Bcrypt is based on the Blowfish block cipher, which relies heavily on accesses to a frequently modified S-box table, something that cannot be efficiently implemented on a GPU. By comparison, SHA-256 uses 32-bit logic operations that GPUs handle far more efficiently, giving attackers an edge in calculating hashes. Hashing reduces the risk of plaintext Social Security numbers being leaked in the case of a breach, and also makes it more difficult for threat actors to brute-force the hashes. Unfortunately, the recommended steps following a password breach are not applicable to a breach of PII: people cannot currently change their SSN in the same way they can change a password.
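The storage approach described above, written out as an added example (this is not code from the original article). It uses scrypt from Python's standard library in place of bcrypt, since bcrypt requires a third-party package; scrypt is likewise a memory-hard, salted, work-factor-tunable hash, so the GPU-resistance argument is the same. One caveat the paragraph does not mention: an SSN has only nine digits, so the entire keyspace is at most a billion values and a salted slow hash alone only slows down per-record guessing rather than preventing it. The example therefore also mixes in a server-side secret (a "pepper", assumed here to live in a secrets store rather than in the database), so that a stolen table of hashes cannot be attacked offline without that secret. The work-factor constants and the record format are assumptions for the example, and the SSN in the usage block is a constructed sample.

```python
import hashlib
import hmac
import os
import re

# Work-factor parameters chosen for this example (assumptions, not from the article).
SCRYPT_N = 2 ** 14   # CPU/memory cost; raise as hardware allows
SCRYPT_R = 8         # block size
SCRYPT_P = 1         # parallelism
SALT_BYTES = 16
DK_LEN = 32


def normalize_ssn(ssn: str) -> str:
    """Strip separators so '123-45-6789' and '123456789' hash identically."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("an SSN has exactly nine digits")
    return digits


def _pepper_ssn(ssn: str, pepper: bytes) -> bytes:
    # The pepper is a server-side secret kept outside the database (assumed to be
    # loaded from a KMS/HSM or secrets store). Without it, a stolen hash table
    # cannot be brute-forced offline even though the SSN keyspace is tiny.
    return hmac.new(pepper, normalize_ssn(ssn).encode("ascii"), hashlib.sha256).digest()


def store_ssn(ssn: str, pepper: bytes, salt=None) -> str:
    """Return a self-describing record: scrypt$N$r$p$<salt hex>$<hash hex>."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh random salt per record
    digest = hashlib.scrypt(_pepper_ssn(ssn, pepper), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DK_LEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_ssn(ssn: str, record: str, pepper: bytes) -> bool:
    """Recompute the hash with the parameters stored in the record and compare
    in constant time. Any malformed record or malformed SSN verifies as False."""
    try:
        scheme, n, r, p, salt_hex, hash_hex = record.split("$")
        if scheme != "scrypt":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        candidate = hashlib.scrypt(_pepper_ssn(ssn, pepper), salt=salt,
                                   n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except ValueError:
        return False
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    pepper = os.urandom(32)  # in production: loaded from a secrets store, never the DB
    record = store_ssn("123-45-6789", pepper)   # constructed sample SSN, not a real one
    print(record)
    print(verify_ssn("123456789", record, pepper))   # True
    print(verify_ssn("123456788", record, pepper))   # False
```

Storing the parameters inside each record lets the work factor be raised later without re-hashing everything at once: old records still verify with their own parameters and can be upgraded on the next successful check.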
This issue gives rise to further questions. Do we need a law or policy mandating how SSNs should be stored? Should everyone be able to request a new SSN? Unless something changes, nearly half the U.S. population has had their individual identifying “password” breached, and faces difficulties in changing it or in preventing someone else from using it. As it works today, the SSN system relies on privacy, which has now been denied to nearly half of Americans and countless others abroad. Of course, if citizens were allowed to change SSNs at will, this would break the current system of tracking credit. Some other uniquely identifying method should be considered in lieu of SSNs for this purpose going forward.