For quite some time, banks and financial institutions have been using people’s Social Security Numbers (SSNs) to verify their identities. Suppose you want to access your bank account to check your balance, change addresses, or close out the account. You call the bank, but how does the bank know it’s really you? For a while, banks were asking you for your SSN. Your SSN was used akin to a password. If you knew this “secret” number, then it must be you. Of course, as I have written about at length, a SSN is one of the dumbest choices for a password. Not only is it a password that can readily be found out, but it is a password that’s very hard to change. Not a wise combination. People’s SSNs are widely available, and the data security breaches in the past two years exacerbated the exposure. A lot of legislative attention has focused on the leakers of the data, and rightly so, but not enough attention has been focused on the businesses that use people’s SSNs as passwords. If SSNs weren’t used in this way, leaking them wouldn’t cause the harm it does.
But now, it seems, banks are starting to rethink the use of SSNs. According to a USA Today story:
A growing number of banks and retailers are moving beyond Social Security numbers to verify your identity. They’re relying on such personal details as your car color, your father-in-law’s name and the city you lived in five years ago.
No, you never gave them this information; rather, they pulled it from public and private databases. These private details are increasingly being used to approve you for credit at a store, give you access to your account online or to verify that you — rather than an impostor — are making a purchase.
It’s the latest effort by financial institutions to fight a growing threat of identity theft from online “phishing” and other scams. Chase, HSBC, Vanguard, American Express and Barclaycard US use this customer-verification technique. Mellon Financial is testing it. In the past two years, the technology has been adopted by six of the top 10 U.S. banks and thrifts, says Verid, a provider of the technology.
The problem with using this method is that the information in public databases is often riddled with errors. Why do banks need to go behind your back to snoop out information about you? Banks and financial institutions already have a relationship with you — after all, you established an account with them. They can use some of the information they gathered at that time to establish your identity and then ask you to supply additional information to help identify you. But going behind people’s backs and trolling public records for data does not strike me as a particularly effective method given the possibility for errors in those records.
The story continues:
Frank Lapiano, a sales rep in New York, got a taste of this technology when he and his fiancée bought a wedding ring at a department store in September.
To verify his identity, his credit card issuer, Chase, asked about the last four digits of his Social Security number, his mother’s maiden name and charges he’d made in the past 48 hours. Then the bank dug deeper: It asked multiple-choice questions about which age range reflected his father’s age and also about the city his mother lived in.
The problem here is that the last four digits of the SSN are not a good password. Neither is one’s mother’s maiden name, since it readily appears in public records such as birth certificates. Charges made in the past 48 hours might not be ideal to use either, since a thief who stole a person’s credit card might be the one who made such charges. And the details about his father’s age and whereabouts of his mother come from public records, which may not be reliable and which can readily be found out by a fraudster too. All a fraudster needs to do is buy a public records report about a victim from a database company, and the fraudster will have all the information he needs to circumvent this security tool. Moreover, asking numerous questions can slow down the identification process and make it less efficient. What we want isn’t perfect security; it is smart security using passwords that do not contain information anybody can readily find out and that can be changed easily if they fall into the hands of a frauster.
So it’s a good thing that banks are moving past the SSN, but I’m not sure they’re moving to something much wiser.
Originally Posted at Concurring Opinions
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.