
Fingerprints, Passwords, SSNs—There’s Got to be a Better Way

Written by Stephen Coggeshall, Ph.D. for Symantec

Whether it’s fingerprints or Social Security numbers, permanent credentials are just waiting to be stolen by identity thieves. Those thieves will use them to defraud everyone from banks to governments, all while causing untold havoc on the financial wellbeing of the individual victims—like you and me.

We learned this past week that hackers had stolen the fingerprints of 5.6 million federal employees from the U.S. Office of Personnel Management. Should those 5.6 million people be concerned? Yes, but in some ways, no more so than the 80 million who had their personally identifiable information—including Social Security numbers—taken in the cyber attack on Anthem, one of the nation’s largest health insurers.

The underlying problem here is single-factor identification. Sure, a bank or other lender is going to ask for more than your Social Security number (SSN) when you apply for a loan. But that nine-digit, U.S. government-issued number is the most critical information you’ll provide in the application process. It’s so critical that when it’s stolen or otherwise exposed, fraudsters can open new accounts in your name indefinitely—using your SSN and other relatively easily available information such as your birthdate (from social media, perhaps?) and street address.

By the way, even if compromised, your Social Security number is likely to be the one you carry with you to the grave. Obtaining a new one is far from a simple process and very rarely done.

Much like an SSN, biometric characteristics, including fingerprints, are also permanent. And since they’re less often exposed in breaches, they’re more often assumed to be authentic—or less likely to have been compromised. Still, once stolen, as in the OPM situation, they can be used indefinitely. A criminal could theoretically use electronic files of your fingerprints to impersonate you in whatever application or identity verification process requires them.

And the use of biometric systems—no longer cost-prohibitive to implement—is quickly expanding. In fact, if you happen to be reading this article on a smartphone, there’s a good chance you used biometrics—a thumb or fingerprint, rather than a conventional passcode—to access your phone. You might even use biometrics to enter your office building or to pass through immigration when returning to the U.S. from abroad.

As we see more breaches of biometric characteristics, everything from voice patterns to hand geometry, the importance of those characteristics for identity verification may be eroded. We’ve seen the same issue with passwords, SSNs and other “things that you know,” such as your mother’s maiden name.

And it doesn’t take a hacker breaking into a computer network to steal biometric characteristics. Take fingerprints, for instance. We leave them on everything we touch. They’re what police officers scan for at crime scenes. When you think about it, biometrics is a futuristic-sounding word that includes technology that’s decades old.

So if biometrics, like Social Security numbers, isn’t the be-all, end-all of verifying a person’s identity, what should we use? I’ve long called for retiring SSNs as an identifier and verifier of people’s identities. And I’d argue that while using biometrics could be an improvement, it’s not a comprehensive solution. What we need is a broader discussion about identity protection, involving the government, consumer groups, and business. While finding an improved solution won’t be easy, we need to keep innovating.

The end result would likely involve multi-factor authentication, in particular, a blend of what you know (e.g., SSN, birthdate, and passwords), plus what you have (e.g., secure identification cards, biometric characteristics), plus what you do (e.g., behavioral algorithms, looking at your behavior on the site along with past behavior). Much more complicated than touching your finger to a smartphone, yes, but worth the effort when you consider what’s at stake.

Until we identify a solution, the breaches that continue to occur—whether they involve biometric characteristics or SSNs, foreign governments or homeland hackers—will affect more and more of us, constantly putting our bank accounts, tax returns and good names at risk.
