Unintended Consequences: The Impact of SSN Randomization on Risk Management
Originally designed to track individual contributions to the Social Security Program, a person’s Social Security Number (SSN) has evolved to unintentionally become a near universal identifier synonymous with a person’s identity. SSNs never expire, are never reclaimed, seldom reissued, and with a few rare exceptions are unique and issued to a single individual.1
It can be nearly impossible to engage in daily life without an SSN, and despite its many vulnerabilities, the SSN is generally the primary consumer identifier that public and private institutions trust. For example, the Internal Revenue Service requires all corporations to collect SSN data from their employees and contractors for tax reporting purposes. Parents are required to submit a SSN for any dependent children they claim. Individuals are also often asked to submit their SSN when opening bank accounts, applying for credit and receiving medical care. In both the private and public sector, SSN’s are the nucleus of identity management, driving policies for authentication and compliance activities.
The ubiquity of the SSN and its use in identity management makes it a treasure for fraudsters and criminals. In the mid-1990s, the growth of online new-account applications and customer self-service options fueled a dramatic increase in identity-related fraud. While these electronic channels drove an improved customer experience, their inherent anonymity had the unintended consequence of making it easier for fraudsters to misrepresent identity information. Enterprises and public agencies began to voice concerns that the structured nature of the SSN was facilitating this behavior, inadvertently allowing criminals to use publicly available information to predict an individual’s SSN.
To mitigate this problem, the Social Security Administration (SSA) instituted a major change to the way it issues new SSNs. This change however has not only caused problems for fraudsters; it has created significant, inadvertent issues for companies that rely on SSNs to determine identity risk. The old ways of using SSNs to find fraud are no longer accurate or viable and organizations must now consider new techniques for identifying risk that account for this change.1
The original system for issuing SSN’s relied on chronology and geography to assign significance to the numeration and order of the nine-digit identifiers. The first three digits, known as the area number, corresponded to a particular geographic region of an individual’s mailing address. The next two digits, known as the group number, were assigned in a nonconsecutive yet predictable order within each distinct area number. The final four digits were determined serially and issued in order of application.1
The SSA regularly published the highest group number that had been issued for a given area number. Publishing the group numbers provided risk managers with a way to divide the set of total possible numbers into issued and unissued ranges. That is, prior to SSN randomization, firms could use public information to determine whether an asserted SSN had been issued. Assertions of an SSN that fell outside of the issued range appeared highly suspect and were typically either typos or indicative of misuse. This structured nature of the SSA’s issuing logic allowed fraudsters some ability to predict an individual’s SSN given knowledge of his or her date and location of birth2, allowing fraudsters to represent the number as their own.
In July 2011, this system was abandoned for a new scheme where SSNs began to be issued using fully randomized digits. SSNs issued since then no longer reflect any of the significance that allowed fraudsters to abuse the number. While this change appears to have succeeded in reducing the opportunity for fraudsters to predict a victim’s SSN, the policy change has inadvertently compromised a series of traditional identity-management practices. Because most risk managers rely on the previous structure to determine SSN validity, the policy change has created a new set of vulnerabilities for fraudsters to exploit. It is now extremely difficult for risk managers to distinguish between SSNs that were legitimately issued and those numbers that are being illegitimately asserted.2
Prior to randomization, a SSN in the unissued range sent a strong and explicit signal to risk managers. Whether the individual asserted the invalid credential with malicious intent, as a benign attempt to escape a bad payment behavior in the past, or as typographical error, it was clear that something was not right with the stated information. Organizations realized that SSNs in the unissued range were often associated with high risk, and required investigation. The tools and policies they developed to prevent identity fraud reflected these learnings and often applied more stringent, yet warranted, scrutiny towards individuals asserting SSNs from the unissued range.
Six Steps to a Solution
SSN randomization presents substantial challenges for any organization that relies on SSN structure to assess the validity of the asserted SSN as part of an identity risk assessment, particularly as the risk for exposure to attacks is expected to grow as more randomized SSNs are issued.3 The proper response will require a concerted, cross-organizational investigation. Risk managers should evaluate the severity of the problem in their own environments, identify areas of strength and vulnerability, and respond with an updated approach.
The first step for risk managers should be to consider how SSNs are used across their organization, and the degree to which current policies and processes are impacted by randomization. They should undertake an initiative to evaluate the tools and processes currently in operation. Moreover, these investigations should revisit any policy updates made in response to SSN randomization. Consider the following six questions during the review process:
- How does the current identity-proofing process depend on SSNs? Has the process been updated to accommodate the SSA’s policy change?
- How has randomization affected remediation procedures as part of the new-account onboarding process?
- Who developed the identity verification tools and policies? Were they created internally or via an external vendor? Who is responsible for maintaining these solutions?
- On what data does the process rely? Who provides this data and where does it come from?
- What have vendors done to respond to SSN randomization?
- What solutions are there to distinguish between new, legitimately issued SSNs; benign errors; and malicious assertions of SSNs that have never been assigned by the SSA?
The challenges posed by SSN randomization cannot be solved with a simple fix. They require significant resources and expertise. In an environment where risk managers are consistently asked to do more with less, determining next steps can be both difficult and confusing. Many organizations may simply lack the ability to respond to SSN randomization internally and within a timely manner. After evaluating the severity of the impact of SSN randomization on the business, companies should look for partners thatunderstand the impact of randomization across public and private sectors and have developed solutions to directly address the challenges of SSN randomization. Risk managers cannot afford to ignore the issues created by randomization.
Ken Meiser is the Vice President of Identity Solutions at ID Analytics
1. Acquisti, Alessandro and Ralph Gross (2009). Predicting Social Security Numbers from Public Data
2. Bert Kestenbaum, Social Security Administration (2012). Consequences of Social Security Number Randomization, 2012
3. Electronic Privacy Information Center (2014) Social Security Numbers