• Tech
  • Security

‘It Is Absurd.’ Data Breaches Show it’s Time to Rethink How We Use Social Security Numbers, Experts Say

8 minute read

Justin Rice is sick of being on the phone. After having his family’s personal information exposed after the 2017 Equifax breach, Rice had to cancel about $3,000 in fraudulent transactions, and, along with his wife, has spent dozens of hours on the phone disputing claims.

“The hours you have to put in talking to customer representatives is crazy,” says Rice, who has had to deal with over 10 fraud-related incidents in the two years since the breach. He also had to close his oldest line of credit, negatively affecting his credit score. “It just gets old after a while.”

Rice is just one of 148 million victims whose personal data was leaked in the Equifax breach. Other companies, like Capital One, Home Depot, and Marriott, have also suffered massive data breaches in recent years, putting millions of other people at risk of identity theft and more. But the data breach crisis goes deeper than any single credit bureau or other company. Unless we rethink how we verify our identities, experts say, we’ll just keep falling victim to breaches. That starts with Social Security numbers, which have turned into a vital — but vulnerable — method of authentication.

There were over 1,200 reported breaches in 2018 alone, according to the Identity Theft Resource Center. Those breaches exposed over 400 million records. Social Security numbers were the most commonly exposed piece of information, second only to medical information. And it only takes one or two pieces of personal information for a hacker or identity thief to make someone’s life hell — especially once they have a target’s Social Security number.

“If I have your name and your Social Security number, and you haven’t gotten a credit freeze yet, you’re easy pickings,” says security researcher Jim Stickley. Stickley is a “penetration tester,” meaning businesses pay him to infiltrate their systems in order to find flaws they can fix before the bad guys exploit them. “With that, you can do whatever you want,” he says. “You can become that person.”

The Social Security number — created in 1936 to track Americans’ social benefits — was never meant to be a form of identity verification. “It literally said it on the card,” says Stickley. “For Social Security purposes — not for identification.” But that line disappeared in the mid-1970s, and the single identifier proved convenient when it came time for the U.S. to handle information using computers. Since then, Americans have been using their “social” for everything from applying for a credit card to filing their taxes online. Proposed national ID programs fell to the wayside due to a lack of support and concerns related to privacy and potential abuse. According to testimony from economist and former Trump campaign advisor Stephen Moore, when the idea of a national ID card was proposed in 1981, former President Ronald Reagan remarked, “My god, that’s the mark of the beast.”

But we shouldn’t be using an unchangeable nine-digit code for verification, Stickley says. It’s a little like having a Facebook password that we can’t change even if we know somebody else has it. “It is absurd,” he says. “Your Social Security [number] is not supposed to be your ID.”

One potential solution comes from Estonia. In 2002, the high-tech northern European country launched eID, a program that gave residents smart ID cards containing encrypted digital keys that unlock with PIN codes known only to the cardholder, adding an extra layer of security and identity verification not present when using a Social Security number.

“There will never be a secure environment as long as there are people around,” says Kalev Pihl, CEO of SK ID, the company that manages Estonia’s eID card and related programs. From Pihl’s perspective, your data is already public. That makes it impossible to believe anyone is who they says they are based solely on memorized information. Instead, you need a second method of authentication, too. “This is the idea behind almost any secure electronic identity,” says Pihl.

Estonia’s eID system connects residents (and those doing business in the country) to nearly every government service available. The smart card is issued in person and has a picture of the holder on it. It allows Estonians to file their taxes, check their medical records and even vote in elections with minimal fear of fraudulent activity.

Estonians have an ID number similar to a Social Security number printed on their eID card, but that’s only one element of what they need to prove their identity. Cardholders also pick a pair of PIN codes that function as a password. For Estonians accessing government services through their smartphone, the recently released Smart-ID app generates a random, user-specific code similar to the two-factor authentication app you’re using to protect your email account from intruders (you’re using one, right?). “There is only one such device that generates such one-time passwords,” says Pihl. “And this device is in your pocket and not in your neighbor’s pocket.”

Because the eID card is securely tied to a person’s identity, it can be used for a wide variety of verification purposes. “You can actually use it to confirm transactions,” says Tobias Koch, speaker at the E-Estonia Briefing Centre, which advocates for adopting digital identification systems. “This means that you can give, with the help of this identity card, legally binding signatures. You can sign rental agreements, you can sign all sorts of contracts with the eID card.” The eID card also makes loyalty cards and key cards obsolete, handling those related services without forcing you to carry another, less secure form of identification.

Estonia hasn’t seen any major data breaches since the country’s eID program debut. But the system isn’t flawless. In 2017, Estonian officials temporarily disabled over half a million eID cards after a security vulnerability was discovered. But Koch argues even that hiccup demonstrated the relative security of the eID system. “As soon as it became public the government took action,” he says. “The crucial thing here is that this was actually very transparently and very publicly communicated. There was a way to remotely actually update the certificates and guarantee the same level of security.” Residents were able to update their eID cards in person or online and protect themselves from the flaw, which was quickly fixed.

The closest relative to a national ID program in the U.S. is the Real ID program, approved by Congress in 2005 with the passage of the Real ID Act. The law standardizes the information stored on driver’s licenses, and requires states to share their motor vehicle databases with one another. But it does nothing to protect anyone’s Social Security number. And Real ID Opponents, including civil rights organizations like the American Civil Liberties Union (ACLU), say the law fails to protect citizens from privacy violations. “Originally, the reason to have a driver’s license is to demonstrate that you had authorization to drive,” says Neema Singh Guliani, senior legislative counsel for the ACLU. “Now, roughly 15 to 20 states and their databases are routinely scanned by law enforcement for facial recognition.”

Using someone’s personal data without consent is more difficult under Estonia’s eID program. Its underlying blockchain technology maintains un-editable records of who accessed your data and when. “In that sense, you can control who has access to your data, and you can hold people accountable,” Koch says. “What people call it in Estonia is actually the so-called ‘reverse Big Brother principle.’”

Short of rethinking how we use Social Security numbers, the best Americans can do to protect their sensitive information is to be careful how and with whom we share it, and sign up for some form of credit monitoring. Still, even that won’t stop all fraudulent activity — and in many incidents, the fault lies with a company or other third party, not the victim. In Rice’s case, he and his family are trying to roll with the punches. But the unpredictable attacks and hours on the phone have taken a toll, both psychologically and financially. “When that stuff happens, we just deal with it and move on,” says Rice. “It’s kind of hard to fight back against Equifax or Capital One if you’re a regular guy.”

More Must-Reads From TIME

Write to Patrick Lucas Austin at patrick.austin@time.com