Social Insecurity: The Unintended Consequences of Identity Fraud Prevention Policies
Designed as identifiers of accounts tracking US residents' earnings, Social Security numbers (SSNs) have over time become sensitive authenticators for private sector services. Since their abuse is a major vector of identity theft, numerous initiatives have attempted to reduce their public availability. However, recent research has shown that unavailable SSNs may still be accurately predicted from publicly available data. Such predictability may undermine the effectiveness of current strategies aimed at curtailing identity theft. This manuscript examines the policy initiatives that made SSNs predictable, the extent to which their predictability heightens the risks of identity theft for US residents, and the effectiveness of current identity theft prevention strategies in light of said predictability. We find that, surprisingly, a number of past policy initiatives designed to combat identity fraud actually created the conditions for the predictability of SSNs. We also find that current policies aimed at enhancing the privacy and security of SSNs, while well-meaning, may also prove counter-effective. Our results support alternative identity management solutions, such as banning the usage of SSNs for authentication and replacing them with credential systems based on usable cryptographic protocols.
Presented at the Eighth Workshop on the Economics of Information Security (WEIS 2009), University College London, England, 24-25 June 2009.