Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

« Cramming and bill-to-mobile payments: Managing the risk | Main | The new consumer protection agency looks at prepaid cards »

May 29, 2012

Are social security numbers still secure enough for payments?

Identity authentication is becoming increasingly important today as consumers conduct more and more social interactions, commerce, and financial transactions online. Many emerging payment methods are conducted electronically today and will no longer involve the face-to-face interactions that have provided an additional layer of security for our traditional retail payments environment. Unfortunately, our primary means of personal identification is the social security number, and it is becoming more vulnerable to compromise. How do we mitigate the risks in innovative payments going forward with traditional identification methods?

A well-intended system
The social security number was created in 1936 as a way to track workers' benefits for the new pension program. At the time, no other use for the number was envisioned. In 1943, however, President Roosevelt signed an executive order allowing other government agencies to use social security numbers. Today, the numbers are the primary identifiers for many government functions, including filing taxes, receiving all manner of benefits, and enlisting in the military. Social security numbers are also widely used in the private sector, especially in the healthcare and financial industries. They have become the default identifier used by healthcare providers, insurers, credit bureaus, banks, and others when signing up new customers.

Social security numbers—not so secure
You probably believe that your social security number is private. You probably assume that it's kept private by those who use it to verify your identity. But how many different people have seen your number, or some part of it, in the past decade? It's out there every time you've gone to a new healthcare provider, signed up for a new insurance plan, or applied for a credit card, bank account, or cell phone plan. Researchers have even developed an algorithm for guessing a person's number using just their place and date of birth.

The problem with such widespread use of social security numbers is that they are easily exposed and vulnerable to use in identity theft and related crimes, including various types of payment fraud. It goes without saying that new identification and authentication methods will be needed in the future to ensure that the personal information accessible via social security numbers can be protected and kept secure.

Mitigating compromise and improving personal authentication
In 2008, the Federal Trade Commission (FTC) developed recommendations on preventing the misuse of social security numbers for identity theft. First, they recommend using multifactor authentication, including additional processes in addition to the social security number. The FTC recommends further that, whenever possible, users should restrict the public display and transmission of social security numbers from applications, identity cards, and other documents. As crimes in electronic networks grow more prevalent, it will be increasingly important that the industry use multifactor authentication practices to combat the threat of outmoded personal identification methods.

Jennifer WindhBy Jennifer C. Windh, a senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

May 29, 2012 in identity theft , payments , privacy | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Are social security numbers still secure enough for payments? :


FFIEC came up with guidelines for 2FA around seven years ago and followed it up with some more guidelines this year. Despite the passage of so much time and the fact that virtually all other large nations have adopted 2FA, banks and e-commerce merchants in the US are conspicuous by their absence of following even the basics of strong authentication like VbV, etc. Is this because 2FA introduces additional friction and / or false positives that result in greater revenue losses than potential loss by fraud? Given where US is, is there any evidence that fraud loss as a percentage of transaction value is higher in the USA than elsewhere in the world?

Posted by: Ketharaman Swaminathan | May 31, 2012 at 06:49 AM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search

Recent Posts



Powered by TypePad