Using EMV to Secure Social Security

FullSizeRender

Identity thieves want Social Security numbers matched with names, addresses and birthdays.

And they have them. By the Millions!

On 90 Million Americans! Possibly 200 Million!

They used Experian to get information on 15 million T-Mobile customers – and threaten everyone in Experian’s databases. They stole information on 90 million people whos health insurance is provided by Anthem Blue Cross or Excellus Blue Cross.  And 22 Million current and former employees of the U. S. government, by hacking Office of Personnel Management (OPM). Plus 58 million customers of Home Depot and 70 million customers of Target.   The problem is growing. They are also targeting parking services such as Book 2 Park, Park N Fly, and One Stop Parking.

The sets intersect – it is likely many Home Depot customers also shop Target, work for the government and or have health insurance from Blue Cross Blue Shield.  But it’s also likely that very few of the 10 million customers of Excellus Blue Cross are also customers of Anthem Blue Cross so we are looking at a problem for at least 90 Million Americans, 28% of the country. That’s almost one out of three. And 200 million? That’s 2 out of 3.

The U.S. government must:

  1. Immediately issue new Social Security numbers for every American and new Tax IDs for every other tax-return filing entity.
  2. Add an EMV chip to Social Security cards and issue new Social Security cards with the new numbers and EMV cards.
  3. Require banks and other financial institutions to require these EMV enabled Social Security cards when people open or close accounts and apply for credit.
  4. Require tax preparers to use these EMV equipped cards when filing tax returns.
  5. Phase in over the next two (2) or three (3) years a three (3) to five (5) character alphanumeric prefix or suffix to the Social Security number with guidelines for banks, other financial institutions, the IRS and tax preparers in updating their databases.

Step 1 would render useless the data in the hands of the identity thieves. USELESS.

Steps 2 through 5 would add significant layers of security to the Social Security system.

The cost to the taxpayers? Possibly on the order of $500 Million: Less than $2.00 per person. The cost of doing nothing: the cost of Identity Theft? According to CreditSesame (here) $24.7 Billion in 2012.

Recent Hacks – The Extent of the Problem 
Vector Target Accounts News Date Links
Scott Trade Investors 4,600,000 10/02/15 Press Rel , NBC
Experian and T-Mobile Cell Phone Users 15,000,000 10/02/15 T Mobile , Yahoo
Excellus BCBS Americans 10,000,000 09/10/15 C Net , Wired
US OPM US Gvt Employees 22,000,000 07/09/15 OPM , ABC
Anthem BC BS More Americans 80,000,000 02/05/15 Z D Net
Home Depot Still More 58,000,000 09/03/14 Wall St Journal
Target Even More 70,000,000 01/16/14 BGR , Krebs
Table 1

While this adds up to 259.6 Americans, 80.6% of the estimated 321.9 million population of the USA, or 4 out of 5 Americans, it seems likely that there is some overlap. Assuming people insured by Anthem Blue Cross Blue Shield are not insured by Excellus BCBS those hacks exposed information on 90 million people, 28% of the population of the United States.

How can we secure the Social Security to make identity theft harder?

The fact is that personal information about anyone who works for the Federal Government, anyone who has shopped at Target or Home Depot, anyone who’s health insurance via Anthem Blue Cross or Excellus Blue Cross – at least 90 million people and more likely 150 to 200 million people – is available to criminals who would use it to commit identity theft. Given this fact the first thing the Social Security Administration should do – immediately – is issue all Americans a new and different Social Security number. 

FullSizeRender

The Social Security number – not shown above – is an effective identifier. However, it is unencrypted and is therefore insecure.

padlock-emv-cc

As the graphic illustrates, the chip in an “EMV” card works to secure credit card transactions by creating a unique code for every transaction. According to Visa, in “Introducing Visa chip technology – Confidence in a smarter world,”

Visa chip cards are not only more secure, they are also simple to use. Chip cards and terminals work together to protect in-store payments. A unique one-time code is generated behind-the-scenes that is needed for the transaction to be approved – a feature that is virtually impossible to replicate in a counterfeit card.

In addition to creating unique codes for every transaction, Visa also provides security by:

Protecting you from fraud losses with Visa Zero Liability

Requiring financial institutions to provide provisional credit to your account within 5 days in the event fraud does occur, ensuring you have quick access to your money.”

One strategy to secure the Social Security system would be to use the EMV chip in multi-factor authentication and shared key or public key cryptography. Use the current social security number – for now – but use it as the public key in shared key authentication protocol. Meanwhile send taxpayers EMV cards tied to their Social Security number or Tax ID. Then require banks and other institutions to use this card when a customer opens or closes an account.

Just as with their – our – credit cards taxpayers would use new EMV chip Social Security Card. Banks, credit card companies and tax preparers would need EMV card readers. These would be used when filing tax returns or opening accounts for new customers.

In addition, the Social Security Administration should also plan to phase in a 4 or 5 character alphanumeric prefix or suffix to the 9 digit social security number update in 3 to 5 years. This would be easy for employers, banks, and taxpayers to grasp, but would also render useless the data in possession of the criminals who perpetrated the various thefts of identifying information or bought the information. to cast the Social Security number as an alphanumeric 13 or 14 characters long.

A social Security number that is now “123-45-6789” would become something like “777-AB 123-45-6789” or “123-45-6789 AB-777″, or “AB 123-45-6789 777”.

The database problems which arise from this protocol would be trivial. Assuming the existence of a table called “employees” in the human resources database. This table could to be modified, according to the following SQL code:

ALTER TABLE employees
( ADD ssn_extension char (5) )

or 

ALTER TABLE employees
( ADD ssn_prefix char (5)  )

or 

ALTER TABLE employees
( ADD ssn_prefix char (2) , ssn_extension char (3) )

A better alternative, however, would be to add an additional HR table with a foreign key constraint into to the existing HR database schema.

In My SQL:

CREATE TABLE emp_ext_ssn
(
ssn char (9) not null,
ssn_ext char (5) not null,
primary key (ssn_ext),
foreign key (ssn) references employee (ssn)
)

in MS SQL, or Oracle:

CREATE TABLE emp_ext_ssn
(
ssn_ext char (5) not null primary key
ssn char (9) foreign key references Employees (SSN)
)

As stated above, the U.S. government must:

  1. Immediately issue new Social Security numbers for every American and new Tax IDs for every other tax-return filing entity.
  2. Add an EMV chip to Social Security cards and issue new Social Security cards with the new numbers.
  3. Require banks and other financial institutions to require these EMV enabled Social Security cards when people open or close accounts and apply for credit.
  4. Require tax preparers to use these EMV equipped cards when filing tax returns.
  5. Phase in over the next two (2) or three (3) years a three (3) to five (5) character alphanumeric prefix or suffix to the Social Security number with guidelines for banks, other financial institutions, the IRS and tax preparers in updating their databases.

Step 1 would render useless the data in the hands of the identity thieves.

Steps 2 through 5 would transform Social Security, adding significant layers of security to the system.

About The Cost

The cost of Identity Theft was estimated at $76.6 Billion: $24.7 Billion to individuals in 2012, (Credit Sesame, here) and another $40 Billion to $52 Billion ($150 to $200) per user record for the businesses hacked (USA Today, here) as estimated in Table 2, below.

Estimated Costs to Hacked Companies
Company Magnitude Cost Cost
  millions Billions Billions
    at $150 per at $200 per
Scott Trade 4.6 $0.69 $0.92
Experian 15 $2.25 $3.00
Excellus BCBS 10 $1.50 $2.00
US OPM 22 $3.30 $4.40
Anthem BCBS 80 $12.00 $16.00
Home Depot 58 $8.70 $11.60
Target 70 $10.50 $14.00
total 259.6 $38.94 $51.92
Table 2

The costs for securing the system?

Estimated Costs to Secure Social Security
Entities Items Units Cost Per Total
    Millions Dollars $Millions
US Government New Cards & Numbers 400 $1 $400
Tax Payers New Cards & Numbers 400 $0 $0
Tax Preparers EMV Readers 1.2 $200 $240
IRS and SS Admin – Software Development $44
Businesses HR Software unknown
Table 2

The cost for generating new Social Security numbers and issuing cards should be on the order of $1.00 per tax paying entity. That’s less than $400,000,000. Step 4 would cost tax preparers $200 to $300 per EMV reader (the price of one or two tax returns). With 1.2 million tax preparers (US News, here) in the U.S. in 2012, that’s another $240 to $360 Million. I am ballparking Software Development costs at the IRS and Social Security Administration at $44 million. That adds up to $684 million to address a $76.6 Billion problem. 

Step 5 requires employers to revise the human resources and payroll processing software they use.  I cannot estimate the cost or amount added to GDP for systems engineers and computer programmers to update all the HR systems, but this represents an opportunity for ADP, IBM, KPMG, Oracle, SAP and other players in the software & services industry.But I imagine it’s less than the cost of $76.6 Billion cost of identity theft.

This addresses logical security, not fiscal security. The answer to that seems simple too: eliminate the ceiling. Currently we pay 7.5% of the first $117,000 of earned income, excluding income from rents, capital gains, and distributions from retirement plans. As detailed on Schwab, here, and Zackshere, earned income above $117,000 are free of Social Security tax. So a person earning $117,000 in 2015 must pay $8,775 in Social Security tax. And a person earning $117 million must pay $8,775 in Social Security tax. Of course if they earn $50,000 as “wages, salaries and tips” and collect $116.95 Million as rents, royalties or capital gains, their Social Security tax liability is on the $50,000 so it’s $3,500.

But if everyone paid 7.5% of their income, regardless of whether they made $117 thousand or $117 million there would be a whole lot more money in the Social Security fund – possibly enough to lower the rate to 4.5% or less.

Think about it. People making $1.0 million would pay $75,000 in social security taxes, not $8,775. People making $10.0 million would pay 7.5%, $750,000, not $8,775. As noted above there, could be enough money in the Social Security fund to cut the nominal rate from 7.5% to 4.5%, or less.


An analyst with Popular Logistics, I hold a BS and an MBA in “Managing for Sustainability” from Marlboro College, and over 20 years experience in Information Technology. Available as a speaker and consultant, I can be reached at “Larry” at “Furman Group . net”.