Even putting aside the point that the SSN was never meant to be an ID number, the reason this has become an issue in our modern digitally-connected global world is that our user name is the same as our password. And unlike the password for your email or Netflix account, you're not allowed to change your SSN, ever. Even in the event of a breach, the onus is on you to initiate the few half-hearted protection measures the laws afford you, and the credit bureaus really don't want you to know about (pardon the clickbait-y phrasing).
Let's compare this to my primary email account: I have to log in with a user name, which is fixed, and a passphrase, which I can change whenever I damn well want to. Because my email provider is unusually good about security, they salt and hash the password I give them, I can generate a 50+ character password made with upper and lowercase letters, numbers, and symbols, and store that sucker in an encrypted file the password manager of my choice can open and use. Additionally, my account is set up to require me to provide a six-digit code whenever I try to log in from a new computer. That second-factor code is generated on my phone and changed every thirty seconds, and I also have a couple of copies of hard backup codes stored elsewhere (like in my lockbox) in the event something happens to my phone. Finally, my specific account carrier will automatically send an alert to both my phone and a trusted secondary email anyway every time a successful login occurs from a new system to verify it was me who logged in. If I was even more paranoid, I could trade out the phone 2FA for a physical USB stick instead.
I can do none of this with my SSN. It can't be changed, ever; you are not automatically alerted when it's used to open an account or apply for a job; you have to pay through the damn nose just to prevent that shit with a security freeze and get a code for selectively unlocking it; and worst of all, in the event of actual identity theft you are the one who is automatically under suspicion and has to jump through endless complicated hoops to prove you're not. My email is almost as important to verifying my identity in the modern world as my SSN, and yet the way the two are handled is practically night and day.
Hell, even the credit card companies have a better system for dealing with fraud: if they detect any unusual account activity at all on your credit or debit card, they will freeze that card number, and either they call you or you call them to verify the activity, and if it's determined to have not come from you, they will terminate that old card and number stone dead and issue you a shiny new one, for free. That's because the law was changed so they're on the hook for more damages when that shit happens, so they are incentivized to make it easy for you to ditch the compromised number.
I would say any verification system that replaces the SSN should, at the very least, break it into an unchangeable ID number (the username) and a very changeable verification code (the password). As in, one I can change every year/six months at my discretion, if I want to. That way, when (not if, because sooner or later these systems will get owned) my information gets compromised, I can just change the number and make the credentials useless to the attacker. Or better yet, emulate the credit card example and have the ID issuer (be that the government or a private entity) automatically void and reissue new verification codes to all affected individuals. And make sure the law makes it clear that they are the ones on the hook when this shit happens, not the individual ID holders.
Add in a system (maybe opt-in, I'm not sure on the nitty-gritty details for this one) to set up automatic free alerts to your phone and/or email address whenever such new account events occur. Like my bank has, for example.
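To make the proposal above concrete, here is an added illustration (not the commenter's code, and not any real issuer's system) of the identifier/credential split it describes: a fixed ID number that is never secret, a rotatable verification code that is stored only as a salted PBKDF2 hash, holder-initiated rotation, issuer-initiated bulk void-and-reissue after a breach, and an alert log entry on every new-account event. Every name, the 12-digit code format, the PBKDF2 round count and the sample ID value are constructed assumptions for the model.

```python
import hashlib
import os
import secrets
from dataclasses import dataclass, field

# Hypothetical model of an ID system split into a fixed identifier (the
# "username") and a changeable verification code (the "password").
# All names and parameters are constructed for illustration only.

PBKDF2_ROUNDS = 100_000  # assumed work factor; tune for the deployment


@dataclass
class Record:
    id_number: str                  # never changes and is not a secret
    salt: bytes                     # per-record random salt
    code_hash: bytes                # PBKDF2-SHA256 of the current code
    generation: int = 1             # bumped on every rotation or reissue
    alerts: list = field(default_factory=list)


def _hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


def _new_code() -> str:
    # 12 digits from a CSPRNG; the format is arbitrary for this model
    return "".join(str(secrets.randbelow(10)) for _ in range(12))


class Registry:
    def __init__(self) -> None:
        self._records: dict = {}

    def enroll(self, id_number: str) -> str:
        code = _new_code()
        salt = os.urandom(16)
        self._records[id_number] = Record(id_number, salt, _hash_code(code, salt))
        return code  # delivered to the holder out of band; only the hash is kept

    def verify(self, id_number: str, code: str, event: str) -> bool:
        rec = self._records.get(id_number)
        if rec is None:
            return False
        ok = secrets.compare_digest(rec.code_hash, _hash_code(code, rec.salt))
        # Every new-account event produces an alert, whether or not it passes
        rec.alerts.append((event, "accepted" if ok else "REJECTED"))
        return ok

    def rotate(self, id_number: str) -> str:
        # Holder-initiated change: the ID stays, the old code stops working
        rec = self._records[id_number]
        code = _new_code()
        rec.salt = os.urandom(16)
        rec.code_hash = _hash_code(code, rec.salt)
        rec.generation += 1
        rec.alerts.append(("verification code rotated", "info"))
        return code

    def breach_reissue(self, affected: list) -> dict:
        # Issuer-initiated void-and-reissue for everyone affected (credit-card model)
        return {i: self.rotate(i) for i in affected if i in self._records}

    def generation(self, id_number: str) -> int:
        return self._records[id_number].generation

    def alerts(self, id_number: str) -> list:
        return list(self._records[id_number].alerts)


def demo() -> dict:
    """Walk through enrollment, a breach, reissue, and a replay of the leaked code."""
    reg = Registry()
    code = reg.enroll("ID-0001")          # constructed sample identifier
    leaked = code                         # pretend this copy was exposed in a breach
    first = reg.verify("ID-0001", code, "card application at Bank A")
    new_code = reg.breach_reissue(["ID-0001"])["ID-0001"]
    stale = reg.verify("ID-0001", leaked, "loan application at Lender B")
    fresh = reg.verify("ID-0001", new_code, "loan application at Lender B")
    return {
        "first": first,                   # True: original code worked before the breach
        "stale": stale,                   # False: leaked code is dead after reissue
        "fresh": fresh,                   # True: reissued code works
        "generation": reg.generation("ID-0001"),
        "alerts": reg.alerts("ID-0001"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the walk-through is the `stale` check: after the issuer reissues, the leaked code is worthless to whoever holds it, while the ID number itself never had to change. The alert list shows the holder would have seen both the rejected replay and the rotation itself.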
Point is, none of this is "too hard". We have examples in the private sector right now showing that the financial verification system can be improved. We just need to hold the governments' and financial institutions' feet to the fire to actually get it implemented. Because shit like the Equifax breach isn't a one-time thing: it's going to happen again and again, for as long as our Internet-integrated financial world exists.
"Old World Blues. It refers to those so obsessed with the past they can't see the present, much less the future, for what it is. They stare into the what-was... as the realities of their world continue on around them." - Fallout: New Vegas