Post Equifax Breach: Can we prevent identity theft?
Last Saturday night a friend called me as he was sitting at a restaurant where his credit card had been declined. Perhaps he forgot to pay the bill or the bank blocked the card due to fraud detection, he thought. After trying all his cards, he realized something else was happening: his identity had been stolen. A thief had gotten a hold of my friend’s information and requested his credit report online. With the credit report in hand, the thief called each bank to change the address and issue a new card, stating that he had lost his wallet. The thief then proceeded to purchase gift cards online before the credit cards were disabled.
While the example above is mostly covered by insurance, there are many instances of identity theft that can cause great financial harm and take many hours to correct. In today’s connected world, almost every personal service is available online or over the phone, and many of these services use our personal information to grant us access to information or to perform operations such as transferring funds, requesting new loans, filing taxes, getting medical records and more.
Identity theft is not a new phenomenon. In the 11th century, Pseudo-Constantine Diogenes was a famously unsuccessful identity thief who was captured and later blinded for pretending to be an heir to the Byzantine throne. While there is no record of the first identity theft, Oxford notes that the phrase was coined in 1964. With the shift to online systems and cyber-attacks, the magnitude and frequency of these attacks have dramatically changed.
In 2003, thousands of Social Security numbers were exposed when a thief stole a computer from a financial analyst who was consulting for Wells Fargo. In the years since that incident, the breaches got larger and the impact more well-known, yet the response to such incidents hasn’t changed. After each breach, the typical response from the company is, “you should monitor your credit report and bank accounts.” Sometimes they even offer free monitoring, but the suggestion is that the burden of security is on the consumer instead of the company. Customers need to constantly look over their shoulders and make sure no one is impersonating them, stealing their money, or worse, selling drugs with a fake driver’s license in their name.
After the recent Equifax breach, many are asking, “what did Equifax do wrong?” The New York Attorney General is investigating the breach, Equifax announced that their CIO and CSO are “retiring”, followed by the board forcing the CEO to resign. While there is plenty to blame Equifax for, such as a single web vulnerability giving the attackers access to so much data, the bigger question is whether this could have been prevented. Is it possible to keep Social Security numbers safe given how they are used today?
To demonstrate the chances of a Social Security number being compromised by hackers, let’s look at an example. Assume you have a single nine-digit password, you never change it, and you use it to log in to a few dozen websites. Chances of that password being leaked are extremely high. Now add that 1) you use the password on high-profile websites, 2) the websites can be used by the thief for significant financial gain, and 3) the website has a very large user base. It is fair to assume that such high-value data would be in the crosshairs of criminals worldwide. Based on recent breach history, it is also fair to assume that they would be successful at gaining access to at least one of the dozens of websites you use this password on and then reuse it to gain access to all the others.
In terms of Social Security numbers, the risks are similar to the example above, if not worse. You don’t get the option to choose your password and you can’t change it. If you add up the government entities, medical facilities, utility companies, bank and credit card companies, employers, housing, education and more, you likely have a few dozen companies that have this information. On top of that, each of these companies likely outsources to at least a handful of sub-contracting companies and consultants, and you end up with hundreds of companies, locations and systems storing or accessing your personal information. When any one of these systems is breached, your ability to protect your identity is lost.
Using personal information to authenticate ourselves was doomed to fail decades ago, long before Equifax’s security failed. There is a good chance that our sensitive information was available to hackers before this incident, but now we know it is, and we should operate under that assumption.
So, how do we move forward? Should Social Security numbers, birthdates and street addresses really be used for identity verification and authentication? In reality, most of this information (besides maybe addresses) shouldn’t be so sensitive. It is how we use them that makes it sensitive. Social Security numbers are no more than database row numbers. No harm should be caused by a criminal knowing the row number where your personal information is stored at the Social Security Administration. Obviously, it represents much more than a row number, but it could have been treated that way had we not used it for identity verification.
What should we use then when we want to prove our identity and open a bank account or a mortgage loan? There could be many solutions better than what we have today, but to be more concrete I would recommend one solution.
Let’s assume each person has a chip-enabled passport card (Can you imagine? No more need for a passport book or stamps). This card, similar to your chip-enabled credit card, works with cryptography to securely identify you. Additionally, it can securely provide your name, address, and even picture to the bank trying to verify your identity before opening that loan in your name. So when you sit there in front of the mortgage banker they know that the passport card is authentic and is yours. No one, not even the government, would be able to spoof transactions and identify as you.
Taking this a step further, we would even be able to use such a card as a global single authentication card. You would be able to log in to any site as yourself without a password, simply using your Social Security number as your username and your card would prove that you are who you claim to be. No more usernames and passwords to be stolen.
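The card scheme described in the last two paragraphs can be sketched as a signed credential plus a challenge-response, shown here as an added example that is not part of the original article. Ed25519, the `Credential` layout and every function name are assumptions made for illustration, and the identity string is constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

type Credential struct {
	Identity  []byte            // not secret, e.g. the SSN used as a username
	CardKey   ed25519.PublicKey // the private half never leaves the chip
	IssuerSig []byte            // issuer's signature binding Identity to CardKey
}

func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func signedPart(id []byte, key ed25519.PublicKey) []byte {
	return append(append([]byte{}, id...), key...)
}

// Issue is run once by the issuing authority when the card is granted.
func Issue(issuer ed25519.PrivateKey, id []byte, card ed25519.PublicKey) Credential {
	return Credential{id, card, ed25519.Sign(issuer, signedPart(id, card))}
}

// Respond runs inside the card: it signs the verifier's fresh challenge.
func Respond(card ed25519.PrivateKey, nonce []byte) []byte { return ed25519.Sign(card, nonce) }

// Verify is the bank's check: issuer-signed credential AND proof of key possession.
func Verify(issuerPub ed25519.PublicKey, c Credential, nonce, resp []byte) bool {
	return ed25519.Verify(issuerPub, signedPart(c.Identity, c.CardKey), c.IssuerSig) &&
		ed25519.Verify(c.CardKey, nonce, resp)
}

func main() {
	issuerPub, issuerPriv := NewKey()
	cardPub, cardPriv := NewKey()
	cred := Issue(issuerPriv, []byte("SSN=000-00-0000;name=Sample Person"), cardPub) // constructed
	n1, n2 := make([]byte, 32), make([]byte, 32)
	rand.Read(n1)
	rand.Read(n2)
	resp := Respond(cardPriv, n1)
	fmt.Println("live card:", Verify(issuerPub, cred, n1, resp), "replay:", Verify(issuerPub, cred, n2, resp))
}
```

Unlike a Social Security number, nothing the bank sees here can be reused: the credential is public, and a captured response is only valid for the one challenge it answered. A production protocol would also bind the verifier's identity into the signed challenge so a response cannot be relayed to a different site.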
I can already hear the critics jumping out of their seats and pointing at the weaknesses of this solution. True, there will be some weaknesses (establishing trust when granting the card in the first place, making changes to the information, reissuing in case of lost cards, etc.), but I believe most of those issues already exist today and can be better solved in the digital cryptography world. It won’t be perfect, but we will be significantly better than we are today. Let’s not allow the fantasy of a perfect solution to slow us down from making progress on such an important problem.