Heads are starting to roll after the Equifax fiasco, while its PR agency pretends to offer timely communication and churns out CYA updates. Follow the saga right here. In the Sept. 15 update, Equifax announced its CIO and CSO are retiring, effective immediately. Uh-huh.
Here is one question of many I would love to ask Equifax execs – why did you wait until Sept. 15 to present a bulleted list of what happened back at the end of July? I have a host of other non-question questions I want to ask, but let’s take a collective deep breath and learn self control. Beyond eviscerating the execs at Equifax, how do we move forward?
Here are some thoughts.
Should everyone freeze their credit?
A few days ago, I would have said yes. But now, I’m not so sure. Brian Krebs in his Krebs on Security blog popularized the idea back in 2015 – and it’s a good idea, but there are tradeoffs. When you freeze your credit, it’s frozen until you un-freeze it. At least, that’s how it’s supposed to work, assuming the CRAs (credit reporting agencies) do their jobs. If anyone tries to take out a loan in your name, presumably, the lender will check with the CRA, find out your credit is frozen, and turn down the loan. Which is why you do it. But if you try to take out a loan, the same thing happens. And now you might have to pay to unfreeze it, do your transaction, and then freeze it again, times four CRAs, apparently at $10 or so each.
One of many aspects about this whole breach incident is, if CRAs charge for credit freezes, incompetent behavior turns into a windfall with millions of consumers parting with hard-earned money to freeze their credit with agencies who collected data about us without our consent. Equifax is offering free credit freezes for a limited time – I’m not sure about the others.
Besides money, the challenge to freezing credit right now is, the CRAs are swamped with freeze requests. CNN did a video a few days ago of somebody trying to freeze her credit with Equifax. She tried doing it from that equifaxSecurity2017.com website and it referred her to a toll free phone number. She called the phone number and heard a recorded message to call back during normal business hours – the graphic on the story said she called around 10 am on a weekday.
I wish I could offer an easy answer to all this, but I don’t see one. Keeping a close eye on bank and credit card transactions is always good, but if somebody uses my Social Security number to borrow a $zillion in my name, I won’t find out about it until it’s already happened. And then I’m guilty until proven innocent and, at minimum, will spend hours unraveling the mess.
Reality bites sometimes. Thanks Equifax.
Is the EquifaxSecurity2017 website tool any good?
That tool is… well, it needs improvement. It’s supposed to make it easy for me to find out if I’m exposed, and then help me sign up for free credit monitoring. I fed it my SSN with a bogus name last week and it said I may be affected. I fed it a bogus SSN and name and it said it doesn’t appear that I’m affected. With either choice, it presented a button to sign up for a free year of credit monitoring. Oh joy. Now I can feel secure that the company that let all my horses out of the barn will tell me when somebody steals my horse.
Is one year of Equifax credit monitoring false security?
Yes – false security indeed. The main problem is, by the time you find out somebody borrowed $zillions in your name, it’s too late. They’ve already stolen the money and they’re gone, leaving you holding the bag. Every breach victim company offers credit monitoring because there’s nothing else they can do. The horses are already out the barn door. Freezing credit is one way to cope with a broken system, but it’s really just a workaround.
How do we fix the system?
Today’s system is fundamentally broken and something like this was bound to happen sooner or later. And the bad news is, it’s not over yet. But today’s broken system, which is bigger than Equifax, does not take Equifax off the hook and the law needs to hold Equifax execs accountable for their negligence. In fact, since Equifax helped build today’s broken system, Equifax execs are even more culpable. Heads need to roll.
But there is a solution. Here are some rough first draft thoughts.
First – who are the stakeholders? Consumers need access to credit. Creditors need a way to assess risk and authenticate consumers. The more efficient this process, the better for society. That’s why we need CRAs – to match consumers with creditors. CRAs play an important role.
One problem – consumers are CRA raw material and not CRA customers. So CRAs have no incentive to care about the confidentiality, integrity, and availability of consumer data. Which means consumers have no power and no recourse when CRAs fail in their duty.
Another problem – CRAs adopted SSNs for authentication because every American has one, and that started a ticking time-bomb because SSNs never change. The bomb went off years ago when many SSNs became public. The public found out about it last week when 143 million of us were exposed. When I provide an SSN, I don’t prove I’m me, I only prove I know the SSN that belongs to Daniel Gregory Scott. Same for my driver’s license number, date of birth, mother’s maiden name, and anything else I might know that’s public knowledge. The shorthand way to say this is, my SSN identifies me, but does not authenticate me.
A private passphrase could authenticate me. Not a password, but a passphrase. Passphrases are more secure than passwords because they have more characters, and they’re easier to remember than passwords filled with random characters. The passphrase “Your mom wears army boots” is more secure and easier to remember than a password such as “@rMyb00ts!”
A passphrase also has an advantage that I control it and I can change it any time I want.
So, for starters, let’s encrypt all that data CRAs hold about me with a passphrase I control. Anyone who wants to look at my data goes through me first. Which gives me all the advantages of a credit freeze with fewer hassles. Nobody can borrow money in my name, because nobody can check up on me with a CRA unless they know my passphrase. CRAs don’t know the plaintext contents of my data – they only know the encrypted contents. I control the key, which means I control the access.
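Here is how that arrangement could work mechanically, as an added illustration that is not Equifax’s or any CRA’s code: the consumer’s file is encrypted under keys derived from the consumer’s passphrase, the SSN only locates the row, and the CRA’s store holds ciphertext. The sample SSN and file are constructed placeholders, and HMAC-SHA256 in counter mode stands in for a standard cipher so the example runs on Python’s standard library alone.

```python
import hashlib
import hmac
import os

# Constructed sample record; the SSN is a placeholder, not a real number.
SAMPLE_SSN = "123-45-6789"
SAMPLE_FILE = b"Daniel Gregory Scott | score 780 | 2 open accounts"

def derive_keys(passphrase, salt):
    """Stretch the consumer's passphrase into separate encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=64)
    return km[:32], km[32:]

def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a PRF keystream (stdlib-only stand-in for AES-CTR)."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def seal_record(passphrase, record):
    """Encrypt-then-MAC the file under keys only the passphrase can recreate."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(record, keystream(enc_key, nonce, len(record))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def open_record(passphrase, sealed):
    """Plaintext, or None when the passphrase is wrong or the ciphertext was altered."""
    enc_key, mac_key = derive_keys(passphrase, sealed["salt"])
    expect = hmac.new(mac_key, sealed["salt"] + sealed["nonce"] + sealed["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, sealed["tag"]):
        return None
    ks = keystream(enc_key, sealed["nonce"], len(sealed["ct"]))
    return bytes(a ^ b for a, b in zip(sealed["ct"], ks))

def row_id(ssn):
    """The SSN only identifies the row; it is not a secret and unlocks nothing."""
    return hashlib.sha256(ssn.encode()).hexdigest()

def credit_check(vault, ssn, passphrase):
    """Lender's view: the SSN finds the row, the consumer's passphrase opens it."""
    sealed = vault.get(row_id(ssn))
    return None if sealed is None else open_record(passphrase, sealed)

def demo():
    # A leaked SSN yields ciphertext only; the right passphrase opens the file; a wrong one is refused.
    vault = {row_id(SAMPLE_SSN): seal_record("Your mom wears army boots", SAMPLE_FILE)}
    leaked = vault[row_id(SAMPLE_SSN)]["ct"]
    ok_phrase = credit_check(vault, SAMPLE_SSN, "Your mom wears army boots") == SAMPLE_FILE
    return leaked != SAMPLE_FILE, ok_phrase, credit_check(vault, SAMPLE_SSN, "@rMyb00ts!") is None
```

A forgotten passphrase means an unrecoverable file, which is exactly why the passphrase storage service mentioned below matters in this design.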
That’s radical surgery. CRAs will scream about how much work it will require to educate consumers and set all this up. They’ll also scream because this idea takes away much of their power.
Many consumers will also scream about taking on the responsibility to remember a passphrase. And what happens if a consumer forgets their passphrase? The easy answer – banks or other institutions can offer a passphrase storage service.
And creditors will scream about how it complicates the system and makes offering credit more difficult than before.
I plead guilty on all charges. But we have 143 million reasons to change the system, and either we do it in the private sector or the government will force something down everyone’s throat. And, as a consumer, I should have control over data about me. Millions of us should have demanded it 30 years ago.
Longer term, let’s task an industry group with all stakeholders represented to come up with standards for how all this stuff should work, and put it through the gauntlet of peer scrutiny, similarly to how other open standards are designed. This group doesn’t need legal power, just credibility. Enough credibility that everyone will listen and follow the standards it sets.
The system today is opaque and broken. Let’s use this fiasco as an opportunity to open it up and redesign it for everyone’s benefit, including CRAs.
I want to thank Kim Insley with KARE-11 TV in Minneapolis for providing the questions to organize all these thoughts.