Update Sept. 26, 2017
I put together three video presentations about what went wrong with the Equifax fiasco and what to do about it.
Here is a video presentation about what went wrong.
Here is a video presentation with a structural approach to fixing the system.
Here is a video presentation about killing passwords in favor of passphrases.
Original post from Sept. 19, 2017
Heads are starting to roll after the Equifax fiasco, while its PR agency pretends to offer timely communication and churns out CYA updates. Follow the saga right here. In the Sept. 15 update, Equifax announced its CIO and CSO are retiring, effective immediately. Uh-huh.
Here is one question of many I would love to ask Equifax execs – why did you wait until Sept. 15 to present a bulleted list of what happened back at the end of July? I have a host of other non-question questions I want to ask, but let’s take a collective deep breath and learn self control. Beyond eviscerating the execs at Equifax, how do we move forward?
Here are some thoughts.
Should everyone freeze their credit?
A few days ago, I would have said yes. But now, I’m not so sure. Brian Krebs in his Krebs on Security blog popularized the idea back in 2015 – and it’s a good idea, but there are tradeoffs. When you freeze your credit, it’s frozen until you un-freeze it. At least, that’s how it’s supposed to work, assuming the CRAs do their jobs. (CRA – Credit Reporting Agency). If anyone tries to take out a loan in your name, presumably, the lender will check with the CRA, find out your credit is frozen, and turn down the loan. Which is why you do it. But if you try to take out a loan, the same thing happens. And now you might have to pay to unfreeze it, do your transaction, and then freeze it again, times four CRAs, apparently at $10 or so each.
One of many aspects about this whole breach incident is, if CRAs charge for credit freezes, incompetent behavior turns into a windfall with millions of consumers parting with hard-earned money to freeze their credit with agencies who collected data about us without our consent. Equifax is offering free credit freezes for a limited time – I’m not sure about the others.
Besides money, the challenge to freezing credit right now is, the CRAs are swamped with freeze requests. CNN did a video a few days ago of somebody trying to freeze her credit with Equifax. She tried doing it from that equifaxSecurity2017.com website and it referred her to a toll free phone number. She called the phone number and heard a recorded message to call back during normal business hours – the graphic on the story said she called around 10 am on a weekday.
I wish I could offer an easy answer to all this, but I don’t see one. Keeping a close eye on bank and credit card transactions is always good, but if somebody uses my Social Security number to borrow a $zillion in my name, I won’t find out about it until it’s already happened. And then I’m guilty until proven innocent and, at minimum, will spend hours unraveling the mess.
Reality bites sometimes. Thanks Equifax.
Is the EquifaxSecurity2017 website tool any good?
That tool is… well, it needs improvement. It’s supposed to make it easy for me to find out if I’m exposed, and then help me sign up for free credit monitoring. I fed it my SSN with a bogus name last week and it said I may be affected. I fed it a bogus SSN and name and it said it doesn’t appear that I’m affected. With either choice, it presented a button to sign up for a free year of credit monitoring. Oh joy. Now I can feel secure that the company that let all my horses out of the barn will tell me when somebody steals my horse.
Is one year of Equifax credit monitoring false security?
Yes – false security indeed. The main problem is, by the time you find out somebody borrowed $zillions in your name, it’s too late. They’ve already stolen the money and they’re gone, leaving you holding the bag. Every breach victim company offers credit monitoring because there’s nothing else they can do. The horses are already out the barn door. Freezing credit is one way to cope with a broken system, but it’s really just a workaround.
How do we fix the system?
Today’s system is fundamentally broken and something like this was bound to happen sooner or later. And the bad news is, it’s not over yet. But today’s broken system, which is bigger than Equifax, does not take Equifax off the hook and the law needs to hold Equifax execs accountable for their negligence. In fact, since Equifax helped build today’s broken system, Equifax execs are even more culpable. Heads need to roll.
But there is a solution. Here are some rough first draft thoughts.
First – who are the stakeholders? Consumers need access to credit. Creditors need a way to assess risk and authenticate consumers. The more efficient this process, the better for society. That’s why we need CRAs – to match consumers with creditors. CRAs play an important role.
One problem – consumers are CRA raw material and not CRA customers. So CRAs have no incentive to care about the confidentiality, integrity, and availability of consumer data. Which means consumers have no power and no recourse when CRAs fail in their duty.
Another problem – CRAs adopted SSNs for authentication because every American has one, and that started a ticking time-bomb because SSNs never change. The bomb went off years ago when many SSNs became public. The public found out about it last week when 143 million of us were exposed. When I provide an SSN, I don’t prove I’m me, I only prove I know the SSN that belongs to Daniel Gregory Scott. Same for my driver’s license number, date of birth, mother’s maiden name, and anything else I might know that’s public knowledge. The shorthand way to say this is, my SSN identifies me, but does not authenticate me.
A private passphrase could authenticate me. Not a password, but a passphrase. Passphrases are more secure than passwords because they have more characters and they’re easier to remember than passwords filled with random characters. The passphrase, “Your mom wears army boots” is more secure and easier to remember than a password, say, “@rMyb00ts!”
A passphrase also has an advantage that I control it and I can change it any time I want.
So, for starters, let’s encrypt all that data CRAs hold about me with a passphrase I control. Anyone who wants to look at my data goes through me first. Which gives me all the advantages of a credit freeze with fewer hassles. Nobody can borrow money in my name, because nobody can check up on me with a CRA unless they know my passphrase. CRAs don’t know the plaintext contents of my data – they only know the encrypted contents. I control the key, which means I control the access.
That’s radical surgery. CRAs will scream about how much work it will require to educate consumers and set all this up. They’ll also scream because this idea takes away much of their power.
Many consumers will also scream about taking on the responsibility to remember a passphrase. And what happens if a consumer forgets their passphrase? The easy answer – Banks or other institutions can offer a passphrase storage service.
And creditors will scream about how it complicates the system and makes offering credit more difficult than before.
I plead guilty on all charges. But we have 143 million reasons to change the system, and either we do it in the private sector or the government will force something down everyone’s throat. And, as a consumer, I should have control over data about me. Millions of us should have demanded it 30 years ago.
Longer term, let’s task an industry group with all stakeholders represented to come up with standards for how all this stuff should work, and put it through the gauntlet of peer scrutiny, similarly to how other open standards are designed. This group doesn’t need legal power, just credibility. Enough credibility that everyone will listen and follow the standards it sets.
The system today is opaque and broken. Let’s use this fiasco as an opportunity to open it up and redesign it for everyone’s benefit, including CRAs.
I want to thank Kim Insley with KARE-11 TV in Minneapolis for providing the questions to organize all these thoughts.
I agree with you conceptually, but our economy is based on credit and the credit approval system. What you propose would not just impact the CRAs, but rather has the potential to tank our economy if implemented incorrectly.
So let’s say you have control of your credit with a passphrase and you owe me money that you do not pay back timely. Naturally, you don’t want me to provide that derogatory data I have about our financial relationship and you will not let me. That is the key problem and an example of where I disagree with you. You should not be able to control the information collected about you. That is factual information about your financial performance when issued credit. The next person thinking about loaning you money should know that you didn’t pay me back according to our agreement when they make their decision. You should, however, retain your right to dispute the information I provide and have it removed if I provide inaccurate data etc. Make sense?
Who can request your credit report and the reasons they can request it are already regulated by the Fair Credit Reporting Act. It isn’t like just anyone (hackers and dark forces aside) can go out there and buy it legally. There is something called permissible purpose and the CRAs cannot sell your information to anyone who doesn’t have a permissible purpose.
Many segments of our economy are reliant upon credit reports and credit scores. For example, insurance companies and employers use them to determine your viability and if you turn out to be a good risk, you will pay lower insurance rates and be able to work in tightly regulated financial industries. You could even work in the information security field! 😛
The other problem is the government already has entire dumps of this data from CFPB examinations and FTC investigations of the CRAs. They also were given authority to collect and update this information by the Dodd-Frank Act. So who is going to protect us from them losing the data?
This discussion is great!
> but rather has the potential to tank our economy if implemented incorrectly.
Absolutely. So let’s implement it correctly.
I was thinking about your other objection all day today. It’s a good one – I borrow money from you, I don’t pay it back, you properly report it, but I control everything with my passphrase so nobody finds out. It brings up a good point – as a consumer, right now, I have zero power and CRAs have 100 percent power and no accountability. We want a system that balances power and accountability appropriately among all parties. So, if I have the de-facto ability to block the report I never paid you back, you’re right, I have too much power. This should be easy to handle.
Here’s one idea – let’s say I block your ability to report my nonpayment. You report that I blocked it and the CRA records that report. That should raise some questions with other creditors.
Here’s another idea – when you loan me money, you make me share my passphrase with you, the creditor. It’s a record keeping burden on you, but now you can hold me accountable to keep my promise to pay. What if I change my passphrase later? Not a big deal – maybe the passphrase belongs to the specific transaction and not to all my transactions. Wonderful; now every transaction in every CRA has its own individual passphrase. How does, say, Fair Isaac calculate FICO scores? What if I want to buy a car next week and the car dealer needs a credit report on me? The only way this works is, if the CRAs become a clearinghouse. The car dealer asks the CRA about me and the CRA queries all the other creditors I’ve done business with for the passphrases to generate the report. That’s more complex than today’s system and depends on lots of communication, but it also distributes everyone’s power and levels the playing field.
I talked with some people today and we solved the reporting problem. I should have thought of this earlier – use public key cryptography. Encrypt with a public key, decrypt with a private key. Creditors use the public key to submit data, I use my private key when anyone wants to read it. There are plenty of ways to generate key pairs – and CRAs might also use that public key as the unique identifier. We still need a way for consumers to keep their private keys and a means to deal with lost keys. There are lots of ways to handle that, we just need to think through what makes the most sense.
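The public-key arrangement from the reply above, combined with the passphrase control proposed in the original post, sketched as an added example that is not part of the original post or its comments. It assumes Node.js and its built-in crypto module; the RSA-OAEP plus AES-256-GCM hybrid, the function names and the sample record are choices made for this illustration.

```javascript
// Added example. Uses only Node.js's built-in crypto module.
// Function names and the sample record are constructed for illustration.
const crypto = require('node:crypto');
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
const WRAP = { type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc' };

// Consumer: make a key pair; the private key only exists encrypted under the passphrase.
function createConsumerKeys(passphrase) {
  return crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { ...WRAP, passphrase },
  });
}

// Creditor: encrypt a report to the consumer's public key. No passphrase needed.
// A fresh AES-256-GCM key encrypts the record; RSA-OAEP wraps that key.
function submitReport(publicKeyPem, report) {
  const dataKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', dataKey, iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(report), 'utf8'), cipher.final()]);
  const wrappedKey = crypto.publicEncrypt({ key: publicKeyPem, ...OAEP }, dataKey);
  return { wrappedKey, iv, body, tag: cipher.getAuthTag() }; // what the CRA stores
}

// Consumer: unlock the private key with the passphrase and read one stored record.
function readReport(privateKeyPem, passphrase, rec) {
  const dataKey = crypto.privateDecrypt({ key: privateKeyPem, passphrase, ...OAEP }, rec.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', dataKey, rec.iv);
  decipher.setAuthTag(rec.tag);
  const plain = Buffer.concat([decipher.update(rec.body), decipher.final()]);
  return JSON.parse(plain.toString('utf8'));
}

// Consumer: change the passphrase. Only the private-key wrapper is re-encrypted;
// records the CRA already holds stay readable with the same key pair.
function changePassphrase(privateKeyPem, oldPass, newPass) {
  const key = crypto.createPrivateKey({ key: privateKeyPem, passphrase: oldPass });
  return key.export({ ...WRAP, passphrase: newPass });
}

// True only if this passphrase unlocks the key and the record authenticates.
function canRead(privateKeyPem, passphrase, rec) {
  try { readReport(privateKeyPem, passphrase, rec); return true; } catch { return false; }
}
```

A creditor can file a record without the consumer's cooperation, while reading it requires the passphrase-protected private key. Lost-key recovery, which the reply leaves open, is not handled here.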