
Week 2, Day 1: Our credit reporting system is an identity theft waiting to happen. Here’s how to fix it.

In part 1, I talked about how our credit reporting system is broken. Here is a link:

The credit reporting industry has 3 players. Consumers borrow money, creditors loan money, and credit reporting agencies help creditors assess risk. The system has two huge problems.

First, consumers aren’t customers in this system. We’re raw material. Credit reporting agencies keep all kinds of personal data about us, but we have no say-so about its integrity.

Second, it was dumb when the credit industry started using Social Security Numbers as authenticators, and it’s even dumber today. Whoever thought we could assign everyone a secret number, and then share that number with everyone and their cousin, and still keep it secret must have been drunk.

We need a system that encourages mutual accountability and gets rid of the Social Security Number problem. I call it the rock-paper-scissors solution.

First, we need some theory.

Encryption means applying a key and using an algorithm to convert plaintext into ciphertext. Decryption is the opposite: apply the key and an algorithm to convert ciphertext back into plaintext.

Encryption is a scary word, but don’t be intimidated. The Romans used encryption at least 2000 years ago. Encrypting the word “HI” with a Caesar cipher and a key of +1 generates a ciphertext of “IJ”. The key is +1, so just shift each letter forward by one.

Modern cryptography is more complicated, but the concept is identical.

The next step is inventing encryption algorithms that encrypt with one key and decrypt with another key. We use these algorithms in public key cryptography by declaring one key public and the other one private. We call all the software we’ve built around this public key infrastructure (PKI), and we use it every time we buy anything over the internet.

I propose using PKI technology to fix the credit reporting system.

Creditors would send data about my credit events to the credit reporting agencies as usual, but encrypted with my public key.

Anyone who wants to look at my credit history must decrypt it with my private key. I control my private key, which means I control who looks at my credit data. My Social Security Number is just another field about me; it’s no longer an authenticator.

One more piece to this puzzle – in 2019, my private key needs to be 512 bits to keep it safe with today’s technology. It will need to grow to 1024 bits soon. I don’t want to remember a number that big. We solve that problem by using a passphrase hash – not a password but a passphrase – for my private key.
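An added sketch of the scheme proposed above, not code from the original post: it assumes X25519 key agreement (RFC 7748) as the public-key algorithm and PBKDF2 as the "passphrase hash", neither of which the post specifies. The function names, salt and passphrase are constructed, and the pure-Python X25519 is for illustration only (it is not constant time).

```python
import hashlib
import os

P = 2**255 - 19                      # Curve25519 field prime (RFC 7748)
BASE = (9).to_bytes(32, "little")    # standard base point u = 9

def x25519(scalar: bytes, u_bytes: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Illustration only: not constant time."""
    k = bytearray(scalar)
    k[0], k[31] = k[0] & 248, (k[31] & 127) | 64   # clamp per RFC 7748
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u_bytes, "little") % 2**255
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = aa - bb
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def key_from_passphrase(passphrase: str, salt: bytes) -> bytes:
    # Slow, salted hash: the private key is recomputed on demand, never stored.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 600_000)

def creditor_wrap(consumer_pub: bytes):
    # Creditor holds only the public key and uses a fresh ephemeral key per record.
    eph_priv = os.urandom(32)
    eph_pub = x25519(eph_priv, BASE)
    shared = x25519(eph_priv, consumer_pub)
    return eph_pub, hashlib.sha256(shared + eph_pub + consumer_pub).digest()

def consumer_unwrap(passphrase: str, salt: bytes, eph_pub: bytes) -> bytes:
    priv = key_from_passphrase(passphrase, salt)
    shared = x25519(priv, eph_pub)
    return hashlib.sha256(shared + eph_pub + x25519(priv, BASE)).digest()

if __name__ == "__main__":
    salt, phrase = b"constructed-salt", "rock paper scissors lizard"  # constructed
    pub = x25519(key_from_passphrase(phrase, salt), BASE)
    eph_pub, record_key = creditor_wrap(pub)   # record_key would feed an AEAD cipher
    print([consumer_unwrap(p, salt, eph_pub) == record_key for p in (phrase, "bad guess")])
```

The 32-byte record key would go to an authenticated cipher to encrypt the credit event, a step left out because the Python standard library has no such cipher. Because the private key is recomputed from the passphrase, it is only as strong as the passphrase, which is why a long passphrase and a slow hash matter.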

Here’s a link with more detail:

Let’s make some noise about this. Write your representatives and push like mad. Let’s finally take some real steps to fight identity theft instead of trying to band-aid a system with more holes than a plastic roof in a hailstorm.

And finally, here’s one more presentation about the perils of passwords and why passphrases are better.