You Can’t Protect Yourself from the Equifax Breach
Earlier this month, news broke of a massive data breach at Equifax, one of the three major credit rating agencies. Equifax may have lost private information, including Social Security numbers, for up to 143 million U.S. consumers, which would be over half of the adult, bank-account-participating population of the country. Some information from British and Canadian citizens may also have been exposed. In Equifax’s own words:
The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents.
Equifax subsequently botched its response and communications with consumers, including unclear legal clauses when you check your exposure, failing to provide specific information or an effective way to determine if you are affected, and even hosting its response Web site on a non-Equifax domain name using an incorrect digital certificate.
Ignoring all that, the real issue is that one of the companies “trusted” with determining our financial future based on deep records of personal information was breached… and due to the current nature of our financial system, we can’t effectively protect ourselves. Our best options offer only limited protection and come at a hefty cost, due in large part to lobbying by the credit rating agencies themselves.
As a cybersecurity advisor, I have worked with companies in all the nooks and crannies of the financial system. While most take their responsibility very seriously, they are still businesses filled with humans working with a hodgepodge of a system that has developed over decades, if not centuries. Mistakes will happen, and our system is poorly designed to protect consumers.
Here is how to understand your risk and best live with the exposure.
Nine Digits to Rule Them All — Banking and credit has always been a history- and reputation-based industry. Financial institutions provide credit but need some level of assurance they will get their money back. For hundreds of years, this was managed through personal relationships. Over the past few decades, however, society decided to prioritize faceless transactions and frictionless credit. Financial institutions no longer have direct relationships with their customers, and in many cases have never even met their customers. To manage their risk, these institutions started to rely on credit ratings developed by private companies dedicated to collecting and analyzing our financial histories.
Thus the emergence of credit rating agencies (CRAs) like Equifax, Experian, and Transunion. These companies collect everything from public records to your credit card payment history and use that information to determine those all-powerful credit scores. Credit scores are merely a single numeric risk rating that financial institutions can use to decide what type of credit to extend to you — from mortgages to credit cards — and for how much.
Since names aren’t unique, the CRAs rely heavily on Social Security numbers (SSNs) as the unique identifier for individuals, sometimes in combination with full name and date of birth. The problem is that our system treats an SSN as a secret key to our financial records, but an SSN is merely a nine-digit number that is most definitely not encrypted.
SSNs are nearly impossible to change, are prone to errors, and clearly cannot be kept secret. Some bad guys first stole mine from a database at the student healthcare clinic where I went to college, and then it was exposed again (probably to China, based on public reports) during the big breach of the Office of Personnel Management (OPM) in the U.S. federal government.
In each of these cases, I was offered a year of free credit monitoring, just as Equifax has done in this latest breach. However, the free credit monitoring lasts only for a year, yet the bad guys can use my SSN for the rest of my life.
That’s the real issue here. Once your SSN has been exposed, you can never be assured it will be secret or safe ever again. Data like your SSN and date of birth won’t change, even after your death. Credit monitoring will only alert you to some kinds of new account fraud, essentially throwing a notification when someone creates a new account that is reported to a CRA. Those alerts won’t necessarily notice when utilities or other services create accounts that also rely on your SSN.
Even if you can protect your financial records, loss of your SSN and other personal information could expose nearly any kind of account you have, not just financial accounts!
Think of all the situations where something is “protected” with the last four digits of your SSN or a credit card. Breaches of a credit agency like this expose the master key to recover or access more than a few of your accounts.
Once you’re exposed, you’re exposed for life, not just for the year of free credit monitoring. At least until the system changes.
Your Best Financial Defense — Although you can get, by law, a free copy of your credit report every year from each agency, doing so doesn’t offer much protection. You would need to be diligent about checking annually and then go through the process of cleaning up any new account fraud that occurs. (“Hey Siri, remind me to check my credit report every year.”) Doing so can be a difficult process since the system is built to protect the financial institutions, and CRAs are historically reticent to respond to consumer issues. Remember, the CRA’s customers are banks, not you. You’re the product.
The first step is to make things harder for a criminal to create new accounts in your name. There are two tools to do this, fraud alerts and credit freezes, but only one actually works. You can find information, phone numbers, and links on the U.S. Federal Trade Commission’s Identity Theft Web site:
A fraud alert places a flag on your account for 90 days. During that time a business needs to verify your identity before it can create a new account in your name. There used to be companies that could automatically renew your 90-day alerts for you, but the credit agencies sued them out of existence, which was a travesty. So, if you want an indefinite fraud alert, you need to repeat the process yourself every time it expires.
Another option is a credit freeze, which locks your account completely. The CRAs may charge for this service, and you will have to enter a PIN code to unlock your account. A credit freeze prevents all access to your account, including credit checks, and thus may have unintended consequences (for example, background checks for employment). It’s your best option for long-term security and doesn’t expire, but it isn’t ideal.
There is one more option, an extended fraud alert that lasts for 7 years but is generally available — thanks to federal law! — only if you have already been a victim of identity theft.
These techniques can help, a bit, but at a cost. Worse, they do nothing to protect non-financial accounts secured with your private information.
Living with Long-term Risk — Until the system changes, there isn’t much you can do beyond a credit freeze, and that comes with some negatives, especially if you need to apply for credit or a job. Perhaps this incident will spur some legislative changes. The odds are high that more than a few politicians are also now exposed, and self-interest is a powerful motivator.
We normal consumers must be hyper-aware of when our SSNs are used as a security control. Does your healthcare provider use your SSN to decide when to release medical data? Does your school system use it to release transcripts? Does your bank use it as an account recovery passcode?
In my experience, most of these organizations, even if they use the infamous “last four digits,” also offer alternative PIN or verification options. Try to use those alternatives whenever possible, or at least understand and accept your risk.
The average person isn’t necessarily at risk of having someone impersonate them to get medical records, but there are plenty of occupations and situations where that might be a concern, including politicians, journalists, and anyone in a divorce or child custody fight.
I first learned to live with this risk personally thanks to the OPM breach that exposed more than just my SSN. The real lesson came as part of a second breach, which revealed a wealth of personal history that I had submitted as part of a standard security form. It included every place I have ever lived, every country I had visited in the preceding 7 years, and the personal information of all my immediate family members.
Knowing this information is out there is… disconcerting. There’s no way for me to know who has it now: likely some Chinese intelligence agency or underground criminal information exchange. It’s not an everyday source of stress, but more of a low-level buzzing in the back of my head.
I have to assume anyone who really wanted to could get my SSN and possibly a bunch of other private information. So I do my best to protect myself and my family by enabling multi-factor authentication on accounts whenever possible, creating account recovery questions that are pseudo-passwords, and changing PIN codes so they aren’t the last four digits of my SSN.
I write this as a so-called security expert who makes my living in this industry, and I know I still have plenty of vulnerable accounts and financial risk. Practically speaking, the vast majority of consumers, or even TidBITS readers, don’t have the time, knowledge, or security diligence to protect themselves indefinitely.
Since Equifax is one of the primary sources of credit reports and knows exactly how fraud occurs and how our information is used, it is unconscionable that the company offers only a year of free credit protection to the people it has harmed through its negligence. It’s equally offensive that Equifax continues to prevent the use of tools like persistent fraud alerts that could help reduce our risk.
As much as I hate to end on a sour note, the reality is that, until the system changes, until our financial lives are governed by something stronger than some short strings of plain text that never change, we have to keep our guard up and hope for the best. And hope is never part of security best practices.
I have been attempting to place a credit freeze on my credit at TransUnion since Saturday (it's Wednesday today) without success. I've tried calling but after an interminable menu of options they just hang up the line. I had no problem at the other agencies. As others have pointed out the chances are that there will be no serious consequences for any of these reporting agencies.
You can do it at their website.
Thanks for your interesting thoughts, Rich.
From my understanding the problem is basically two-fold. One is that the SSN is used by all kinds of private businesses and hence is at risk of being compromised. The other is that it is a unique identifier which in practice is used across many businesses (and the government) to do all kinds of things, regardless of whether it's in our own interest or not.
To address these two issues I would like to see a law passed that would prohibit any business from offering a service under the condition of providing them with an SSN. If somebody wants to give it to them, fine. But if instead I choose not to, they cannot refuse their business on those grounds. Secondly, I would like it ensured that instead of supplying them with my SSN as a unique identifier, I have the right to supply them with an identifier of my choice, thus enabling consumers to use different IDs for different businesses (limiting the effect when one gets compromised).
What about the reverse: a law that says your SSN must be assumed public (though cannot be revealed except with your consent), so cannot be used to verify your identity. Any company that accepts your SSN as proof of identity in an account recovery call is liable for any losses that occur, plus a penalty.
That's smart because it creates a very strong incentive for businesses to find alternate authentication forms.
I don't understand why financial institutions in the States are so extremely archaic when it comes to authentication. Using a ZIP code? Laughable. And chip/PIN is still being treated like some kind of novelty here while the rest of the developed world started (and in some cases already finished) to kill off swipe/signature a long time ago. Two-factor authentication or chip card readers with challenge/response schemes are widespread in Europe/Asia. I simply cannot understand why the US is behaving like a third-world country when it comes to banking. If the banks fail to improve/innovate I'd say force them through legislation. But obviously there's way too much lobby money involved so consumer interests are purposely being blatantly ignored.
Principally, it's because we're a FIRST world country with regard to adoption of "capable" technologies. Too much existing, mostly-debugged infrastructure dominates. Why is broadband so expensive? Because to us it's still an evolutionary technology, "good enough" for business to promote and already there. Basic cell phone technology caught on in the developing world with more momentum because it wasn't replacing land lines, it was implementing telecommunications. And why has CDMA lasted so long in the face of GSM? Early adopter entrenchment.... (somewhat ironic given the above).
We need a class action lawsuit. Not one that seeks financial compensation since we'd all get maybe $100 out of this at best. Rather, we need one that forces them to provide free, lifetime coverage for their screwup.
Include a financial settlement that would pay the lawyers what they went to do this action. They can keep all of that. The rest of the settlement is, as noted, coverage for all of us.
And start voting against these politicians who serve only their corporate masters. Especially, please, vote in midterm elections. Too few people do that.
Amen.
Equifax must immediately 1) Provide insurance against financial loss due to their breach (bank theft, id theft, credit cards, damages), and 2) provide free credit monitoring and legal assistance FOR LIFE. This is their negligence not ours, so they should indemnify all of those affected against all harm for as long as it can happen to us. LIFE.
https://www.schneier.com/blog/archives/2017/09/on_the_equifax_.html
Great piece that agrees with Rich. I especially like his term "surveillance capitalism."
Social Security (USA, that is) suggests (this probably isn't new) that one create a "my Social Security" account at their web site so that no one else can create one in your name.
Seems like a good idea (I already had one). They're also now doing two factor authentication. Not in the best way though (SMS or email). I switched from SMS to email.
They're also still on the change password every 6 months train...sooner or later they will read the NIST's current suggestions.
Good article. Do you have any recommendations re: Identity Protection, the value of LifeLock, etc.?
If you freeze your credit at all 5 agencies, then there’s no need for any of those, really.
5 agencies?? What others exist besides Equifax, Transunion, and Experian?
Innovis & ChexSystems
And it turns out there was ANOTHER breach at Equifax back in March.
http://www.bloomberg.com/news/articles/2017-09-18/equifax-is-said-to-suffer-a-hack-earlier-than-the-date-disclosed
TRUSTEDID is a company owned by Equifax. To obtain their one year of "protection," I am asked to re-enter a substantial amount of sensitive, private data. I'm not doing it! Why would I think daughter TRUSTED ID was any more competent than Equifax? What's more, the whole thing smells like phishing when you fill out those forms! It's crazy!
This nonsense, not patching a known security breach, will continue until the federal government provides for substantial penalties for this kind of behavior. And I mean substantial, like several thousand dollars for each individual account jeopardized, plus jail time for those responsible.
This kind of irresponsible behavior has got to be penalized or it will never stop.
Personally, I think the penalty money should go straight to the consumers who were harmed.
If I'm not a customer of Equifax - instead their "product" - then how did Equifax get all my sensitive information? From my bank(s), right? The banks are going to be the ones liable for losses accrued due to these security breaches, if they are the ones who gave my information to Equifax. It is not my fault!!
I have had my credit frozen on all three majors for years. In late January someone obtained my SSN, CC, personal info, and tried to purchase phones and service from T-Mobile. Thankfully Chase identified the purchase as fraudulent, but that wasn't before T-Mobile successfully did a credit check on TransUnion.
I thought I knew what a credit freeze is supposed to be; it didn't prevent that.
After the Equifax news I froze my info on all three majors. I have the page prints and emails to prove that all three of them verified the reports were frozen. A few days ago I checked back and found that Experian had unfrozen my report!
The more I hear these stories, the more I think we need some new legislation to rein in these credit agencies. I can't see any other way to ensure that they won't be evil, given that we're the product, not the customers.
Well, maybe non-stop lawsuits would do it.