This article originally appeared in TidBITS on 2017-09-13 at 1:21 p.m.
The permanent URL for this article is: http://tidbits.com/article/17457
Include images: Off

You Can’t Protect Yourself from the Equifax Breach

by Rich Mogull

Earlier this month, news broke of a massive data breach at Equifax [1], one of the three major credit rating agencies. Equifax may have lost private information, including Social Security numbers, for up to 143 million U.S. consumers, which would be over half of the adult, bank-account-participating population of the country. Some information from British and Canadian citizens may also have been exposed. In Equifax’s own words:

The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents.

Equifax subsequently botched its response and communications with consumers, including unclear legal clauses when you check your exposure, failing to provide specific information or an effective way to determine if you are affected, and even hosting its response Web site on a non-Equifax domain name using an incorrect digital certificate.

Ignoring all that, the real issue is that one of the companies “trusted” with determining our financial future based on deep records of personal information was breached… and due to the current nature of our financial system, we can’t effectively protect ourselves. Our best options offer only limited protection and come at a hefty cost, due in large part to lobbying by the credit rating agencies themselves.

As a cybersecurity advisor, I have worked with companies in all the nooks and crannies of the financial system. While most take their responsibility very seriously, they are still businesses filled with humans working with a hodgepodge of a system that has developed over decades, if not centuries. Mistakes will happen, and our system is poorly designed to protect consumers.

Here is how to understand your risk and best live with the exposure.

Nine Digits to Rule Them All -- Banking and credit has always been a history- and reputation-based industry. Financial institutions provide credit but need some level of assurance they will get their money back. For hundreds of years, this was managed through personal relationships. Over the past few decades, however, society decided to prioritize faceless transactions and frictionless credit. Financial institutions no longer have direct relationships with their customers, and in many cases have never even met their customers. To manage their risk, these institutions started to rely on credit ratings developed by private companies dedicated to collecting and analyzing our financial histories.

Thus the emergence of credit rating agencies (CRAs) like Equifax, Experian, and Transunion. These companies collect everything from public records to your credit card payment history and use that information to determine those all-powerful credit scores. Credit scores are merely a single numeric risk rating that financial institutions can use to decide what type of credit to extend to you — from mortgages to credit cards — and for how much.

Since names aren’t unique, the CRAs rely heavily on Social Security numbers (SSNs) as the unique identifier for individuals, sometimes in combination with full name and date of birth. The problem is that our system treats an SSN as a secret key to our financial records, but an SSN is merely a nine-digit number that is most definitely not encrypted.

SSNs are nearly impossible to change, are prone to errors, and clearly cannot be kept secret. Some bad guys first stole mine from a database at the student healthcare clinic where I went to college, and then it was exposed again (probably to China, based on public reports) during the big breach of the Office of Personnel Management (OPM) in the U.S. federal government.

In each of these cases, I was offered a year of free credit monitoring, just as Equifax has done in this latest breach. However, the free credit monitoring lasts only for a year, yet the bad guys can use my SSN for the rest of my life.

That’s the real issue here. Once your SSN has been exposed, you can never be assured it will be secret or safe ever again. Data like your SSN and date of birth won’t change, even after your death. Credit monitoring will only alert you to some kinds of new account fraud, essentially throwing a notification when someone creates a new account that is reported to a CRA. Those alerts won’t necessarily notice when utilities or other services create accounts that also rely on your SSN.

Even if you can protect your financial records, loss of your SSN and other personal information could expose nearly any kind of account you have, not just financial accounts!

Think of all the situations where something is “protected” with the last four digits of your SSN or a credit card. Breaches of a credit agency like this expose the master key to recover or access more than a few of your accounts.

Once you’re exposed, you’re exposed for life, not just for the year of free credit monitoring. At least until the system changes.

Your Best Financial Defense -- Although you can get, by law, a free copy of your credit report every year from each agency, doing so doesn’t offer much protection. You would need to be diligent about checking annually and then go through the process of cleaning up any new account fraud that occurs. (“Hey Siri, remind me to check my credit report every year.”) Doing so can be a difficult process since the system is built to protect the financial institutions, and CRAs are historically reticent to respond to consumer issues. Remember, the CRA’s customers are banks, not you. You’re the product.

The first step is to make things harder for a criminal to create new accounts in your name. There are two tools to do this, fraud alerts and credit freezes, but only one actually works. You can find information, phone numbers, and links on the U.S. Federal Trade Commission’s Identity Theft Web site [2]:

A fraud alert places a flag on your account for 90 days. During that time a business needs to verify your identity before it can create a new account in your name. There used to be companies that could automatically renew your 90-day alerts for you, but the credit agencies sued them out of existence, which was a travesty. So, if you want an indefinite fraud alert, you need to repeat the process yourself every time it expires.

Another option is a credit freeze, which locks your account completely. The CRAs may charge for this service, and you will have to enter a PIN code to unlock your account. A credit freeze prevents all access to your account, including credit checks, and thus may have unintended consequences (for example, background checks for employment). It’s your best option for long-term security and doesn’t expire, but it isn’t ideal.

There is one more option, an extended fraud alert that lasts for 7 years but is generally available — thanks to federal law! — only if you have already been a victim of identity theft.

These techniques can help, a bit, but at a cost. Worse, they do nothing to protect non-financial accounts secured with your private information.

Living with Long-term Risk -- Until the system changes, there isn’t much you can do beyond a credit freeze, and that comes with some negatives, especially if you need to apply for credit or a job. Perhaps this incident will spur some legislative changes. The odds are high that more than a few politicians are also now exposed, and self-interest is a powerful motivator.

We normal consumers must be hyper-aware of when our SSNs are used as a security control. Does your healthcare provider use your SSN to decide when to release medical data? Does your school system use it to release transcripts? Does your bank use it as an account recovery passcode?

In my experience, most of these organizations, even if they use the infamous “last four digits,” also offer alternative PIN or verification options. Try to use those alternatives whenever possible, or at least understand and accept your risk.

The average person isn’t necessarily at risk of having someone impersonate them to get medical records, but there are plenty of occupations and situations where that might be a concern, including politicians, journalists, and anyone in a divorce or child custody fight.

I first learned to live with this risk personally thanks to the OPM breach that exposed more than just my SSN. The real lesson came as part of a second breach, which revealed a wealth of personal history that I had submitted as part of a standard security form. It included every place I have ever lived, every country I had visited in the preceding 7 years, and the personal information of all my immediate family members.

Knowing this information is out there is… disconcerting. There’s no way for me to know who has it now: likely some Chinese intelligence agency or underground criminal information exchange. It’s not an everyday source of stress, but more of a low-level buzzing in the back of my head.

I have to assume anyone who really wanted to could get my SSN and possibly a bunch of other private information. So I do my best to protect myself and my family by enabling multi-factor authentication on accounts whenever possible, creating account recovery questions that are pseudo-passwords, and changing PIN codes so they aren’t the last four digits of my SSN.

I write this as a so-called security expert who makes my living in this industry, and I know I still have plenty of vulnerable accounts and financial risk. Practically speaking, the vast majority of consumers, or even TidBITS readers, don’t have the time, knowledge, or security diligence to protect themselves indefinitely.

Since Equifax is one of the primary sources of credit reports and knows exactly how fraud occurs and how our information is used, it is unconscionable that the company offers only a year of free credit protection to the people it has harmed through its negligence. It’s equally offensive that Equifax continues to prevent the use of tools like persistent fraud alerts that could help reduce our risk.

As much as I hate to end on a sour note, the reality is that, until the system changes, until our financial lives are governed by something stronger than some short strings of plain text that never change, we have to keep our guard up and hope for the best. And hope is never part of security best practices.

[1]: https://investor.equifax.com/news-and-events/news/2017/09-07-2017-213000628
[2]: https://identitytheft.gov/Steps