Security Blog
Friday, 06 October 2017 09:31

Why We All Had A Role In The Equifax Fail

Rather than keep calling Equifax and their likes names, which I’ve done so often, let’s call this breach what it really is: just the latest example and result of a universal and unrelenting conspiracy of failures.

Breaches like Equifax have happened and will continue to happen because all of us, in big and little ways, have failed to do what we could to help avoid the collision.

If encrypting that monstrous trove of highly sensitive data was technically and financially feasible, then failure to do so was a damning failure. Encryption isn’t a guarantee or a cure, and in many cases can be too clumsy to implement, but I’m pretty sure it would have been an option for a resourceful company like Equifax.

And if this breach could have been entirely avoided with a security precaution as simple as a routine patch, maybe Equifax should never be forgiven.

Congress has failed – by repeatedly resisting enforcing stronger security and privacy regulations that would take many of these crucial decisions out of the hands of businesses that have a clear track record of putting revenues and convenience over security and privacy.

Congress continues to fail, as even now it eyes removing the teeth and perhaps even the balls of the Consumer Financial Protection Bureau, one of the few cops left on the block. The goal of their effort seems to be to further erode the regulatory oversight that’s so badly needed to persuade businesses like Equifax to truly, madly and deeply put consumers first.

Congress has also failed to address a host of other issues, from exploring alternatives to the use and demand of Social Security Numbers, to allowing a universal, national, and by-default freeze on the Social Security Numbers of kids. And all in an effort to bow deeply to financial industry lobbyists.

And let’s not forget all those businesses and professionals, from banks and credit unions to doctors, dentists, and even schools that routinely demand a Social Security Number as identification with the threat of denial of essential service if refused.

We as consumers have failed too. Servers are crashing in the rush to freeze credit files because for years consumers just haven’t even bothered to explore this most rudimentary security measure. And in spite of an average of 2-4 data breaches every single day for the last five years, we’ve failed to protest, failed to complain, failed to lobby, failed to demand change.

We still fail, with crappy passwords, click-happy index fingers, a complete lack of vigilance (the business end of awareness), a comfortable numbness to breach after breach, a contagious apathy and a convenient choice to always blame others without ever looking closely at what we might have done, even in the smallest way, to stop this (these) from happening.

Recognizing that there’s no such thing as absolute security and there are no easy fixes, there are lots of things we can and must do to even slightly restore consumer confidence, including improving resistance to data breaches in the first place, a much broader use of encryption (even if it’s a little inconvenient), making stolen data harder to exploit and of much less value, and demonstrating to consumers that all is not lost and hopeless. Because in this economy more than most others, consumer confidence is the heartbeat.

So let’s talk about credit freezes. Not just because everyone else is and often in the wrong context, but because if used properly they offer the consumer the greatest protection against the most common form of identity theft.

But first some background. When data breaches first started spreading across the nation, state by state, more than a decade ago, the credit bureaus furiously opposed them. They spent millions of dollars on lobbyists who followed the debate from state chamber to state chamber pitching all kinds of “sky falling in” arguments.

And the identity protection industry seemed very comfortably aligned with the bureaus. In 2015 a CBS reporter showed me a press release from a well-known id protection and insurance company urging consumers to not consider a credit freeze even in the event of identity theft.

I’m quoting their press release verbatim:

“During a freeze, all credit cards are frozen”

“Your debit card may also be impacted”

“Consumers may need to go to a cash lifestyle even to pay bills”

And scaremongering like this has worked. Tens of millions of consumers pay billions of dollars every year for identity protection services of questionable value, yet possibly fewer than a million have frozen their credit.

In spite of the confusion and misrepresentation, the credit freeze is an essential tool in fighting some types of identity theft. That’s why I’m suggesting:

  • Credit freezes should be free for all consumers, even if they’re not a victim of identity theft. My colleagues at the Identity Theft Resource Center just proposed the same thing and I wholeheartedly support them.
  • Thawing fees should be waived too, because they’re an essential part of security and consumer credit.
  • Consumers should be actively educated about the benefits and process of the credit freeze so they don’t themselves freeze.
  • The freeze process should be as simple, flawless, and swift as possible, both to make security easier and not to impact the appetite for credit. It’s disappointing that while the servers managing the enrollment in identity or credit monitoring services rarely seem to fail, the servers handling freezes seem less than stable. Even before the latest breach and rush.

But if we go that route, we have to be prepared for some significant consequences:

  • If millions of consumers freeze their credit, and do so free of charge, bureaus will lose substantial income from both freeze fees and credit monitoring/identity protection. If your credit is frozen, there’s nothing to monitor.
  • If the bureaus, or CRAs, start to lose money because of credit freezes, will consumers pay the price with higher fees on other things like credit scores and reports?
  • If millions of consumers freeze their credit, you can bet the universal hacker collective will focus its attention and resources, relentlessly, on cracking the mechanics of the freeze and especially the storage of PINs.
  • In my experience, from counseling thousands of victims of identity theft, confusion about freezes leads to apathy. Consumers mistakenly assume that a freeze is a cure-all, and protection against all kinds of identity theft, and so drop their guard and return to the comfort of complacency.
  • One solution might be to charge consumers a modest annual fee, akin to what they might pay for a good antivirus product, and that fee could include freezing and thawing as often as they choose, and perhaps even a frequent update on their credit score.

A better protected and educated consumer, and without forcing the still-essential bureaus to take a massive financial hit? I could live with that. Because none of us can live with the alternatives.

Whether it’s your customers or your clients, security education matters now more than ever. Because an informed and vigilant user is less likely to make critical mistakes that will cost them and you.
