The news of the massive Equifax data breach broke last week, and the collective shrug of yet-another-data-breach was deafening. The fact that it happened to a credit reporting service that is known for offering identity protection in the wake of other people’s data breaches is ironic, but beyond that, it’s just another in a string of data breaches that have impacted every American by this point.
At its core, credit reporting is a reputation service: The three credit agencies (Equifax, TransUnion, and Experian) collect a lot of data about people and then compute a score that indicates their credit-worthiness (reputation). But as the problem of identity theft and data breaches proliferated in the early days of e-commerce, credit reporting services shifted from reputation services to identity systems — their job was split between serving up a reputation score, and asserting that a given person was, in fact, who they claimed to be.
However, there is a huge flaw in their method, which is to verify identity based on a person’s Social Security number (SSN). SSNs have one thing going for them: they are unique. Each U.S. citizen and resident is assigned a unique SSN for tax collection and assignment of benefits through the Social Security program. The problem is, they are not private. In fact, we have been conditioned to provide this unique identifier to anyone who asks for it, from employers to doctors and dentists and, yes, anything that looks like an application for something official. SSNs aren’t even typically hashed or encrypted. I guarantee you that every single SSN can be acquired through a dark web storefront.
Building the foundation for an identity system on an easily discovered 12-digit number is not just a bad idea. It is destined to fail.
In fact, the security world has come to recognize that any identity system built on a single identifier is far too weak. That’s why so many organizations have already moved beyond the basic username/password combination and on to multifactor authentication (MFA), which relies on additional checks, ranging from simplistic knowledge-based answers to sophisticated biometric methods.
How effective is MFA? Well, the post-mortem reports from major data breaches have shown, time after time, that the attackers gained access to the network through that one lone system without MFA that no one worried about.
While MFA is a better approach to authentication, it is not without its own flaws. For example, one-time passcodes (OTPs) sent to users’ smartphones seem like a good idea, but hackers are now using illicit phone porting to hijack mobile number and intercept OTPs.
What we need is to move beyond identity verification to identify proofing: modern identity systems need to be able to prove that someone attempting to access a system is in fact who they say they are. Fortunately, this has never been more possible. We can now calculate the risk associated with an identity transaction using a wide array of methods, such as location, device recognition, and user behavior, and require a proportional measure of authentication — in other words, the more things don’t add up about the user, the more the system will require from them for authentication. For example, a user who’s in the expected location, using the right device, and exhibiting the keystroke behavior normal for them can be passed through, but users who fail on multiple counts might be required to provide more proof that they are who they say they are. In addition, the risk threshold can be higher or lower depending on what the user would be able to access if they were allowed in — people with higher privileges merit more scrutiny.
Better identity systems will not fix a broken credit reporting system that is being asked to do something it was not designed to do using an easily discoverable identifier. And it won’t change the fact that criminals now have an even bigger arsenal of personal information that they will use to try to impersonate people. But better identity systems will help slash the value of that stolen information by enabling us to spot and block imposters, no matter how well-armed they are with data. And forcing criminals to expend more effort for diminishing returns is an effective crime prevention strategy.