Equifax and the Future of Identity Theft – October 2017

Something interesting has changed in the world recently. Overnight, 140 million people had their private information like addresses, SSNs, and birth dates stolen. I am, of course talking about the recent hack of Equifax.

Equifax, in its role as one of the three credit scoring agencies, stored all of this information on a little over half of all Americans in order to provide a necessary service in our society. Credit scoring has become central to the modern lender’s decision making process, and I find it unlikely that this will ever change. However, a compromise of this magnitude may force us to change how credit scoring, and even financial identity works in our country.

Consider the news that breaks when a few million credit cards are stolen from a major retailer. This is orders of magnitude larger. Over half of American adults are affected. And not only is the number of people larger- so is the duration of effect. Canceling a credit card is easy. Changing one’s Social Security number is not. Beyond all of this, the damage that can be done with a Social Security number is far beyond that of a stolen credit card.

There are 140 million Americans are at risk for identity theft forever, unless the system changes.

The most common piece of advice espoused in the wake of this breach has been to freeze your credit with all three credit reporting agencies. They charge you a nominal fee and give you a PIN that you can use to unfreeze your credit when you wish to do anything that you needed a social security number for before.

Since fixes need to be permanent, let’s consider what this means for the long term. To keep your identity from being stolen, your credit is almost always frozen. You use your PINs to unlock your credit right before applying for a loan or apartment lease, then immediately refreeze it right after the application goes through. Now the only secrets are these PINs that change every time you go through this process.

This doesn’t have the worst security properties on its face, but there are some problems when you look closer. Some PIN generation process used here have been shown to have significant flaws, making them easy to guess. Also, the usability of this solution is a nightmare. Imagine if every time you logged into your bank’s website, they gave you a new password to memorize. And now imagine logging into your bank’s website every time you want to make a transaction of more than $500.

While this is a bit of an overstatement, and people can certainly solve this with password managers and keeping PINs written down somewhere safe, it does add a layer of hassle and indirection, and PINs so infrequently used can easily be lost or forgotten.

Possibly the worst part of this is that Equifax profits every time you unfreeze and freeze your credit. A new line of income resulting from a massive data breach is not ideal in my book. Fortunately this can probably be legislated away, but until then I will remain sad.

Let’s consider other long term solutions that are less immediately actionable. Being a computer scientist, my first inclination is to replace social security numbers with a federal ID card, or federally standardized state ID card, with a chip. That chip would have a TPM that contains some secret key that could be used to sign requests where we currently use our social security number. This has the very nice property that we never share our secret with people who need to check our credit. We would only use that secret key to perform a cryptographic signature on our loan application. While an attacker could trick you into signing the wrong document, this is still a much better world than the one in which we live now.

That is not to say that there aren’t downsides to this solution. I would be remiss if I did not mention that Estonia issues similar IDs to its citizens, and that there is currently a recall of all such IDs in Estonia. The was an issue in generating the secret keys on these devices rendering them all breakable for tens of thousands of dollars each. This could have been mitigated by selecting larger key sizes, but alas it was not. Fortunately this seems to only be a logistic nightmare thus far. Of course the initial issuance of all of these ID cards would be a logistical nightmare as well, and potentially expensive. This is a very heavyweight solution.

Another long-term solution may be to punt on finding a solution and make it these credit reporting agencies’ problem to find a solution to identity. Social security numbers were never supposed to be secret identifiers used to track a person’s entire financial history. They were bastardized into that role. All we need is a way to shift the responsibility of checking a person’s identity onto the credit reporting agencies. And what better way than with legislation?

Punishment of a credit reporting agency for an instance of identity theft would force them to consider the identity of the person whose credit they are reporting much more closely. If they had to pay damages for loans taken out in my name by people who aren’t me, they would probably need a bit more than my social security number, that has a 50% chance of having been stolen, to say that the person requesting the loan is actually me. This is just a clever re-framing of credit reporting agencies’ job from “score credit-worthiness of the person whose information was provided on this loan application” to “score credit-worthiness of the person who provided the information on this loan application.

Of course the responsibility of authenticating could be another party than the credit reporting agency; I’m just feeling punitive toward them. Any party could take on the job of authenticating applicants and assume responsibility for identity theft. Lenders themselves may even be willing to take on this risk, and could even insure themselves against it. This requires encoding the responsibility of authenticating loan applicants into law strictly enough that companies have no choice but to require more information than what was stolen from Equifax.

These are a few ways I see the future going with respect to financial identity. I don’t know what is the best or most likely, but I find it interesting to explore this space.

20 October 2017

Website design stolen shamelessly from Zakir Durumeric.