A Dangerous Game - Reflecting On the Equifax Breach


By Tin Zaw, Director of Security Solutions, Verizon Digital Media Services

Recent news about the cybersecurity incident at Equifax, which resulted in the loss of confidential data of 143 million American consumers, has sent both the mainstream media and the Twittersphere wild with opinions, debates, discussions and how-to’s. Although the immediate technical impact (what was lost and how much of it) is thought to be known, the real economic and social impact that American consumers suffer will be realized over the coming months and years.

From a practical and technical perspective, most of these discussions revolve around two claims: 1) this could have been prevented if we had done x, y and z; and/or 2) this kind of breach is inevitable and could happen to any company.

However, most of these discussions miss the point in addressing the economic impact that we consumers will individually suffer. Moreover, they miss pointing out the fundamental flaw in how the entire system—the game—is set up. It is that flaw that causes economic pain.

The flaw is the confusion—or willful ignorance—between an identifier and a key for access to data. In computer terms, user IDs and passwords are confused, and user IDs are used as passwords.

A Social Security Number is a unique identifier for a flesh-and-blood person. Combining it with date of birth, street address, etc., makes it identify the person more accurately. SSNs, by themselves or in combination with other qualifiers, are not secrets, were not meant to be secrets and must stop being used as secrets. How can they be secrets when we are required to share them with strangers on a regular basis and the industry harvests them on a massive scale?

The fix is to stop using identifiers as keys for access to data. Every access to collected data, such as credit history, must be authorized by the person in person. Merely presenting the person’s identifiers (such as SSN, DOB, etc.) must not be enough to access the data. In other words, all our credit files must be frozen by default unless and until we grant access to them, as one-time access, in person.

It is simple in theory, but it will have its consequences. As with any change, some (consumers, I hope) will win, some will lose and there will be resistance. And it will not happen unless we initiate and take action. While I am usually wary of government regulations, consumer protection is one of the reasons we have governments. It is perhaps time to call your congressman/woman and senator.

The game must change and we need to act now.
