On September 7, 2017, Equifax announced that it had suffered a data breach lasting from mid-May through the end of July. As a result of that breach, personally identifiable information (PII)—including names, addresses, birth dates, and Social Security numbers—for 143 million consumers was exposed. Credit card information for about 200,000 consumers may also have been exposed, along with account history information that often provides the basis for Knowledge-based Answers (KBA) authentication.
While the number of records exposed makes this breach smaller than some recent breaches—such as the Yahoo! breach of 2016, which exposed user names and passwords for over 1 billion accounts—the nature of the data exposed by Equifax could make this breach “one of the most significant data breaches in history.”
To get a sense of the ramifications of this breach, we recently talked to Ms. Jodi Pratt, who is a fraud and risk management professional in the financial services industry, and a member of the DSi Board of Advisors.
Here’s our interview.
DSi: What does this breach mean for consumers? Are there specific actions concerned consumers should take now?
Pratt: Not to lessen the impact of 143 million records being exposed at one time, but we need to remember this is by no means the first large data breach. Large data breaches have been occurring with some regularity dating back at least to 2005. It’s very possible that this breach exposed information that has already been exposed. The victims just may not know it yet. A good portion of this data may also have been compromised in other ways, such as through phishing and indiscreet posts on social media.
The most valuable lesson from this breach is the reminder for all of us consumers that we should assume our most basic pieces of Personally Identifiable Information (PII)—name, address, date of birth, Social Security number (SSN) or Tax Identification Number (TIN), and driver’s license (DL) number—are now exposed, if they were not exposed long before. Therefore, they are not reliable pieces of information to be used by others to identify you. We should add Mother’s Maiden Name and Birth Place to that list, as well. That being the case, we should not allow them to be used as sole identification for anything involving financial or medical issues.
As consumers, we should take the reins and demand better security.
Especially for financial accounts, ensure that any company you are doing business with has some uncompromised ways of verifying that it is really you who is taking action on your account, even for actions as simple as changing your mailing address, email address, or phone number. Be diligent about checking your bank and other activity statements each month to identify any changes to your existing accounts or suspicious transactions of any kind.
Check your credit files regularly for free. Look for unrecognized additions to your files or changes in your credit history. (You can request a report from any of the three major agencies once a year, so if you stagger your requests, you can get a free copy of your report every four months. See https://www.ftc.gov/faq/consumer-protection/get-my-free-credit-report.) Check all your social media accounts and remove any PII from your profiles.
And sign up for all the alerts your trusted “vendors” offer regarding transactions; they can make you aware immediately if someone is using compromised information to get into your legitimate accounts (known as “account takeover”).
DSi: What does the breach mean for organizations like banks that previously might have used a Social Security number as a screening feature for opening an account or verifying an ID over the phone?
Pratt: Few financial institutions use the TIN/SSN as a sole—or even primary—data point for authentication or verification purposes. Financial institutions will continue to be required to collect SSN/TIN for regulatory and IRS purposes. In the short term, they may continue to use that data, secondarily, in conjunction with other data in a Multi-Factor Authentication (MFA) process that reduces the risks of misidentifying consumers.
The MFA concept requires companies to use a combination of factors, including data points from not only “what you know” (which is the category into which the data from this breach falls), but also from “what you have” (e.g., the many devices—and components within them—you may use to connect to your relationships; the delivery channels used) and “what you are” (e.g., biometrics, which are only now coming into more common usage).
Other types of businesses, who may have used SSN/TIN as primary identifiers, should use this opportunity to abandon that practice. This is what many organizations in the health care industry are doing now. For a long time, it was common practice to use SSN/TINs as medical identification numbers, but over the past few years, payers and providers alike have been working to create a different method of identification for healthcare to protect patients from medical as well as financial fraud. I’ve recently heard that Medicare is also looking to replace SSN/TINs as identification data.
DSi: Does this breach make other security measures, such as ID authentication, more important?
Pratt: For the foreseeable future, identity document authentication will be very helpful to assist all businesses who remotely engage with their customers to begin moving into a more robust MFA verification process. As images, IDs can be hashed and encrypted to make it much more difficult for unintended recipients to reconstruct the document even if it is compromised in flight or at rest. ID documents will also bring “what you are” factors into the authentication process. Using smart mobile device features, the ID document provides an opportunity to compare “something you have” with “something you are” digitally.
DSi: How do you think ID verification and ID authentication will evolve in response to this breach?
Pratt: Having been in the fraud management industry for over two decades, I can vouch for the fact that MFA has long been viewed as close to a panacea as we have been able to envision for the online security and fraud loss issues facing both businesses and individuals. But we’ve been delayed by the speed at which the technology to support it has progressed; ideas travel at the speed of light, but the fulfillment is slower than the speed of sound.
With the advancement of digital technology into everyday consumer activity, the puzzle pieces for MFA are finally all on the table, and vendors, enterprises, and consumers should be actively filling in the picture.
Did this breach have an impact? I’m hoping it was the straw that broke the camel’s back, pushing MFA to the forefront, just as 9/11 pushed electronic check clearing to center stage.
And in the next 10-20 years, hopefully we’ll have something even more brilliantly effective to further advance individual security and stymie criminal activity. Nonetheless, we must not forget that whatever good humankind can create, humankind will eventually abuse; ID verification and authentication must continually evolve.
Ms. Pratt serves as a consultant for financial institutions, trade associations, and vendors, helping them develop and implement fraud and operations risk-management solutions. From 2001 to 2005, Ms. Pratt was Risk Management Practice Managing Principal with Carreker Corporation, responsible for developing, implementing and supporting many of the market’s leading risk-management products. Before Carreker, Ms. Pratt worked for nearly twenty years at Bank of America in a variety of roles encompassing risk management, fraud detection, branch operations and call center management.