By now most financially or technically savvy people are aware of the breach disclosed by Equifax on September 7th. Equifax reports that the incident affected 143 million Americans, which is well over half of the estimated 250 million adults in the United States. The data accessed is as sensitive as the scope is broad, including names, Social Security numbers, birth dates, addresses and in some cases even more sensitive data. Equifax has since clarified the extent of the impact in the UK to the tune of 44 million more affected people.
Equifax’s response to this incident has been lukewarm at best, and they’ve been rightly panned by political and technology pundits. Brian Krebs, in particular, has been at the forefront of reporting on the issue and has done an admirable job holding feet to the fire on the problems with this response.
As an infosec professional, I often give advice to friends and family about how to best defend themselves against cybersecurity threats or what to do in the wake of an incident like this. But recommending a strategy for dealing with the fallout of this breach is non-trivial. Equifax’s offer of 1 year of free credit monitoring is suboptimal and self-serving. While monitoring certainly has value, it’s a reactive solution where you’re still mopping up. And Equifax stands to benefit greatly from renewed business of many people who sign up for free now and then renew at cost in a year’s time.
Conventional wisdom instead says that the safest approach is to freeze your credit, and while true, this also introduces significant friction that not everyone will anticipate. First, freezing and thawing your credit carries a small fee from each agency (though Equifax recently caved to public pressure and is waiving its freeze fee for 30 days). Worse yet, thawing your credit is not instantaneous and must also be done manually for every agency. Suggesting that millions of Americans freeze their credit, while arguably financially responsible, will have a significant effect on the many businesses that rely on consumers’ easy access to credit. Beyond obvious things like car loans and mortgage applications are many other retail impacts, such as 0% financing incentives and even opening a new account with a utility provider or switching from satellite to cable TV. Given that credit bureau security breaches are not a new thing, it would be fair to wonder why the available mechanisms for protecting your credit are still so lacking.
In my opinion, the mechanisms provided by the credit bureaus to consumers that allow us to protect our private and sensitive data are inadequate due to a fundamental flaw in the existing credit system. All US consumers who have any credit history or want to participate in the credit market (credit cards, mortgages, auto loans, etc.) have no choice about whether their most confidential data is provided to these companies. We are not customers of the credit bureaus, and we have no means by which to “take our business elsewhere” if we believe they are inadequately protecting our data. As a result, the companies have no incentive to improve their security and will likely continue to maintain a poor security posture and rely on outdated, unpatched and vulnerable software.
What can we do about it? Oversight should be provided by the Consumer Financial Protection Bureau. Are you unhappy with the Equifax response and the security posture of the credit reporting bureaus in general? Here’s where you can file a complaint.
Chief among the things I have requested is the ability to own my relationship with the credit bureaus (i.e., create an account that I can personally manage and close if I choose to do so). I also need the ability to secure that account and control access to my credit report. All of this nonsense about calling three (or four) different companies hours or days in advance of allowing someone access to your frozen credit report is bafflingly stupid. I want Multi-Factor Authentication, even push notifications via Duo or Yubikey. Imagine getting a push MFA request while applying for a mortgage. It is confidence inspiring that I was notified about this credit lookup request; I’ll click the approve button. Now imagine getting one while sitting by the pool on vacation. Great alert, and I have the ability not only to decline the request but also to respond immediately.
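To make the proposal above concrete, here is an added example (written for this post, not any credit bureau's actual system) modelling a consumer-owned, consent-gated credit file: a lender's lookup creates a pending request, the consumer is notified and answers with a one-time challenge tied to that request, and the report is released only on an approval that is single-use and expires if ignored. Everything here is hypothetical: the class and method names, the 300-second approval window, and the sample lender names are all assumptions for illustration.

```python
"""Hypothetical model of an MFA-gated credit report access flow.

Assumptions (not from any real bureau): the consumer already holds an
account with a registered MFA device; the "push" is modelled as a one-time
challenge string delivered to that device; the consumer echoes it back with
an approve/decline decision; unanswered requests expire after APPROVAL_TTL.
Default is deny: no report leaves without an explicit, unexpired approval.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

APPROVAL_TTL_SECONDS = 300  # assumed window in which a push request is valid


@dataclass
class LookupRequest:
    request_id: str
    requester: str          # e.g. lender name, constructed sample value
    created_at: float
    challenge: str          # one-time secret sent to the consumer's device
    state: str = "pending"  # pending / approved / declined / expired / consumed


class ConsentGatedCreditFile:
    """One consumer's credit file, releasable only with consumer consent."""

    def __init__(self, consumer_id: str, now: Callable[[], float] = time.time):
        self.consumer_id = consumer_id
        self._now = now  # injectable clock so expiry can be tested offline
        self._requests: Dict[str, LookupRequest] = {}
        self.audit: List[Tuple] = []  # every decision is recorded

    def request_lookup(self, requester: str) -> LookupRequest:
        """A requester asks for the report; the consumer gets a push notification."""
        req = LookupRequest(
            request_id=secrets.token_hex(8),
            requester=requester,
            created_at=self._now(),
            challenge=secrets.token_urlsafe(16),
        )
        self._requests[req.request_id] = req
        self.audit.append(("notify", req.request_id, requester))
        return req

    def respond(self, request_id: str, presented_challenge: str, approve: bool) -> str:
        """Consumer answers the push. Returns the request's resulting state."""
        req = self._requests.get(request_id)
        if req is None:
            return "unknown"
        self._expire_if_stale(req)
        if req.state != "pending":
            return req.state  # already decided, expired, or consumed
        if not hmac.compare_digest(presented_challenge, req.challenge):
            self.audit.append(("bad_challenge", request_id))
            return "pending"  # wrong challenge never counts as approval
        req.state = "approved" if approve else "declined"
        self.audit.append((req.state, request_id, req.requester))
        return req.state

    def release_report(self, request_id: str) -> Optional[dict]:
        """Bureau-side check before handing the report to the requester."""
        req = self._requests.get(request_id)
        if req is None:
            return None
        self._expire_if_stale(req)
        if req.state != "approved":
            self.audit.append(("denied", request_id, req.state))
            return None
        req.state = "consumed"  # an approval releases the report exactly once
        self.audit.append(("released", request_id, req.requester))
        return {"consumer": self.consumer_id, "released_to": req.requester}

    def _expire_if_stale(self, req: LookupRequest) -> None:
        if req.state == "pending" and self._now() - req.created_at > APPROVAL_TTL_SECONDS:
            req.state = "expired"
            self.audit.append(("expired", req.request_id))


if __name__ == "__main__":
    # Constructed walkthrough: the mortgage case and the poolside case from the post.
    cf = ConsentGatedCreditFile("consumer-123")
    mortgage = cf.request_lookup("ExampleMortgageCo")
    cf.respond(mortgage.request_id, mortgage.challenge, approve=True)
    print(cf.release_report(mortgage.request_id))
    poolside = cf.request_lookup("UnexpectedLender")
    cf.respond(poolside.request_id, poolside.challenge, approve=False)
    print(cf.release_report(poolside.request_id))
    for entry in cf.audit:
        print(entry)
```

The design choice worth noting is that the consumer's decision is bound to one specific request through the challenge, so an approval cannot be replayed against a different lookup, and the bureau's release path checks state rather than trusting the requester. The audit list is what a consumer-facing dashboard or fraud alert would be built on.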
Perfect? No. But it would be far better than where we are today.