After the Equifax Breach-Addressing Identity Fraud
October 8, 2017
Four Congressional hearings on the Equifax data breach allowed us to learn more about the theft of personal information of 145.5 million people. However, as I wrote here and here, many proposed solutions do not address the most important problem created by this breach. The Equifax breach is so much more severe than other breaches because it undermines the system by which we verify individual identity.
During the hearings, Equifax’s now-retired CEO Richard Smith said over and over that the suite of credit monitoring services offered to consumers for the next year, followed by the “free lock of the Equifax file for life,” will address the issues faced by people whose data was stolen. In fact, Equifax’s offer is essentially the same as the offers of free credit monitoring that followed other data breaches at commercial and government entities.
Unfortunately, the nature and scope of the data stolen in this particular breach make credit monitoring much less useful than it was when thieves got email addresses, credit card numbers and similar financial information. Let me explain why.
Placing either a state-regulated freeze or a “lock” offered in some form by each of the nationwide credit reporting agencies (CRAs) would reduce new account fraud. If lenders cannot check credit files, they are unlikely to approve loans to fraudsters. However, credit file freezes and locks do not address the types of fraud that occur without access to a credit file, including takeover of existing financial or tax accounts and medical identity fraud.
These types of fraud rely on the ability to impersonate someone. Monitoring your bank accounts or your medical records can tell you that someone stole your money or received healthcare in your name. One reason such fraud happens is failure of identity verification. Credit header data stolen in the Equifax breach forms the core of our identity verification systems, and fraudsters now have credit header data for a significant portion of the population.
In the simplest terms, identity verification—confirming that an identity is real and that the person claiming it has a right to it—is necessary whenever there is a risk in dealing with the wrong person. Identity verification is difficult because it relies on documents and data that are subject to inaccuracy and potential fraud. To reduce fraud risks, those who face identity-related risk often confirm identity claims provided by an individual with an independent trusted party. CRAs are such trusted parties because they acquire data from financial institutions that have incentives (and are sometimes required by law) to know their customers and maintain accurate records.
CRAs are in the business of identity verification and fraud prevention themselves. They also sell credit header data to other organizations for these purposes. Credit header data is particularly valuable for identity verification because it has several characteristics that other data sources don’t have.
Credit header databases at nationwide CRAs are population registers. Data that covers the entire population is necessary for identity verification at scale because people move from community to community, because some commercial and government services are offered nationwide, and because online transactions can be conducted even when individuals and businesses are far away from each other. Without a population register, it would be difficult, if not impossible, to determine whether an individual in one part of the country is the same person as the individual with the same name in a different part of the country. Social Security numbers (SSNs) are particularly valuable because they are issued by a trusted government agency and are supposed to be unique to each individual.
Credit header databases also contain deep and broad identity information necessary for detecting identity fraud. As I wrote before, identity verification is more sophisticated than simply matching data provided by the individual with data found in databases. Identity verifiers also examine the “structure” of an identity and search for anomalies, such as multiple SSNs belonging to the same identity or an excessive number of identities associated with a single address. Credit header data includes current and former names, current and former addresses, and other data that enables structural checks that lower the risk of identity fraud. Identity verifiers, including CRAs, supplement credit header data with data from public records and other sources, but credit header data remains at the core. Identities derived from various databases are matched on multiple elements, and SSNs play an important role in this matching because of their uniqueness.
Even systems that use other identity verification methods, such as biometrics, rely on trusted sources of identity data. All biometric systems require some form of “enrollment,” i.e., the creation of a reference to which each future instance of the biometric will be compared. If a biometric is used only to allow the same person to lock and unlock a phone, for example, identity verification is not necessary for enrollment. The only thing that matters is that the individual who unlocks the phone is the one who set up the biometric lock.
However, when biometrics are used to decide whether someone should be allowed to cross a border or receive a government benefit, the reference biometric must be tightly bound to a specific individual whose identity has been verified. Binding the biometric to the right person is particularly important because changing a biometric is difficult or impossible. Identity verification systems that use data from trusted sources, including CRAs, are essential to properly bind a biometric to an identity.
With the large number of data breaches in the past several years, the work on new identity systems has grown. This work ranges from the introduction of new types of identity tokens controlled by the individual to the use of blockchain identity ledgers. As noted by several people who work in the space, it is no longer feasible to do identity verification in high-risk applications by relying on static data. Instead, identity verifiers must track the evolution of an identity and look for possible anomalies in both data and behavior. This approach to identity verification necessarily involves collection and storage of a large amount of transactional data, increasing commercial and government surveillance in the name of fraud prevention. We are already moving in this direction, and the Equifax breach accelerated the movement by making our current identity verification system even less effective.
The bad news is that our current identity verification system doesn’t work as well as it used to, increasing the risk of fraud based on impersonation. The worse news is that we don’t yet have another system that is both effective and respectful of privacy and individual rights.