Moving forward – and backwards – from the Equifax breach

By now, most financially or technically savvy people are aware of the breach disclosed by Equifax on September 7. Equifax reports that the incident affected 143 million Americans. The data accessed is as sensitive as the scope is broad, including names, social security numbers, birth dates, addresses and in some cases even more sensitive data.

Equifax has since clarified the extent of the impact in the UK to the tune of 44 million more affected people.

Equifax’s response to this incident has been lukewarm at best, and they’ve been rightly panned by political and technology pundits. Investigative journalist Brian Krebs, in particular, has been at the forefront of reporting on the issue and has done an admirable job holding feet to the fire on the problems with this response.

As an infosec professional, I often give advice to friends and family about how to best defend themselves against cyber security threats, or what to do in the wake of an incident like this. But recommending a strategy for dealing with the fallout of this breach is non-trivial.

Equifax’s offer of a year of free credit monitoring is suboptimal and self-serving. While monitoring certainly has value, it’s a reactive solution where you’re still mopping up. And Equifax stands to benefit greatly from renewed business of many people who sign up for free now and then renew at cost in a year’s time.

Conventional wisdom instead says that the safest approach is to freeze our credit, and while  true, this also introduces significant friction that not everyone will anticipate. First, freezing and thawing credit has a small fee from each agency (though Equifax recently caved to public pressure and is waiving their freeze fee for 30 days).

Worse yet, thawing credit is not instantaneous and must be done manually for every agency. The impact of suggesting that millions of people freeze their credit, while arguably financially responsible, will have a significant effect on the many business that rely on consumers’ easy access to credit.

Beyond obvious things like car loans and mortgage applications are many other retail impacts such as zero per cent financing incentives and even opening a new account with a utility provider or switching from satellite to cable TV. Given that credit bureau security breaches are not a new thing, it would be fair to wonder why the available mechanisms for protecting credit are still so lacking.

In my opinion, the mechanisms provided by the credit bureaus to consumers that allow us to protect our private and sensitive data are inadequate due to a fundamental flaw in the existing credit system. All consumers who have any credit history or want to participate in the credit market (CC, mortgage, auto loan, etc.) have no choice that their most confidential data is provided to these companies.

We are not customers of the credit bureaus, and we have no means by which to ‘take our business elsewhere’ if we believe they are inadequately protecting our data. As a result, the companies have no incentive to improve their security and will likely continue to maintain a poor security posture and rely on outdated, unpatched and vulnerable software.

What can we do about it? Oversight should be provided by the Consumer Financial Protection Bureau. Chief among my requests is the ability to own my relationship with the credit bureaus (i.e., create an account that I can personally manage and close if I choose to do so). Also, I need the ability to secure that account to control access to my credit report.  

All of the nonsense about calling three or four different companies hours or days in advance of allowing someone access to your frozen credit report is bafflingly stupid. I want multi-factor authentication. Even push notifications via Duo or Yubikey. Imagine getting a push MFA request while applying for a mortgage.

Confidence inspiring that I was notified about this credit lookup request; I’ll click the approve button. Now imagine getting one while sitting by the pool on vacation. Great alert, and I have the ability to not only decline the request but also respond immediately.

Perfect, no. But it would be far better than where we are today.