The Equifax data breach didn't have to be this bad
(Bloomberg View) -- If your personal information is ever compromised in a data breach, the hacked company might send you an apology letter with an offer of free identity theft protection from a credit-reporting agency. But what happens when the reporting agency is the one that gets breached?
This week, Equifax said that its systems had been accessed by intruders, potentially affecting 143 million U.S. consumers. Equifax Chief Executive Richard Smith called the event "disappointing," which seems like an understatement for a company whose core business is collecting people's credit information. The stolen information includes names, Social Security numbers, birth dates, addresses and driver’s license numbers. Get ready to see a lot of credit card fraud.
Once Social Security numbers are exposed, they can be circulated and misused with ease. A company called LifeLock demonstrated this back in the 2000s, when it advertised its CEO's Social Security number to display confidence in its identity protection services. His identity was reportedly misappropriated 13 times. Here's that ad:
Before the digital age, a stash of nine-digit numbers could be kept reasonably secure in a locked filing cabinet behind closed doors. So long as consumers volunteered the numbers judiciously, most people could make it through life without ever suffering a theft of identity. But as business moved to the internet, greater amounts of personal information became accessible to intruders. In 2008, the Federal Trade Commission created the Red Flags Rule, which required businesses and organizations to collect personally identifying information from their customers, even if not necessary for service. This put Social Security numbers into the hands of utility companies, telecom providers, doctors and countless other unreliable custodians.
One paradox of digital security is that combating fraud typically requires collecting even more sensitive data. If Social Security numbers have been hacked, then we'll need more personal information to be sure people are who they claim to be. Legislators have proposed a biometric Social Security card that could contain fingerprints or retinal scans. Beyond that, who knows: Once hackers figure out how to replicate biometric data, maybe we'll have to consider digital DNA samples or virtual cavity searches.
The problem with Social Security numbers is that businesses and financial services treat them as authenticators, meaning that the mere possession of the number is enough to verify a person’s identity. In practice, identification and authentication should be two different things. For example, a driver’s license is a form of identification. A person’s face, which corroborates with the photo on the license, provides the authentication. One is useless without the other.
The Republic of Estonia uses such a system to identify members of its e-Residency program, even with no physical presence. Each e-resident has a public numerical key that serves as a unique identifier, and a corresponding private key that is never revealed. During the authentication process, the private key is used to generate an irreversible digital signature. The signature is shared and verified by the public key without ever exposing the private key.
That’s the basic idea behind public-key cryptography. It’s how computers authenticate themselves over the internet, and how Bitcoin transactions are created on the blockchain. While an individual could still accidentally reveal a private key, no single entity needs to have custody of 143 million of them.
The idea of having a universal identification number is outdated, especially when far better technology has been available for decades. The only thing Social Security numbers should be used for is to pay our taxes, which identity thieves are welcome to do.