After the Equifax breach, we need to change our online behaviors

Tuesday, September 26, 2017 - 4:00 AM

DAVID FERRO, special to the Standard-Examiner

Ever had your identity stolen? It is a pain to fix, isn’t it? Unfortunately, identity theft is occurring more frequently. The latest hack, of Equifax’s data — the names, birthdates, and Social Security Numbers of almost half the people in the country — means worse things are coming. Fortunately, with our prodding, we can effect change in how our credit profile is managed and how our banks and retirement accounts determine our identity. But it also means we must change our own behavior.

In terms of customer relations, Equifax seems to have done everything wrong. They waited five months to reveal the breach. Their customer websites and phone lines were jammed. The program they set up to determine if a person was hacked seems to have given out the same answer to everyone, even for bogus entries, and it required a great deal of personal information to make that determination. Equifax seemed so tone-deaf that a rumor floated that the hack and the free year of protection they offered were part of a scheme. Last week it was revealed that Equifax linked to a bogus website about the problem after being warned it could easily lead to scams.

Part of the problem is, we are not the true customers. The true customers of the collectors of consumer data — the three big credit-reporting agencies — are banks. Equifax, Experian and TransUnion collect your information without your consent. Private organizations have always served this role, but the globally accessible FICO credit score has made us vulnerable.

Optimally, this incident is a clear call to Congress, the Federal Trade Commission, state attorneys general and the Consumer Financial Protection Bureau to regulate these agencies, perhaps in a way similar to utilities.

Of course, any data connected to the internet is hard to protect. As the old saying goes, “information wants to be free.” With all the banking, shopping and carrying on we do on the internet, we leave digital traces of our identity everywhere we go online, which greatly exacerbates vulnerability to hacking.

Security experts talk about three types of identification proofs: what you know, what you have and what you are. For example, what you know is a password, your SSN or birth date. What you have could be your cell phone or a key of some kind. What you are is called biometric, and it could be a fingerprint, voiceprint or something else unique to your body.

Most security systems at this point rely on the first type: what you know. Unfortunately, most people create the same lousy passwords for all their accounts. Rather than relying on a mnemonic device, you should use a password generator or manager like LastPass.

Better would be a system that uses a secondary identifier such as a code texted to your cell phone. Weber State University just implemented a system called Duo that requires a second approval from another device to log in to any secure information. It is a little bit more trouble to log in, but far more secure than just a password. If your money is in an entity that doesn’t do this, you probably should complain.

One of the biggest problems is when entities use secondary identifiers as a fallback for when you lose your password. For example, a firm might ask for your birth date or SSN. This does two things wrong. One, it uses something you know, but also something that others could easily find out. Two, in the case of an SSN, it confuses an identifier with a password. The SSN was never intended as a secret password, and security experts have been complaining about this for decades.

The first five digits reference where you were born, and anyone can use the internet to decode them. It’s not possible to look up someone directly, but you can do a lot by knowing when and where they were born (likely public information). That leaves only the last four digits, which are sequentially generated. Four digits are approximately 10,000 combinations. That is no more secure than the four-digit PIN you use to get into your ATM. But to get into your ATM, you at least need that four-digit code and something you have, such as your bank card or phone.

This latest crisis is a reminder that we all need to work to make our online lives more robust. A word to those who can effect change is needed. And we need to change our own behaviors as well.

Dr. David Ferro is dean of the College of Engineering, Applied Science & Technology at Weber State University. Twitter: @DavidFerro9.
