If the major data breach Equifax acknowledged over the past week tells us anything, it’s that the U.S. system for protecting consumer financial information—and controlling consumer credit—is broken.
So says Al Gidari, the director of privacy at the Stanford Center for Internet and Society, who points to a criminal investigation into whether Equifax executives sold company stock on insider knowledge of the breaches, which may affect every adult American who has at least one credit card, and even some who have none.
Credit card issuers, which partner with credit bureaus Equifax, Experian, and TransUnion to control consumers’ buying power, may write off unauthorized charges, Gidari says, but individual consumers bear the major burden of the identity theft typically tied to breaches of personal data: With poor or blocked credit due to fraudulently opened accounts tied to their Social Security number, they can lose their ability to buy a home or car or even a phone.
Consumers must also take on the burden of monitoring their credit. The Federal Trade Commission recommends checking credit reports annually at each of the credit bureaus. It also recommends considering a credit freeze, which can cost between $5 and $10 per bureau, depending on which state the consumer lives in, and prevent you from making major purchases. And “thawing” your credit after a freeze can cost up to $10 per credit bureau.
Rebuilding credit can also take time and considerable effort: Negative credit information such as a delinquent payment is automatically removed from credit reports after seven years. It can be removed faster, if the consumer is able to successfully contest it—and if the credit bureaus properly synchronize their data, which isn’t a given.
“The system needs to change, where the user has control of their credentials,” Gidari says. “The current model of credit is broken. All the data that can be stolen has been stolen.”
More than 15.4 million U.S. consumers were victims of identity fraud in 2016, 2 million more than the year before and the highest number of victims ever recorded by Javelin Research’s annual Identity Fraud report, published most recently in February. Javelin, which has been conducting its survey since 2003, concludes that fraudsters stole more than $16 billion from their victims last year.
Al Pascual, one of the Javelin report’s authors, tells The Parallax that he sees a “definite correlation” between identity fraud cases and breaches of organizations such as Equifax, Target, Home Depot, J.P. Morgan, and the U.S. government’s Office of Personnel Management.
“One in three people notified in 2016 of a breach experienced fraud,” he says. “Last year was highest correlation on record.”
The trends in breaches and fraud aren’t likely to change any day soon, says Ashkan Soltani, former chief technologist for the FTC and senior adviser to the Obama White House’s chief technology officer. And neither is the American credit system, which relies on using Social Security numbers not just to identify people, but to verify their identities.
A nine-digit number such as an SSN is “a terrible authenticator,” Soltani says. “Adding additional security measures is critical…but a lot of these measures add friction that the banks and others don’t want to incur.”
Soltani points to so-called smart payment cards that use EMV chips. While most countries require consumers to enter a personal identification number, or PIN, to authenticate the chip card, the United States mandates only a signature with the chip—an easier hurdle for fraudsters to jump. U.S. financial institutions, which suspected that a PIN mandate would reduce purchase completions, successfully lobbied against it.
Pushes to adopt other types of so-called friction, such as the two-factor authentication that Norway has mandated with its BankID, aren’t likely to go far in the United States anytime soon, says Bob Gellman, a Washington, D.C.-based privacy and information policy consultant with more than 40 years of experience.
Gellman, whose personal information was stolen in the OPM breach, says that for now, consumers should push for incremental changes to the system, such as urging credit bureaus to provide credit monitoring, freezes, and thawing free of charge.
“Credit bureaus should pay for it,” Gellman says.
That would be a great change, says Soltani, who describes the practice of passing such costs on to consumers as a “protection racket.” He adds that he’d like to see “more focus on cyberinsurance and risk, where firms are incentivized to better handle risk.”
In a post outlining why she wasn’t surprised by the major breach at Equifax, or the company’s slow response, former Equifax Chief Privacy Officer Anna Slomovic said that from the financial institutions’ perspective, naturally, it all comes down to money.
The credit-reporting agencies view consumers as a “cost to be minimized,” she wrote. “Given the nature of credit reporting, only action by the Congress and diligent regulatory oversight will lead to a better balance for consumers in the long term.”
In the meantime, consumers should figure out whether their data has been compromised and take action, the FTC advises.
To check whether your personal information was involved in one of the Equifax breaches, the FTC recommends establishing a secure Internet connection through a virtual private network on a trusted computer, then visiting Equifax’s site, clicking on the Potential Impact tab, and following the instructions.
A simpler (yet still not foolproof) way to keep tabs on your credit is to file a fraud alert. This warns creditors that you may be an identity theft victim and prompts them to verify your identity before issuing you—or someone claiming to be you—more credit.
Updated on September 28 to better focus on the primary breach that Equifax recently acknowledged.