Equifax is answerable to its customers, the lending institutions — not the people of the United States. And that’s a real problem.
Two problems have emerged. The first is safeguarding consumers’ private information. The second is coming up with processes to allow consumers to quickly restore or repair their private information when, not if, it is compromised.
Equifax has allowed the personally identifiable information of 145.5 million consumers, up from the initially reported 143 million, to be accessed by hackers, putting all those consumers’ credit-worthiness and finances at risk. Equifax reportedly knew that its software was vulnerable and that patches were available to fix the problem as early as March 7 of this year. According to many accounts, including that of Wired Magazine, hackers exploited these vulnerabilities from mid-May through the end of July before Equifax became aware of the penetration. The company took six weeks to investigate the break-in and assess the extent of its damage. It’s not clear when patches were applied, but Equifax did not report the incident to the public until the end of those six weeks.
According to testimony from Tuesday’s hearing, the Department of Homeland Security first alerted Equifax to a potential software vulnerability in early March. Richard Smith, Equifax’s former CEO, testified that information failed to reach the right people, delaying the company’s response. Smith blamed one Equifax staffer for not making sure that the patch was installed. A fundamental problem is that it can be difficult to detect a hacker who has compromised a computer. Some software flaws can, inadvertently, give the hacker “root access,” giving him or her full control of a computer. A novice hacker can be detected quickly. Sophisticated hackers can cover their tracks, making detection and repair very difficult and giving themselves long-term access to the computer.
Software is imperfect. When bugs are discovered, software developers work to fix them. After their fixes are tested, updates to the software, called patches, are released. It is then up to the software deployers, Equifax in this case, to apply and test the patches. According to Ars Technica,
“The flaw in the Apache Struts framework [website software for allowing data to be viewed from different perspectives] was fixed by its developers on March 7. Three days later, the bug was already under mass attack by hackers who were exploiting the flaw to install rogue applications on Web servers. Five days after that, the exploits showed few signs of letting up. Equifax has said the breach on its site occurred in mid-May, more than two months after the flaw came to light and a patch was available.”
We know that Equifax’s security was breached. How are other credit agencies certain that they haven’t also been hacked by this or some other exploit? What’s the likelihood that Equifax was the only target and only agency that was hacked?
There’s an elephant in the room that everyone’s ignoring. When your credit card is lost or stolen, the credit card company cancels your old credit card number and issues you a new one; questionable charges to your card can be challenged and reversed quickly. But there is no comparable process for Social Security numbers (SSNs).
At the very least, there needs to be a process for issuing a new SSN to a person whose personally identifiable information has been compromised. Fundamentally, there need to be more SSNs to accommodate a person having multiple SSNs over his/her lifetime. Social Security doesn’t re-use SSNs. The population of the US is 323 million, or roughly one-third of the total number of SSNs, given the current limit of nine digits for single-person SSNs.
I’ve had my credit card numbers replaced a number of times, because my numbers were, as best the credit card companies and I could guess, stolen from the trash at some place where I bought something. As hacks like that at Equifax proliferate and the private info that was stolen propagates through the various dark channels, we can expect thousands and perhaps millions of SSNs to be compromised. The government should not wait: steps must be taken now to protect this crucial piece of an individual’s identity. There is currently no plan for what to do when the number of SSNs is exhausted. Due to identity theft, the government would need to revamp the SSN numbering system, likely significantly increasing the number of SSNs. Given the magnitude of the Equifax breach, this must be done soon. The Social Security Administration needs to issue and keep track of all the SSNs associated with each person. There needs to be a transparent process to help consumers when their private info, including SSNs, is stolen.
Issuing new SSNs is more complicated than credit card numbers, because your SSN is used by many companies and agencies. If we relegate this to the courts, the judicial system will be inundated with, potentially, millions of cases of fraud to deal with, so remediation has to be much quicker, and will have security and privacy issues of its own.
Adding more digits is a big deal, but not unlike challenges we’ve encountered before. When telephone numbers went from five digits to seven, a gradual process that took place from 1958 to the 1970s, the outcry was, “Who can remember all those digits?” Now with the area code, we have 10 digits to remember, more with international calling. We have dealt with it. Next was the Y2K problem that we had to deal with just prior to the year 2000, with dates changing from two digits (YY) to four digits (YYYY). Software needed to change. Paper forms had to be reformatted and replaced. People were cautious when the calendar changed from 1999 to 2000, not wanting to be exposed to some piece of hardware or software that hadn’t been updated properly.
In May of this year — four months before the Equifax hack was disclosed — the Federal Trade Commission (FTC) reported that it had received “nearly 500,000 identity theft complaints” in 2014.
According to the Department of Justice (DOJ), “[In 2014] 17.6 million individuals — 7% of all US residents age 16 and older — were victims of one or more incidents of identity theft. … Identity theft can have ramifications beyond financial harm. For example, consumers may be denied access to crucial services or medical care. Identity theft can also pose a threat to public safety, particularly when used [by hackers and their customers] to create fraudulent identity documents that facilitate criminal activity or enable individuals to hide from law enforcement.”
Keith B. Anderson, in the Bureau of Economics of the Federal Trade Commission, said “Victims must spend time resolving problems resulting from having their ID stolen … 55% of victims of new account or other misuse ID theft said that they had experienced either moderate or severe emotional distress as a result.”
What can an individual do? Remedying credit card fraud is relatively easy, depending on the individual credit card. Some credit card companies call you if a suspicious purchase is made. This works well … until someone uses your PII to change your address and phone number.
Misuses of your SSN are harder to detect. WhoWhatWhy’s blog posting, How to Keep Safe after the Equifax Cybersecurity Breach, gives guidance on how to check if you were one of the 145.5 million consumers whose PII was stolen. Most significantly, the burden falls on you to perform a credit check. The three major credit agencies, Equifax, TransUnion, and Experian, allow you to perform a free check once per year. If you stagger those checks, you can get a free check every four months, cycling through those three agencies. If you’re one of the unfortunate 145.5 million, you probably want to check your credit every month, but the onus is still on you. If you’re really unfortunate, you’ll have to challenge what’s been done to your identity and, possibly, your financial state.
Imagine the enormity of the loss of productivity, not to mention the otherwise unnecessary anger and frustration, when 44% of our population has to be this vigilant and responsive. Most will not have the wherewithal to secure their identity, either in terms of time, money, enduring frustration, or understanding of what has to be done — so identity theft and related crimes will continue, undetected by most people until it’s too late.
We need centralized (not the current every person for himself) revamping of the Social Security numbers and means for repairing people’s personal credit and financial information! We can’t continue to pretend that this doesn’t affect every person in the US. In light of the magnitude of the Equifax hack, we need to do the right thing, right away.
This is the time to act to protect the US consumers from current and future identity theft.
The author holds a Ph.D. in Computer Science.