New Technologies, Standardization & Education are All Vital Components

While we’re focused on the upcoming holiday season, we can’t forget about a very large shadow hanging over the festivities: Equifax.

The biggest data hack in history compromised the identities of 145 million Americans, nearly half of the country’s population. The thieves gained access to consumers’ Social Security numbers, home addresses, birth dates, and more. Now that we’re a couple of months removed from the initial event, though, it’s time to start asking the important questions: how did it happen, how could it have been prevented, and most importantly, what can we do now?

There are three specific points I’d like to address that will be essential if we mean to get serious about protecting consumers’ identities.

#1. Ditch the Social Security Number

Our permanent, legal identities in the US are rooted in our Social Security number, or SSN. It’s an extremely difficult and time-consuming process to mitigate the damage if that number is compromised, and some consequences may stick with you for the rest of your life.

Many tech and security experts—myself included—argue that the Social Security number has outlived its viability as an ID form. It’s high time that we explore alternate methods of validating a person’s ID; for example, we could replace SSNs with a physical token like an EMV chip card. The card can be PIN-authorized, and is easy to replace if an individual’s identity is compromised.

We could explore new, more innovative ideas for ID verification as well. Some have suggested blockchain technology can be used to create “digital fingerprints” that would be near-impossible to duplicate.

#2. Standardized Rules & Compliance

Companies are required by law to notify consumers following a data breach…at least in 48 of the 50 states. Alabama and South Dakota do not have any such requirements, which, given South Dakota’s prominence as a business and finance hub, substantially weakens the spirit of those protections.

This is just one example of inconsistent regulation. I’ve been an advocate for more standardized rules and practices governing online data and commerce for years. In my eyes, any regulation that’s not imposed consistently is going to be inherently ineffective. Thus, consumers will continue to be vulnerable without standardized policies and implementation.

In the same way the Payment Disputes Standards & Compliance Council advocates for standardization of chargeback policy, we need more focus on standardizing data protection rules.

#3. More Education About Data

With the passage of the GDPR, the European Council gave EU citizens the “right to be forgotten”: consumers could control which data different parties have access to and how it is managed. While that sounds great in concept, it may lead to unintended problems.

The average consumer isn’t a data or security expert. They don’t know which data is valuable for what reason. Consumers can request their data be destroyed, which would interfere with the kind of open data analysis that prevents fraud.

Remember: with great power comes great responsibility. If consumers are going to have that degree of power, it absolutely needs to come together with a push for consumer education. We can look at chargebacks once again as an example of what happens when consumer empowerment doesn’t come alongside education; online merchants have been hit with a flood of friendly fraud as a result.

Perfect Storm for Fraud

So overall, we now find ourselves with:

  • Empowered consumers who have little knowledge of data science.
  • Widespread anxiety about fraud, with no understanding of fraud trends.
  • Inconsistent rules and regulations.
  • Outdated, vulnerable security infrastructure.

This all leads to a perfect storm for fraud and greater security vulnerability. Until we address the broader vulnerabilities and weaknesses in our approach to online fraud and data security, more Equifax-scale hacks are going to happen.

We need to get serious about fraud…before it’s too late.

Monica Cardone