The Equifax breach and the cybersecurity silver bullet

Hacking is here to stay; manage risk by knowing—and using—methods to shield your data


Some time ago, the popular show “MythBusters” wanted to find out if the Lone Ranger was right about silver bullets being better than lead ones. Turns out silver bullets actually are slower and less accurate.

When it comes to cyber­se­cu­ri­ty, quick-fix sil­ver bul­lets also are less effec­tive than tried-and-true approach­es. The most effec­tive cyber­se­cu­ri­ty strate­gies begin with two cer­tain­ties: Mis­takes will be made, and breach­es like the one that hit Equifax will keep happening.

Adam Levin, chair­man and co-founder of Credit.com and Cyber­Scout (for­mer­ly IDT911)

The 143 mil­lion con­sumers exposed in the Equifax breach pro­vide plen­ty of evi­dence that there’s still no effec­tive “sil­ver bul­let” when it comes to both chron­ic and acute threats to our col­lec­tive cybersecurity.

While the Equifax breach is by no means the largest hack to date (that dis­tinc­tion still belongs to Yahoo), it def­i­nite­ly stands out as the breach with the great­est poten­tial to harm its victims.

The Equifax hack­ers got the most com­plete data dossiers pos­si­ble on mil­lions of peo­ple. Those dossiers are worth about $30 on the black mar­ket and include Social Secu­ri­ty num­bers, names, address­es, birth dates and, in some cas­es, driver’s license num­bers. Addi­tion­al­ly, the cred­it card num­bers of 209,000 con­sumers were lifted.

What can be done with this infor­ma­tion? Just about every sort of iden­ti­ty theft imaginable.

Cred­it lines and cred­it-wor­thi­ness can be destroyed overnight, health care records can be pol­lut­ed with the infor­ma­tion of thieves using your ben­e­fits ille­gal­ly, and it can be near­ly impos­si­ble to get med­ica­tions filled in a time­ly man­ner. Crimes can even be com­mit­ted in your name, since the thieves have all they need to cre­ate a driver’s license with your infor­ma­tion and some­one else’s photograph.

No easy fix

If there were any easy way to solve the data-breach prob­lem, we’d be see­ing few­er news­wor­thy com­pro­mis­es. But as yet, noth­ing works.

Take, for instance, bio­met­rics. Fin­ger­prints, reti­na scans, body weight, and shoe size—they offer a great addi­tion to the var­i­ous ways we authen­ti­cate our­selves to the sys­tems stor­ing our data. But they are not a true fix. If a secu­ri­ty patch released by a soft­ware provider is not installed, as hap­pened in the Equifax breach, it doesn’t mat­ter how many body parts you scan.

Pic­ture the mail­box­es in the lob­by of a city dwelling—the indi­vid­ual box­es can be opened with one mas­ter key so the let­ter car­ri­er can slot the mail for all the apart­ments at the same time. It doesn’t mat­ter how well you pro­tect the key for your one apartment’s mail­box if a thief gets access to the mas­ter key. The same goes for indi­vid­ual cyber hygiene in the face of a breach.

One of the most promis­ing solu­tions was once thought to be tok­eniza­tion—a sys­tem of ref­er­ents that cre­ate an impen­e­tra­ble secu­ri­ty trail—but it suf­fers from the same issue that was behind the Equifax hack: human beings mess­ing up.

Tok­eniza­tion sys­tems have to be secured and val­i­dat­ed using secu­ri­ty best prac­tices. That’s where the fal­li­bil­i­ty part creeps in. Those best prac­tices still need to be imple­ment­ed by fal­li­ble humans with busy lives who have not been told—and con­sis­tent­ly reminded—that they are the only solu­tion to the data breach problem.

Data breach­es and the iden­ti­ty-relat­ed crimes that flow from them are the third cer­tain­ty in life—right after death and taxes—because there will always be that fal­li­ble human ele­ment. Edu­ca­tion can help mit­i­gate the risks, but even the savvi­est pop­u­lace will make mistakes.

Real solu­tions

Sen. Eliz­a­beth War­ren has set her sights on the three cred­it report­ing bureaus, specif­i­cal­ly demand­ing that they offer cred­it freezes for free. The loom­ing threat of cred­it hijack­ing is made pos­si­ble by the hoard­ing of information—the cred­it report­ing bureaus’ dai­ly bread. It seems log­i­cal, then, that the bureaus should have to pay for the most com­mon crime that data can lead to: cred­it fraud.

While new laws are good, edu­ca­tion is the only real solution.

For many years now I have been advo­cat­ing a sys­tem called the Three Ms, which are the cen­ter­piece of my book, Swiped: How to Pro­tect Your­self in a World Full of Scam­mers, Phish­ers and Iden­ti­ty Thieves.

Prac­tic­ing the Three Ms con­tin­ues to be the best way to keep your per­son­al­ly iden­ti­fi­able infor­ma­tion from being used in iden­ti­ty-relat­ed crimes. 

  1. Min­i­mize your expo­sure. Don’t click on sus­pi­cious or unfa­mil­iar links; don’t authen­ti­cate your­self to any­one unless you are in con­trol of the inter­ac­tion; don’t over­share on social media; be a good stew­ard of your pass­words; opt for two-fac­tor authen­ti­ca­tion when­ev­er it’s offered; safe­guard any doc­u­ments that can be used to hijack your iden­ti­ty; and freeze your credit.
  2. Mon­i­tor your accounts. Check your cred­it reports reli­gious­ly (you can check your cred­it report for free on Credit.com); keep track of your cred­it scores; review major finan­cial accounts dai­ly if pos­si­ble (bet­ter yet, sign up for free trans­ac­tion alerts from finan­cial ser­vices insti­tu­tions and cred­it card com­pa­nies); read the Expla­na­tion of Ben­e­fits state­ments you receive from your health insur­er; and seri­ous­ly con­sid­er pur­chas­ing a sophis­ti­cat­ed cred­it- and iden­ti­ty-mon­i­tor­ing pro­gram.
  3. Man­age the dam­age. Make sure you get on top of any incur­sion into your iden­ti­ty quick­ly and enroll in a pro­gram where pro­fes­sion­als help you nav­i­gate and resolve iden­ti­ty compromises—oftentimes avail­able for free, or at min­i­mal cost, through insur­ance com­pa­nies, finan­cial ser­vices insti­tu­tions, and employers.

The odds of Pres­i­dent Trump giv­ing his entire for­tune to the NAACP are prob­a­bly bet­ter than the chances that we’ll be expe­ri­enc­ing few­er big breach­es in the future. An individual’s secu­ri­ty pro­to­col is only so use­ful, but an individual’s actions make all the dif­fer­ence.

Full dis­clo­sure: Cyber­Scout spon­sors Third­Cer­tain­ty. This sto­ry orig­i­nat­ed as an Op/Ed con­tri­bu­tion to Credit.com and does not nec­es­sar­i­ly rep­re­sent the views of the com­pa­ny or its partners.
