The Equifax breach and the cybersecurity silver bullet
Hacking is here to stay; manage risk by knowing—and using—methods to shield your data
By Adam Levin, Special to ThirdCertainty
Some time ago, the popular show “MythBusters” wanted to find out if the Lone Ranger was right about silver bullets being better than lead ones. Turns out silver bullets actually are slower and less accurate.
When it comes to cybersecurity, quick-fix silver bullets also are less effective than tried-and-true approaches. The most effective cybersecurity strategies begin with two certainties: Mistakes will be made, and breaches like the one that hit Equifax will keep happening.
The 143 million consumers exposed in the Equifax breach provide plenty of evidence that there’s still no effective “silver bullet” when it comes to both chronic and acute threats to our collective cybersecurity.
While the Equifax breach is by no means the largest hack to date (that distinction still belongs to Yahoo), it definitely stands out as the breach with the greatest potential to harm its victims.
The Equifax hackers got the most complete data dossiers possible on millions of people. Those dossiers are worth about $30 on the black market and include Social Security numbers, names, addresses, birth dates and, in some cases, driver’s license numbers. Additionally, the credit card numbers of 209,000 consumers were lifted.
What can be done with this information? Just about every sort of identity theft imaginable.
Credit lines and credit-worthiness can be destroyed overnight, health care records can be polluted with the information of thieves using your benefits illegally, and it can be nearly impossible to get medications filled in a timely manner. Crimes can even be committed in your name, since the thieves have all they need to create a driver’s license with your information and someone else’s photograph.
No easy fix
If there were any easy way to solve the data-breach problem, we’d be seeing fewer newsworthy compromises. But as yet, nothing works.
Take, for instance, biometrics. Fingerprints, retina scans, body weight, and shoe size—they offer a great addition to the various ways we authenticate ourselves to the systems storing our data. But they are not a true fix. If a security patch released by a software provider is not installed, as happened in the Equifax breach, it doesn’t matter how many body parts you scan.
Picture the mailboxes in the lobby of a city dwelling—the individual boxes can be opened with one master key so the letter carrier can slot the mail for all the apartments at the same time. It doesn’t matter how well you protect the key for your one apartment’s mailbox if a thief gets access to the master key. The same goes for individual cyber hygiene in the face of a breach.
One of the most promising solutions was once thought to be tokenization—a system of referents that create an impenetrable security trail—but it suffers from the same issue that was behind the Equifax hack: human beings messing up.
Tokenization systems have to be secured and validated using security best practices. That’s where the fallibility part creeps in. Those best practices still need to be implemented by fallible humans with busy lives who have not been told—and consistently reminded—that they are the only solution to the data breach problem.
Data breaches and the identity-related crimes that flow from them are the third certainty in life—right after death and taxes—because there will always be that fallible human element. Education can help mitigate the risks, but even the savviest populace will make mistakes.
Sen. Elizabeth Warren has set her sights on the three credit reporting bureaus, specifically demanding that they offer credit freezes for free. The looming threat of credit hijacking is made possible by the hoarding of information—the credit reporting bureaus’ daily bread. It seems logical, then, that the bureaus should have to pay for the most common crime that data can lead to: credit fraud.
While new laws are good, education is the only real solution.
For many years now I have been advocating a system called the Three Ms, which are the centerpiece of my book, Swiped: How to Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves.
Practicing the Three Ms continues to be the best way to keep your personally identifiable information from being used in identity-related crimes.
- Minimize your exposure. Don’t click on suspicious or unfamiliar links; don’t authenticate yourself to anyone unless you are in control of the interaction; don’t overshare on social media; be a good steward of your passwords; opt for two-factor authentication whenever it’s offered; safeguard any documents that can be used to hijack your identity; and freeze your credit.
- Monitor your accounts. Check your credit reports religiously (you can check your credit report for free on Credit.com); keep track of your credit scores; review major financial accounts daily if possible (better yet, sign up for free transaction alerts from financial services institutions and credit card companies); read the Explanation of Benefits statements you receive from your health insurer; and seriously consider purchasing a sophisticated credit- and identity-monitoring program.
- Manage the damage. Make sure you get on top of any incursion into your identity quickly and enroll in a program where professionals help you navigate and resolve identity compromises—oftentimes available for free, or at minimal cost, through insurance companies, financial services institutions, and employers.
The odds of President Trump giving his entire fortune to the NAACP are probably better than the chances that we’ll be experiencing fewer big breaches in the future. An individual’s security protocol is only so useful, but an individual’s actions make all the difference.
Full disclosure: CyberScout sponsors ThirdCertainty. This story originated as an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its partners.