The headlines about Equifax keep coming. The latest is that the CEO is “retiring”. That he was allowed to retire instead of being fired has stirred yet more ire. It’s one thing to read about the breach and quite another to be one of its victims.
Sandra Davis (not her real name), shares her story. “I checked the Equifax site after the breach was FINALLY announced to the public, I was informed that my information was at risk. At that time (and after they removed the "you can't sue us" clause), I signed up for the Trusted ID monitoring service and checked my credit reports. Nothing seemed out of the ordinary. Two weeks later, I got a letter in the mail from Radius Bank in Boston, welcoming me to an account I did not open. It's been downhill since.”
She says it has been impossible to communicate with Equifax. “I call at various hours on various days and get nothing. The website is useless. TrustedID sent an email suggesting there's an alert that requires a response but I can't get through to them, either. It's been 10 days of nonstop busy signals. I have checked all my reports and again nothing, put fraud alerts on all, contacted my bank to flag my accounts, contacted all creditors as well. I check all my accounts in the morning and evening. I filed an ID theft report with the LAPD, reported all this to the FTC at identitytheft.gov and followed the recommended plan.”
But with all that, she still had troubling news. “I have now been notified by Stubhub, Netflix, and my bank that there has been a flurry of login activity on my accounts that required me to close out and start again. All I've learned is that nothing is safe, the credit bureaus are NIGHTMARES to communicate with (even the websites are absurdly complex), and constant, proactive reviewing of all your financials will be the only way you'll get immediate information.”
She adds, “The FTC site has been helpful, but I'm the type of person who needs to speak with someone to ask questions and feel informed and empowered. Since no living human exists at Equifax or TrustedID, I can't get help or info from the source which is unnerving and infuriating.”
There are likely plenty more stories like hers, and some worse. All this makes you wonder what banks and credit unions require before they will initiate wire transfers or other transfers out of accounts. Do they require information that wouldn't be contained in the Equifax data breach? Do they have an additional verification step?
“Every financial institution varies the method of authentication but the one thing I see most often is the requirement for the customer to come into the branch, pass authentication and then be provided with a remote wire PIN that can be used in tandem with other verification methods selected at random by the institution. Money movement would then mean a variety of security layers, plus PIN,” says John Buzzard, Industry Fraud Specialist at CO-OP Financial Services, a financial technology company that serves 3,500 credit unions nationwide and their 60 million members.
Mitek, inventors of Mobile Deposit and a leader in digital identity verification, works with nearly all the leading financial institutions in the U.S. Sarah Clark, VP of product and customer success at Mitek, shares what they’ve been hearing from their bank and credit union customers in the wake of the breach.
“Many of our customers have expressed that this breach is finally convincing them that relying on personally identifiable information (PII) and knowledge-based authentication (KBA) to verify consumers’ identities is no longer a viable option. We fully expect to see an increase in identity theft cases and a higher risk of synthetic identity fraud because the type of PII exposed in the Equifax breach (social security numbers, driver’s license numbers, etc.) are traditionally the foundation of this type of fraud.”
‐Sarah Clark, VP of product and customer success at Mitek
However, she adds, asking consumers to travel to the branch to show their ID is simply not a viable option in this day and age. “Instead, many financial institutions are moving toward digital identity verification techniques and relying on new mobile technologies to help them. With digital identity verification technology, banks can have customers snap a picture of the front and back of their ID using their smartphone camera. Using computer vision and advanced machine-learning algorithms, the technology is able to instantly determine whether the ID is an authentic, government-issued ID and that it has not been tampered with. The bank can also go a step further by having the consumer snap a selfie. Using biometric facial comparison technology, it can verify that the individual in the selfie is in fact the same person pictured on the ID. This creates strong identity assurance through two factors of authentication: something you have (the ID) and something you are (biometric facial recognition).”
Greg Scott, an IT and security expert with Infrasupport, shared his blog posts with DepositAccounts. He thinks one way to attack the problem is passphrases. “When I provide a social security number, I don’t prove I’m me, I only prove I know the SSN that belongs to Daniel Gregory Scott. Same for my driver’s license number, date of birth, mother’s maiden name, and anything else I might know that’s public knowledge. The shorthand way to say this is, my SSN identifies me, but does not authenticate me.”
That’s the issue. “A private passphrase could authenticate me. Not a password, but a passphrase. Passphrases are more secure than passwords because they have more characters and they’re easier to remember than passwords filled with random characters. The passphrase ‘Your mom wears army boots’ is more secure and easier to remember than a password, say, ‘@rMyb00ts!’ A passphrase also has an advantage: you control it and can change it any time.” He continues: “So, for starters, let’s encrypt all that data credit reporting agencies hold about me with a passphrase I control. Anyone who wants to look at my data goes through me first. Which gives me all the advantages of a credit freeze with fewer hassles. Nobody can borrow money in my name, because nobody can check up on me with a CRA unless they know my passphrase. CRAs don’t know the plaintext contents of my data – they only know the encrypted contents. I control the key, which means I control the access.”
While it sounds good, it may be hard to adopt. Says Scott, “That’s radical surgery. CRAs will scream about how much work it will require to educate consumers and set all this up. They’ll also scream because this idea takes away much of their power. Many consumers will also scream about taking on the responsibility to remember a passphrase. And what happens if a consumer forgets their passphrase? The easy answer – Banks or other institutions can offer a passphrase storage service. And creditors will scream about how it complicates the system and makes offering credit more difficult than before. I plead guilty on all charges. But we have 143 million reasons to change the system, and either we do it in the private sector or the government will force something down everyone’s throat. And, as a consumer, I should have control over data about me. Millions of us should have demanded it 30 years ago.”
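To make Scott's proposal concrete, here is an added illustration (written for this article; it is not Scott's code, nor anything a credit bureau actually runs) of what "the CRA only knows the encrypted contents, I control the key" looks like in practice. The consumer record is a constructed sample. The passphrase is stretched with PBKDF2 so that offline guessing is slow, and the record is sealed with a keyed-hash stream cipher plus an integrity tag built only from Python's standard library (an assumption made so the snippet runs anywhere; a real system would use a standard authenticated cipher such as AES-GCM). A wrong passphrase yields no plaintext at all, which is exactly the "goes through me first" property, and `rotate_passphrase` shows the consumer changing the key at any time. It also shows the cost Scott concedes: a forgotten passphrase with no escrow means the record cannot be recovered by anyone.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed sample consumer record; the values are placeholders, not real data.
SAMPLE_RECORD = b"name=Jane Example;ssn=000-00-0000;accounts=2;inquiries=0"

# Assumed work factor: high enough that guessing passphrases offline is expensive.
PBKDF2_ITERATIONS = 200_000


@dataclass
class SealedRecord:
    """Everything the CRA would store: ciphertext plus public parameters, no key."""
    salt: bytes
    nonce: bytes
    ciphertext: bytes
    tag: bytes


def _derive_keys(passphrase: str, salt: bytes) -> tuple:
    """Stretch the passphrase into two independent 32-byte keys (encryption, integrity)."""
    master = hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=64
    )
    return master[:32], master[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream with HMAC-SHA256 as the PRF (stdlib stand-in for a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(record: bytes, passphrase: str) -> SealedRecord:
    """Encrypt a record under the consumer's passphrase; fresh salt and nonce every time."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    ciphertext = bytes(a ^ b for a, b in zip(record, _keystream(enc_key, nonce, len(record))))
    # Encrypt-then-MAC: the tag covers nonce and ciphertext, so a wrong passphrase
    # or a tampered record is rejected before any plaintext is produced.
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return SealedRecord(salt, nonce, ciphertext, tag)


def open_record(sealed: SealedRecord, passphrase: str) -> Optional[bytes]:
    """Return the plaintext only if the passphrase verifies; otherwise None (access denied)."""
    enc_key, mac_key = _derive_keys(passphrase, sealed.salt)
    expected = hmac.new(mac_key, sealed.nonce + sealed.ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sealed.tag):
        return None
    stream = _keystream(enc_key, sealed.nonce, len(sealed.ciphertext))
    return bytes(a ^ b for a, b in zip(sealed.ciphertext, stream))


def rotate_passphrase(sealed: SealedRecord, old: str, new: str) -> Optional[SealedRecord]:
    """Consumer-controlled key change: re-seal under a new passphrase, or None if the old one is wrong."""
    plaintext = open_record(sealed, old)
    if plaintext is None:
        return None
    return seal(plaintext, new)


if __name__ == "__main__":
    stored = seal(SAMPLE_RECORD, "Your mom wears army boots")
    print("CRA holds ciphertext only:", stored.ciphertext.hex()[:32], "...")
    print("creditor with wrong passphrase:", open_record(stored, "@rMyb00ts!"))
    print("consumer-authorised lookup:", open_record(stored, "Your mom wears army boots"))
    rotated = rotate_passphrase(stored, "Your mom wears army boots", "new phrase, same record")
    print("after rotation, old passphrase:", open_record(rotated, "Your mom wears army boots"))
```

The salt and nonce are stored in the clear; that is expected, since the secrecy rests entirely on the passphrase and the cost of guessing it. Note what the bureau cannot do here: it cannot answer a creditor's inquiry on its own, and it cannot reset a forgotten passphrase, which is why Scott's sketch needs the "passphrase storage service" he mentions.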
Editor's Note: For more information and discussion of the Equifax data breach, please refer to Sheryl's article, Why You Should Think Twice About Freezing Your Credit, and these DA forum threads: