This week saw the biggest public breach in the history of credit reporting, as Equifax reported a hack affecting as many as 143 million customers. The hack exposed Social Security numbers, birthdays, and, in some cases, even credit cards. The attackers gained access as early as May, so the data has now been circulating for months. For years, experts have said you should assume your Social Security number and birthday are already available on criminal marketplaces — and with more than half of the adult US population implicated, that logic is now hard to avoid.
Beyond the immediate damage, the breach reveals some deep absurdities in Equifax’s business model. The company was one of the central stores of personal data, the place you checked to make sure you weren’t writing a mortgage to an impostor. But now the impostors have the same data as everyone else. If you can’t keep it secure, why stockpile the data in the first place?
The same questions come up when you look at the data itself. It’s bad to have your Social Security number and birthday stolen because criminals can use that information to apply for credit in your name. Why make that data so useful in the first place? There’s nothing magical about a Social Security number. We only use them for credit reporting because every US citizen has one, and they’re all supposedly secret. But those numbers haven’t been truly secret for a long time. Before the Equifax breach, there was the Experian breach, the Anthem breach, and the OPM breach. For millions of people, authentication by Social Security number no longer works. So why are we still using a credit system that relies on breachable data?
The credit bureau system is broken, and it’s been broken for a long time. The entire concept of a breach — hackers stealing corporate-held data for identity theft — is the result of a failed identity model that’s long outlived its usefulness. It’s easy to point to Equifax as the problem, and its poor handling of the breach (and possible insider trading) certainly doesn’t help. But the problem is bigger than any single company. In a world flooded with information, we’re still relying on a tiny set of sensitive data to protect us from fraud, and putting the burden on the average consumer when that data leaks out. We treat data as private when it’s already been exposed in breach after breach. This system has reached its breaking point. It’s time to burn it all down and start over.
In the most basic terms, credit bureaus work as a reputation service. You submit someone’s name and get back a report on all the money they’ve borrowed over the years and how it’s been repaid. That’s valuable information if you’re deciding whether to lend someone money, so businesses (or their customers) are often willing to pay for it. In that situation, the biggest risk to the lender is an impostor who runs up someone else’s tab and then skips town. So along the way, credit bureaus have become an identity service, too. Along with the potential client’s name, they ask for a Social Security number, and if those things don’t match, they know they’re dealing with fraud.
This is a terrible way to manage identity. From afar, a Social Security number looks kind of like a password. But you can change a password, and you shouldn’t use the same one with every service. To get slightly more technical, you can hash passwords, which lets services verify your identity without keeping your exact password easily available. Right now, I could count the number of places my Gmail password exists anywhere on one hand, whereas I’ve been writing my Social Security number on forms since I was 12. By now, hundreds of organizations have it, from old jobs to old dentists. That number was never going to be safe from scammers. The system was set up for failure from the very beginning.
Even worse, all this information is generally being shared without your consent. The three big credit bureaus — Equifax, TransUnion, and Experian — see their customers as the businesses checking people out, not the people themselves. They’re worried about keeping banks and car dealers happy, but the targets themselves are an afterthought. As a result, even basic inaccuracies can persist for years, bouncing between the three major bureaus. (Convincing credit bureaus that you’re not dead, for instance, is much harder than you think.) There have been a few regulations aimed at fixing that — most notably the Fair Credit Reporting Act — but it’s still an extremely clunky system, and the average consumer has little awareness or control over their own profile.
None of these are easy problems to fix, but there are lots of better methods out there. For example, making it easier to freeze your credit would be a good start. Credit-specific PIN numbers are the closest thing the industry has to two-factor authentication, but they’re still rare, even after a major breach like this one. Beyond that, the internet is full of more robust login systems, whether it’s through hardware tokens or biometrics. Because of credit-reporting agencies’ incumbent stranglehold, we haven’t applied any of those methods to the process of signing up for a credit card. It remains one of the easiest avenues for fraud, and one of the driving forces behind low-level cybercrime.
I don’t know what the answer is. I’m sure Facebook, Google, and PayPal would all love to take over from the credit bureaus, and there are real reasons to be wary of that. Some people will tell you we should put it all on a blockchain, decentralizing the system and querying discrete pieces of information as needed. New solutions bring new problems, and there’s no perfect answer to any of it. But Thursday’s breach should wake us up to how fundamentally broken this system is, and how urgently we need to replace it. Breaches aren’t simply security failures; they’re the inevitable result of a broken identity system. It’s time to rip it up and start again.