The Cranky Admin
        
        How the Cloud Can Prevent Another Equifax Breach
        The technology exists. We just have to put  it to use.
        
        
          
The recent Equifax  breach has revealed Personally Identifiable Information (PII) of more than  half of Americans, as well as millions of Britons and Canadians. There's no  putting the genie back in the bottle, so what now?
The Equifax breach is far worse than previous breaches. This is not the sort of security incident where you go through the yearly parade of canceling your credit card and getting a new one issued with a new number. The Equifax breach compromised the most critical PII available: the Social Security Number (SSN).
With someone's SSN and a few other bits of  PII readily available on the black market, the bad guys can take out mortgages,  loans or credit cards in the victim's name. The victim is legally liable for  these debts. 
In the cases where the victim can definitively prove they were defrauded, and lives in a legal environment where they can get these debts reversed, the process is time-consuming. For some, the legal fees associated with trying to recover from identity theft are crippling. Lives have been ruined by this sort of identity theft because, in many ways, the system is designed to presume that you are guilty unless you can prove yourself innocent.
The recommended solutions to the Equifax  data breach are remarkably analogue. We are being told to check our bank  statements weekly, and to regularly obtain credit reports from the three main  credit reporting agencies. 
There are other suggestions, but they all  boil down to every single citizen putting a great deal of manual effort into  not only ensuring that our existing bank accounts and credit cards haven't been  compromised, but that new ones haven't been opened in our name without our  permission. As the credit agencies, banks and governments see it, the burden is  on us, as citizens, to make sure that we haven't been defrauded. And we're  expected to do this for the rest of our lives.
That it can take days or weeks to get  information from relevant institutions -- institutions that will see a massive  spike in requests thanks to the Equifax breach -- is considered irrelevant. The  burden of proof is on us. There is no incentive for the credit agencies, banks  or governments to change how things are done.
But with the power of the cloud, this could  all be changed!
Ripe for Disruption
What's infuriating about the Equifax situation is that today's technology companies have all the technology necessary to solve this problem. A single Google engineer could knock out a nearly feature-complete beta in about a month's time using publicly available tools and cloud services. Let's see what that would look like.
There are two key components to focus on  here: notification of the citizen and obtaining that citizen’s permission. Both  of these should be doable without attempting to change anything about how  credit bureaus work, or their interaction with banks, governments or the  businesses that are the credit bureau's customers. 
Credit bureaus already make information available to, for example, tax and revenue agencies at various levels. These organizations access data via API calls to services provided by the credit bureaus. One such service -- the one provided by Equifax -- recently came to public attention when the IRS cancelled a large contract based on it.
This means that there exists a simple means  to access data that could inform a citizen that a new credit event had  occurred. These credit events could range from someone performing a credit  check on them to someone opening an account in their name. This could be  provided to citizens as a smartphone app, instantly changing everything for  victims of data breaches.
With the simplest of smartphone apps, information  about one's credit could change from being a massively manual "pull"  to a mundane and simple "push." Citizens would be alerted in real  time to unexpected behavior relating to their credit and, with a minor bit of  additional coding, calling the organization that granted credit or allowed a  bank account to be opened in one's name could be as simple as pushing a button  on the alert.
The real life-changer comes from advancing said application beyond notification. Right now, if a citizen wants to protect their credit, they need to place a "freeze" on their name with the major credit agencies. Then, when they want to apply for credit or open a bank account, they have to manually notify each of the credit agencies that they want it unfrozen, apply for credit, then re-freeze the account.
This is tedious, and we have the technology  to do better. We could freeze all credit accounts by default, and only unfreeze them when specifically allowed by  the smartphone app. It could unfreeze the accounts for a pre-set period of time  and then re-freeze them. The smartphone app could easily be a multi-factor  authentication system requiring not only possession of the smartphone, but a  remembered password and biometrics such as a fingerprint. 
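A minimal sketch of the default-frozen, time-boxed unfreeze with push alerts described above. It is an added example, not code from this article or from any credit bureau; `CreditFile`, its methods, the one-hour cap and the sample clock values are all hypothetical.

```python
import time
from dataclasses import dataclass, field

# The three factors the article names: the phone, a password, a biometric.
REQUIRED_FACTORS = {"device", "password", "biometric"}

@dataclass
class CreditFile:
    """Hypothetical credit file that is frozen unless explicitly unfrozen."""
    unfrozen_until: float = 0.0                  # epoch seconds; 0.0 = frozen
    alerts: list = field(default_factory=list)   # stands in for push notifications

    def _push(self, event, detail):
        self.alerts.append((event, detail))

    def unfreeze(self, verified_factors, seconds, now=None, max_seconds=3600):
        """Open a bounded window only if every factor was verified."""
        now = time.time() if now is None else now
        missing = REQUIRED_FACTORS - set(verified_factors)
        if missing:
            self._push("unfreeze_denied", "missing: " + ",".join(sorted(missing)))
            return False
        if not 0 < seconds <= max_seconds:       # assumed cap on the window
            self._push("unfreeze_denied", "bad window")
            return False
        self.unfrozen_until = now + seconds
        self._push("unfrozen", f"{seconds}s")
        return True

    def inquiry(self, requester, now=None):
        """Expiry is checked at decision time, so a missed re-freeze job
        cannot leave the file open. Every inquiry is pushed, allowed or not."""
        now = time.time() if now is None else now
        allowed = now < self.unfrozen_until
        self._push("inquiry_allowed" if allowed else "inquiry_blocked", requester)
        return allowed

def demo():
    f, t0 = CreditFile(), 1_000_000.0            # constructed clock value
    results = [
        f.inquiry("Unknown Lender", now=t0),                  # frozen by default
        f.unfreeze({"device", "password"}, 900, now=t0),      # biometric missing
        f.unfreeze({"device", "password", "biometric"}, 900, now=t0),
        f.inquiry("My Bank", now=t0 + 60),                    # inside the window
        f.inquiry("Unknown Lender", now=t0 + 901),            # window has lapsed
    ]
    return results, f.alerts

if __name__ == "__main__":
    print(demo())
```

The point of the design is that the safe state needs no action: the file re-freezes because the window lapses, not because something remembered to close it.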
This Shouldn't Be Hard
All of these authentication methods exist  as pre-canned code for any of the major technology companies. Indeed, most of  them have been working on strong identity services for years, and given the  levels of identity theft that are occurring, I'd wager they're better at it  than the credit agencies. Already, cloud services from various providers have  solutions that look for non-standard access patterns, such as two sign-ins from  different geographic regions.
I'm absolutely positive that if we put an  authentication nerd from Google in a room with relevant nerds from banks,  credit bureaus and tax and revenue agencies, they could nail down how to  determine that the individual in possession of the phone was legitimately  allowed to unfreeze a credit account long enough for a bank to process a credit  card application. In turn, this could not only generate an alert on that  individual's apps, but send that person an e-mail and maybe even autocall a  trusted third-party contact, just to make sure that the individual in question  was fully aware that a credit event was occurring.
This is what cloud computing is supposed to  be about. It is supposed to make it easy for a nerd to slap a nice UI on top of  a bunch of code libraries Google already possesses, connect it to public-facing  APIs provided by the credit bureaus, and make life better for hundreds of  millions of people.
We have the technology. The question is:  will the credit bureaus consent to us putting it to use?
        
        
        
        
        
        
        
        
        
        
        
        
            
        
        
                
                    About the Author
                    
                
                    
                    Trevor Pott is a full-time nerd from Edmonton, Alberta, Canada. He splits his time between systems administration, technology writing, and consulting. As a consultant he helps Silicon Valley startups better understand systems administrators and how to sell to them.