Credit Freezes - Additional Thoughts (SSS file)
October 24, 2017
I published my post on this topic in the SSS ("Simple Security Screwups") file yesterday night, but following a quick LinkedIn exchange with the most prominent thought leader on identity theft in the country and probably the world (Mr. Neal O'Farrell), had a few more thoughts to share.
First, I want to make sure everyone understands something: by the end of the post, I convince myself that it is not just important, but absolutely critical that everyone freeze their credit files... just for a different reason than normally stated. In my humble opinion, it is primarily to get "in there" before the identity thief does, so that at least you are in control of your own PINestiny. That's worth a minor hassle.
Second, I guess I wasn't clear enough about why this belongs in the SSS file, so let me explain.
In information security, we have a simple concept called "two-factor authentication". What it means is that, to decrease the chances that someone steals your access, we require that you perform authentication via two separate modes, for example, "what you know" (such as a password or PIN), and "what you are" (e.g. your thumbprint).
A third mode in the world of factors is "what you have" - which could be your cellphone - and the combination of passwords and single-use codes sent to registered phones has become an almost ubiquitous method for higher online security. It is a very effective way to dramatically increase the security of your gmail account, for example.
Because it involves the entry of a password on your screen, and then "lifting" the code from the phone and entering it as a second step, this is also known as "two-step" or "two-channel" authentication.
The most important thing to keep in mind here is that the increased security comes from the fact that, in order to break a 2-factor authentication, you have to compromise two distinct "systems". That's why two passwords do not count as 2-factor authentication - both of them are something you know, which means that the only system that needs to be compromised is you. In a typical 2-channel, for example, one would have to both know your password and steal your phone.
Now that we know all of that, let's get back to the credit reporting agencies (CRAs). The PIN idea is, superficially, a good one. It "feels" very similar to two-channel authentication, right? You have your "password", which is the private information you know and is used to authenticate, and then you have the PIN, which is a separate item only you have. It's like the code sent to your phone.
Except it isn't.
See, by implementing it the way they did (with one very notable exception, as you will see below), they made the same basic error that leads to thinking that separate passwords are distinct factors. By using the same exact channel (your browser or phone depending on how you choose to effect the freeze) to allow the consumer to set or receive a PIN they have reduced the authentication to a single factor - and worse, the other piece of information is already compromised, courtesy of dear ol' Equifax.
The PIN is useless.
Or rather, it's worse than useless. As I described in the other post, it can now be used to hold your identity hostage!
This is really, really bad.
Oh, and to that notable exception: guess which of the three big CRAs did things the right way? It's a trick question, because the answer is "the fourth one".
Wait, there's a fourth CRA? Yup. It's called Innovis, and they did something much simpler - they don't ask you for anything except your name and social security number (which can safely be assumed to be compromised), and then they send a random PIN to your last known mailing address (which, of course, they have since they are a CRA).
Now there is a two-channel authentication method worthy of the name. It's just like the code to your phone, except in this case the thing you have is your residence.
Simple. Easy to understand. Actually effective to some degree.
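To make the "count systems, not credentials" point concrete, here is an added Python model (my own illustration, not code from this post or from any CRA): each credential records which independent system a thief must compromise to obtain it, and the hypothetical flows for the big-three in-browser PIN, the Innovis mailed PIN, and a phone code are scored against an attacker who already holds the breached personal data. Every flow, credential and system name below is a constructed assumption.

```python
from dataclasses import dataclass
from enum import Enum

class Kind(Enum):
    KNOW = "what you know"
    HAVE = "what you have"
    ARE = "what you are"

@dataclass(frozen=True)
class Credential:
    name: str
    kind: Kind
    # The independent "system" a thief must compromise to obtain this credential.
    # Two credentials that come from the same system are really one factor.
    system: str

# Constructed, hypothetical models of the flows discussed in the post.
PII = Credential("name/SSN/DOB on file", Kind.KNOW, "consumer's knowledge")
SECOND_PASSWORD = Credential("second password", Kind.KNOW, "consumer's knowledge")
# Big-three style: the PIN is chosen or displayed in the same browser session that
# the PII unlocked, so whoever holds the PII can simply set the PIN themselves.
IN_BAND_PIN = Credential("freeze PIN (set in session)", Kind.HAVE, "consumer's knowledge")
# Innovis style: the PIN arrives by postal mail at the address the CRA already has.
MAILED_PIN = Credential("freeze PIN (mailed)", Kind.HAVE, "residence mailbox")
SMS_CODE = Credential("one-time code", Kind.HAVE, "registered phone")

BREACHED = {"consumer's knowledge"}  # what the Equifax breach handed over

def nominal_factors(design):
    """What the form *looks* like: number of factor kinds requested."""
    return len({c.kind for c in design})

def effective_factors(design):
    """What actually matters: number of distinct systems a thief must compromise."""
    return len({c.system for c in design})

def attacker_succeeds(design, compromised=BREACHED):
    """True when every credential comes from a system the thief already controls."""
    return all(c.system in compromised for c in design)

def compare_designs():
    designs = {
        "two passwords": [PII, SECOND_PASSWORD],
        "password + phone code": [PII, SMS_CODE],
        "CRA PIN set in browser": [PII, IN_BAND_PIN],
        "Innovis PIN by mail": [PII, MAILED_PIN],
    }
    return {name: (nominal_factors(d), effective_factors(d), attacker_succeeds(d))
            for name, d in designs.items()}

if __name__ == "__main__":
    for name, (nominal, effective, owned) in compare_designs().items():
        print(f"{name:24s} looks like {nominal} factor(s), really {effective}; "
              f"thief with breach data wins: {owned}")
```

The in-browser PIN flow scores two kinds but only one system, which is exactly why the breached data alone is enough to take it over.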
On the strength of that one decision alone, I propose that we allow Innovis to replace Equifax as one of the big three CRAs - please, please, please, American businesses, stop using Equifax entirely. Let the company fail. Let it be erased from history in shame. We did it with Enron. We can do it with Equifax. Yes, what Equifax did is just as bad.
Just move your business to Innovis, and the rest will take care of itself.