While most people worry that the Equifax data breach will cause a spike in identity theft and other cyber fraud, maybe we should be more concerned if this does NOT happen.
Articles about Equifax and the breach made headlines not just in the trade rags but also in the mainstream press. Such coverage surprises no one given the vast number of records that were compromised. But what of the countless breaches not headlined, not fully disclosed, and not discovered at all?
What percentage of the data compromised via Equifax records had already been stolen through all the under-reported and unknown breaches? Supposedly, there are ‘Dark Web’ service providers aggregating stolen data. If there is no great spike following Equifax, that might suggest these data aggregators already had much of what was stolen.
So, if the data is already in their hands, what are we to do? Well, most articles and analysts recommend credit monitoring services and/or periodically reviewing them ourselves.
These and other options are lame. There is nothing preventative about them. One wonders how much these reactionary approaches are costing us. You can bet the financial institutions are not taking it on the chin. Why should they? But their customers are, in the form of new and/or higher fees. And these are only the direct costs. The indirect or opportunity costs generally far exceed the direct ones.
The politicians are legislating all kinds of reactionary measures. They are also legislating what they think are preventative measures that call for organizations to implement cybersecurity best practices. These ultimately amount to least-effort checklists. They are better than nothing. But history has already shown that they are NOT good enough.
All this is strikingly similar to another ‘reactionary’ quagmire that has plagued, and increasingly plagues, the enterprise. Cybersecurity costs to the enterprise go up year after year. Porous endpoint protection is one of the main roots of this pandemic. Vendors and their customers seem to have given up on prevention. Organizations are spending vast amounts on ‘detect and react’ tools and operations instead of nipping those costs at the endpoint. Vendors earn far more profit from products and services downstream of endpoint compromises than from preventing them in the first place.
A National Identity System would be the best means for the politicians to make a meaningful impact: one step for better security, one giant leap for cyber fraud prevention. The concept is simple. Make every significant financial transaction depend on an unspoofable possession factor, preferably public key infrastructure (PKI) based.
This alone would not eradicate cyber fraud. The Department of Defense (DoD) has long used such identity tools. Yet it still suffered from fraudulent activities. I’m referring to incidents where the computers of DoD personnel had been compromised with malware. When an individual used his/her identity card to log on, the malware would conduct its own transactions. Funny how this ties back to that other quagmire.
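The two paragraphs above describe a PKI possession factor and the way it failed at DoD: once the card holder had logged on, malware on the same workstation conducted transactions inside the authenticated session. The following added example (not from the original post) models both designs side by side: a logon-only scheme, where the card signs a single challenge and everything in the resulting session is trusted, and a per-transaction scheme, where the card signs each transaction together with a fresh server nonce. The RSA routines are a deliberately tiny textbook toy standing in for the card's key pair, and the `approve` callback is an assumed trusted display/confirm button on the token; the transaction strings are constructed sample data.

```python
"""Toy model: logon-only versus per-transaction use of a PKI possession factor.
Textbook RSA with tiny keys, for illustration only; not for real use."""
import hashlib
import secrets


# --- toy RSA (assumption: stands in for the identity card's key pair) ---
def _is_probable_prime(n, rounds=20):
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c


def generate_keypair(bits=512):
    """Return (public, private) as (e, n) and (d, n)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)


def _digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(priv, msg: bytes) -> int:
    d, n = priv
    return pow(_digest(msg), d, n)


def verify(pub, msg: bytes, sig: int) -> bool:
    e, n = pub
    return pow(sig, e, n) == _digest(msg)


# --- the possession factor ---
class Token:
    """The private key never leaves the token. `approve` models an assumed trusted
    display and confirm button: the holder sees exactly what is about to be signed."""

    def __init__(self, priv, approve):
        self._priv, self._approve = priv, approve

    def sign_logon(self, nonce: bytes) -> int:
        return sign(self._priv, b"logon:" + nonce)

    def sign_transaction(self, txn: str, nonce: bytes) -> int:
        if not self._approve(txn):
            raise PermissionError("holder did not approve this transaction")
        return sign(self._priv, b"txn:" + txn.encode() + b":" + nonce)


# --- the relying party ---
class Bank:
    def __init__(self, pub):
        self.pub, self.session, self.ledger = pub, None, []

    def logon(self, token: Token) -> str:
        nonce = secrets.token_bytes(16)
        if verify(self.pub, b"logon:" + nonce, token.sign_logon(nonce)):
            self.session = secrets.token_hex(8)
        return self.session

    def transfer_session(self, session: str, txn: str) -> bool:
        """Logon-only model: anything presented inside a live session is executed."""
        if session != self.session:
            return False
        self.ledger.append(txn)
        return True

    def transfer_signed(self, token: Token, txn: str) -> bool:
        """Per-transaction model: the token must sign this exact transaction plus a fresh nonce."""
        nonce = secrets.token_bytes(16)
        try:
            sig = token.sign_transaction(txn, nonce)
        except PermissionError:
            return False
        if not verify(self.pub, b"txn:" + txn.encode() + b":" + nonce, sig):
            return False
        self.ledger.append(txn)
        return True


def run_scenario() -> dict:
    """Constructed scenario: the holder intends one payment; malware on the
    logged-on workstation submits another."""
    pub, priv = generate_keypair()
    intended = {"pay $40 to utility"}
    token = Token(priv, approve=lambda txn: txn in intended)  # trusted confirm
    blind_token = Token(priv, approve=lambda txn: True)       # no trusted display
    bank = Bank(pub)
    session = bank.logon(token)
    return {
        "user_session": bank.transfer_session(session, "pay $40 to utility"),
        "malware_session": bank.transfer_session(session, "pay $900 elsewhere"),
        "user_signed": bank.transfer_signed(token, "pay $40 to utility"),
        "malware_signed": bank.transfer_signed(token, "pay $900 elsewhere"),
        "malware_signed_blind": bank.transfer_signed(blind_token, "pay $900 elsewhere"),
    }


if __name__ == "__main__":
    for name, accepted in run_scenario().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The logon-only path accepts the malware's transfer, which is the DoD failure mode described above. Per-transaction signing rejects it only because the token is assumed to show the holder what it is signing; the `blind_token` case shows that a card which signs whatever the compromised host hands it offers no more protection than the session model, so the possession factor is unspoofable only as far as the path between holder and token is trusted.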
A National Identity System might also take on other identity-related problems. There have long been reports of individuals possessing different legal identities in different states. Binding biometrics could eliminate this. There is also concern over the aggregation of customer/individual data by corporations, whereby comprehensive profiles are formed. In theory, such data can be used to determine the maximum amount businesses can charge for their goods and services. In short, we all pay higher prices. A National Identity System might employ a form of anonymized authentication. The concept is simple but the details are not. It envisions secure financial transactions without any one party being able to piece together the many individual ones to form comprehensive profiles. Imagine a National Identity System that allows any employer to robustly authenticate its employees and others. Whatever they are spending and losing on identity infrastructure would cease. And lastly, a national identity system would eliminate hundreds of billions in fraud annually, lost by the Federal government alone.
Will there ever be enough Equifax-like data breaches to move us from the quagmire of costly reactionary approaches to preventative solutions? There are practical answers to cyber fraud, as well as to exploding enterprise cybersecurity costs. The first step is difficult. It requires abandoning the presumption of failure.