Your Secrets Are Wearing Emperor’s Clothes

With every reported breach, we continually recognize that our information is for sale. In particular, in the aftermath of the Equifax breach, we can no longer think of SSN, Date of Birth (DOB), Name, and even account numbers as secret information. We have come to a time when we must consider this data as generally “publicly available for purchase.”

Institutions which rely on customer identity-proofing and authentication need to shift their thinking on what constitutes identity, and you, as a consumer, need to hold your institutions accountable. If the companies providing you financial, health, or other private services don't meet the bar for verifying your identity, you need to consider moving your business to other institutions.

Are Your Institutions Protecting Your Accounts?

Think of the places you hold your money—banks, investment accounts, credit unions. Think of places that hold your most private information, such as your health care provider or a credit bureau.

Verify, right now, that each of these institutions does two things:

  • It offers Multi-Factor Authentication (MFA), so that logging in requires at least two distinct factors drawn from “something you know”, “something you have”, and “something you are”. A password plus a second password is not MFA; a password plus a code from a device you hold is. This is not new; many institutions have been moving to MFA over the last two decades, and hopefully your most important institutions are already there.
  • It does not treat SSN, DOB, Name, or account number as “something you know”, as if they were still secret. The emerging reality is that this data is effectively public, and many organizations are not prepared for the shift.

Put Your Institution to the Test

How can you test your institutions? Try this experiment with your favorite institutions:

  1. Go to a new computer or browser and navigate to a few of your most important websites.
  2. Click on “forgot username” and see what secrets are required to recover a username.
  3. Then continue on with “forgot password.”

What did you have to “know” to get through these hurdles? Is it possible that those “secrets” are now available for purchase? Just as important, what other verification was required? If you had to open an email, that adds some protection, although you also need to understand how vulnerable your email account may be; it is often guarded by nothing more than a password and recovery questions of its own. If you received a text message, that is slightly better, but not by much: SMS messages can be intercepted, and a SIM-swap attack, in which someone talks your phone carrier into moving your number to their phone, is a social-engineering problem rather than a technical one. If you received a push notification or one-time code inside the institution's own app, that is a good situation. In the most secure examples, you will have a dedicated piece of MFA hardware or software issued by your institution, such as a hardware security key or an authenticator app enrolled with that institution.

Call Out the Emperor’s (Lack of) Clothes

If the “secrets” and the “thing you have” seem weak or potentially already exposed, let the institutions providing you financial, health, and other private services know. And if they don’t act quickly, you need to think about moving your assets and business elsewhere.

While you’re at it, contact your senators and congressperson and let them know the IRS needs to take these same steps. Your SSN is not secret anymore, if it ever was. It simply should not be the basis of identity-proofing for a tax filing.

As a society, we urgently need to better address identity-proofing and identity verification. The federal government was working on such an initiative but it is unclear what the current status is. More recently, NIST has been producing standards for identity management in its SP 800-63 Digital Identity Guidelines, which treat identity proofing and authentication as separate problems with separate assurance levels. Meanwhile, a number of businesses and start-ups see this as an opportunity to create something new.

For now, in this post-breach world in which we live, your Personally Identifiable Information (PII) is wearing the emperor’s new clothes. If these verification steps are not in place, it’s time to take your business elsewhere.