You Can’t Outrun the Security Bear

The September 7 Equifax hack is a hugely emotional and hyped event that continues to generate congressional and media attention.  If there is any good news, its likely that the impact of this breach on the individual consumer is only incremental.  Most of this information had already ‘leaked’. After all, our names, addresses, and dates of birth are public record. As individuals, we are forced to provide countless entities with our social security numbers—this data just cannot be considered as anything like a secret quantity.

The awkward reality of our greater national system is that we pretend that ‘shared secret’ is not oxymoronic. Identifiers can never reliably serve as authentication factors, because confidentiality cannot be maintained.   Whatever the relative quality of Equifax’ security program, ultimately, Equifax, like their competitors, like all financial service firms, like all medical providers, and like all of our employers, has made a deal with the devil of data.  Doing business in the USA today means agreeing to protect quantities that are inherently unprotectable.  Certainly no individual has any choice in the matter–we all have to agree to share our sensitive data in order to be employed, to use a credit card, to buy a house, or to receive medical care.

The credit providers overload Social Security Numbers and other identification quantities with an inherently flawed level of significance, making security failure virtually inevitable. Routine personal identification data must be widely and frequently referred to in a constant stream of routine transactions, yet names, addresses, personal history and numbers are treated as more than just identifiers–they are treated as authentication factors, the possession of which can enable financial fraud.  The more widely used and shared this information is, the more likely it is that motivated cybercriminals will find a way to access it.  If it hadn’t been Equifax, it would have been a major hack of some other organization holding huge amounts of personal records. And it will be again in the future, and again, and again.

Like the old joke about two guys running away from a deadly grizzly bear, you can’t outrun the security implications of a poorly designed financial transaction environment.  What you can do is outrun your competitors, making it much more likely that they will be hacked by the security bear, before it ever gets close to your vulnerabilities.

No organization holding large volumes of PII or PCI can hope to be invulnerable to incidents like this, and it is almost naïve, if not disingenuous, to blame one of them for failing to meet an impossible challenge.  The ultimate problem is that the greater system is broken–improvements to information security amount to patching holes in a dam that is too small to hold back the volume of flow. While the unfolding news about this latest public disclosure is providing useful reminders about the importance of vulnerability management, concentrating on the specifics of the exploit distracts from the much more significant and awkward problem.  As long as we continue to inappropriately use SSNs and as long as our consumer credit system relies on flawed authentication processes, we will be plagued by a constant stream of small, medium, and sometimes huge breaches of consumer information.

The bear is hungry, and he knows where to find food.