Friday, January 13, 2017

Data Breaches and Credit Monitoring

Data breaches have become so frequent as to be commonplace. We almost expect
them to happen now. The typical response for saving corporate face is to issue
a somber apology and then offer a year of free credit monitoring.
"Sorry some hackers got your data because we suck, but in recompense, we'll pay
some third party to 'monitor' your credit for a while".
Well, gee whiz, that fixes the problem, doesn't it?

So there are two assumptions being made here. The first one is that the only
thing the thief will do with your information is try to establish a new line of
credit in your name. The second one is that if they have not exploited this
within one year, they probably are not going to.

The first assumption does not account for basic credit card purchase fraud,
which I have to believe is more probable than someone trying to buy a new
washing machine and dryer with it.

The second assumption seems somewhat reasonable. In this day and age, online
data can have a very short shelf life and would more likely be exploited sooner
than later. Of course, it depends on what information was acquired.
Suppose it was Amazon.com. What are you out? Name, date of birth, address,
credit card data, and a lot of marketing data about your buying and browsing
habits. But what about something like the US government's OPM breach? Now you
are out pretty much everything including long-term data about past residences,
your finances, etc. that could be exploited far later and have far greater
consequences. In that case, the bad actor is presumed to have been a foreign
government who would be looking for security holes like blackmail targets rather
than trying to buy clothes at the Gap for free with your credit card.
My point is that credit monitoring will do nothing against any of this. It only
works if the thief tries to get a new card in your name or buy something really
big with financing where the merchant will run a credit check on you.
And even then, you merely get notified after the fact. Hopefully you are paying
attention to their communication back to you but the initial damage is already
done and happening and now you have to try and clean it up.

A post by Brian Krebs explored this issue and offered some excellent advice.
He pointed out that monitoring is reactive, not proactive. You can voluntarily
freeze your credit reports (there are 4 different companies) and then everyone
including you, the thief and all merchants are denied access to check your
report. And that prevents any new illicit lines of credit from being established.
Something that would be really nice is if you could combine the freezing and
monitoring so that you get notified that someone tried to check it and was
denied due to the freeze. I don't think that happens because the freeze prevents
the check, so there's nothing to report so to speak.

Doing this does have some downsides. If you want to legitimately apply for new
credit, you will have to temporarily lift the freeze before the merchant makes
the check. That does not happen instantly and involves long PINs you
are given when you place the freeze. Also, most merchants either do not know or
will not tell you which company they are going to use for the check.
Perhaps they will use more than one? So you have to unfreeze all four of them.
That's probably not a huge deal because how often does the average person apply
for new credit? And you probably don't do that on a whim unless it's a
department store card offered at the time of checkout so you can save an extra
10% today just for signing up. So freezing your reports is a form of self-denial
of service. A loss of availability and a usability problem.

Another problem is something called "knowledge-based authentication". Sometimes
when applying for something online, they want further assurance of your identity.
One relatively common technique is to probe your credit report and invent
questions about past residences or loans that, in theory, only you would know
the correct answer to. Which one of these addresses have you previously lived
at? Which company held the mortgage for your first home? The correct answer
pulled from your credit report is inserted along with three bogus answers for a
multiple choice quiz. Unfortunately, in order for them to generate the
questions, they have to access your credit report which is frozen so the whole
process fails.

One breach I was involved in tried to use this technique to verify my identity
before setting up the free credit monitoring. The freeze resulted in an
unexpected error code requiring me to call them for resolution. I ended up
opting out of the monitoring and half-jokingly told them that it did not matter
because I was already being monitored from about three other breaches and
another one was sure to come along before those expired.

The problem with this technique is that it relies on the flimsy assumption that
only I would know the correct answers. First, it's a 4-option multiple choice
quiz. Not that hard to guess correctly by sheer luck.
Second, that information could have been obtained via some other breach
(e.g. OPM, IRS, etc). So this becomes a circular problem of trying to use the
stolen goods to protect the stolen goods from further stealing... hmmm.
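To put a number on how little assurance a 4-option quiz actually gives, here is a small model of the two weaknesses just described: pure guessing, and an attacker who already knows some answers from another breach. This is an added example, not code from the original post; the quiz length, attempt limits and "known answer" counts it takes as parameters are illustrative assumptions, not any bureau's real settings.

```python
"""Model of the assurance a knowledge-based authentication (KBA) quiz gives.

Added example, not from the original post. The quiz sizes, attempt counts and
number of already-known answers are assumed inputs for illustration only.
"""
import math
from fractions import Fraction

# The post describes a 4-option multiple choice quiz (1 real answer + 3 bogus).
OPTIONS_PER_QUESTION = 4


def pass_probability_one_attempt(questions: int, known: int = 0) -> Fraction:
    """Probability that a single attempt answers every question correctly.

    `known` is how many questions the attacker can already answer from data
    obtained elsewhere (the "circular problem" in the post); the remaining
    questions are pure 1-in-4 guesses.
    """
    if not 0 <= known <= questions:
        raise ValueError("known must be between 0 and questions")
    guessed = questions - known
    return Fraction(1, OPTIONS_PER_QUESTION) ** guessed


def pass_probability_fresh_quiz(questions: int, attempts: int, known: int = 0) -> Fraction:
    """Chance of passing within `attempts` tries when every try gets a new quiz.

    Attempts are then independent, so the failure probabilities multiply.
    """
    p = pass_probability_one_attempt(questions, known)
    return 1 - (1 - p) ** attempts


def pass_probability_same_quiz(questions: int, attempts: int, known: int = 0) -> Fraction:
    """Chance of passing within `attempts` tries when the same quiz is re-served.

    This is the failure mode a verifier must avoid: each wrong attempt rules
    out one combination, so the attacker just walks the remaining answer sets.
    """
    guessed = questions - known
    combinations = OPTIONS_PER_QUESTION ** guessed
    return Fraction(min(attempts, combinations), combinations)


def equivalent_bits(p: Fraction) -> float:
    """Express a pass probability as bits of security, for comparison with a PIN."""
    return -math.log2(float(p))


def summary(questions: int, attempts: int, known: int = 0) -> dict:
    """Collect the figures for one quiz configuration in a single dict."""
    single = pass_probability_one_attempt(questions, known)
    return {
        "single_attempt": single,
        "bits": equivalent_bits(single),
        "fresh_quiz_retries": pass_probability_fresh_quiz(questions, attempts, known),
        "same_quiz_retries": pass_probability_same_quiz(questions, attempts, known),
    }


if __name__ == "__main__":
    # A 3-question, 4-option quiz with up to 3 attempts, and the same quiz when
    # the attacker already knows 2 of the answers from a previous breach.
    for known in (0, 2):
        s = summary(questions=3, attempts=3, known=known)
        print(f"known={known}: single try {s['single_attempt']} "
              f"({s['bits']:.1f} bits), 3 tries fresh quiz {float(s['fresh_quiz_retries']):.3f}, "
              f"3 tries same quiz {float(s['same_quiz_retries']):.3f}")
    # For comparison, a 4-digit PIN is about 13.3 bits against a single guess.
    print(f"4-digit PIN: {equivalent_bits(Fraction(1, 10_000)):.1f} bits")
```

The point the numbers make is that a 3-question quiz is worth about 6 bits against a blind guess, already weaker than a 4-digit PIN, and it collapses to a 1-in-4 chance once two answers are known from elsewhere. A verifier that re-serves the same quiz after a wrong answer makes it worse still, so fresh questions per attempt and a low attempt limit are the minimum a defender should expect from any system relying on KBA.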
