Did we really learn anything from the Equifax data breach?

by Perry Chaffee, on Wed 20 December 2017

If a company says it "protects" your data with usernames and passwords, they basically hate you and are complicit in helping hackers steal your data (and your identity). Yes, I said it. They hate you. Human-readable credentials, like those exposed in the Equifax breach, must not continue to be used as identification for any purpose. I see it over and over: the only thing companies are telling us to do is the same thing they were suggesting five or six years ago, which is to make our passwords more complex. Usernames and passwords are obsolete, and we must consider them ALL compromised, whether we know it yet or not. So what can you do?

Speak your mind.

Customers must complain to customer service for any website or service that requires them to log in with a username and password, since those can be compromised. It's not only inconvenient trying to remember or manage all your different usernames and passwords; it's a completely false sense of security. Additionally, two-step verification doesn't do anything but add inconvenience, and traditional two-factor authentication is just a band-aid added onto a critical problem. The only viable solution is strong, right-factor authentication using "something you have." (Nobody does that more securely than WWPass.)

Contact your elected officials.

Our government needs to be protecting its citizens, and that means in the cybersphere, too. Instead of issuing people smart card IDs (which can't be counterfeited and can be used to log in to websites and services), our government continues to use obsolete "dumb" IDs like driver's licenses. These are regularly counterfeited and offer zero online security. They actually put people at greater risk because when an ID is required for purposes like opening a bank account, the information is all human-readable and can be abused or counterfeited for the purpose of committing fraud or identity theft.

The only real solution that should be considered is the use of a token (something you have) as the first factor in the identification process. With WWPass authentication, one smartcard ID card can be securely linked to an unlimited number of personal accounts, and the verification process is all handled securely to remove the opportunity for human error, deception, abuse, counterfeiting, and impersonation. It's way more convenient, and also way more secure. Each year America loses an average of $15 billion to identity theft, and most of that could be stopped with technology available to our government today.

Consider all of this.

The United States Office of Personnel Management was breached, and the security background investigations of over 20 million US citizens working for the Department of Defense were compromised (including Social Security numbers, every address people ever lived at, the names of all their family members, trusted friends, neighbors, and co-workers, as well as full sets of fingerprints, psychological evaluations, etc.).

Organizations like the Department of Defense, the NSA, and the CIA can't seem to stop their top secret information from showing up on Wikileaks. If they can't reliably control the information they are collecting, then what's to stop unknown third parties from accessing the information collected by surveillance tools and using it against you? While many people already have an issue trusting the government, consider what happens when hostile criminal organizations secretly get access to the information we may have unknowingly entrusted our government to protect.

If the federal government can't protect highly sensitive records for military personnel, what makes you think other organizations like the IRS, the Department of Licensing, or the Social Security Administration are doing any better to protect average people?

We are at war.

It is time that the governments of our world stop trying to pretend that we're not all engaged in an ongoing cyber war against one another. While traditional, conventional warfare is defined and understood under internationally accepted and agreed-upon laws of armed combat, cyber warfare is much more vague. While you may not worry about foreign tanks or planes invading your neighborhood and attacking your community or your businesses on a daily basis, you do need to worry about foreign cyber attacks. State-sponsored attacks happen continually, and seemingly without consequence to their perpetrators. This is largely because they rarely get notable media coverage. "Victims" like Equifax tend to be embarrassed and can see adverse impacts like falling stock value, so they may also try to hide evidence of these attacks for as long as possible. Our governments do not wish to recognize acts of war as such, so they tend to downplay them as well. The bottom line is this: if an organization like Equifax receives overwhelming evidence that using passwords and usernames to protect sensitive user data will inevitably result in that data being compromised, and uses them anyway, then that enterprise is not a victim. Through gross negligence, it is complicit in the crime against the people who entrusted it with their data. End of story.

Ready to learn about different types of multi-factor authentication? Check out this infographic to find out more.