OPINION – Why Does Anyone Think PII Can Prove Your Identity?
American Banker ran a piece this morning digesting the Experian breach announced last week. It said it was good that the breach only compromised 15 million T-Mobile customers instead of the hundreds of millions of customers that probably live in the Experian Decision Analytics service platform and that it only took them two weeks to announce the breach.
It also said that the breach was bad news for banks in that the information stolen – Social Security Number, Date Of Birth, military ID, Passport numbers – are important information for identity thieves.
Experian said that the good news is that no payment information was stolen. That is actually the bad news. If it were credit card or bank account information, that is easily changed. Try changing your passport number. Or your Military ID.
That could be the reason that the attackers went after that data – the useful life expectancy of that data is decades.
Curiously, Experian owns a very well respected fraud detection service called 41st Parameter, or The 41st. Banks use this service, but it is not clear whether Experian uses it internally.
Obviously, other Experian customers should be worried and start asking a lot of questions, answers to which they may get in private, but not in public. Any organization that uses any credit decision analytics service from any vendor ought to be asking questions today.
But here is the opinion part –
Who, in this day of the Internet, is still treating government-issued information as private enough to identify anyone?
Organizations that are doing that are fooling themselves. Even ignoring family fraud (I likely know the so-called secret information of many extended family members), with all of the breaches over the last ten years, do you think that I could not acquire the Social Security Number or Birth Date of anyone I wanted to with a little effort?
Experian, among others, offers an identity verification service that uses “out of wallet” information to identify a customer. While this may be a little bit better than using your Social or Birth Date, it is only because the hacker didn’t research what color car you owned in 1982. Since most people don’t remember what color or make of car they owned in 1982 – assuming they were even alive then – the questions are multiple guess. This means that even if all you did was throw a dart at it (and since it is on your computer screen or phone, I recommend a suction cup dart rather than one with a sharp point), you have a 25% chance of being right. The questions are always drawn from public records, so as there are more breaches, that data becomes less private as well.
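To put numbers on the dart-throwing argument, here is a small added example (my own code, not anything from Experian or from the article) that computes the probability an attacker passes a multiple-choice “out of wallet” challenge. It assumes a constructed policy of four-choice questions, treats the attacker as guessing uniformly on questions they do not know, and lets you model how many answers the attacker already knows from breached or public records. The question counts, choice counts and pass thresholds are illustrative assumptions, not the parameters of any real service.

```python
from math import comb


def pass_probability(n_questions: int, choices: int,
                     required_correct: int, known_answers: int = 0) -> float:
    """Probability that an attacker passes a multiple-choice KBA challenge.

    n_questions      - questions asked (assumed policy, not a vendor value)
    choices          - options per question (4 => 25% per blind guess)
    required_correct - how many must be right to pass
    known_answers    - questions the attacker already knows from breach or
                       public-record data; these are counted as correct.
    Unknown questions are guessed uniformly at random.
    """
    if required_correct > n_questions:
        return 0.0
    known = min(known_answers, n_questions)
    remaining = n_questions - known
    still_needed = max(0, required_correct - known)
    p = 1.0 / choices
    # Binomial tail: at least `still_needed` correct out of `remaining` guesses.
    return sum(comb(remaining, j) * p ** j * (1 - p) ** (remaining - j)
               for j in range(still_needed, remaining + 1))


def policy_table(choices: int = 4, max_known: int = 3) -> list[tuple]:
    """Compare a few constructed pass policies against growing attacker knowledge.

    Returns rows of (policy_label, known_answers, pass_probability).
    """
    # (questions asked, correct answers required) - constructed policies
    policies = [(1, 1), (4, 4), (4, 3), (5, 4)]
    rows = []
    for n, k in policies:
        for known in range(0, max_known + 1):
            rows.append((f"{k} of {n}", known, pass_probability(n, choices, k, known)))
    return rows


if __name__ == "__main__":
    for label, known, prob in policy_table():
        print(f"policy {label:>6}  attacker knows {known} answer(s)  pass chance {prob:6.1%}")
```

The point the table makes is the one the paragraph makes in words: a single four-choice question is a coin flip weighted in the attacker's favor, a “3 of 4” policy still passes a blind guesser about one time in twenty, and every answer the attacker has already harvested from a breach pushes the pass rate sharply upward, which is why treating public-record data as a secret is a losing proposition.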
So, while I agree with American Banker that this breach is a big problem for banks, maybe it is a wake-up call to stop using non-secret information to identify people. And while I am beating up the banks this morning, it applies to any company that uses non-private personal information to supposedly identify its customers.
Which means that WE, as customers, should get used to the businesses we do business with identifying us in a completely different manner and not complain when they do?
Here is a link to the American Banker article.