Credit Bureau Overhaul Past Due
Don't be late on a payment; it can hurt your credit file. College student or "thin file"? Not to worry, the big three are collecting data on you as fast as they can, modeling your risk profile and repackaging you for their clients. Who benefits from all of this non-consensual data collection? Have you ever received a payment for your data from Equifax, TransUnion or Experian? More likely, you have paid them to correct errors in their database via a monthly service, because bad data = bad credit. As the saying goes, "you get as much justice as you pay for."
Last week's announcement by Equifax was shocking because of the type and quantity of data that the credit bureaus hold. They are a cornerstone of the economy, relied on by lenders, businesses, real estate, employers...everyone accesses your credit for one reason or another. They operate in the public trust, and losing so much data while being unaware for so long is unacceptable. The WSJ reported today that hackers were in the network since March; that's at least six months. The BakerHostetler 2017 Data Security Incident Response Report notes a 61-day average period from occurrence to discovery. Wouldn't you expect an entity entrusted with all of America's personal data to be on the short end of the discovery timeline?
The credit bureaus are regulated under the FTC Act and the FCRA, and an investigation is underway. Additionally, because they collect personal information, the Privacy Rule under the GLB Act also applies, and a class action has been filed in the U.S. District Court in Portland, Oregon. Equifax settled charges with the FTC back in 2012 for improperly selling lists of customers who were late on their mortgage. In one interview, the company CEO stated that they have diversified so that only 30% of their revenue comes from providing credit services; the remainder is from new services. It seems monitoring the credit bureaus is tricky because they are not held to the high standards that banks are for data security controls, yet banks rely on them to make critical decisions for consumers. Moreover, credit bureau product diversification pushes the boundaries of proper use of our personal data.
Proper stewardship is essential for credit bureaus, and that includes regular assessments of the security stack, personnel interviews, network monitoring of all inbound/outbound sessions and PATCHING. We all know how difficult it is for global businesses to keep up with patches, but a central database that holds all of America's personal data certainly warrants heightened scrutiny. In fact, the federal government regulates defense contractors (the "DIB") and others with sensitive data to avoid this very outcome. Shouldn't data brokers, credit bureaus and anyone requesting to hold and sell our personal data be held accountable to a higher standard?
The Apache Struts vulnerability opened the door for hackers at Equifax, but what happened after that? Comodo Threat Intelligence Labs reported that as many as 388 sets of "username, title, password and login URL, plus the dates on which they were obtained" are available for sale on the dark web. They reported that a Russian password-stealer kit called Pony malware was used to harvest the identity data; most of the passwords were basic, all lower case with no special characters. The leadership of Equifax "didn't follow basic security best practices." But this is all too common, and it accentuates the need for multi-factor authentication (MFA), which can incorporate biometric and behavioral attributes. New financial services regulations, including PSD2 in the EU, NIST 800-63 and the NY Department of Financial Services (DFS) rule, all call for MFA and the use of something you have, something you know and something you are. Perhaps the U.S. Senate inquiry will result in these sensible standards being imposed on all data handlers.
Back in 2013, the State of South Carolina Department of Revenue was hacked, and the result was tax return fraud. I expect that as we enter the fourth quarter, the hackers will have ample data to sell for use in sophisticated phishing campaigns and upcoming tax filing preparation. Prudence suggests filing the IRS affidavit and getting a special PIN for your tax filing. But as a nation, we should examine why we are allowing these credit bureaus and data brokers to access our personal information. Do we need them? Currently, yes. But there is hope!
I have been talking with blockchain companies about transaction-based reputation. Essentially, every transaction that you do, every invoice that you send and every counterparty that you transact with is recorded on a blockchain. Using strong identity at both the individual and company level, a trusted third party can be given a view into the transaction history between Company A and multiple counterparties. This data is then used to form a credit decision or to decide whether to engage in a business transaction. The network is the trust: it cannot be changed, and it doesn't require third-party validation.
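To make the "cannot be changed" property concrete, here is a small added example (not code from any of the companies mentioned, and not part of the original post) of a hash-chained transaction ledger: each record commits to the previous record's hash, so rewriting any past invoice or payment breaks verification, and a third party given a view can pull one counterparty's history. The company names, invoice numbers and amounts are constructed sample data; the function names are the example's own.

```python
import hashlib
import json

GENESIS_HASH = "0" * 64


def _canonical(obj):
    # Deterministic serialization so the same record always hashes the same way.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def block_hash(index, prev_hash, tx):
    # Each block commits to its position, its predecessor's hash and its payload.
    return hashlib.sha256(_canonical({"index": index, "prev": prev_hash, "tx": tx})).hexdigest()


def append_transaction(chain, tx):
    """Append tx to chain (a list of block dicts) and return the new block."""
    index = len(chain)
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    block = {"index": index, "prev": prev_hash, "tx": tx, "hash": block_hash(index, prev_hash, tx)}
    chain.append(block)
    return block


def verify_chain(chain):
    """Return True only if every block's hash and back-link are intact."""
    expected_prev = GENESIS_HASH
    for i, block in enumerate(chain):
        if block["index"] != i or block["prev"] != expected_prev:
            return False
        if block_hash(i, block["prev"], block["tx"]) != block["hash"]:
            return False
        expected_prev = block["hash"]
    return True


def counterparty_view(chain, party):
    """Transactions involving `party`, as a third party granted a view would see them."""
    return [b["tx"] for b in chain if party in (b["tx"]["from"], b["tx"]["to"])]


def build_sample_chain():
    # Constructed sample transactions; names, invoices and amounts are illustrative only.
    chain = []
    for tx in [
        {"from": "CompanyA", "to": "SupplierX", "amount": 1200, "invoice": "INV-001", "paid": True},
        {"from": "CompanyA", "to": "SupplierY", "amount": 800, "invoice": "INV-002", "paid": True},
        {"from": "CompanyB", "to": "SupplierX", "amount": 300, "invoice": "INV-003", "paid": False},
    ]:
        append_transaction(chain, tx)
    return chain


def tamper_demo():
    """Show that editing history after the fact is caught by verification."""
    chain = build_sample_chain()
    before = verify_chain(chain)
    chain[0]["tx"]["paid"] = False  # attempt to rewrite CompanyA's payment record
    after = verify_chain(chain)
    return before, after


if __name__ == "__main__":
    ledger = build_sample_chain()
    print("chain valid:", verify_chain(ledger))
    print("CompanyA history:", counterparty_view(ledger, "CompanyA"))
    print("valid before/after tamper:", tamper_demo())
```

Note that a hash chain gives tamper evidence, not immutability on its own: a real network adds replication and consensus so that no single party can quietly rebuild the chain from the altered block onward.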
One example of this is HiveOnline in Denmark, where small businesses need not rely on a Google rank; their actual client transactions and validated reviews offer a much more powerful credit attestation. Another credit-extending innovation comes from Tallysticks in the UK. They use a network to automate supply chain documentation and financing processes between all clients and suppliers, making credit decisions faster, more transparent and based on real transactions. First Access is a data-driven lender that bases microfinance credit decisions on the borrower's number of mobile phone calls and the contacts in their phone. We need to embrace new ways of extending credit.
As more U.S. businesses transact on blockchain networks run by IBM, AWS and Azure, the need for credit bureaus will be vastly reduced. But caution: they see this happening too, which is why they have started identity services. They know the future of e-transactions requires digital identity, and they have a large repository, which makes them good candidates to run this business, yes? No! If you have used Facebook or Google federated identity to log in at a third-party website, you can see the power of this function, especially when the FIDO Alliance approach is used. Our data should not be held in large silos waiting to be compromised. We need to decentralize our data and put it, and our credit reputation, back where it belongs: with its true owner, you. Then, if you decide that you want to license your data to Equifax, you can negotiate terms with knowledge of their (lax) internal security practices.