Sizzle
Cyberattack insurance: The more headlines gather on data breaches, new (Equifax) and old (Yahoo), and the bad news keeps getting worse (both attacks have been more widespread than had been thought), the more firms are looking to boost their defenses. One Denmark insurer, Tryg, predicts that 90 percent of corporate customers will buy cybersecurity insurance within the next five years.
Voices everywhere, especially outside the U.S.: Voice-enabled activities are branching well beyond the home, and Apple’s Siri and Amazon’s Alexa are making splashes in the corporate realms. Singapore’s OCBC Bank is integrating Siri to help conduct corporate banking across 12,000 customers. Voice commands send payments and can also inquire about account balances. Alexa is now available in India, and will soon debut in Japan later in the year.
They’ll always have Paris?: Amazon is likely to make further physical footprints, looking to the City of Lights to bring more than a dozen stores to France. Amazon Go is the way they’re going — via grocery store concepts right out of the gate after the Whole Foods acquisition — with outreach efforts to a number of French retailers. Might this mean France may like America for more than Jerry Lewis?
Fizzle
Equifax: CEO Richard Smith went to Washington, and it wasn’t pretty. The IRS deal — where Equifax was awarded a $7.2 million contract — was panned, insults were hurled (“You legislate against [stupidity],” said one congressman) and even Monopoly’s moneybags guy showed up to protest. In the meantime, legislators are mulling federal fines against data breaches, where firms would have to pay up for each person affected by data theft.
Payday Lending: Tough new rules are going to make it a lot harder to borrow, with requirements for proof of income and for limits on how many loans can be taken out quickly. As for headline-grabbing, one large payday lender is in court — via Scott Tucker and AMG Services. The industry will likely get some scrutiny amid what seems to be egregious business practices at that one large firm, led by race car impresario Tucker. The fizzle here is that a whole industry may get painted with the broadest of brushes, with all those providing services on the up-and-up being tarred and feathered as preying on the down and out. The double whammy of negative press and even further-reaching regulations may hit lenders who are helping cash-strapped borrowers meet necessities like car and utility payments.
CFPB: Late to the party, and amid the credit reporting agency snafus (you know who, folks), the Consumer Financial Protection Bureau seems to be playing the “me too” game. The CFPB looks set to pursue Equifax via investigation and a levying of fines. CFPB Head Richard Cordray has announced that “a new regime” is in the offing, as embedded regulators at all three credit agencies are on the way. This comes despite years of consumer concerns over the way credit bureaus grab data and how they report it. They’ve missed the forest for the trees, and now swing the ax.
The Big Fizzle: Social Security Numbers
In recent years, the Social Security number — those magic nine digits that provide Americans with their basic numeric identity — has fallen on hard times. The era of the ever-connected consumer has brought in its wake the era of the ever-vigilant cybercriminal on the hunt for consumer data.
Four weeks ago, the cybercriminal community was hit with what can only and best be described as the consumer data motherload after successfully hacking the credit records of 143 million Americans from credit reporting giant Equifax. In a keystroke, the Social Security numbers, home addresses, birth dates, account numbers and scores of other data points became available on the dark web.
And dark days for the already oft-contested Social Security number (SSN) shifted to what might just be the end days.
This week, news reports emerged that the Trump administration — in the wake of the big breach that left the entire U.S. adult population with compromised SSNs — believes it’s time to say goodbye to the Social Security number as the nation’s main way of identifying consumers.
The White House is asking federal departments and agencies to investigate how to best replace the existing SSN-dependent system and how it might find a replacement for that system, according to Rob Joyce, special assistant to the President and White House cybersecurity coordinator.
“I feel very strongly that the Social Security number has outlived its usefulness,” Joyce said Tuesday at a cyber conference in Washington organized by The Washington Post. “Every time we use the Social Security number, you put it at risk.”
While the administration is certainly the most clearly heard voice on this issue, they are certainly not alone in their opinion.
Former Equifax CEO Richard Smith, during his testimony before the House Energy and Commerce Committee, emphasized that the rising number of hacks involving Social Security numbers means it has lost much of what made it valuable as an identifier for consumers.
“The concept of a Social Security number in this environment being private and secure — I think it’s time as a country to think beyond that,” Smith said. “What is a better way to identify consumers in our country in a very secure way? I think that way is something different than an SSN, a date of birth and a name.”
Congressmen — and women — during their rather extensive questioning and critique of Smith noted repeatedly that if the Social Security number has finally broken as an identifier, it was because his firm was lax about protecting the data of American citizens.
And not just because they got SSNs — but because they got every other single bit of data that is used to identify a person, all thanks to the Equifax hack. That’s what’s really put a fork in the SSN.
As for what might come next, the White House’s Rob Joyce has confirmed that ideally the replacement for Social Security numbers would be “modern cryptographic identifiers,” such as public and private keys.
The goal, he said, is to remove a security system that everyone knows full well is not capable of securing anything.
“It’s a flawed system [when] we can’t roll back that risk after we know we’ve had a compromise,” he said. “I personally know my Social Security number has been compromised at least four times in my lifetime. That’s just untenable.”
One named solution involves giving individuals a private key, essentially a long cryptographic number that’s embedded in a “physical token” that then requires users to verify that the number belongs to them — a contribution of Joseph Lorenzo Hall, chief technologist at the Center for Democracy & Technology in Washington. Ideally, it would work something like an EMV chip: to access the data would require the owner to enter a pin.
“Your pin unlocks your ability to use that big number,” Lorenzo said, noting the system is roughly modeled on what is currently in use in Estonia.
“It’s very promising,” he told Bloomberg. “It’s possible to technically design something like this.”
The problem, however, is that the U.S. is much larger than Estonia, and it could be expensive and time-consuming to try and distribute this technology to citizens.
“This is a pretty big endeavor,” Lorenzo admitted.
Another idea is to adopt something like India’s biometric identification system Aadhaar, which leverages collected fingerprints and iris scans from more than 1 billion residents and from that biometric signature assigns a 12-digit number. The only way to access it — and any benefit associated with it — is with the right biometric.
The upside: No one has to have their fingerprint delivered to them.
The downside? Some people complain the government taking a fingerprint and iris scan verges on dystopian creepiness.
Whatever the replacement tech, it seems clear that after 81 years of issuing Social Security numbers and using them as primary identifiers for citizens, that security method is no longer the best way to give each customer an individual marker. Instead, it saddles customers with an unchangeable, highly necessary numbers that is easily — and probably already has been — stolen.
The Trump administration is also participating in discussions Congress is having about the requirement of protecting personal data and company breach notifications and about giving consumers rights over how their data is used.
The Social Security number is very ingrained, and experts agree that doing away with it entirely is not doable overnight. Laws would need to be rewritten and any replacement would need to be vetted thoroughly.
At this point, however, it seems clear to everyone that we need a new system.
“Once it’s compromised one time, you’re done,” said Robert Stasio, a fellow at the Truman National Security Project and former chief of operations at the National Security Agency’s Cyber Operations Center.
The question now isn’t if it is going away, but when exactly, and what will replace it.
A big fizzle after a strong eight-decade run.