An Identity Crisis


Photo illustration by Keith Schilling


It was "A Case of Identity." Mary Sutherland's fiancé, Mr. Hosmer Angel, had disappeared on what was to be their wedding day, and she needed Sherlock Holmes's help to find him.

Angel, however, was a bit of a mystery. Sutherland knew very little about him, just that he worked in an office on Leadenhall Street and sent her letters that were typewritten via a post office box. He also only visited Sutherland in person when her stepfather, James Windibank, was out of town.

Through logical reasoning and some minor investigatory work, Holmes deduced that Angel was not who he claimed to be. The evidence was physical: the quirks of the typewriter used for Angel's letters matched a typewritten note Holmes obtained from Windibank, and Angel's appearance fit a disguise. Angel was Windibank, and so could not marry Sutherland.

The same circumstances surrounded the verification of an individual's identity for most of the 20th century. Most transactions, legal actions, and meetings occurred in the physical world. People saw those they were doing business with, looked at physical copies of their driver's license or passport, and used that to verify their identity.

They could also use an individual's Social Security number, the closest thing the United States has to a national identifier, to help ensure that the person was who they claimed to be, based on all the information associated with that specific number.

And to steal sensitive data that could verify identity in the physical world from millions of people would have required a network of people willing to break into businesses that store that information. Their odds of getting caught would have been high.

But in today's digital world, it's much simpler to carry out a major heist of sensitive information. And the building blocks that are used to create an identity online and verify it are regularly being compromised, making it more difficult than ever before to prove who anyone is online.

The latest example is the breach of credit reporting agency Equifax, in which attackers accessed and stole data on 145.5 million people, mostly in the United States but also in Canada and the United Kingdom.

Along with names and telephone numbers, the hackers gained access to Social Security numbers and the extensive information the agency collects on individuals and uses to verify their identities, such as previous residences, relationship and employment history, and financial histories.

This information is used to compile a credit report, which can be shared with employers, landlords, lenders, and others as part of a screening process. It also feeds the knowledge-based verification questions (previous addresses, past loans, former employers) that many online services use to confirm that a person is who they claim to be.

"The Equifax hack is highly disturbing not only because of its massive scope, but also because of the specific type of personal data that was stolen," wrote U.S. Representative Ted Lieu (D-CA) in an op-ed for Slate. "Credit reporting agencies are supposed to be one of our lines of defense in data security and privacy protection—and Equifax failed in its core mission."

No one has claimed responsibility for the Equifax breach, and experts expect an increase in fraud using the information that was stolen, especially during the upcoming holiday season.

"We're going to see an uptick in fraud, synthetic IDs, and accounts being compromised—busting out credit cards, taking fraudulent loans across multiple channels of products," according to James Heinzman, senior vice president of financial services solutions for ThetaRay.

In addition to fraudsters, nation-state actors are also likely to acquire the information compromised in the Equifax breach, says Rick Holland, vice president of strategy at cybersecurity firm Digital Shadows.

China, for instance, would find the data very valuable combined with what it allegedly stole in the U.S. Office of Personnel Management (OPM) breach, Holland explains, because it would allow China to create a broader data set on individuals it might already be targeting.

"You could see [China] leveraging and purchasing this sort of data for types of activity that it would conduct, such as social engineering," Holland says. "I would expect nation-states across the board to try to acquire this data, as well as the defenders. I wouldn't be surprised to see the U.S. government try to acquire this data to understand the implications of it from a counterintelligence perspective."

Those implications could be widespread because the information compromised in the Equifax breach is not ephemeral. Unlike a password, a Social Security number or a personal history cannot be reissued or rotated after a breach, which creates a serious problem with how identity is constructed and verified online.

Because of this, Lee Munson, a security researcher and blogger with Comparitech and senior associate for information security training and awareness at Re:Sources UK, says he now sees no way for a victim of identity theft to prove beyond doubt over the Internet that they are who they say they are.

"The ironic thing for me is that one of the first bits of advice you give to identity theft victims is to go get copies of their credit report from people like Equifax," Munson says. "Now you've got to ask, 'Can you trust them?'"

Victims have "the option of sending emails, copying documents and sending copies of their Social Security numbers and passports, but those could easily be faked," he explains. Victims can also go to their local police department to get documents saying they're a victim of identity theft, but this places the onus on victims to prove their identity after it's already been stolen.

Instead, organizations might need to rethink what kind of data they collect on people to uniquely identify them and consider no longer using Social Security numbers as identifiers. Almost every legal U.S. resident has one issued on a card from the Social Security Administration that is then shared with financial institutions, employers, healthcare providers, and more to connect the resident's documents with that number.

"Which in retrospect seems like the worst idea ever," says Lance Cottrell, chief scientist of Ntrepid. "Here's this piece of paper. It's got a number printed on it. You're going to give it to everyone, and yet, keeping it secret is the key to security. It's an inherently paradoxical approach to things."
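To make the paradox Cottrell describes concrete, here is an added example written for this page (not Equifax's code or any vendor's product). It contrasts two designs: an organisation that stores a customer's static Social Security number and re-checks it as proof of identity, and an organisation that instead receives a per-organisation pseudonymous identifier derived by an identity provider with an HMAC over a key only the provider holds. The organisation names, user names, subject identifier, and the SSN-like value are all constructed for the demo.

```python
"""
Added example: static shared secret (the SSN model) versus pairwise
pseudonymous identifiers. A breach at one organisation in the static model
yields a credential that works everywhere; in the pairwise model the stolen
token is useless at any other organisation. All names are constructed.
"""
import hashlib
import hmac
import secrets

# Constructed value in an area-number block (900-999) that the Social
# Security Administration never issues, so it cannot belong to anyone.
SAMPLE_SSN = "987-65-4320"


class StaticIdRelyingParty:
    """An organisation that stores the global identifier and re-checks it."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.records: dict[str, str] = {}  # user -> SSN; this is what a breach dumps

    def enroll(self, user: str, ssn: str) -> None:
        self.records[user] = ssn

    def verify(self, user: str, claimed_ssn: str) -> bool:
        stored = self.records.get(user)
        return stored is not None and hmac.compare_digest(stored, claimed_ssn)


class IdentityProvider:
    """Holds the only secret; hands each organisation its own identifier."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)  # assumption: never leaves the provider

    def pairwise_id(self, subject: str, relying_party: str) -> str:
        # Domain-separated HMAC: same subject, a different token per organisation.
        # Without the key, two organisations' tokens cannot be linked or
        # derived from one another.
        msg = relying_party.encode() + b"\x00" + subject.encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()


class PairwiseRelyingParty:
    """An organisation that only ever sees its own pairwise identifier."""

    def __init__(self, name: str, idp: IdentityProvider) -> None:
        self.name = name
        self.idp = idp
        self.records: dict[str, str] = {}  # user -> this organisation's token

    def enroll(self, user: str, subject: str) -> None:
        self.records[user] = self.idp.pairwise_id(subject, self.name)

    def verify(self, user: str, presented_token: str) -> bool:
        stored = self.records.get(user)
        return stored is not None and hmac.compare_digest(stored, presented_token)


def simulate_breach_reuse() -> dict[str, bool]:
    """Breach organisation A, then replay its records at organisation B."""
    user, subject = "msutherland", "subject-0001"  # constructed

    # Static model: both organisations hold the same secret.
    bank_a = StaticIdRelyingParty("bank-a")
    lender_b = StaticIdRelyingParty("lender-b")
    bank_a.enroll(user, SAMPLE_SSN)
    lender_b.enroll(user, SAMPLE_SSN)
    stolen_from_a = dict(bank_a.records)  # the breach dump
    static_reuse = lender_b.verify(user, stolen_from_a[user])

    # Pairwise model: each organisation holds a different derived token.
    idp = IdentityProvider()
    bank_c = PairwiseRelyingParty("bank-c", idp)
    lender_d = PairwiseRelyingParty("lender-d", idp)
    bank_c.enroll(user, subject)
    lender_d.enroll(user, subject)
    stolen_from_c = dict(bank_c.records)
    pairwise_reuse = lender_d.verify(user, stolen_from_c[user])
    # The legitimate path still works: the provider re-derives the right token.
    pairwise_legit = lender_d.verify(user, idp.pairwise_id(subject, "lender-d"))

    return {
        "static_reuse_succeeds": static_reuse,      # True: one breach opens every door
        "pairwise_reuse_succeeds": pairwise_reuse,  # False: token is organisation-specific
        "pairwise_legit_succeeds": pairwise_legit,  # True: provider-derived token accepted
    }


if __name__ == "__main__":
    for name, outcome in simulate_breach_reuse().items():
        print(f"{name}: {outcome}")
```

Two caveats worth noting. Hashing Social Security numbers at rest does not rescue the static model: the space is only about a billion values, so a stolen table of hashes can be exhausted offline, whereas the pairwise token cannot be reversed without the provider's key. And the pairwise model only moves the trust: the organisation still has to rely on the provider to have authenticated the person before deriving a token, which is the same idea OpenID Connect's "pairwise" subject identifier type formalises.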

Instead of using Social Security numbers and other static information, Cottrell thinks we will begin to see a push for greater use of biometrics to identify individuals. Days after Equifax disclosed the breach, Apple announced Face ID, facial recognition technology that iPhone users will soon be able to use to unlock their devices.

"Things like the iPhone are showing how a lot of this is going to move," Cottrell says. "The biometrics and the secure enclaves in these locked down physical devices are allowing for authentication."

Biometrics are not a silver-bullet solution, however. A figure of 98 percent accuracy has been attributed to Apple's facial recognition technology. One caveat for practitioners: an "accuracy" figure lumps together false rejections of the owner and false acceptances of strangers, and Apple's own published figure for Face ID is roughly a one-in-a-million chance that a random person can unlock someone else's phone, so the 98 percent figure and the one-in-50 reading Munson draws from it are best treated as a worst-case illustration rather than a measured false-acceptance rate.

"That means one in 50 people in the population could unlock your phone," Munson says. "And previous facial recognition systems that are more mature have been tricked by high-resolution digital photographs. Even though it's theoretically sound, in practice it may still not prove that the person on the other end of that device is who they say they are."

Despite a possible increase in the use of biometrics, however, Cottrell says that the United States is not ready for what some call smart IDs—a form of identification card that contains biometric data, such as a DNA sample, to identify the carrier.

He also thinks it's likely that for some interactions with government agencies or businesses online, there will be a renewed emphasis on using notaries. For instance, to interact with a business online a person would physically have to go to a notary, show ID, and get a document notarized that will then be sent to the business to verify the individual's identity.

"Not that you can't fake physical documents, but it doesn't scale," Cottrell says. "It's a lot more work. It needs to be done in person in the United States. And one of the characteristics of Internet-based attacks is that they can be launched outside your jurisdiction at scale."

And focusing on scale is what's important because limiting the number of people that can be compromised per attack helps keep fraud at a manageable rate so it can be identified and mitigated, much like the Sherlock Holmes case.

"The goal doesn't need to be eliminating fraud and eliminating these kinds of crimes; it's making sure that the fraud rates are manageable," he explains. "I think, unfortunately, the Equifax breach may be pivoting things towards fraud and attacks that can be launched at scale, and that's a problem."