Rethinking security when everyone's Social Security number is public
After Equifax disclosed a devastating data breach, much of the attention focused on whether the company did everything it could in response. But the scary truth may be that this is the sort of incident that goes beyond a single company's ability to fix.
Whatever the long-term effects will be, one thing is immediately clear: Social Security numbers are no longer as valuable as they used to be in evaluating consumer identity and creditworthiness.
"[Know Your Customer] requirements were written for a world that expects some privacy of Social Security numbers," said Zach Perret, co-founder and CEO of the fintech company Plaid, at SourceMedia's PayThink event, which took place last week in Phoenix.
"The assumption that we previously held, which was that Social Security numbers and driver's license numbers are relatively private ... that's now gone," he said. "Beyond how Equifax changes credit scoring, there's a big question about how Equifax changes identity validation."
This is a distinctly separate issue from fraud detection, Perret said. Bank accounts and card numbers can be shut down and reissued, but banks can't do the same for Social Security numbers and other identity factors.
"On the fraud side, there's a ton of work we can do, including multifactor authentication," he said, but "the KYC requirements are pretty explicit ... so that needs to be updated."
Indeed, a lot of the security practices being used today are done more out of tradition than out of effectiveness. Companies that have extremely advanced security in place may still prompt for a static password to make the customer feel involved in the process.
But even that mindset is shifting.
With the Zelle app, for example, "we might not always ask you for a password, but don't think we're not secure," Lou Anne Alexander, group president of payments at Early Warning, said at PayThink.
"We will not always ask you for a password, but don't think we're not secure," Alexander said. "We're doing a lot of things behind the scenes that are unobtrusive. I worry a bit that folks might think it's not secure, that we might have to do a little of what we call security theater and throw a roadblock up every now and then, but we do know enough about the device [and] your interaction with it to clearly understand whether it's you or not."
But not all technology improves security as intended. With EMV, fraudsters were quick to find workarounds.
"We've seen a number of examples of fraudsters convincing those checkout folks to type in their number and bypass the chip ... that's obviously not why we all have spent so much money as an industry [on EMV]. That defeats the whole purpose," said Jason Martin, senior vice president of checking and debit product management at Bank of America.
As expected, fraudsters are targeting card-not-present sales, which get no benefit from EMV security, but they are also paying more attention to other low-tech financial instruments.
"It goes back to even checks, too," Martin said. "Fraudsters will try to go back to the weakest link that they can find, and we're seeing that across the board."
Sometimes the merchant bypasses EMV on its own, due to a miscommunication, said Kathy Yee, senior vice president of debit and prepaid cards product management at Wells Fargo.
"We've had situations ... where there are little Post-its put on machines that said Wells Fargo cards didn't work," Yee said. "It ended up being not true — it was something in the implementation or something like that — but that little Post-it is very painful in trying to communicate to our customers."