The days of logging into a web site or application with nothing more than facts stored in your brain are nearing their end, pushed to extinction by the unrelenting pace of information sharing online and an equally unrelenting storm of data breaches that expose that data.
The theft and re-use of data stolen from e-commerce and social media firms spells the end of knowledge based authentication using passwords or other seemingly obscure information like a mother’s maiden name or the name of an elementary school, experts told a Congressional Committee on Thursday. To replace them, companies will have to invest in new authentication tools that cannot simply be mined from troves of public or stolen and re-circulated personal data.
The widespread sharing and aggregating of personal data, coupled with data breaches that have exposed immutable information like Social Security Numbers, addresses and dates of birth has “a fundamental impact on the viability of knowledge based authentication,” security expert Troy Hunt told the House Committee on Energy and Commerce in testimony Thursday on “Identity Verification in a Post Breach World.”
Hunt created the site Have I Been Pwned, which informs individuals if their personal information was caught up in a data breach. He testified on Thursday that he has recorded breaches affecting more than 4.8 billion records and 250 separate incidents in the last four years. He told Committee members that the confluence of easy-to- provision cloud based services, the emergence of The Internet of Things and a strategy of “data maximization” (or hoarding) by online businesses add up to a “perfect storm” for data exposure.
Data aggregation and analysis tools mean that the product of many breaches can be rolled together to create detailed composites of individuals. The result is that, in time, much of the information that individuals think of as private and personal will become “public knowledge,” Hunt said.
Hunt’s comments were echoed by Jeremy Grant, a Managing Director at the firm Venable LLP, who said that while consumers have access to more tools to supplement passwords and secure their online accounts, it is getting harder for organizations to prove that consumers are who they say. “Attackers have caught up to some of the tools we have depended on for identity proofing and verification,” Grant said in his testimony.
The solutions for the federal government are not simple. Grant called for legislation restricting how government issued identifiers like Social Security Numbers can be used, including rules preventing the Social Security Number – or any part of it – from being used to authenticate individuals in online transactions.
Speaking before the committee, Edmund Mierzwinski, the Consumer Program Director at U.S. PIRG advocated a range of reforms, from making it easier for consumers to sign up for credit freezes, to monitoring the business practices of credit bureaus like Equifax, TransUnion and Experian. But Mierzwinski also warned Congress about efforts by the business community to water down needed reforms. He said that businesses would like to push a Federal data breach law that would preempt and water down state-level protections in 48 states – for example: by prohibiting private lawsuits by breached consumers, or establishing a “harm trigger” for enforcement actions that would force consumers to prove they had suffered damages as a result of a breach.
Mierzwinski said that the U.S. has long lagged other industrial nations in creating an omnibus privacy protection law, but that the drafting of such a law shouldn’t be used as a “Trojan horse” to undermine consumer protections. Actions by other nations, such as the EU’s General Data Privacy Rule (GDPR) are filling the void. But the country must avoid weakening existing protections as it looks to modernize the federal government’s privacy protections. “Federal law should never become a ceiling of protection, it should always serve as a minimal floor that allows state experimentation,” he said.
The hearings on Capitol Hill come in the wake of a series of damaging breaches including the theft of information on some 140 million people from the data broker Equifax. More recently, the ride sharing firm Uber announced that hackers had stolen information on 57 million customers and some 600,000 drivers – a breach the company neglected to inform state regulators and customers about for more than a year.