Examining the Top 3 Responses to the Equifax Fraud Threat
The biggest personal data security story in recent memory—probably of all time—broke in September 2017. Of course, we’re talking about the Equifax hack, as well as the possibility of post-Equifax fraud we’re dealing with.
Hackers repeatedly attacked the credit reporting bureau over the course of the summer, ultimately exposing the personal data of 145 million Americans. They stole consumers’ Social Security numbers, addresses, birth dates, and much more. This information can be used to commit synthetic identity theft and apply for loans and other lines of credit in victims’ names.
The hack was a watershed moment for the data security, payments, and finance industries, and it left us with a lot of questions:
- How did it happen?
- Could it have been prevented?
- What can we learn?
- What changes can we implement going forward?
Let’s explore some of the more popular ideas proposed to address the post-breach security environment, and how these strategies might impact merchants…both positively and negatively.
#1. Replace SSNs as an ID Method
For a US citizen, the Social Security number is the ultimate form of personal identification. The SSN you’re assigned at birth sticks with you throughout your life; you can apply for a new number, but you will need to prove that it’s been stolen and abused. That can be difficult to prove, and even then, it doesn’t undo the damage that’s already been done to your credit and finances.
Many tech experts suggest that the Social Security number has outlived its use as a form of ID. They suggest replacing these numbers with a PIN-authorized physical token. Like a cross between an EMV chip payment card and a virtual account number, the tokenization approach means it would be much easier to replace this card if stolen.
Experts are also looking to FinTech trends like the blockchain for potential answers. Blockchain technology could be used to create a “digital DNA fingerprint” that would be mathematically impossible—at least in theory—to duplicate.
Of course, while this change can help protect customers’ identities, it won’t help eCommerce merchants as much as they might hope. Synthetic theft represents a small overall share of CNP fraud compared to other loss sources like friendly fraud.
#2. Comprehensive Breach Notification
48 states have laws on the books requiring companies to notify consumers impacted by a cyberattack. There is no federal law, though, and two states—Alabama and South Dakota—do not have any legal requirements to notify customers after a breach.
South Dakota is a major business hub, and several large companies are headquartered there. If a company based in South Dakota were attacked, they would not be required to report the incident regardless of where the affected consumers live.
Several national politicians and consumer advocates say it’s time for a national law requiring companies to notify consumers in the event of a security incident.
Remember, though, that notifying customers after a breach is a reactive strategy. This legislation wouldn’t prevent post-Equifax fraud from occurring, just warn consumers that it may be on the way. In turn, customers could be more likely to file chargebacks against any transaction they can’t identify immediately, believing it to be fraudulent.
#3. Reevaluating How We Share Information
Some suggest that we should give consumers more control over which data is provided to businesses and how that data is managed.
This idea is like the General Data Protection Regulation, or GDPR, adopted in the European Union. What they refer to as the “right to be forgotten” means that customers can contact businesses and demand that their personal data be destroyed.
While that sounds good at first glance, it could lead to much bigger problems. Consumers aren’t experts; they don’t understand the relationship between Equifax fraud and their data. Allowing customers to “be forgotten” could interfere with the free exchange of open data, which is a valuable mechanism for identifying trends in fraud activity. Thus, having less customer data available to businesses may lead to more fraud, rather than less.
Much like the GDPR, as well as the EU Digital Single Market, adopting such policies looks good on paper, but it would not necessarily work out that way.
Where Post-Breach Fraud Hits Home for Merchants
As we saw, the ideas above may help address certain post-Equifax fraud concerns, but they’re not perfect. In some cases, they’re not even desirable. There are other less-discussed reforms out there, though, which are long overdue.
To our team of payments industry experts at Chargebacks911®, the 2017 Equifax breach highlights the need for substantial reform of payment reversal policy. Although the focus is on consumers, merchants ultimately pay the price in the form of consumers filing chargebacks.
Of course, chargebacks have been abused for years by criminals and consumers alike: the former through criminal fraud, the latter through friendly fraud.
The regulations governing chargebacks were first created in the early 1970s, and they haven’t changed much since. Chargebacks are not suited for the demands of eCommerce, and the situation following the Equifax hack just drives that point home.
It’s more important than ever that we challenge outdated chargeback regulations. Otherwise, merchants are the ones who will suffer from Equifax fraud costs.