In the Wake of the Equifax Breach, Are Biometrics the Answer?

The recent security breach of credit reporting agency Equifax exposed birth dates, social security numbers and credit card information of up to 143 million consumers. The hackers will likely sell this personal information which could result in financial and medical identity left, and fraudulent credit card activity and tax reporting, along with a slew of other activities. Earlier this week Equifax announced their CEO, Richard Smith will be retiring and could walk away with $18 million in pension benefits. The Massachusetts Attorney General, Maura Healey called it “the most brazen failure to protect consumer data we have ever seen.” As a result, the Federal Trade Commission, members of Congress and multiple states’ authorities are looking into criminal investigations. However, the burden of this breach will fall primarily on individual consumers to ensure they are protected, and only 10 percent of the potential 143 million affected have even checked the Equifax site to see if their information was compromised. (You can check to see if you may have been impacted here.)

The precautionary recommendations put forth have been to: 1. Check your credit score regularly (which can only be done for free once a year); 2. Freeze your credit; and 3. Purchase credit monitoring services. (Freezing your credit means establishing a “lock” that prevents opening new forms of credit in your name, while monitoring your credit is the process of periodically reviewing your credit reports for accuracy and changes that might be the result of fraudulent activity.) The irony of these suggestions is that you have to rely on the three major credit bureaus (Equifax, Experian and TransUnion) to perform these consumer protection activities. How can we know we are safe from fraud when our recourse requires trusting the entities that have been compromised? What’s more, why should we pay additional fees to correct the credit bureau’s mistake?

The Equifax breach affects consumers at all levels of the socioeconomic landscape, and unfortunately those with fewer financial resources and capability will be affected the most. Correcting identity theft can be a time consuming and financially burdensome endeavor. For many it is challenging to come up with emergency cash to cover legal fees to prove identity theft or restore credit, recover stolen assets and pay for additional credit monitoring services. And sadly, we haven’t seen strong consumer protection support on behalf of the credit bureaus and formal financial service providers in the wake of this breach — support like educating the public about monitoring credit, providing more than one free credit report annually or offering free/discounted credit monitoring for more than one year. Thomas Hinton, CEO of the consumer advocacy non-profit American Consumer Council, said he “is deeply concerned that Equifax – and all credit reporting companies – are not doing enough in a timely manner to protect under-served consumers who have been victimized by this data breach and stand to suffer the most.”

Such massive security breaches erode the public’s trust in the financial system, particularly among the unbanked already skeptical of entering the formal financial fold. The U.S. Financial Dairies showed that many Americans don’t trust the financial system because of unexpected bank fees – like overdraft fees – and because banks provide little or no social support, which many people get with informal group lending and savings options.

This isn’t the first major data breach in U.S. history and it won’t be the last. Last year when Yahoo was in negotiations to be bought by Verizon, it came out that 1.5 billion user accounts were compromised between 2013 and 2014. And we can’t forget the 2013 Target breach that compromised credit/debit card and contact information of up to 110 million customers.

So, what can be done? How can anyone feel comfortable about the protection of personal information?

Financial service providers are looking to biometric data as a secure identification source for financial services. Over the past seven years, the Unique Identification Authority of India (UIDAI) has issued over one billion Unique Identification Numbers (UID), also known as Aadhaar numbers, which are verified and authenticated with biometric data via finger prints or iris scans. This identification system is a part of India Stack that uses four distinct technology layers – including simplified payments addressing and interoperability – to provide digital financial services across governments and businesses in India.

The technology already exists to use finger print and facial scans to unlock our phones or log into personal banking apps, and there is even the potential of using ear scans and heart beat identification as biometric identification sources. But so far biometric identification is fairly unregulated, some consider the security to not yet be airtight and there are additional privacy concerns with using bodily identifiers. Hackers are already finding ways to spoof biometric identification. Recently, the security firm Vkansee was able to break into Apple’s Touch ID system with a small piece of play doh. But we will see rapid improvements in Apple’s security, particularly with the new iPhone X Face ID technology.

In the case of India’s Aadhaar scheme, there is robust opposition to the program, with concerns including the perceived ease of forging fingerprints, the program’s potentially inadequate digital security, and its ubiquity. Some opponents of the program believe that if the Aadhaar numbers are widely integrated and linked between previously-siloed databases, it expands the opportunity for citizen profiling and surveillance. In August, India’s Supreme Court issued a ruling enshrining the fundamental right to privacy. The anti-Aadhaar movement in the country celebrated the ruling, asserting that the program is in conflict with this fundamental right. Soon the Supreme Court will indeed assess if Aadhaar does violate Indian citizen’s privacy rights.

Regardless of how our information is authenticated, it is becoming increasingly important for consumers to protect and regularly track their financial information. Consumers should be concerned about the potential threats and take appropriate action by checking their credit score and monitoring credit card activity. But we can also realize that, at least as of now, security breaches are mostly out of our hands.

Have you read?

How Secure Is Data Used in Digital Credit?

Demonetization Brought Out the Best in Indian Microfinance Clients

Why Do Privacy Policies Matter for Digital Credit?


Join the Conversation

Stay informed. Subscribe to our newsletter.