Prof. Jayanth R. Varma's Financial Markets Blog


Yet more on Equifax data breach

I have written many times about the Equifax data breach arguing that the credit bureau business should be subject to the doctrine of strict liability, that society should not hesitate to impose punitive penalties on them (including shutting down errant entities), and that modern cryptography makes existing credit bureaus obsolete. My excuse for writing about them again is that I just finished reading the US Congress (Committee on Oversight and Government Reform) Majority Staff Report on The Equifax Data Breach.

This report makes it clear that things were even worse at Equifax than I thought. But what I found most interesting is that when the breach occurred, Equifax had initiated the process of making the hacked system compliant with PCI DSS (Payment Card Industry Data Security Standard), and doing so “would have largely addressed the security concerns flagged” and would likely have prevented the hack.

PCI DSS compliance requirements include: the use of file integrity monitoring; strong access control measures; retention of logs for at least one year, with the last three months of logs immediately available for analysis; installation of patches for all known vulnerabilities; and maintenance of an up-to-date inventory of system components.

None of this is rocket science, and even tiny mom-and-pop stores are required to comply with these requirements before they can accept credit card payments. Yet one of the largest credit bureaus in the world did not comply with them. The reason is something that Bruce Schneier has been saying for a long time (Eliminating Externalities in Financial Security):

It’s an important security principle: ensure that the person who has the ability to mitigate the risk is responsible for the risk.

If you think this won’t work, look at credit cards. Credit card companies are liable for all but the first $50 of fraudulent transactions. They’re not hurting for business; and they’re not drowning in fraud, either. They’ve developed and fielded an array of security technologies designed to detect and prevent fraudulent transactions. They’ve pushed most of the actual costs onto the merchants. And almost no security centers around trying to authenticate the cardholder.

Equifax was so terrible at computer security because it had no incentives to do a better job: even after one of the worst breaches in history, Equifax faced only minor penalties.

Posted at 7:48 pm IST on Mon, 31 Dec 2018

