A long time ago, back when you had to go to your living room to use the telephone, there used to be public lists of everyone’s names, addresses, and phone numbers in something called a phone book. A few people asked not to be listed, but most just accepted it as understood that if someone wanted it, your data was out there.
It’s time now to accept this same thing with regard to our social security numbers, dates of birth, and other personal data.
Equifax was hacked, and it contained all this data about hundreds of millions of us, and more. OPM was hacked, and that data contained the sensitive private information for most people in the U.S. that hold a security clearance. The IRS has been hacked. The phone companies. Our banks. The restaurants. Basically every type of business that we regularly use has had our data stolen from it.
Criminal groups and foreign governments are aggregating this data so that it can be used for various purposes. Identity theft, spam, extortion, etc. You can think of it as one big database of everyone’s data in the world, with these different groups having different versions and copies of the database. And most of our data is in it.
But we can’t change our social security numbers or our dates of birth.
So what are we supposed to do?
The first thing to do is stop panicking every time your data is leaked. It’s out there. It’s done. The pee cannot be taken out of the pool.
Do what you can to defend yourself using credit freezes and continuous credit monitoring. Watch your accounts closely, rotate your credit cards when they get breached, and try to use things like Apple Pay to avoid sending credit card data in the first place.
That’s the first thing—just realize it’s going to happen and build a system for dealing with this reality.
But more importantly—as a society—we need to come up with a better way to authenticate ourselves and authorize transactions.
Because so many people have our information, and we can’t really change that information, we can no longer authorize transactions based only on having that data. It’s pretty obvious when you think about it.
What we’re going to have to do is some sort of composite authentication, where you have multiple factors in place at once, and at least one of those will likely include a live visual component.
Expect in-person authentication to become a lot more popular in coming years, with services like notaries getting used more frequently. And as the technology becomes available, expect to see digital forms of in-person identity validation as well—things like proving you’re at a particular location, doing bio-based auth, someone not validating that you are you unless they can see you and talk to you, etc.
These will be big changes to how things are done, but they will happen simply because they’ll have to.
Our private data has been stolen, and it’s no longer a solid foundation for authorizing transactions.
Let’s get ready for authentication based on multiple factors, with the most important addition being visual and audible validation of your person.