The way we identify ourselves — especially in our digital lives — no longer works. Each major data breach exposes one more crack in the façade, and those cracks keep widening:
- Yahoo admitted this week that a 2013 data breach affected 3 billion accounts, up from 1 billion.
- The credit bureau Equifax acknowledged millions more consumers had their data swiped during its recent breach, up to 145.5 million from 143 million.
You should assume your identity has been compromised. If you do nothing else in the wake of the Equifax breach, tackle the basics like freezing your credit. The Department of Homeland Security also is offering tips as part of Cyber Security Awareness Month.
The potentially good news is that financial companies, a slew of startups and several other industries are working on solutions. Banks specifically have a vested interest since they are often on the hook for covering your losses.
Identity systems incorporating blockchain technology and other enhancements that keep your data from reaching every website are on the way.
In the meantime, if you really want to take control, here are three further steps you should take.
Focus on being small
You should be concerned about your data: who can see it, who can use it and who thinks they own it. The trouble is, unless the system changes, there is only so much you can do.
The Equifax breach is a perfect example.
When you apply for a bank account, credit card or mortgage you agree to allow your bank to share data with the credit bureaus. But there are plenty of times when sharing your data is not a requirement.
The next time a doctor asks you for your Social Security number, push back. Your insurance card may be all they need, especially if you aren’t enrolled in Medicare. And when another e-retailer asks for your date of birth, consider whether those birthday coupons they might send are really worth you compromising your data once again.
Get a burner card
Saying no is one way to keep control of your digital footprint. Here’s another: Masking your credit and debit card numbers while shopping.
Startup firm Privacy.com is offering free virtual debit cards — the company calls them burner cards — for your transactions. The burner cards link directly to your bank account and can only be used once. (You can create up to 12 cards per day with an initial spending limit of $1,000 per day and $2,000 per month.)
You create an account, link your debit card and install a browser extension. If you want to buy something from a site that you don’t frequent or are otherwise uncomfortable sharing your legitimate credentials with, Privacy.com generates a burner number. You can even use a fake name.
“There is a signal-to-noise challenge. We are looking to put out more noise,” said CEO Bo Jiang.
Privacy.com also wants to help consumers keep continuity. Imagine one of your subscription services gets breached and your real debit card number was exposed. It would be a good idea to alert your bank, have it cancel that card and reissue you a new one.
But then you’d have to share your new number with Netflix, Spotify, Seamless, ClassPass and every other company that you’ve allowed to debit your account.
With Privacy.com, all you would have to do is reset that one burner card.
“We are going to see more breaches and we are trying to minimize the downside and make it so you’re not interrupted,” Jiang said.
Of course, you just have to trust Privacy.com to keep your real debit card number safe.
PayPal can function in a similar way, says Steve Pannifer of Consult Hyperion, a U.K. consulting firm. The benefit with PayPal is that you can link your credit card. In the case that your card is breached, a credit card wouldn’t affect your ability to, say, pay your rent, since it is borrowed money.
Consider a digital ID provider
Think of the ubiquitous “Login with Facebook” button on websites — rather than create a unique username and password for each site, Facebook vouches for you.
Your bank may someday provide a similar button for situations that call for more security, like logging into a government website. The idea is to limit the personal data you share and to prevent you from having to create a unique username and password at each website you visit.
Such digital passports exist today.
One worth highlighting is ID.me. The primary benefits of the digital ID service today are discounts, typically for reserved groups like military, students, teachers and first responders.
Plenty of retailers already offer those groups discounts, but ID.me is playing the authenticator — verifying that you’re indeed in the military, for instance. People not in those groups can sign up for an ID, too, and receive some discounts.
The firm also announced a partnership with AARP earlier this year on an ID system that is expected to be rolled out in 2018.
But ID.me’s partnership with the U.S. Department of Veteran Affairs is a good example of how it envisions the future. Recently, the firm worked with the VA on its new Vets.gov site, a single portal intended to bring together veteran services spread out over more than 500 websites.
ID.me provides each agency with the appropriate level of detail from a veteran’s profile. For instance, ID.me would confirm whether someone is a veteran for certain websites, but would hold more sensitive information, such as health records, for other sites.
The dream is to establish a system where people are not creating accounts and passwords with every site they use — but maybe have one or two, says Blake Hall, CEO of ID.me.
This could work in the real world, too. Imagine rather than handing a bartender your ID, which is brimming with personal data, he scans a QR code from your phone that gives him the one piece of ID he needs — that you’re older than 21.