The next step is to change how sensitive requests and actions are authenticated internally. With a flood of SSNs, birthdates, drivers’ licenses, addresses, and names now on the market, it is no longer effective or prudent to authorize these actions based on that information.
Banks have gotten better at rewriting this playbook. You may have noticed that in recent years banks have switched from asking you questions whose answers can be found in the public domain to questions only you would know. For example, asking what your first car was isn’t as effective as asking what your favorite color is, because the former can easily be found by identity criminals, while the latter cannot.
Although most companies have spent years preparing to prevent digital hacking, far fewer resources have gone into the vulnerabilities created by employee identity theft. The truth is, if verbal authentication is based on information breached from Equifax, anyone impersonating an employee can have that employee’s accounts manipulated, addresses changed, and passwords reset and sent, which bypasses all of your existing digital controls, including two-factor authentication and other defenses.
Every company in every industry should be reviewing and changing its internal controls to an authorization process that does not rely on information that can be found in the public domain, such as favorite animal, best friend’s name, first pet’s name, and the like.
For example, if you have sensitive equipment or restricted areas at your facilities, how will you prevent identity thieves from impersonating employees to gain access? How do you know you are not authorizing a breach of your own data when an impersonated partner or employee requests password-reset assistance or other changes? Your employees’ information is now likely for sale, and the buyers may be interested not only in direct credit card theft but in business espionage, terrorism, and competitor actions as well.
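One concrete shape this control change can take is a help-desk verification gate that refuses to treat personal data of the kind exposed in the breach (SSN, date of birth, address, first car, first pet) as proof of identity, and instead requires a short-lived one-time code delivered to a channel the employee enrolled in advance. The following is an added illustration, not code from the article or from any vendor it mentions; the employee ids, the enrollment store, the evidence-type names and the audit-log format are all constructed for the example.

```python
"""
Added example: a help-desk identity verification gate.

Knowledge answers drawn from breached or public data are ignored; a
password reset is approved only when the caller presents a valid,
single-use, time-limited code that was sent out of band to a device
or number enrolled before the request. All identifiers and data here
are constructed for illustration.
"""
import hashlib
import hmac
import secrets
import time

# Evidence types commonly exposed in breaches or public records (constructed
# list). A request that relies only on these is never sufficient on its own.
COMPROMISED_KNOWLEDGE = {
    "ssn", "date_of_birth", "home_address", "drivers_license",
    "mothers_maiden_name", "first_car", "first_pet", "best_friend",
}

CODE_TTL_SECONDS = 300  # codes expire after five minutes


class OutOfBandVerifier:
    """Issues and checks short-lived codes sent to a pre-enrolled channel."""

    def __init__(self, enrolled_channels):
        # employee id -> pre-enrolled contact (phone, authenticator app, ...)
        self._channels = enrolled_channels
        self._pending = {}  # employee id -> (sha256 of code, expiry time)
        self.audit_log = []

    def issue_code(self, employee_id, now=None):
        """Generate a code, store only its digest, and hand it to the delivery layer."""
        now = time.time() if now is None else now
        if employee_id not in self._channels:
            self.audit_log.append(f"DENY issue: {employee_id} has no enrolled channel")
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).hexdigest()
        self._pending[employee_id] = (digest, now + CODE_TTL_SECONDS)
        # The code goes to the enrolled channel; it is never read back to the caller.
        self.audit_log.append(f"ISSUE code to {self._channels[employee_id]} for {employee_id}")
        return code

    def verify_code(self, employee_id, presented, now=None):
        """Single-use check: the pending entry is consumed whether or not it matches."""
        now = time.time() if now is None else now
        entry = self._pending.pop(employee_id, None)
        if entry is None:
            self.audit_log.append(f"DENY verify: no pending code for {employee_id}")
            return False
        digest, expiry = entry
        if now > expiry:
            self.audit_log.append(f"DENY verify: code for {employee_id} expired")
            return False
        presented_digest = hashlib.sha256(presented.encode()).hexdigest()
        ok = hmac.compare_digest(digest, presented_digest)  # constant-time compare
        self.audit_log.append(f"{'OK' if ok else 'DENY'} verify for {employee_id}")
        return ok


def authorize_password_reset(verifier, employee_id, evidence, now=None):
    """Decide a reset request.

    `evidence` maps evidence type -> value supplied by the caller. Anything in
    COMPROMISED_KNOWLEDGE is logged and ignored; only a valid out-of-band code
    approves the request.
    """
    ignored = set(evidence) & COMPROMISED_KNOWLEDGE
    if ignored:
        verifier.audit_log.append(
            f"IGNORE {sorted(ignored)} for {employee_id}: not acceptable as proof of identity")
    code = evidence.get("out_of_band_code")
    if code is None:
        verifier.audit_log.append(f"DENY reset for {employee_id}: no out-of-band code")
        return False
    return verifier.verify_code(employee_id, code, now=now)


if __name__ == "__main__":
    # Constructed walk-through: a caller armed only with breached data is refused,
    # while the real employee completes the reset with the delivered code.
    v = OutOfBandVerifier({"e1001": "+1-555-0100 (enrolled phone)"})
    print(authorize_password_reset(v, "e1001", {"ssn": "123-45-6789", "first_car": "Civic"}))
    delivered = v.issue_code("e1001")
    print(authorize_password_reset(v, "e1001", {"out_of_band_code": delivered}))
    print("\n".join(v.audit_log))
```

The design choice worth noting is that the knowledge answers are not merely down-weighted but ignored outright, so an attacker holding a complete breached record gains nothing from reciting it; the only path to approval runs through a channel enrolled before the request, and each code is consumed on first use and expires on its own.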