Centralized Banking and Credit is Fundamentally Insecure

Let’s start with the basic facts: in a recent security breach at Equifax, 143 million people’s personal information, including full names, unobfuscated social security numbers, addresses, and other identifying information is now for sale for whoever wants to pay the most bitcoin to get ahold of it. Regardless of the individual mistakes that led to this particular breach, such a wide-reaching leak of personal information was inevitable, given our trend towards centralization of our credit providers and banks and the apparent growing desire by businesses to gather a massive amount of personal information in a central location.

One of the main services that Equifax and other consumer credit agencies provide is an aggregation of all your payment arrangements and whether or not you make those payments on time. This, combined with other personal data such as your employment history, income and debt ratio provides an overall measure of your creditworthiness. Lenders use this to determine if they want to lend you money, how much they are willing to lend, and at what interest rate. Lenders also use this information to verify that you are who you say you are when you apply for credit, which is problematic, to say the least.

Attempts to mitigate the damage from this breach have been...less than successful.

In order to provide this service, Equifax (and the other credit agencies) have chosen to gather a huge amount of personal information in one place. While historically, pre-Internet, this wasn’t too big a deal, in our current environment, this is a major problem, and one that can't be solved without reimagining our entire consumer credit system.

Our System is Broken Top to Bottom

It’s a key axiom of computer security that attackers always have the advantage. As the defender, I have to secure a million possible vulnerabilities, whereas the attacker only has to find the one vulnerability that I missed. What this means is that it’s basically impossible to prevent attackers from getting into secured systems, in the long run. But the problem is that we are now “overcentralized,” to the point that individual companies have data on nearly every citizen in a country, and they often keep this data in a central location for convenience.

As in Europe before World War I, savvy observers could see the disaster coming, just by following current events and working out the consequences. Attackers will eventually get into a system, and that system will likely have information about lots of people in it. This is because businesses want to data mine information about all their customers, because they like shiny reports in their Powerpoints, and because someone in management needs a detailed analysis tomorrow.

Because of the trends towards aggregation and data mining, every new breach is always the “biggest ever,” and more and more people are affected by multiple breaches. Despite the cost of the bad press, the statutory penalties and the lawsuits, the benefit and business value of aggregating this data still wins. In the case of Equifax, aggregating this data is literally the reason the company exists.

I hope this trend towards mass data aggregation reverses here (or at least stops accelerating), and I believe that this particular security breach is a bellwether for an future reboot of our entire consumer banking and credit system.

With the information that’s out there now our current system, at least in the US, is completely broken, because the information that is used to verify and grant consumers credit is wholly compromised. For starters:

1. The stolen data is nearly all the information needed to open new accounts in your name, or to potentially “recover” access to your existing accounts. This is because, as we mentioned above, lenders use information from your credit report to verify that you are who you say you are. If you haven’t taken the time or had the need to create an individual security PIN with many of your service providers and banks, this is likely all the information that is needed to get access to your account.
2. This information cannot be easily revoked, if at all. The criteria needed to get a new social security number are fairly restrictive. Unlike a credit card number or a password which can be cancelled or changed, your social security number is basically fixed from birth until death. Other facts used for verification such as when you applied for a mortgage or where you lived on a specific date are similarly unchangeable and cannot be revoked.
3. This information will never go out of date (at least until all the people in the dataset are dead). 30 years from now, attackers could still be using this data to open new accounts, barring a major change in how our consumer credit industry works.

Despite these facts, many people still don’t recognize just how broken our current system is, which means, like World War I, this will drag on far longer than it needs to and will result in many pointless casualties. While there are lots of half-measures that will no doubt be proposed and implemented such as fraud alerts, security monitoring, weakish-two-factor authentication and so forth, these only serve to mitigate the fallout from the fundamentally poor decision of having all this data centralized in the first place.

Actual live footage of Equifax headquarters. Your social security number is in there somewhere.

Blockchain Save Us!

The solution, then, is to not gather all this information is one place to begin with. We can never win the battle against a determined attacker, so we have to remove the target. No one is interested in buying just one person’s account information, and by decentralizing this information, you will remove the economies of scale that so greatly tip in favor of the attackers. The best, perhaps only, technology we have for decentralizing this type of information is blockchain, which is just one of many reason why I’m so excited about the sector as a whole.

Imagine a blockchain implementation of your credit history where every bill you pay or payment contract you enter into is stored in an entry the chain. Your payments aren’t necessarily made in cryptocurrency, but ledger entries are created there for each payment and contract. Your personal information is not there but the whole history of your creditworthiness is attached to your public key, which you can verify for a potential lender by publishing a signed transaction to the blockchain, using some random nonce data that they provide you. If you failed to make payment on an obligation, this would again be apparent from the blockchain, without the possibility of fraud or mistaken information being added to your report. The data stored in the blockchain is wholly anonymous, and only made personally identifiable off-chain when you reveal your association to the data to a potential lender.

When you wish to enter into a new credit agreement, your history is all there for the lender to see, and moreover there’s nothing there to steal.

Your private key is, as always, very important to secure, but this key is not stored centrally, eliminating the incentive for an attacker to go after a single big target. You keep it at home, hopefully offline entirely.

This all sounds great, why aren’t we moving to a system like this yesterday? While there are no doubt many teams working on all manner of blockchain solutions for this problem, there are non-trivial challenges for consumers and lenders alike:

1. Blockchain is really pretty difficult to understand unless you have something approaching an undergraduate-level education in math and/or computer science. Helping consumers understand why something is better when it’s harder to use is a difficult task. And have no doubt, even the best blockchain-based implementation of this type of technology will be more complicated for the end user and require them to secure a new piece of data, which people are really bad at. Firms would arise to manage keys and secure data for end users, leading to a new prime target for data breach, thus defeating the whole purpose of decentralization.
2. The economic incentives still favor centralization. There’s no additional money for credit agencies in a decentralized consumer credit system, so it probably falls to the lenders to implement such a system, since credit agencies have little to no incentive to do so, currently. The cost needs to be low enough that it is a net gain over paying credit agencies for credit reports. Additionally, fees need to be high enough for miners to have an economic incentive to mine new blocks. Otherwise the whole chain is at risk of takeover by malicious entities.
3. Humans make mistakes, and mistakes are difficult to rollback on the blockchain. Think about how many times you’ve replied to the wrong email, messaged the wrong person or sent an email without adding an attachment that you meant to. Signing the wrong payment agreement or transaction would create a permanent entry in your credit history, and scams would no doubt be prevalent. There’s no central authority to appeal to, so if you accidentally enter into a payment agreement with a Nigerian prince, there’s little recourse. A layer of trust management/reputation score on top of the transaction blockchain would probably help out a lot in this case. Not all payees and lenders are equally reputable, nor are all borrowers.
4. Migration of existing credit histories to a blockchain based model is non-trivial, and attempts to decentralize this data may, ironically, fall victim to a form of centralization, since this data would initially flow through relatively few lenders and banks, giving these agencies a lot of control over the initial blockchain conditions.
5. Lenders could track your subsequent transactions after you have applied with them, as they now know the association between your public key and your real-world identity. Ideally we would want to prevent them from storing this data, but if they do store this data, after the inevitable data breach, these associations could be made public.
   This would be bad, of course, but there are ways we could mitigate it, for example, by encrypting key rollovers and only having the existence and details of a rollover be made decryptable in the context of a credit check, when you are providing the necessary decryption key(s). After a credit check, we could always rollover to a new key, broadcast the rollover as encrypted data and then all new transactions would be on the new key. The association between the old and new keys is timestamped and hashed on the blockchain, but only decrypted when you choose to do so.
6. Potential borrowers could choose to just leave off portions of their credit history that are bad. They could declare bankruptcy, abandon their keypair and create a new one and move on with a clean bill of credit. This is obviously bad as well, but it’s possible that we could create an economic incentive that would discourage this type of behavior, making creating new accounts like this expensive in some sense. A social trust/reputation system would be valuable here as well.

Despite these challenges, I truly believe that a similar decentralized system is in our future, perhaps sooner than we think, although maybe not soon enough. The risk of going forward as we have in the past is higher than it has ever been, and the technologies are there to take us to a more secure decentralized future. But we have to be willing to take the leap, forget what we think we know and embrace these new technologies, even if they feel risky, because where we’re standing right now is even worse.