By Brian Barrett for WIRED.
(Getty Images)
YOU ALREADY KNOW that identity theft could happen to you. You're never more than a few headlines away from another wide-scale hack. But what are you supposed to do with that knowledge? According to a new service called Civic, the answer is simple: track your Social Security number.
Civic, which bills itself as an "identity protection network" and launches in beta today, hinges on a simple enough premise: If your Social Security number is used, you'll get a push notification. That's about it. "We think the way you secure information is not by keeping information private, it's about being able to follow its use," says Civic co-founder and CEO Vinny Lingham.
Civic is free, and if you sign up you get $1 million of identity theft insurance for as long as you use the app. There's an always-open help line if you get in an identity theft quagmire. And if the company where the fraud occurred pays to partner with Civic, you'll have the option to cancel transactions before they go through. That last part is how Civic is planning to pay its bills.
"At the end of the day, the companies are losing the money," says Lingham. "When [an ID thief] walks out of the store with a new laptop computer, the company has lost money. The insurance may pay out, but the premiums go up more and more." As fraud victims, the year or two of fraud protections that many companies offers isn't sufficient, Lingham says, given that it can take years for their information to surface on the dark web. Very recent history backs him up; a 2013 MySpace hack surfaced just a few weeks ago, putting the information from 360 million accounts on the black market.
It's an interesting idea, and using the Social Security number, specifically, should help with the most financially devastating attacks, those involving bank accounts and mobile carriers. (Recently, hackers used the last four digits of activist DeRay McKesson's Social Security number to compromise his AT&T account and, from there, his Twitter).
But the idea also invites a few questions. Many of the large-scale hacks of recent years have involved passwords, some personal information, and occasionally credit card numbers, but Social Security numbers are less frequently compromised. Lingham counters that a "decent hacker" can match up that info with Social Security numbers in a matter of minutes. "If I get your personal information, I can pay for a file of people with similar names to you," he says.
It's also unclear how effective Civic will be in these early days. It relies on third-party partners to match up information with, and currently has three on board: Onfido and GoodHire, two startups that facilitate background checks, and TransUnion, which can alert users when changes occur to their credit report. That covers decent ground, but it's not comprehensive, especially when one of Civic's most useful features--approving or denying transactions in real-time--depends on buy-in from wherever that transaction is taking place. Civic could, in this way, create a false sense of security. However robust its protective powers may be, its scope, at least for now, is fairly narrow.
Lingham notes that Civic's million-dollar ID theft insurance should make up for any unease about its early effectiveness, and that more partners will be coming soon.
There's also the matter of Civic's security. A service that collects people's Social Security numbers to protect them from hacks surely becomes a prime target for those very hackers. Lingham says Civic uses "best in breed security practices," including a hashing algorithm to obscure actual digits. Here, too, Lingham urges patience, promising a "quantum leap" in data security is coming through the pipeline.
That seems emblematic of Civic as a whole. It's a smart idea, with lots of potential to make people's digital lives much more secure. It's just going to need some time to prove that it can fulfill it.
More from Wired:
