The learned helplessness of Equifax

Is there a formal name for the fallacy of assuming that the status quo is sane? Such a name would become more useful with each passing year. There are a shocking number of examples, but I give you, as a perfect, vivid, front-of-mind example, the credit rating system of the United States of America, as exemplified by that radioactive disaster of a company called Equifax.

It is well understood by every adult American that you must keep your nine-digit Social Security Number absolutely secret, lest someone use it to open accounts in your name and ransack your name, your credit, and your sacred honor. There is a real learned helplessness to this: Americans just take it for granted that this is the way things work, it is the way things have always worked, it is the way things always will work. If your SSN and a few personal details get hacked, as with Equifax, apparently because it negligently left its server software unpatched for two months — that’s it, you’re screwed.

This is, of course, completely insane.

“But what else could we do?” you might ask. “It’s not realistic for credit rating companies, the grimdark apotheosis of surveillance capitalism, to actually verify someone’s identity before someone opens a new account in their name. Not if that someone has their social security number! What else could possibly be done?”

What if I told you that the credit rating companies already had a system to verify identities before opening new accounts — but, because this would be a minor inconvenience, and a drag on their profits, they only allow this status to last for 90 days for any given account unless a police report can be filed, and furthermore, while they may claim that they’ll do this, it’s not actually a legal requirement? From a Krebs on Security piece from 2015 (as ever, Krebs is two years ahead of the zeitgeist):

With a fraud alert on your credit file, lenders or service providers should not grant credit in your name without first contacting you to obtain your approval — by phone or whatever other method you specify when you apply for the fraud alert … Fraud alerts only last for 90 days, although you can renew them as often as you like. More importantly, while lenders and service providers are supposed to seek and obtain your approval before granting credit in your name if you have a fraud alert on your file, they’re not legally required to do this.

That’s right: a solution to the ongoing insane catastrophe which is the American credit system already exists. The infrastructure and process for it are already in place. But thanks to regulatory capture, an inability to understand the scale of data hacks that modern technology enables, or sheer incompetence, it only exists as a case-by-case, opt-in, short-term solution.

Obviously everybody should have this verification — “two-factor authentication,” if you will — turned on and kept on. This would not be a panacea, of course. Security hipsters will loudly protest that phones and email are terrible second authentication factors that no one should even consider using. Phone and email are not ideal, but the point is, universalizing this existing solution would hugely improve matters for a relatively trivial cost.

If you want long-term ideal 2FA, decentralized blockchain solutions, etc., more power to you! Build it and try to get it adopted! But this is something we could do today to immediately mitigate, if not outright eliminate, a huge swathe of an ongoing disaster, while waiting for an even better long-term solution.

The current credit-rating system is insane. But it gets even worse: the current system actually already contains its own solution. It is staring us in the face. All we have to do is flick the switch to turn it on. Alas, I have little to no hope that we will actually do this, because our larger socioeconomic system, which contains the credit system, does not seem particularly rational these days either. What’s the name of that fallacy again? Because are we ever going to need it in the years to come.