Why are identifiers being treated as passwords? It's 2017 and my mind is boggled that we continue to use SSNs and thumbprints as passwords. These are more akin to usernames. Why is our most important information not protected by passwords, or better yet, 2 factor authentication?
If I try to spend $1000 on my credit card at IKEA, my bank usually calls me to confirm the transaction. However, we don't have such a system when handling our most important information? Why is this allowed to happen? How many people have to be damaged before they stop watching Tom Brady throw touchdowns and get out there to make a difference?
> If I try to spend $1000 on my credit card at IKEA, my bank usually calls me to confirm the transaction. However, we don't have such a system when handling our most important information? Why is this allowed to happen?
It's allowed to happen for the same reason the US uses credit cards without PIN numbers - a lack of desire to spend money on security/upgrades (it's easier to pass on the cost of fraud via the transaction fees), a weak regulatory structure for protecting consumers, a glacial rate of technology adoption in banking systems, and ignorance/unwillingness to evolve by customers/businesses/executives etc.
Don't forget the odd US anti-fed/anti-state bent which led to your identity being smeared across thousands of untrustable private companies linked through something never originally intended as an identification token (SSN) but having become one for the sole reason of being nigh-universal.
Had the US implemented a proper citizen's registry it could be managed as that with all the security and personal details isolation that entails, including but not limited to biometric and chipped ID cards.
The sane. Frankly people who use this kind of language to insist that the only way to achieve this is through the state are just looking for excuses to be mean to people who don't trust the state.
We've had public key infrastructure for a long time, we have also had legal attestation; the reason we don't use these things to secure this information is that nobody cares.
When the state does it, you get breaches, but nobody gets all that upset. Just look at what happened with the data breach and subsequent coverup in Sweden. One person had half a month's salary docked, and that was it.
It isn't that nobody cares. Many people definitely care. Maybe not everybody cares, and maybe even among those that do there's only some subset that's actually capable of proposing effective solutions to the problem. But I know plenty of normal everyday people outside the techsphere who would prefer if data privacy and authentication worked better and are scared by data breaches like this.
The apathy is really more of a practical matter -- they don't feel like they understand the problem or know how to solve it, and they don't feel like they'd have the power to do something even if they did.
They correctly realize that we don't have a system where entities like Equifax are accountable to individuals that care. The only way you'd get that accountability is through some kind of collective action.
Same thing is true for widespread adoption of PKI-based schemes. Saying "nobody cares" is about as true as saying nobody cares if the oil in their car gets changed -- they don't want to have to pay attention, they don't want to invest in understanding/adopting, and maybe rightly so because there's so damn much that already requires attention. But you might get adoption among private institutions that matter by some kind of legal policy.
A state-run identity registry and authentication solution isn't the only way, to be sure, and I think it's a weird shibboleth in the context of a democratic republic run by elected representatives, but since it's not the only solution, nobody needs to die on that hill.
But by the time you're talking about society-wide improvements that address the relevant problems, you're almost certainly going to be invoking government-like powers. The issue you've discovered here isn't about who/how many people care, it's about one of the limits of market-like institutions to transform some forms of concern into effective action. Something even for people who don't trust the state to think about.*
(Also: "people who use this kind of language to insist that the only way to achieve this is through the state are just looking for excuses to be mean to people who don't trust the state" deserves an eye roll so hard. It's manifestly true that there are people out there who enjoy trolling, but the idea that's the only possible motivation is a non-starter and not a good way to indicate you yourself are approaching a conversation in good faith.)
(* I also don't trust the state, just like I don't trust many forms of private power. But it turns out both can be situationally useful and beneficial if you can get the balance right.)
> Also: "people who use this kind of language to insist that the only way to achieve this is through the state are just looking for excuses to be mean to people who don't trust the state" deserves an eye roll so hard.
You can roll your eyes all you want, but there are valid historical reasons for being concerned about the extent and disposition of the data that a government collects on its citizens or subjects.
Corporations didn't intentionally kill 100 million of their own customers in the last century alone. It took governments to do that.
Me. The less sensitive information on me that is centralized, the better for my privacy and security, as very clearly demonstrated by this leak.
If you think Equifax's security is bad, wait until you see what it's like at any government agency that doesn't explicitly focus on security.
It's also pretty unlikely that a credit bureau decides to use vast stores of personal information to prosecute people, but governments have done this several times throughout history, perhaps most notably during WWII.
I like to think that fewer try to hack US government services because of the consequences. Attempting to do so would get a black hat chased after by multiple three-letter agencies.
I'm sure the FBI is looking into the Equifax breach but not as hard as if someone breached the Social Security Administration.
> The less sensitive information on me that is centralized, the better for my privacy and security
This is interesting. I don't agree or disagree with it; I'm not informed enough to stake a position. But as a thought experiment, if we took it as given that any information a given entity tried to keep secure will eventually be revealed publicly, what kind of security infrastructure would we end up with?
A highly de-centralized one, with information joined together across services only after authentication, authorization, and a lot of artificial identifiers. Or at least, in a context where the people driving product decisions place a high priority on security.
In reality, we're in the world you hypothesize right now. Centralization is really convenient for a lot of uses, and security advocates are rarely in a position to impose the kind of privacy controls the rest of us might like. And the average people who buy services LOVE the convenience enabled by centralization - until there's a breach, and they disapprove for a few days.
"Real-name" identity services inherently need to know and store a great deal of identifying information. It's also naive to assume that the government would stop at a straightforward oauth service. They are going to add request tracking (if they don't have it already), background check data, etc. It's too politically and practically appealing to leave it even as privacy-preserving as, say, google oauth (which is a pretty low bar already).
Evangelicals. They believe any sort of government-issued identifier is synonymous with the biblical 'number of the beast' and a step towards biblical Armageddon.
Seems to me we got both pervasive state tracking capabilities AND poorly secured private systems too.
And it's interesting to note that the use of an identifier like the SSN spread not because its wide use was mandated (in fact, it spread despite being discouraged) but because it turns out organizations both public and private have the same incentives that drive them to want increased legibility throughout their systems through such an identifier. And most individuals also have a motive to want them to be able to positively identify and authenticate them (and negatively rule out imposters).
It's almost like it'd make a good utility, though that's not the only possible solution.
And the anti-govt bent is odd for at least two reasons: in a democratic republic with an elected representative government, it's pretty weird to treat the feds as a hostile occupying power. And two, even among those that do, their opposition often seems to have a cargo-cult focus on certain lines as tokens of liberty (firearms, national ID, taxes) rather than frequent demonstrations of insight about the balance between having a useful federal apparatus and different ways that it can be (and is!) limited and checked.
> in a democratic republic with an elected representative government, it's pretty weird to treat the feds as a hostile occupying power.
But that's exactly our ethos and, I think, our major problem. We believe the gov't doesn't work, so fight hard to make sure it doesn't work, then sure enough, when you need it to do its job, it can't, and so it reinforces the negative loop.
It's probably why we're at where we are now where a large percentage of the voting age population didn't vote on two candidates no one really wanted to run a gov't while ceding most of our representatives to the power of the corporate world, rather than the people actually being able to hold them accountable. But that gets even more off-topic.
Sorry. And thanks for the very cogent statement vs my ramble.
>>> And the anti-govt bent is odd for at least two reasons: in a democratic republic with an elected representative government, it's pretty weird to treat the feds as a hostile
You don't explain why you think the sentiment "is weird". Maybe you have never been the target of repression so congratulations.
Government officials with lists are potentially very effective ashes-creators:
Ironically, at most companies that use SSNs for ID, someone impersonating you usually doesn't even need to know your full SSN; just the last 4 digits will do.
It's not ironic, it's exactly what I pointed out: for lack of a proper universal secure ID, people (including the federal government itself) started using the improper insecure one which was there as it was universal enough for most purposes.
The chip implementation in the US provides zero incremental security. It was done as part of a liability struggle between shops and credit card providers, not to improve your life.
I wouldn't say it provides NO incremental security, EMV defeats skimmers which is a pretty big issue - but until everywhere has it deployed and magstrips are no more we're still in a phase where the benefits are partial at best.
Sigh. You have to deploy the new stuff before getting rid of the old stuff. If everyone had this impatient attitude, instead of taking many years to improve credit card security it wouldn't happen at all.
I made a statement of fact. I'm making no normative claims, I'm describing reality. At this point in time, there is zero additional security provided by the implementation. Am I supposed to ignore reality and lie about it, because someday things will be better?
Saying "For now, there is zero incremental security" would be better. But it's not really zero since it protects against credit card cloning at a particular point of sale.
Eh. Humans don't generally qualify their statements that way when informally describing things. "Did Bob graduate college?" "His educational background may improve in the future." If you want me to sound like a PR-bot, you can pay me to write copy for you.
> protects against credit card cloning at a particular point of sale
A sieve stops water from streaming through at particular points in the mesh, too.
Applying for jobs my senior year of college was such a pain because of this. Why is there so often no degree option for "I will have my degree very soon"?
I almost wish EMV-capable ATMs would stop holding the card captive until the magstripe is abolished. They're one of the best targets for skimmers, so only inserting the card partially would help deal with magstripe readers attached to the machine. It's increasingly rare I go to a store that doesn't have the chip reader or NFC enabled, but every ATM I use still insists on eating my card.
ANZ bank in Australia has actually started rolling out Contactless ATMs.
Which is great, as even with some chip ATMs you put the card in far enough for a magstripe skimmer to work in most cases (presumably so that they work with magstripe cards also).
Not the case for contactless!
(Of course here in Australia, Chip+Pin is Universal and Contactless is near-universal... I can use Apple Pay almost everywhere even small shops and have been able to for several years.. different story to much of the world)
Now the one thing that annoys me is that currently shops here, despite having separate customer-facing payment terminals (largely for PIN numbers), still sometimes operate on you handing your card to them - which is totally not necessary - especially in drive-throughs. This is getting less common with tap-to-pay using mobile phones, as people are (somewhat amusingly to me, given the value potential) hesitant to hand their phone to someone versus their actual card. I really wish merchants would strictly enforce not letting the shop assistants handle cards (at least, prompt before handling it; if someone really wants help I'm not against that, but I don't like the default expectation).
But I also realise this kind of thing is much more common in some places so your mileage and feelings may vary.
Even in Canada, where we’ve had the chip + pin for far longer, the ATM eats your card. After a certain amount of incorrect PIN attempts, or the bank flags the card, it will not release the card.
You can get the incremental security easily at home: swipe over your card with a strong magnet. Now card thieves (and you) can only use chip & PIN payments.
As a warning before trying this for real: most ATMs annoyingly check both the chip and magstripe, so you won't be able to get cash out even in countries where chip & PIN is widely used in payment terminals. Found out by carrying my cards in a phone case with a snap-close magnet.
Eventually banks are going to stop issuing cards with magstripes on them. But this will take years, until everyone has both on their cards and both readers in their terminals.
Even if they have newer terminals, they are still going to accept signature, so essentially there's zero security. The only way forward is to stop accepting the magnetic strip + signature altogether.
Are you sure about this? In Canada we've had chip-and-PIN for almost a decade now (2009 I believe?), and almost all merchants have chip-capable POS terminals.
(Yes, really! I don't know what the delay is in the US.)
These terminals still have a mag stripe reader, and our cards have mag stripes as well. But they're just for compatibility: if you try to use the mag stripe of a chip-capable card on a chip-capable terminal, it beeps at you angrily and tells you to use the chip.
Yeah, and if you just put some paint over the chip, it will beep 3 times and then let you use the signature, even for cards which are marked "electronic use only". It's a failsafe for situations when the chip is genuinely damaged: the terminal lets you sign for the transaction.
I have a Sam's Club credit card that has the chip & PIN feature. They state that the PIN is required when using it at Walmart and Sam's Club, but I have used it in other places and have had the transaction go through with or without a signature (the latter of which was for a purchase under $50).
Do the terminals have an order of preference in terms of what's required for payment? For instance, try chip+PIN first, then try chip+signature, then try mag stripe+signature? If that's the case, then I don't see why all stores that have chip readers won't start using chip+PIN as a first preference for payments with chip-enabled cards.
Chips have just become another salvo in an arms race between merchants/consumers and fraudsters. A chip card is more prized than a non-chip card, so the reward for capturing one is higher, so more work is justified in cracking into one.
That's because the US government doesn't provide a convenient and reliable way of proving physical identity. And that's mostly because the people don't want it.
Most countries have some form of universal photo ID, and a copy of it is usually required, along with a signature that matches. Not perfect but better than a simple number.
Some countries like Estonia include a cryptographic token in their ID, protected by a PIN. That's the 2 factor security you wanted.
But people in the US tend not to like the idea of government IDs. But when such a thing is needed, they use the closest thing they have, and that's the SSN.
That's because the US government doesn't provide a convenient and reliable way of proving physical identity.
And that's a Good Thing. Government should exist to protect property rights, provide rule of law, and maybe to enforce contracts. Managing everyone's identity is clearly not something that the State should be involved in.
It's not clear to me. Care to elaborate? Seems like a good thing to know how many citizens are in the country, for keeping track of voters if nothing else.
In Denmark we have a government sponsored two-factor authentication system linked to the Central Person Register or CPR number which every citizen gets assigned at birth. The two factor authentication is used for all communication with state and municipal and for all banking. Works quite nicely from my point of view. Makes a lot of things a lot easier.
How do you enforce such things without being able to identify and validate that the parties in the dispute are who they say they are? For example, how do you make sure that the crime ends up being recorded against the right John Smith?
The US government actually does have a convenient and reliable way of proving physical identity (a Green Card, for example, serves the purpose of identifying permanent residents); they've just declined to deploy it more widely.
US citizens can legally exist without any government identification or documentation whatsoever - no SSN, no birth certificate, no driver's license, no state ID, no nothing.
It deals with them the way the government dealt with such cases before government identification ever existed - who do you say you are, and who do other people say you are? Where do you and other people say you live?
In your example, in the modern age, "John Smith" would have an arrest mugshot to aid with identification. Whatever criminal records are kept would probably just have the missing information blank. It's not as if there's a big database of citizens with Felon? Y/N as one of the fields, making you run the risk of marking the wrong John Smith as a felon.
The world is a very messy place - the US system does an okay job of treating it as one.
I still have a paper driving certificate, and it is still legal (https://www.gov.uk/exchange-paper-driving-licence). I used it 2 days ago in Germany to hire a car. I have resisted "upgrading" to a photo driver's license because my address is still valid, and the photo driving license isn't (at least wasn't) valid without the paper extra anyway. If it ain't broke...
In reality I carry my passport in my briefcase because I both travel overseas fairly often, and visit customers where it is necessary to show a photo id and that is all I have.
As I recall, you may be required to report to a police station and show an ID or proof of identity if necessary - within a few days. But without evidence to the contrary (and subject to powers listed above for police), you are believed when you identify yourself.
Agreed. Any company worth its salt should allow me to authenticate myself purely cryptographically if I want to do so. This is easier, more secure, and more human-friendly than a centralized government ID registry.
Unfortunately, most companies aren't worth their salt.
And as is the case for every class action suit ever, some lawyers make a lot of money and everybody whose information was compromised by Equifax gets a check for 24 cents.
Honestly I don't mind too much. At this point I just want significant punishment for those who allow massive data leaks so there's a reasonable deterrent for other companies. Something needs to happen to make these executives take data security issues seriously.
"Worth more" in the sense that they probably charge more for it, but I doubt it would cost Equifax as much to provide that service as it would if they actually were forced to cough up real money.
They've already built out the infrastructure necessary for the monitoring product. The marginal cost of every additional person they add to it is probably quite low.
>Until Equifax and the like get sued out of business, Equifax and its shareholders won't feel the heat.
Equifax's breach might be deserving of it being sold to the government for pennies and having leadership reorganized (read: fired), but I don't think we can nuke it out of existence immediately. Primarily due to it being relied on by so many other banks and services.
Just like bikeshedding and risk perception decreasing near sources of catastrophic risk, never discount the powers of rationalization and cognitive dissonance.
Ultimately a major cause is that America doesn't have a national ID, PKI or 2FA systems. And, as such, there is the de-facto, cargo-cult tradition of ultimate reliance on inadequate systems designed for retirement pensions and drivers' licenses. People must give up the "states rights," delusions of privacy and other similar fallacies already and demand proper authenticated and authorized identity, banking and credit systems that require positive, possibly-interactive authorization to use details or complete transactions. Such tokens/documents could be physically enrolled/administered just like passports at USPS.
Because it's not a simple problem. If you ask me for a loan, how do I know who I'm loaning the money to, who will be accountable for paying it back to me? If we have no prior relationship, then there's no pre-existing password I can use to authenticate you. What's your solution?
A government provided security token of some sort, backed by a government database? A lot of people have all kinds of problems with those, from trusting government's intent, to their competency, to their security.
How would you implement 2FA without making your personal phone number publicly available for anyone to attempt to authenticate with? It's not the same as your bank calling you when you already have an account with them - we're talking about a new bank, who you have no relationship with, trying to call you to verify your identity.
A true public key system opens up each individual user to malicious spam. Given the current prevalence of phone, mail, and email spammers, such a system would create more problems than solve.
SSNs could technically be passwords. The problem then is that data servers need to not store SSNs in plaintext, but rather store hashes of them, just like passwords should not be stored in plaintext.
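One way to do what the comment above suggests, written here as an added example rather than code from the thread: store a salted, keyed hash of the SSN instead of the SSN itself, and verify a presented value against it. The pepper (a server-side secret kept outside the database), the PBKDF2 parameters and the sample SSN are my assumptions; the pepper matters because there are only about 10^9 possible SSNs, so a plain or merely salted hash of a stolen table could be recomputed from the table alone.

```python
"""Added example: storing SSNs the way password hashes are stored.

Assumptions (mine, not the thread's): 9-digit SSNs, a server-held secret
pepper that never lives in the database, PBKDF2-HMAC-SHA256 with a random
per-record salt, and constant-time comparison on verification.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")
PBKDF2_ITERATIONS = 100_000  # assumed work factor; tune for your hardware


@dataclass(frozen=True)
class SsnRecord:
    """What actually gets written to the database: salt + digest, no SSN."""
    salt: bytes
    digest: bytes


def normalize_ssn(ssn: str) -> str:
    """Accept '123-45-6789' or '123456789'; reject anything else."""
    if not SSN_RE.match(ssn):
        raise ValueError("not a 9-digit SSN")
    return ssn.replace("-", "")


def _derive(ssn: str, salt: bytes, pepper: bytes) -> bytes:
    # Mix in the pepper first via HMAC, then stretch with PBKDF2 and the
    # per-record salt. Without the pepper the digest cannot be recomputed,
    # which is what defeats enumeration of the small SSN space if the
    # table alone is stolen.
    keyed = hmac.new(pepper, ssn.encode(), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", keyed, salt, PBKDF2_ITERATIONS)


def store_ssn(ssn: str, pepper: bytes) -> SsnRecord:
    """Produce the record to persist; the plaintext SSN is discarded."""
    salt = os.urandom(16)
    return SsnRecord(salt, _derive(normalize_ssn(ssn), salt, pepper))


def verify_ssn(candidate: str, record: SsnRecord, pepper: bytes) -> bool:
    """True only if candidate matches the stored record under this pepper."""
    try:
        norm = normalize_ssn(candidate)
    except ValueError:
        return False
    return hmac.compare_digest(_derive(norm, record.salt, pepper), record.digest)


if __name__ == "__main__":
    # Constructed demo values; a real pepper comes from a KMS/HSM or
    # environment secret, never from the same database as the records.
    demo_pepper = os.urandom(32)
    rec = store_ssn("123-45-6789", demo_pepper)
    print(verify_ssn("123456789", rec, demo_pepper))    # True
    print(verify_ssn("123-45-6780", rec, demo_pepper))  # False
```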
SSNs are not even supposed to be used as identifiers in the first place -- that it is being used as the key identifier to determine your creditworthiness is already mind-boggling.
I've been saying for a long time. Companies that store sensitive information should be required to insure it. Want my SSN for some inane reason? 5 million^H^H^H^H^H^H^H^H^H 500k dollar insurance policy on each one. Seem excessive? Better buckle down on security or better yet not store extremely sensitive and damaging information for arbitrary reasons. There is literally zero reason or consequences for any company to care about security right now.
I understand the emotional appeal of overselling the problem, but you'd get much better response with a $50K insurance policy than an obviously absurd $5M. Even $50K is sort of generous and probably generally more towards the worst case end of identity theft than the average case. It is plainly obvious to everyone that when Bob the upstanding middle class guy is hit by identity theft that Bob may experience great loss of money and time from his point of view, but that identity theft was not the one thing standing between Bob and $5M.
At scale $50K still adds up to a lot, and we'd probably have to cap it some other way too because at-scale breaches don't add up that far, because the system does in fact react to them. This particular breach would be a seven trillion dollar payout if we don't cap it, and the simple reality is that this breach, no matter how much pain it may eventually cause us, is not going to cause anywhere near seven trillion dollar's worth of damage to consumers, or the economy, or anything else. But $50K makes sense for isolated cases that don't get a coordinated response.
Why would you cap punitive damages? Sure, it won't be collected, but that's okay--this sort of failure should destroy a company that betrayed the societal trust. It should be a smoking crater when all is said and done.
We should go one step further and just terminate consumers that use companies that don't have good security. That way it will never happen again for sure.
I can get on board with this as soon as you figure out a way to require security training for the masses as opposed to the handful in charge of security.
If you get it to work, we can then proceed to get rid of police departments.
Not the person you replied to, but while I see your point, there should not be a cap, to prevent companies from taking consumer trust for granted, especially at the scale and magnitude of companies that handle almost all Americans' information. If a person's SSN, which is pretty much a key to screwing up that person's financial life, is not worth protecting correctly by these companies, these companies should be financially screwed too. In the current state, will Equifax be held liable for any identity theft that occurs from this breach?
I think we can probably all find a cap somewhere south of 1/3rd of the 2016 United States GDP for a single breach.
I mean, really, once you get past the amount of assets that Apple holds, it's all the same penalty anyhow: Instant corporate bankruptcy. Arguing about whether we penalize a company trillions of dollars or quadrillions of dollars is not really an argument.
That's when insurance companies make premiums depend on your security. E.g. (some (our)) home insurance premiums depend on the quality of your lock, etc. It's a case of let the market sort it out.
The Social Security Administration could make everyone's SSN public[1] immediately and then we could watch the entire credit industry scramble. Probably not a good idea without a reasonable alternative already in place but I think a certain amount of grim satisfaction would be gained in seeing the issue forced.
[1]: But unfortunately they may be constrained by the aforementioned Privacy Act of 1974.
I honestly can't tell if you're arguing for or against the blockchain here, but regardless, I think you've misunderstood my comment because I left off the /s tag.
It is a mistake and perhaps Pollyanna-ish to believe a governmental entity has not and cannot exert control over a blockchain ledger system of any kind either by means of protocol or other methods.
In any case, I find it highly unlikely blockchains will not be implemented by various governmental agencies. As a store of auditable data, they would certainly be more trustworthy than some papers filed away somewhere or in some given database.
This isn't realistic. The cost would be astronomical for a $5MM insurance policy on each user. Further, no matter how seriously you take security there's always a chance, even if a minimal one, that a hack happens. So, for example, if you were a bank and had 100,000 members and you had their SSNs and were hacked, you're talking about a possible $500B settlement. The bank wouldn't take out such a policy due to cost, and no underwriter would grant it because it would put the company out of business.
Clear regulations with legal penalties and regular audits for companies that hold information like SSNs.
Maybe this would lead to a rise in secure storage firms that actually do their job with this so small outfits like employers could continue to identify employees without having to actually have a SSN in the database.
Is the government going to do those? It doesn't seem to be able to do that sort of thing now. How will the government gain the resources, the capability?
The government inspects buildings, food, a number of things. Somewhat capably. For the record I'm not a big proponent of more government. But something needs to be done about companies irresponsibly holding personal information at this level.
I'm not against government regulations or government inspections, but it seems to me the government is mainly good at passing laws and regulations it cannot or will not enforce.
I don't see the government doing a good job of regulation enforcement.
Sometimes it's corrupt (e.g. building inspection approvals in Los Angeles, where I live, have sometimes required side payments to the inspectors).
Another commenter, who now deleted the comment, said:
"There's a 44% chance you were affected, but a 100% chance you waive your right to be in a class action lawsuit if you enroll in their ID protection."
I thought it was a good comment, but I wonder if it matters.
How much would you get? I have been a member of these class action lawsuits before, and I get, like, $3 for my troubles at the end of the day, so I never claim the prize because it's another database where my SSN would be stored and stolen from.
I think the best is to freeze your credit report and deal with the troubles of having to unfreeze it when you need a loan.
If there are expert people from the Fin Svc industry here, is the above correct? Is freeze pretty much the only reasonable action now to protect ourselves?
Saying it's a 44% chance you're affected is really skewing things away from how severe they really are. At least 22% of Americans are under 18. There are actually 167 million Americans who own one or more credit cards, so this actually affects 86% of all US credit card holders.
Not to shamelessly promote, but as soon as this broke yesterday I brought this to the attention of my firm and we filed I believe this morning.
Could you guys push for free credit freezes and unfreezes going forward instead of some sorta ridiculously small monetary comp. It should be free at all bureaus, with Equifax picking up the bill for unfreezing and freezing at the other two.
And. Make it possible to do the process online for all three credit reporting agencies (one of them still requires a phone call). Having to pay and spend at least 20 minutes on the phone to lift your credit freeze is just ridiculous.
Better yet, let's do away with credit reporting agencies. Why should any oligopoly or, indeed, any non-government entity be allowed to have the power to cause so much harm to us with effectively no accountability?
Glad filings are being made already, I wonder if it will be possible for someone to also seek relief/guidance for individuals checking to see if they were breached on trustedidpremier.com and may be inadvertently waiving their rights to class action suits and instead being forced into individual arbitration.
Based on the fact their privacy policy and terms of service were just updated on Sep 6, this seems pretty blatant. Browsewrap agreements haven't held up in most cases, but having the arbitration clause at the very beginning seems to be the point of the entire thing. Pushing a notice 41 days after a breach (just in time for the 45-day requirement in most states) and directing individuals to check if they are impacted, all while tricking them into waiving rights. Seems deceptive to me.
I was just making fun of the info highlighted in the press release. If I have it right, the Target breach affected 41 million people. Helping them put it in the rear view mirror for ~$10 million is quite a service.
That's how class actions work. The lawyers extract a fee from the perpetrator as protection against larger settlements/judgments.
Perp limits their downside, law firm gets paid, consumers are left holding the bag.
AFAIK, one of our attorneys was involved in 2 with Target, one for $10mil and one for $13mil. We're also involved with Home Depot and other data breach cases. The scope of those breaches is much smaller than this one, by the way.
To date, having been a participant in three - that I was notified of by email - I've netted about twenty bucks.
But I'm also not sure what the benefit of enrolling in their ID protection scheme is, given that the whole reason they're offering it is because they already gave it out to some rando on the internet.
It's rather like paying the schoolyard bully to stop taking your lunch money.
I've received $20.43 from the Perkins v. LinkedIn class action settlement. Personally, it's not about the money, but rather about trying to hold companies accountable for their actions.
Exactly. People complain about how the lawyers who managed the case (sometimes for years!) take most of the payout, but so long as the company's risk/reward math is tipped towards the safety of their customers I have no issue with not seeing much of the settlement.
>the lawyers who managed the case (sometimes for years!) take most of the payout
This meme is part of the problem. The lawyers take maybe a third of the settlement, after bearing most of the costs of litigation themselves, which they would still bear if they lost. It's high risk/high reward. Lowering the reward just means no lawyer will take the case.
There is a real issue where the incentives for the lawyers don't line up well with the interests of the class. The lawyers likely do pretty well if they settle a huge case for tens of millions and the main thing that happens for the class is they can't file a lawsuit anymore.
The financial penalty for the company is better than nothing, but it often isn't all that much and often doesn't do the class any real good either.
Part of the reason that is an issue is that they're settling for much smaller amounts because the cut they get is big. So you have some massive data breach cases settled for things like $10 million. That's not even punitive at that point for companies like Target.
In practice it seems it basically just winds up being a big payout for whoever actually filed.
> Personally, it's not about the money, but rather about trying to hold companies accountable for their actions.
I'm not entirely certain that a class action settlement is a sufficient deterrent; do the payouts typically hurt the company enough to not take some given risk again?
But didn't you have to provide your SSN to them? That would seem like a huge risk to give your SSN to some paralegal somewhere or some Wordpress plugin and MySQL unsecured database right?
This is a space where I think the id theft protection industry misses. A large chunk of the space revolves around the 3 bureaus, but there's a lot more to it than that.
A credit freeze is only effective if the entity using your information actually checks your credit/talks to the bureaus.
Tax fraud, healthcare fraud, shady car dealerships that don't care about your credit, buying a house where the seller 'holds the papers', etc, are all attack vectors that can be used with this sort of information.
A question that came up among my coworkers and I was: given the nature of the data that was accessed, don't the thieves already have all the info needed to unfreeze your credit?
When you freeze, they give you a PIN to unlock it. You can't unfreeze with just your hacked data alone. Of course, the PIN is probably in the next column over, so...
I don't know if it's still the case, but Virginia used to use your SSN as an ID. There was an opt-out for that, which I exercised about 25-30 years ago, so I don't know if that policy is still in place.
There was no mention made that unfreeze PINs were leaked. When you freeze your report with the three CRAs, you are given an unlock code or PIN needed to unfreeze it.
That's not clear from their help article about it [1], depending on what, in their definition, constitutes "proper identification forms":
"If you lose the PIN that was issued to you when you added the Security Freeze to your credit file, you may request a new one in writing. Please provide proof of identification, such as a copy of your driver's license, passport, birth certificate or other proper identification forms."
The point of a class action suit isn't really the individual gain; it's the pain it's supposed to make the corporation feel. Providing a free trial of their stupid credit monitoring service probably doesn't do that.
It matters a great deal, because the company is saying, in effect, "We will help you mitigate the consequences of our failure, but only if you indemnify us against being held accountable."
> you waive your right to be in a class action lawsuit if you enroll in their ID protection
Good luck to them trying to get that to hold in a court of law. Remember that it's ultimately a judge's decision on whether or not legalese like that has any real power.
I've been a member of many class action law suits. Often the payout is literally pennies, maybe dollars. But I have been a member of one class that received several thousand dollars from one suit. So it can happen, it's just rare.
I just used their "check if you've been compromised" tool on their crisis response site and they are using it not only as a notification service for potentially affected customers, but also as a lead generation tool for their TrustedID Premier service.
We need a new word, "chutzpah" isn't strong enough in this case.
If we're lucky, this will be the best leak of personal info ever.
The primacy of the SSN in American society is idiotic. It's a "secret" that you have to hand out to dozens of different organizations. I've long thought that we should phase this out by committing to publish all SSNs (and the associated info, obviously, so it's not just a list of most 9-digit numbers...) which would force all these companies to stop treating it as confidential.
The system is dumb and works poorly, but worked well enough that there was no impetus to fix it. Some people got affected by breaches, and it sucked for them, but it was always a small enough group that most people didn't care.
Now that a majority of people's "secret" info is no longer confidential, maybe they'll realize they can't rely on it anymore.
OK, the odds of this actually coming to pass are not great. But I can hope.
For anyone who wants an explanation of just how bad the social security number really is, this is the most enjoyable explanation for it I've seen, by CGP Grey.
Wow. Having an ID card seems so normal to me that I would never have thought that the US didn't have any. I've been to the US before and never even noticed. Thanks for the link.
There's a substantial faction of the American right wing which is vehemently opposed to any sort of national ID scheme. They don't want the government having a big database of all citizens. Strangely, these tend to be the same people who want to require photo ID to vote.
I hate to play the recently poisoned "both sides" argument, but it really is weirdly widely unpopular. The ACLU in particular is strongly opposed to a national ID system.
I say this as someone who would strongly support a federal mandatory national ID system (and the ACLU, generally)
In this particular case, I think the "both sides" argument may well have merit. Thanks for pointing that out. I really should just say a big chunk of Americans.
> There's a substantial faction of the American right wing which is vehemently opposed to any sort of national ID scheme.
Oh, I doubt it's a left-right thing. I'm pretty lefty these days, and I oppose a national ID. Some minority groups, like say Jewish folks, might carry bad connotations about putting everybody in a big database so we can keep track of (and categorize) them.
I believe the majority of these people would be against the Federal government requiring such an ID. They are likely fine with their local government, that they have more control over, handling such IDs which would be required for voting.
But, of course, there's not much preventing the local government from sharing the info with the Feds.
No, some of us would love for the government to have one in an ideal world, we just recognize that the US government that exists today is not competent enough to be trusted to run such a database. Just think about the topic we're discussing - do you really trust the US Department of Identity to not have breaches like this every year? The only difference is that we'd never hear about them.
One can dream that the state governments would be competent enough though. I feel like it wouldn't be that hard to make driver's licenses / state identification cards mandatory at the state level (fewer people to piss off).
This is not a right wing issue, it's an authoritarian vs libertarian issue. Plenty of people on every side don't trust the government and don't want to give it more power.
To be fair, I've traveled many places that require national ID cards, and yet never carried my passport on my person, in violation of local laws. And I've never had an issue.
It's something so unlikely to come up in day-to-day interactions that it's not really that important. I'm sure if I got stopped in, say, France, and had no passport to show, they wouldn't exactly lock me up on the spot, they'd find a way to accommodate me.
I still only have a really vague understanding of what happens if a cop in the US wants me to identify myself and I refuse. If I'm not suspected of a crime, obviously, I can just walk away. I'm not really sure what I'd do if I was arrested for cause and refused to identify myself.
Others have already chimed in here, but I honestly can't remember a CGP Grey video that I wasn't thoroughly entertained by, even when I already knew all of the facts presented.
For amusement's sake, I really enjoy his videos on geography, such as (his first video ever) this one on the UK (which I guess might need updating soon?):
There are a lot. I thought this one was really funny [0]. This one I found very interesting [1].
Somewhat different, is the Hello Internet [2] podcast, which is by Grey and Brady Haran who you might know from the Numberphile youtube channel [3]. It's basically the 2 of them chatting about random stuff, but I find it very entertaining.
Back when I started college, my SSN was my student ID number. It felt weird, of course. I think there was a change in the law soon after I started college, because it did soon get changed into a different number of the same length.
Later on, I did a brief stint working for the federal gov't. In that setting, they used the SSN as our employee IDs. It was on all the personnel forms, and often seen on "list of people in the department" spreadsheets. Of course in order to comply with some law, these forms would also have a footnote explaining why they needed the SSN.
From these experiences, I have a very hard time actually thinking of the SSN as the sort of "secure password" everyone else wants to insist that it is. Unfortunately, I'm not aware of an alternative.
If my SSN & other personal details get out, it's my problem. If the SSN & personal details of half the country leak out, it's somebody else's problem.
Whose I'm not sure, but it would seem like banks. At this point, virtually all potential credit applicant's details have been leaked, and I believe it's the banks that ultimately lose when they issue credit to a fraud. So if you're the bank, hopefully right about now you're starting to think you need a much better method to authenticate credit applicants.
Banks never lose. They just create a fee to pass it on, throw a party and hand out bonuses.
But... in this case, the overall cost may be high enough that there's a competitive advantage in not needing to charge this particular fee, and that will force the industry to do something about it. Maybe.
Banks are already charging all the fees they think they can while still remaining competitive. If they could have already charged another fee they would have.
If you don't mind me asking, because I'm genuinely curious how it works in other countries. Does your country have an equivalent of a 'credit score' like in the US, which would be used by financial institutions when they judge whether or not they can loan you money? If so, how is this score calculated, how does it aggregate all your financial information without a specific identifier, and how do you secure yourself from identity fraud/theft without having a 'secret' number to id yourself?
>If you don't mind me asking(...)how is this score calculated, how does it aggregate all your financial information without a specific identifier
We do have a specific identifier. Each person has an ID card, with an ID number. The ID number is not secret at all and is used for many things everywhere. By the way, we don't have anything like a "social security card". Even kids have this ID card; their parents can (and ought to) request one for each kid.
This ID number has nothing in common with your birthday or anything. It is mostly a sequential number.
All aggregations are done using this (unique) ID number. So financial companies submit payment data associated with your ID number, and later credit scores can be computed as well.
The difference with this ID number versus the SSN is that our ID number is not used as a password of any sort.
How do companies or government institutions check out if you are who you say you are? They can take a look at your ID card. And usually they do have fingerprint scanners and signature scanners to check against the government's central ID registry.
By the way, last year we issued the Electronic Id Card, this one has a security certificate (public-private key cryptography) associated with it, and each person chooses (and keeps secret) a password. This password never needs to be revealed to anyone. With this password one can do digital signatures of any document, etc.
> By the way, we don't have anything like a "social security card". Even kids have this ID card, their parents can (and ought to) request one for each kid.
Nowadays SSNs are generally issued at birth, particularly since the IRS wants one for each dependent listed on the tax return. I believe this has been the case for at least twenty or thirty years; certainly my card dates from when I was born.
> This ID number has nothing in common with your birthday or anything. It is mostly a sequential number.
If it's a sequential number requested near birth that would mean that most people with the same birthday have similar numbers, doesn't it?
> If it's a sequential number requested near birth that would mean that most people with the same birthday have similar numbers, doesn't it?
In practice it is not requested near birth. It is sequential to the time you asked for an ID card, so people who asked for one in the same timeframe get a close number.
It probably varies by country, but here you have a unique personal ID-number.
The first number denotes your sex, the next six numbers contain your birthday, and the next four numbers are assigned (probably? not certain) in order of births during that day. The last number acts as a checksum, allowing an immediate check for typos.
That ID number is public and allows government & any companies/organisations you show it to immediately verify that they are dealing with a specific person, instead of having to spend time figuring out which specific person named "John Smith" they are dealing with.
Having this number simply makes life quicker and more convenient. It also allows the removal of any pointless duplication of cards.
For some examples: the separate medical insurance card was discontinued; you can verify medical coverage by a simple number query. Same with driver's licences: they still exist in a separate physical form for foreign trips, but not inside the country.
There are no separate library cards, and I don't have to carry a separate card for my gym or various retailers.
I can verify myself online quickly and securely. I can digitally sign documents and contracts and email them.
Honestly, I'm having a hard time imagining my life without it.
I'm aware that all proposals for national identification methods in the US have failed thanks to fears of "mark of the beast" and big brother, but it seems pretty silly to me. All that data already exists and can be cross referenced. Making the average person waste more time and money by having such massive inefficiencies in the system seems rather silly in these times.
A personal primary key that's semipublic, and when you do a financial transaction the institution performs know-your-customer identification checks - checking photo ID (with key printed), that sort of thing.
Some even have federated systems where you can later ask the financial institution to hand out a 2FA crypto token that you can use to identify yourself to other institutions over the Internet without ever showing up in person.
Moreover, there is no actual need for credit reporting agencies to have SSNs. They don't need to report payments to the government for tax collection. SSNs didn't prevent credit reporting agencies from commingling my father's credit data with mine.
I think the bigger point is that companies like Equifax shouldn't be using ID numbers at all in the way that they rely on them. They use SSNs as a database ID crutch to keep from having to do the actual leg work of talking to people, verifying/reverifying the accuracy of their data, and basically doing the job people pay them to do.
Others on this thread have suggested that storing information that can cause me to incur a liability should require insurance against such a damage. I'm confident that with the right incentives in place, commerce will proceed without getting bogged down.
Agree. The best thing that can happen here is the entire 149 million gets published online somewhere - that will force change. Overnight, companies will have to stop assuming SSN is secret.
I agree - but this is going to get forgotten about in a month, Equifax's stock price will be back where it was in 6 months (or less) and everything will continue as before
He's right though, with any luck, the SSNs of a slew of politicians will be included in the data leak and then we may just get the ball rolling on change. Hopefully, this is the one that gets us moving.
If they do something like that in between elections, conservatives will flip.
The sentiment goes something like this:
- Conservatives gave up on minorities, historically stated that the less they vote, the better
- Conservatives push the narrative that voting fraud is a big problem, and that the liberals are doing it (many high profile members of Trump's family/cabinet are registered to vote in many states simultaneously)
- They push for Voter ID laws and push back against weekend voting days, as it makes it harder for hourly/poor/minority voters to show up and vote.
So it would probably be a great idea, but since conservatives consider non-white enfranchisement an existential threat to their cause, they'll probably scream "states' rights" and block it from happening.
This is truly low: Equifax gives the affected victims a "special offer" to protect their identities. In the fine print is a waiver to any class-action lawsuit.
OPM: Office of Personnel Management, where all the 'blackmail' files for cleared gov employees and contractors are stored, in addition to many other more mundane functions.
DoD: Department of Defense, but this also refers to contractors in places like Lockheed and other smaller contracting firms.
SF-86: Standard Form #86, the form that must be completed to gain any kind of clearance with the gov. These clearance processes can run into the $20k+ range, though not usually, as they have to send agents out to talk to people to verify the applicant.
The 2015 data breach of the OPM was a BIG deal in the security clearance world, as it seems all the blackmail files were stolen. A large issue was that the OPM worked on an entirely separate internet that the gov built, as in they had totally different wires and cables and everything, very expensive. How this happened is yet to be released AFAIK. Also, many people were trusting the gov with their darkest secrets, so as to be un-blackmail-able by others. Now, the gov is not so trustworthy and this then throws a huge wrench into all of the processes, including retention of employees and recruitment of new ones.
No worries! Thanks for putting this up. This Equifax issue is a big deal, for sure, but the OPM was too. In general, these breaches are just getting bigger and worse as time goes on. There has been a lot of talk about the CyberWar, and if there is one going on, it seems that the US is not winning it very well.
As part of the DoD I generated my SF 86 with e-QIP and sent it to my S2 but he needed the S1 to get some PII out of SIDPERS which required a DA 4187 to send to the G1 but I couldn't sign it with my CAC because the NIPR is down and the TACSAT is deadlined so for now my TS/SCI is MIA.
That's a very positive outlook. Maybe it was just the government's way of initiating a distributed file sharing service?
By strange coincidence, the missus was saying that she needed another drive to backup more photos. I told her she didn't need to, the NSA already has them archived. She did not see the humor.
This sort of reminds me of when Wells Fargo called me one day to tell me my card was compromised. I got on the phone with them only to find out it wasn't. Then they tried to hard upsell me on a pay by the month identity protection plan with a 6 month complimentary introductory period.
It seems like it's sort of in Equifax's interest for a breach to happen and have 144 million people freak out and then buy their $20/month service
Wells Fargo is the biggest mortgage servicer in the United States and you don't have a choice over who services your mortgage- mine was sold to Wells Fargo without my say. I could refinance but that comes with significant fees (>$1,000), I'd lose my amazing interest rate, and there is no guarantee it won't end up back in Wells Fargo's hands again.
Not all banks re-service mortgages. BB&T is known to keep servicing mortgages that they originate.[1]
Disclaimer: I have a mortgage through Wells Fargo (that was almost immediately re-serviced!), but I work for [redacted].
I don't disagree for a second there are some banks and credit unions that intend to service their mortgages but you don't know that will always be so. That's their policy now but it can change in the future and you have no control over it. Banks and credit unions are being bought and sold all the time.
The bank that held my parents' mortgage was acquired no less than four times between 1996-2012. In 2007 I got a credit card from my local credit union - right now it's being transitioned into a Bank of America credit card. The credit union still exists though; they sold their credit card division to another company which then was acquired by BoA. Funny thing is, several years after they sold their credit cards they decided to offer them again and create new ones.
First Tech bought out the HP Credit Union (Addison Avenue) and others so in some sense, it has acted as [mega credit union].
Beyond that, this question is an imponderable for me because who can say what the future brings vs. the present. I guess one can refinance with some other credit union were this to happen in the future in a manner that was not desirable for one's mortgage.
I dropped them around 2012 when every encounter with a teller turned into an upsell session. I now use credit unions (First Tech, for example) for banking. Also moved the mortgage over to the credit union since they promise to service it for the life of the loan.
For day to day financial services maybe. But for fixed APR mortgages? They are still very competitive, and if you are a member of certain groups, like veterans, even better.
I think $1000 is a lowball estimate for the per-person damage done by this breach. At $1000/head, they would be looking at $137B of liability with a market cap of $17B. Good.
How hard is it to opt-out of whatever class action settlement is offered, and take this to small claims court?
Anyone want to setup a website to automate the paperwork? I'd love to see a not-for-profit do this moving forward when things like this happen.
Consider the implications of this security breach if it's a state actor that did it. I'm going to throw out Russia as an example, but don't take that as me accusing them of doing it.
Cross reference financial information on millions of Americans with data breaches from Yahoo and LinkedIn, and the social graph data that's freely available from both, and you have a serious national security problem. It would be easy to search for employees with serious financial problems at any institution you wanted to target with either blackmail or further intrusions.
Consider the consequences if it is the same/cooperating state actors behind the 2015 OPM breach. At that point there would be mountains of blackmail data.
Anyone know roughly how useful this debug information is to would-be attackers?
> com.ibm.websphere.servlet.error.ServletErrorReport: com.ibm.ws.jsp.JspCoreException: Unable to convert string 'uiadmin' to class javax.el.ValueExpression for attribute basename: java.lang.IllegalArgumentException: Property Editor not registered with the PropertyEditorManager
>
> Caused by:
> com.ibm.ws.jsp.JspCoreException - Unable to convert string 'uiadmin' to class javax.el.ValueExpression for attribute basename: java.lang.IllegalArgumentException: Property Editor not registered with the PropertyEditorManager
It looks to me like it's choking on some sort of deserialization, which could lead to execution of EL code.
I'm not in netsec, but this looks pretty damning to me. The fact that I was able to go from "I have no idea how I'd begin to hit this" to "hey I wonder if I can hammer on this particular interface and see if I can get it to pop" makes me think this is reaaally not something you should be revealing, above and beyond the usual "don't show debug information to the outside world".
There still doesn't seem to exist the political will to do anything real about this, or to hold accountable in any real way the companies that leak. These stories happen pretty much every week now, often more than one a week. I think companies will continue not caring, simply do a blog post after they get owned about how sorry they are and then proceed with business as usual, unless that changes.
I don't think the issue is SSN, though it is absurd how we treat SSN as both an identifier and a secret at the same time. The problem is we don't really care when secret info gets leaked- even when it's actual secrets and not something sort-of-secret like SSNs.
I previously signed up for someone's free Identity Theft Protection service. After the free service was completed my account was charged around $9 per month until I noticed it and fixed it.
This link [0] tells you if they think you are affected (you probably are) and then asks if you want to sign up for protection which you don't have to do.
Why should I trust trustedidpremier dot com? Their whois info is a PO box, which isn't encouraging. And asking for the last 6 digits of my SS# is super-suspicious [Added:] because the remaining (first 3) digits, called the "area number", are generally discoverable, because they are more or less determined by the zip code of where you were born (if you're older than 6).
Equifax.com links to EquifaxSecurity2017.com, which links to TrustedIDPremier.com, but yeah, it looks like a phishing scam. OpenDNS even flagged it as such this morning.
Why they didn't go with a subdomain of Equifax.com is beyond me.
I registered. I figured my data is already exposed, so this is not incremental. I got a date in mid September, so I will see what to do next then. I figure I am already exposed anyway, and the protection will be needed.
Now, I wonder if it's best to DIY on the credit freeze thing. The only thing is that it appears that a freeze needs to be redone every few months.
A "fraud alert" is valid for only 90 days. A "security freeze" remains in place until you lift it with your PIN code, which is provided when you place the freeze.
It is really important to be aware that the duration of the freeze varies based on your state - it isn't always "until you lift it". I believe Pennsylvania is an example where it is a 7 year term.
This is crucial. I am concerned that #4 of the Terms of Use for this site does state that you give up your right to sue Equifax or join a class action lawsuit:
I clicked on the "Enroll" button before reading this (after giving my last name and six-digit social), and it told me to come back in a week to enroll. Now I'm wondering, did I just give up my rights?
Maybe. The TOS requires arbitration for disputes over the credit monitoring solution, but I don't read it as affecting suits over the breach itself. That said, IANAL.
> As used in this arbitration provision, the term "Claim" or "Claims" means any claim, dispute, or controversy between You and Us relating in any way to Your relationship with Equifax, including but not limited to any Claim arising from or relating to this Agreement, the Products or this Site, or any information You receive from Us, whether based on contract, statute, common law, regulation, ordinance, tort, or any other legal or equitable theory, regardless of what remedy is sought. This arbitration obligation extends to claims You may assert against Equifax’s parents, subsidiaries, affiliates, successors, assigns, employees, and agents. The term "Claim" shall have the broadest possible construction, except that it does not include any claim, dispute or controversy in which You contend that EIS violated the FCRA. Any claim, dispute, or controversy in which You contend that EIS violated the FCRA is not subject to this provision and shall not be resolved by arbitration.
Note the retroactive nature of the terms. Open question: does this indemnify the parent company? (A CNN story says it may not, but is not definite: money.cnn.com/2017/09/08/technology/equifax-monitoring-services/index.html)
No, you don't. Please point out where you think it says that.
I mean, let's think this through. You're not the only one that can read a contract and figure out this "scam". You think a NYT reporter can't do the same? And are you assuming Equifax thinks no one will figure it out? Because catching them pulling a stunt like that would probably make the front page.
Regardless, I may not be a lawyer, but the agreement doesn't say that.
Where's it say that? I read carefully, not carefully enough perhaps, but I just went back and I see no such mention. My enrollment date isn't until mid Sept anyway so is this something that comes up later?
Is that something Equifax set up in response to this breach? Like an idiot, I punched in my info and it said "yep, you're probably affected" but did I just give my information to Equifax or some scammer who's going to use that to scam me?
It's legit (you can follow the chain from the announcement on Equifax.com) but horrible practice. Should've been a subdomain - they're just training folks to fall for phishing scams this way.
That link didn't actually answer in the affirmative for me. It just dumped me into the enrollment workflow. It followed that with a message that my enrollment date would be next week and that I would receive no further reminders but I have to return on that day to complete enrollment.
For my spouse, your link answered that they weren't affected.
Of course not, that only contains public data breaches. Not only that but Equifax doesn't keep usernames and emails, it's names, addresses, credit cards, etc.
I don't own any credit cards and I do not use credit. Am I still at risk for having credit taken out in my name if I don't enroll in this "credit freeze" protection racket people keep mentioning?
Most people don't realize this, but credit checks are standard with many employment applications, apartment applications and utility connections (cell phones, electric, gas, etc).
You may not have an open line of credit, but by virtue of the fact that your SSN/PII was queried, it creates a stub profile in the database. Your SSN, address, license number, whatever you provided are now within potential scope of this leak-- you just have no credit associated with your identity.
Armed with the PII the fraudster can have gleaned from this leak, there's nothing stopping them from opening accounts in your name.
(FD: ex-employee. This is not a pitch in favor of their solutions, only an advisement that you should not assume you're safe.)
Apologies for my ignorance, but what is the best method of recourse here? If I need to freeze my credit by necessity of covering the asses of other credit companies whose bad security practices led to being hacked, I'll be damned if I will be paying any sort of fee to freeze my credit. That should be covered by Equifax.
I agree with your principles. Unfortunately I don't have a solution to recommend.
As with all cybersecurity incidents there are going to be a lot of vultures circling this mess, happy to Hoover up your money in exchange for nebulous "protection"-- but even Lifelock got hacked some years ago.
Paying for "credit protection" doesn't also address some of the other things fraudsters can do armed with your PII, such as filing and collecting fraudulent tax returns. Have fun sorting that out.
My own data was leaked. What am I doing? Admitting I'm fucked, refusing to feed the vultures, and for all else I have the number of a good attorney.
Yes. The issuing banks don't care if you get a low interest card or 25% per annum.
I have lived at my current address for 20+ years and still a bank issued a credit card for someone 3 states away ....
I have credit monitoring (not through Equifax, Transunion or the other one; 3rd party) due to an identity breach through Blue Cross a few years ago.
The credit monitoring alerted me that the bank issued a credit card 3 states away. That 3-way call between the monitoring agency, myself and the issuing bank was interesting.
Since I don't participate in the credit market, have no affiliation with any bank and do not affiliate with any credit reporting agency, I see absolutely no reason that I should have to pay into this protection racket to cover their asses. I don't even know how to do this credit freeze thing and have no interest in learning for the next foreseeable couple of years, until I have money worth investing in something.
And what about all of those who are homeless, have no internet/phone access, live in the wilderness, etc? What's to stop them from re-entering society in 10 years only to discover they have a massive amount of debt?
There must be some way for me to exclude myself from this market, from the woefully inadequate security practices of our financial system, without paying a "protection". If there isn't, I would sooner spend thousands on a lawsuit than I would tuck my tail between my legs and pay up.
I'd like to look into this 3rd party agency you mentioned, if you don't mind sharing the name.
(my .02; just because you want to exclude yourself doesn't mean that you can avoid the fallout of someone impersonating you. An identity theft is costly to clean up and better to be caught early than 10,000's or 100,000's in the red. Some aspects, being alert and checking periodically can save headaches in the long run.)
Have you ever had a post paid cellphone plan? Rented an apartment? Gotten car insurance? If so you are probably in the database. You can check what data these companies have on you here:
https://www.annualcreditreport.com/
>What's to stop them from re-entering society in 10 years only to discover they have a massive amount of debt?
Nothing. They would have to file several disputes.
>There must be some way for me to exclude myself from this market, from the woefully inadequate security practices of our financial system
There is not.
>I'd like to look into this 3rd party agency you mentioned, if you don't mind sharing the name.
I am not the person you are replying to but I do my credit monitoring with Credit Karma and it's free.
pretty sure the responsibility of announcing that sort of thing goes to chief risk officer, or legal -- not usually technology. though clearly they failed in some way (security training, sdlc process, m&a due-diligence, or whatever)
Everyone knew these were more or less worthless to begin with, but the people doing things either have to use them or don't have anything better.
I think at this point we should start authenticating anything that ends up on someone's credit report using strong cryptography. People who refuse to use it out of ignorance or disagreement don't have to, they just don't get background checks (which is kind of the way it works now.)
Frankly what is necessary here is a version of medical malpractice for the IT industry. If you do something which is far outside what is considered industry best practice and it results in a penetration which harms users, you should be criminally liable in severe cases with strong punishments. People from these companies should also be blackballed out of the industry.
I've been using a credit checker called Clearscore, who as far as I recall get their credit information from Equifax. Has this breach affected any of their customers outside of the US?
> As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps.
I've been wondering for awhile: what would it take to implement a revocable identifier to replace SSNs? I've given up hope that companies can secure their data, but people have no options to take back control when their data is inevitably disclosed.
I just want my own info. Like, I need to see it. Problem is: there is no simple way to see my own info in this leak. I either get a third-party involved, and thus make the leak worse, or I .. get everyone elses data and have a look at it, too.
This is not a separate service, this is just a unified request to the three bureaus for your credit report. It's run by the bureaus themselves and redirects you to their individual sites. You can choose just Equifax if you want. The other option is contacting Equifax directly by mail - https://www.equifax.com/personal/education/credit/report/how...
As someone who has no time to deal with lawsuits or anything of that sort, what's the best course of action here? According to their website, it seems I'm affected?
My experience was that any "Instant Qualification!!" fails instantly, and then you can't unlock it.
After Equifax lost my data in the last (T-Mobile) breach, I locked all three providers. Each of the places charged me $10 for the privilege. I still claim that Equifax should have covered if not for all providers, at least themselves, instead of providing me with worthless credit monitoring. But that's a whole other rant.
I was applying for a credit card. The bank then followed up with, "We killed this because we asked Equifax, and they said no. If you still want a card, you can apply a temporary unlock for us."
The problem is, as is clear from all the other posts here, Equifax is terrible. You need to send your super-secret unlock pin via mail to somewhere and link it up with something and blah blah blah...
It was more trouble than it was worth. I asked the bank if they would consider switching to another reporting agency because Equifax was demonstrably terrible, but they said that once they select an agency for a transaction, they're locked into it.
So, I let that request die. I can try again some time, and there's a 1:3 chance that I'll get screwed all over again, and a 3:3 chance that I'll have to unlock something, and a 100% chance that I will get angry.