
The Equifax breach may be the worst leak of personal info ever

559 points| mozumder | 8 years ago |arstechnica.com | reply

325 comments

[+] chrisabrams|8 years ago|reply
Why are identifiers being treated as passwords? It's 2017 and my mind is boggled that we continue to use SSNs and thumbprints as passwords. These are more akin to usernames. Why is our most important information not protected by passwords, or better yet, 2 factor authentication?

If I try to spend $1000 on my credit card at IKEA, my bank usually calls me to confirm the transaction. However, we don't have such a system when handling our most important information? Why is this allowed to happen? How many people have to be damaged before they stop watching Tom Brady throw touchdowns and get out there to make a difference?

[+] knz|8 years ago|reply
> If I try to spend $1000 on my credit card at IKEA, my bank usually calls me to confirm the transaction. However, we don't have such a system when handling our most important information? Why is this allowed to happen?

It's allowed to happen for the same reason the US uses credit cards without PIN numbers - a lack of desire to spend money on security/upgrades (it's easier to pass on the cost of fraud via the transaction fees), a weak regulatory structure for protecting consumers, a glacial rate of technology adoption in banking systems, and ignorance/unwillingness to evolve by customers/businesses/executives etc.

[+] GuB-42|8 years ago|reply
That's because the US government doesn't provide a convenient and reliable way of proving physical identity. And that's mostly because the people don't want it.

Most countries have some form of universal photo ID, and a copy of it is usually required, along with a signature that matches. Not perfect but better than a simple number. Some countries like Estonia include a cryptographic token in their ID, protected by a PIN. That's the 2 factor security you wanted.

But people in the US tend not to like the idea of government IDs. But when such a thing is needed, they use the closest thing they have, and that's the SSN.

[+] calvinbhai|8 years ago|reply
Cost of repercussions due to lapse of security <<< cost of fixing it.

Until Equifax and the like get sued out of business, Equifax and its shareholders won't feel the heat.

[+] burntrelish1273|8 years ago|reply
Just like bikeshedding and risk perception decreasing near sources of catastrophic risk, never discount the powers of rationalization and cognitive dissonance.

Ultimately a major cause is that America doesn't have a national ID, PKI or 2FA systems. And, as such, there is the de-facto, cargo-cult tradition of ultimate reliance on inadequate systems designed for retirement pensions and drivers' licenses. People must give up the "states rights," delusions of privacy and other similar fallacies already and demand proper authenticated and authorized identity, banking and credit systems that require positive, possibly-interactive authorization to use details or complete transactions. Such tokens/documents could be physically enrolled/administered just like passports at USPS.

[+] ddlatham|8 years ago|reply
Because it's not a simple problem. If you ask me for a loan, how do I know who I'm loaning the money to, who will be accountable for paying it back to me? If we have no prior relationship, then there's no pre-existing password I can use to authenticate you. What's your solution?

A government provided security token of some sort, backed by a government database? A lot of people have all kinds of problems with those, from trusting government's intent, to their competency, to their security.

A private party identity provider? Go start it.

[+] emodendroket|8 years ago|reply
Fixing it costs them more money than leaving it alone, is the reason.

[+] quarkral|8 years ago|reply
How would you implement 2FA without making your personal phone number publicly available for anyone to attempt to authenticate with? It's not the same as your bank calling you when you already have an account with them - we're talking about a new bank, who you have no relationship with, trying to call you to verify your identity.

A true public key system opens up each individual user to malicious spam. Given the current prevalence of phone, mail, and email spammers, such a system would create more problems than solve.

SSNs could technically be passwords. The problem then is that data servers need to not store SSNs in plaintext, but rather store hashes of them, just like passwords should not be stored in plaintext.

[+] mafellows|8 years ago|reply
In fairness, Tom Brady had zero touchdowns last night.

[+] michel-slm|8 years ago|reply
SSNs are not even supposed to be used as identifiers in the first place -- that it is being used as the key identifier to determine your creditworthiness is already mind-boggling.

[+] 0x00000000|8 years ago|reply
I've been saying for a long time. Companies that store sensitive information should be required to insure it. Want my SSN for some inane reason? 5 million^H^H^H^H^H^H^H^H^H 500k dollar insurance policy on each one. Seem excessive? Better buckle down on security or better yet not store extremely sensitive and damaging information for arbitrary reasons. There is literally zero reason or consequences for any company to care about security right now.

[+] jerf|8 years ago|reply
I understand the emotional appeal of overselling the problem, but you'd get much better response with a $50K insurance policy than an obviously absurd $5M. Even $50K is sort of generous and probably generally more towards the worst case end of identity theft than the average case. It is plainly obvious to everyone that when Bob the upstanding middle class guy is hit by identity theft that Bob may experience great loss of money and time from his point of view, but that identity theft was not the one thing standing between Bob and $5M.

At scale $50K still adds up to a lot, and we'd probably have to cap it some other way too because at-scale breaches don't add up that far, because the system does in fact react to them. This particular breach would be a seven trillion dollar payout if we don't cap it, and the simple reality is that this breach, no matter how much pain it may eventually cause us, is not going to cause anywhere near seven trillion dollars' worth of damage to consumers, or the economy, or anything else. But $50K makes sense for isolated cases that don't get a coordinated response.

[+] _Codemonkeyism|8 years ago|reply
Making insurance obligatory also would force companies to implement proper security to drive insurance premiums down.

[+] banned1|8 years ago|reply
Maybe it's better to enact legislation to stop using the SSN the way it's used today.

[+] YCode|8 years ago|reply
I suppose a proper government issued ID number that doesn't double as a password would also be useful.

[+] rabidonrails|8 years ago|reply
This isn't realistic. The cost would be astronomical for a 5MM insurance policy on each user. Further, no matter how seriously you take security there's always a chance, even if a minimal one, that a hack happens. So, for example, if you were a bank and had 100,000 members and you had their SSNs and were hacked you're talking about a possible $500B settlement. The bank wouldn't take out such a policy due to cost and no underwriter would grant it because it would put the company out of business.

[+] HillaryBriss|8 years ago|reply
If a hacker took my info how would I prove they got it from Equifax so I could get the insurance money?

Wouldn't disclosure of hacks (by Equifax) be strongly disincentivized with this scheme?

Wouldn't Equifax just lie to the public if they discovered a hack so that their insurance premiums stayed low?

Worse yet, would Equifax just eliminate security audits and stop looking for hacks altogether so they could plausibly claim their data was secure?

[+] calvinbhai|8 years ago|reply
And similar to travel insurance, they'll make it an option you pay for.

In fact, it's the best case scenario for the company, to make even more money by selling insurance for protecting the data you just gave them.

[+] banned1|8 years ago|reply
Another commenter, who now deleted the comment, said: "There's a 44% chance you were affected, but a 100% chance you waive your right to be in a class action lawsuit if you enroll in their ID protection."

I thought it was a good comment, but I wonder if it matters.

How much would you get? I have been a member of these class action lawsuits before, and I get, like, $3 for my troubles at the end of the day, so I never claim the prize because it's another database where my SSN would be stored and stolen from.

I think the best is to freeze your credit report and deal with the troubles of having to unfreeze it when you need a loan.

If there are expert people from the Fin Svc industry here, is the above correct? Is freeze pretty much the only reasonable action now to protect ourselves?

[+] leroy_masochist|8 years ago|reply
I just used their "check if you've been compromised" tool on their crisis response site and they are using it not only as a notification service for potentially affected customers, but also as a lead generation tool for their TrustedID Premier service.

We need a new word, "chutzpah" isn't strong enough in this case.

[+] jandrese|8 years ago|reply
I think the word you are looking for is gall. As in sheer unmitigated gall.

[+] mikeash|8 years ago|reply
If we're lucky, this will be the best leak of personal info ever.

The primacy of the SSN in American society is idiotic. It's a "secret" that you have to hand out to dozens of different organizations. I've long thought that we should phase this out by committing to publish all SSNs (and the associated info, obviously, so it's not just a list of most 9-digit numbers...) which would force all these companies to stop treating it as confidential.

The system is dumb and works poorly, but worked well enough that there was no impetus to fix it. Some people got affected by breaches, and it sucked for them, but it was always a small enough group that most people didn't care.

Now that a majority of people's "secret" info is no longer confidential, maybe they'll realize they can't rely on it anymore.

OK, the odds of this actually coming to pass are not great. But I can hope.

[+] octorian|8 years ago|reply
Back when I started college, my SSN was my student ID number. It felt weird, of course. I think there was a change in the law soon after I started college, because it did soon get changed into a different number of the same length.

Later on, I did a brief stint working for the federal gov't. In that setting, they used the SSN as our employee IDs. It was on all the personnel forms, and often seen on "list of people in the department" spreadsheets. Of course in order to comply with some law, these forms would also have a footnote explaining why they needed the SSN.

From these experiences, I have a very hard time actually thinking of the SSN as the sort of "secure password" everyone else wants to insist that it is. Unfortunately, I'm not aware of an alternative.

[+] sliverstorm|8 years ago|reply
Pretty much why I'm not freaking out, yet.

If my SSN & other personal details get out, it's my problem. If the SSN & personal details of half the country leak out, it's somebody else's problem.

Whose I'm not sure, but it would seem like banks. At this point, virtually all potential credit applicants' details have been leaked, and I believe it's the banks that ultimately lose when they issue credit to a fraud. So if you're the bank, hopefully right about now you're starting to think you need a much better method to authenticate credit applicants.

[+] flavio81|8 years ago|reply
> The primacy of the SSN in American society is idiotic. It's a "secret" that you have to hand out to dozens of different organizations

I'm not from the US. The first time I had an American friend explain the SSN thing to me, I thought they were crazy, for the exact same reasons.

It is idiotic, as you say.

Here in my third-world country there isn't any number or code that I need to keep secret and I need to hand over to other companies at the same time.

[+] Zigurd|8 years ago|reply
Moreover, there is no actual need for credit reporting agencies to have SSNs. They don't need to report payments to the government for tax collection. SSNs didn't prevent credit reporting agencies from commingling my father's credit data with mine.

[+] tommoor|8 years ago|reply
Agree. The best thing that can happen here is the entire 149 million gets published online somewhere - that will force change. Overnight, companies will have to stop assuming SSN is secret.

[+] emodendroket|8 years ago|reply
Yeah, I won't be holding my breath.

[+] miguelrochefort|8 years ago|reply
I advocate something similar regarding all secrets (passwords, private keys, credit card numbers, etc).

Secrecy (and privacy) aren't sustainable, and relying on them will just end up hurting people.

Identity must be solved, not through secrecy, but through transparency.

If AI overcomes us, it will be (in part) because we failed to adapt to this reality.

[+] wyc|8 years ago|reply
This is truly low: Equifax gives the affected victims a "special offer" to protect their identities. In the fine print is a waiver to any class-action lawsuit.

https://twitter.com/wyatt_privilege/status/90612079459342745...

[+] dabockster|8 years ago|reply
I doubt this would be upheld by a judge in the event that a class action were to be taken to court.

Remember, any legalese like this is worthless unless a judge says it's valid.

[+] nerdponx|8 years ago|reply
Fortunately binding arbitration clauses are considered unenforceable in some cases.

[+] YCode|8 years ago|reply
I'd like to think OPM employees are reading this headline and thinking "Yeah we'll see!"

The entirety of federal government SF-86s being dumped to a foreign government has diplomatic and economic repercussions that will last for decades.

[+] diyseguy|8 years ago|reply
This sort of reminds me of when Wells Fargo called me one day to tell me my card was compromised. I got on the phone with them only to find out it wasn't. Then they tried to hard upsell me on a pay by the month identity protection plan with a 6 month complimentary introductory period.

It seems like it's sort of in Equifax's interest for a breach to happen and have 144 million people freak out and then buy their $20/month service.

[+] hedora|8 years ago|reply
I think $1000 is a lowball estimate for the per-person damage done by this breach. At $1000/head, they would be looking at $137B of liability with a market cap of $17B. Good.

How hard is it to opt-out of whatever class action settlement is offered, and take this to small claims court?

Anyone want to set up a website to automate the paperwork? I'd love to see a not-for-profit do this moving forward when things like this happen.

[+] empath75|8 years ago|reply
Consider the implications of this security breach if it's a state actor that did it. I'm going to throw out Russia as an example, but don't take that as me accusing them of doing it.

Cross reference financial information on millions of Americans with data breaches from Yahoo and LinkedIn, and the social graph data that's freely available from both, and you have a serious national security problem. It would be easy to search for employees with serious financial problems at any institution you wanted to target with either blackmail or further intrusions.

[+] kortex|8 years ago|reply
Anyone know roughly how useful this debug information is to would-be attackers?

> com.ibm.websphere.servlet.error.ServletErrorReport: com.ibm.ws.jsp.JspCoreException: Unable to convert string 'uiadmin' to class javax.el.ValueExpression for attribute basename: java.lang.IllegalArgumentException: Property Editor not registered with the PropertyEditorManager
>
> Caused by:
> com.ibm.ws.jsp.JspCoreException - Unable to convert string 'uiadmin' to class javax.el.ValueExpression for attribute basename: java.lang.IllegalArgumentException: Property Editor not registered with the PropertyEditorManager

It looks to me like it's choking on some sort of deserialization, which could lead to execution of EL code.

https://issues.jboss.org/browse/RF-13977?_sscc=t

I'm not in netsec, but this looks pretty damning to me. The fact that I was able to go from "I have no idea how I'd begin to hit this" to "hey I wonder if I can hammer on this particular interface and see if I can get it to pop" makes me think this is really not something you should be revealing, above and beyond the usual "don't show debug information to the outside world".

https://www.equifax.com/cs7/faces/jspx/login.jspx
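A defender-side check for the kind of disclosure quoted in the comment above, as an added example that is not part of the thread: it scans an HTTP response body for fully qualified Java exception class names, `Caused by:` chains, stack frames and server-stack package prefixes, so an operator can flag their own pages that return debug detail instead of a generic error. Both sample bodies are constructed here (the first is modelled on the quoted WebSphere message; `example.Handler` is a made-up class).

```python
import re
from dataclasses import dataclass, field

# Constructed sample: an HTML error page carrying the WebSphere/JSP message quoted
# in the thread plus one made-up stack frame (example.Handler is not a real class).
SAMPLE_BODY = """<html><body><h1>Error 500</h1><pre>
com.ibm.websphere.servlet.error.ServletErrorReport: com.ibm.ws.jsp.JspCoreException: Unable to convert string 'uiadmin' to class javax.el.ValueExpression for attribute basename: java.lang.IllegalArgumentException: Property Editor not registered with the PropertyEditorManager
Caused by: com.ibm.ws.jsp.JspCoreException - Unable to convert string 'uiadmin' to class javax.el.ValueExpression for attribute basename: java.lang.IllegalArgumentException: Property Editor not registered with the PropertyEditorManager
    at example.Handler.handle(Handler.java:42)
</pre></body></html>"""

# Constructed sample of what the same failure should look like to an outside client.
CLEAN_BODY = "<html><body><h1>Something went wrong</h1><p>Please try again later.</p></body></html>"

# Fully qualified Java exception/error class names, e.g. com.ibm.ws.jsp.JspCoreException.
EXCEPTION_RE = re.compile(
    r"\b((?:[a-z][a-z0-9_]*\.){2,}[A-Z][A-Za-z0-9_]*(?:Exception|Error|ErrorReport))\b")
CAUSED_BY_RE = re.compile(r"^\s*Caused by:", re.MULTILINE)
STACK_FRAME_RE = re.compile(r"^\s*at [\w.$]+\([\w.]+:\d+\)", re.MULTILINE)

# Package prefixes that reveal which server stack produced the page.
STACK_FINGERPRINTS = {
    "com.ibm.websphere.": "IBM WebSphere",
    "com.ibm.ws.": "IBM WebSphere",
    "org.apache.catalina.": "Apache Tomcat",
    "org.jboss.": "JBoss/WildFly",
    "org.springframework.": "Spring",
}

@dataclass
class DebugLeakReport:
    exception_classes: list = field(default_factory=list)
    caused_by_count: int = 0
    stack_frame_count: int = 0
    fingerprints: list = field(default_factory=list)

    @property
    def leaks(self) -> bool:
        """True when the body discloses internal exception detail."""
        return bool(self.exception_classes or self.stack_frame_count)

def inspect_response(body: str) -> DebugLeakReport:
    """Scan one HTTP response body for debug output that should never reach a client."""
    report = DebugLeakReport()
    for match in EXCEPTION_RE.finditer(body):
        name = match.group(1)
        if name not in report.exception_classes:   # keep first-seen order, no duplicates
            report.exception_classes.append(name)
    report.caused_by_count = len(CAUSED_BY_RE.findall(body))
    report.stack_frame_count = len(STACK_FRAME_RE.findall(body))
    for prefix, product in STACK_FINGERPRINTS.items():
        if prefix in body and product not in report.fingerprints:
            report.fingerprints.append(product)
    return report
```

Run `inspect_response` over the bodies your own error pages return; any report with `leaks` set is a page that should be mapped to a generic error handler.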

[+] whipoodle|8 years ago|reply
There still doesn't seem to exist the political will to do anything real about this, or to hold accountable in any real way the companies that leak. These stories happen pretty much every week now, often more than one a week. I think companies will continue not caring, simply do a blog post after they get owned about how sorry they are and then proceed with business as usual, unless that changes.

I don't think the issue is SSN, though it is absurd how we treat SSN as both an identifier and a secret at the same time. The problem is we don't really care when secret info gets leaked, even when it's actual secrets and not something sort-of-secret like SSNs.

[+] codazoda|8 years ago|reply
I previously signed up for someone's free Identity Theft Protection service. After the free service was completed my account was charged around $9 per month until I noticed it and fixed it.

[+] donatj|8 years ago|reply
Is there no way to find out if I am affected without enrolling in their ID protection?

[+] kakarot|8 years ago|reply
I don't own any credit cards and I do not use credit. Am I still at risk for having credit taken out in my name if I don't enroll in this "credit freeze" protection racket people keep mentioning?

[+] plandis|8 years ago|reply
David Webb is the CTO. He should get a year in prison for every day he decided not to announce his massive fuck up.

[+] swiley|8 years ago|reply
Everyone knew these were more or less worthless to begin with, but the people doing things either have to use them or don't have anything better.

I think at this point we should start authenticating anything that ends up on someone's credit report using strong cryptography. People who refuse to use it out of ignorance or disagreement don't have to, they just don't get background checks (which is kind of the way it works now.)

[+] Thriptic|8 years ago|reply
Frankly what is necessary here is a version of medical malpractice for the IT industry. If you do something which is far outside what is considered industry best practice and it results in a penetration which harms users, you should be criminally liable in severe cases with strong punishments. People from these companies should also be blackballed out of the industry.

[+] Accacin|8 years ago|reply
I've been using a credit checker called Clearscore, who as far as I recall get their credit information from Equifax. Has this breach affected any of their customers outside of the US?