top | item 15201948

The Equifax Hack Didn't Have to Be This Bad

186 points | gbarc888 | 8 years ago | bloomberg.com | reply

67 comments

[+] snomad|8 years ago|reply
The hack isn't just SSNs - it includes address history, date of birth, drivers license number - everything reasonably necessary to establish identity. Not sure why the focus is SSNs, any solution needs to be even higher. This is about companies stockpiling our personal information and us having little say in the matter.
[+] pasbesoin|8 years ago|reply
In particular, I've observed reliance on address history, recently. I had a forced pension cash-out, from a place I last worked years ago, and that has since been sold to / merged (and perhaps remerged) into a different entity.

In short, the pension cash-out was handed over to a third party. And a primary factor that party used in establishing that I was indeed the beneficiary, when I called to discuss the details, was to ask me questions about my address history.

In fact, where did they get these details? From an outfit like Equifax, or from the same set of data brokers from whom Equifax acquired them.

The mitigations against such a breach are so obvious -- technical "lockdown" aside. Data rate/query limits. Ongoing auditing that targets anomalous data flows and data rates for mandated attention. Etc. Etc.

You don't have to have "perfect" technology. In fact, you should expect and plan for never having perfect technology.

It shouldn't have been too hard to pick up such a sweeping outflow of records; it should have become apparent that the request channel was (systematically, once you analyse and determine the specific system being used) working its way through the U.S. population.

As for Equifax, if I had my druthers, this would be a corporate death sentence. They've demonstrated a fundamental breach of trust and a fundamental incompetence.

Criminal investigators should squeeze them like hell, flipping smaller fish to fully determine the chain of command and responsibility that decided upon and implemented this catastrophic neglect.

As for the shareholders? Well, ultimately they bet on a company that has demonstrated itself a complete failure. They were happy to take the profits, including the greater profits made by not paying for proper systems and staffing. If their investment now evaporates -- well, I'm getting to the point of simply saying, "So be it."

A few shareholder "disasters", like this, and there will be a lot less pressure for laissez faire short-term profit maximizing, and a lot more for oversight -- internal and external -- and regulation that prevents them from being screwed by incompetently or corruptly negligent management.
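An added illustration of the outflow auditing pasbesoin argues for above, written for this thread and not taken from Equifax, the Bloomberg article, or any product: a small Go detector that reads a constructed credit-file access log (the log format, client names and thresholds are all assumptions) and flags a client account that either pulls more distinct consumer records per window than policy allows or walks record keys in sequence, which is the "working its way through the population" signature the comment describes.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Query is one parsed line from a constructed credit-file access log.
type Query struct {
	At        time.Time
	Requester string // the client account that pulled the record
	Subject   int    // numeric key of the consumer record returned
}

// SampleLog is constructed data: one bank pulling three unrelated files over an
// hour, and a second account walking consecutive record keys every 15 seconds.
const SampleLog = `
2017-05-20T10:00:00Z requester=bank-a subject=48213
2017-05-20T10:20:00Z requester=bank-a subject=7710
2017-05-20T10:50:00Z requester=bank-a subject=91004
2017-05-20T10:30:00Z requester=bulk-x subject=100001
2017-05-20T10:30:15Z requester=bulk-x subject=100002
2017-05-20T10:30:30Z requester=bulk-x subject=100003
2017-05-20T10:30:45Z requester=bulk-x subject=100004
2017-05-20T10:31:00Z requester=bulk-x subject=100005
2017-05-20T10:31:15Z requester=bulk-x subject=100006
`

// ParseLog reads "<RFC3339 time> requester=<id> subject=<int>" lines and
// skips anything malformed rather than failing the whole batch.
func ParseLog(raw string) []Query {
	var out []Query
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			continue
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		var subject int
		if _, err := fmt.Sscanf(f[2], "subject=%d", &subject); err != nil {
			continue
		}
		out = append(out, Query{At: at, Requester: strings.TrimPrefix(f[1], "requester="), Subject: subject})
	}
	return out
}

// Policy holds the thresholds; the values in DefaultPolicy are illustrative.
type Policy struct {
	Window    time.Duration // sliding window for the volume check
	MaxPerWin int           // distinct subjects a requester may pull per window
	MaxStep   int           // key gap small enough to count as "sequential"
	SeqRatio  float64       // flag when this share of successive pulls is sequential
}

var DefaultPolicy = Policy{Window: 10 * time.Minute, MaxPerWin: 5, MaxStep: 3, SeqRatio: 0.8}

// Finding records why a requester tripped the policy.
type Finding struct {
	Requester string
	Distinct  int     // most distinct subjects seen in any one window
	SeqRatio  float64 // share of successive pulls that stepped to a nearby key
}

// Detect flags requesters by volume per window and by enumeration pattern.
func Detect(qs []Query, p Policy) []Finding {
	byReq := map[string][]Query{}
	for _, q := range qs {
		byReq[q.Requester] = append(byReq[q.Requester], q)
	}
	reqs := make([]string, 0, len(byReq))
	for r := range byReq {
		reqs = append(reqs, r)
	}
	sort.Strings(reqs) // deterministic report order
	var finds []Finding
	for _, r := range reqs {
		list := byReq[r]
		sort.Slice(list, func(i, j int) bool { return list[i].At.Before(list[j].At) })
		// Volume: the largest number of distinct subjects inside any p.Window span.
		maxDistinct, lo := 0, 0
		inWin := map[int]int{}
		for hi := range list {
			inWin[list[hi].Subject]++
			for list[hi].At.Sub(list[lo].At) > p.Window {
				inWin[list[lo].Subject]--
				if inWin[list[lo].Subject] == 0 {
					delete(inWin, list[lo].Subject)
				}
				lo++
			}
			if len(inWin) > maxDistinct {
				maxDistinct = len(inWin)
			}
		}
		// Pattern: an account walking the key space steps to a nearby key each time.
		seq := 0
		for i := 1; i < len(list); i++ {
			if d := list[i].Subject - list[i-1].Subject; d > 0 && d <= p.MaxStep {
				seq++
			}
		}
		ratio := 0.0
		if len(list) > 1 {
			ratio = float64(seq) / float64(len(list)-1)
		}
		if maxDistinct > p.MaxPerWin || (len(list) >= 5 && ratio >= p.SeqRatio) {
			finds = append(finds, Finding{Requester: r, Distinct: maxDistinct, SeqRatio: ratio})
		}
	}
	return finds
}

func main() {
	for _, f := range Detect(ParseLog(SampleLog), DefaultPolicy) {
		fmt.Printf("ALERT requester=%s distinct_in_window=%d sequential_ratio=%.2f\n", f.Requester, f.Distinct, f.SeqRatio)
	}
}
```

The two checks are deliberately independent: a per-window volume cap alone lets a slow sweep through, so the second check looks at the shape of the requested keys rather than their count. In a real deployment the thresholds would come from each client class's historical baseline, and the alert would route to the mandated review the comment calls for rather than silently dropping the request.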

[+] shakestheclown|8 years ago|reply
I can't wait until the credit verification questions get even harder.

"What check number did you use to pay the 13,753rd dollar of your car loan in 2001?"

"In 2014, you signed up for an American Express Gold card. Which version of Firefox did you use to complete the application?"

[+] uobytx|8 years ago|reply
The reason the focus is on the SSN is because it enables credit. Privacy is important, but so is protecting your finances.
[+] 567arlo|8 years ago|reply
And any central database of this information is vulnerable to a one-time leak. One period of vulnerability and potentially this information is out there forever. Once that happens automated identity verification becomes much less reliable/convenient and there will potentially be a need for a more Turing-complete and/or hardware dependent process.
[+] jessaustin|8 years ago|reply
> In 2008, the Federal Trade Commission created the Red Flags Rule, which required businesses and organizations to collect personally identifying information from their customers, even if not necessary for service. This put Social Security numbers into the hands of utility companies, telecom providers, doctors and countless other unreliable custodians.

This is the first I've heard of this, and it's a different characterization than what one finds on e.g. Wikipedia (excepting the last section of that page). Still, I believe TFA. It's remarkable how often the impetus to "do something" leads to precisely the wrong thing being done.

[+] pseudalopex|8 years ago|reply
A couple of people who handled Red Flags compliance for medical practices have told me they're only required to do some kind of identity verification, which can be as simple as checking a driver's license. They store SSNs to make it easier to report and collect on delinquent accounts.
[+] MicroBerto|8 years ago|reply
Wikipedia contains a lot of political disinformation / "selective" content and should not be used when looking for legal explanation.
[+] guelo|8 years ago|reply
Consumers don't use the credit reporting database, we have very little access to it besides restricted annual or paid-for reports. The real users are the B2C companies like retail banks, cell phone companies, apartments, background checkers, etc. These B2Cs use the db in both read and write modes with little verification. The main incentive of the reporting agencies is to make it very easy for B2Cs to read and write to their db. Any strong encryption scheme would have to take into account the needs of the B2Cs. Nothing is going to happen unless congress demands it because there is no market incentive to secure it. The data is already known to be frequently inaccurate but businesses don't care, they'd rather have a bunch of false positives than one deadbeat customer.
[+] avid-infovore|8 years ago|reply
The Republic of Estonia uses such a system to identify members of its e-Residency program, even with no physical presence. Each e-resident has a public numerical key that serves as a unique identifier, and a corresponding private key that is never revealed.

So an example to emulate then!

Except: Estonia suffered an embarrassing blow to its much-vaunted ID cards that underpin everything from electronic voting to online banking [...] a security risk that affects almost 750,000 ID cards and that would enable a hacker to steal a person’s identity.

https://www.ft.com/content/874359dc-925b-11e7-a9e6-11d2f0ebb...

[+] gbarc888|8 years ago|reply
The article only says they found a "security risk". I wonder what that is, and how it would allow identity theft if they are actually using public/private keys. Did Estonia secretly backdoor their encryption?
[+] unpwn|8 years ago|reply
Is there a link to this that's not behind a paywall? Very interested in understanding the flaws of such a system, as a two-key system seems like the most viable and secure way to establish identity.
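To make concrete the public/private-key identity scheme avid-infovore describes and unpwn asks about, here is an added Go sketch of challenge-response login. It is not Estonia's implementation (which uses its own algorithms, certificates and card hardware), and the identifiers, the verifier name and the choice of Ed25519 are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Card models the holder's side: the private key is generated here and is
// never transmitted. A real smartcard keeps it in tamper-resistant storage.
type Card struct {
	ID   string // hypothetical public identifier, e.g. an e-resident number
	priv ed25519.PrivateKey
}

// Registry is all a relying party stores: the public key for each identifier.
type Registry map[string]ed25519.PublicKey

// Enroll creates a keypair, files the public half, and hands the card to the holder.
func Enroll(reg Registry, id string) (*Card, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	reg[id] = pub
	return &Card{ID: id, priv: priv}, nil
}

// Challenge is a fresh random nonce bound to the claimed identifier, the
// verifier's name and an issue time, so one signature cannot be replayed
// against another verifier or at a later time.
type Challenge struct {
	ID       string
	Verifier string
	Nonce    [16]byte
	Issued   int64 // Unix seconds
}

func NewChallenge(id, verifier string, now int64) (Challenge, error) {
	c := Challenge{ID: id, Verifier: verifier, Issued: now}
	if _, err := rand.Read(c.Nonce[:]); err != nil {
		return c, err
	}
	return c, nil
}

// Bytes is the exact message both sides sign and verify; the fixed prefix
// keeps these signatures from being confused with any other use of the key.
func (c Challenge) Bytes() []byte {
	b := []byte("login-challenge|" + c.ID + "|" + c.Verifier + "|")
	b = append(b, c.Nonce[:]...)
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(c.Issued))
	return append(b, ts[:]...)
}

// Respond is the holder's step: sign the challenge with the on-card key.
func (k *Card) Respond(c Challenge) []byte {
	return ed25519.Sign(k.priv, c.Bytes())
}

// Verify is the relying party's step: look up the enrolled public key, reject
// stale challenges, and check the signature. No secret is needed on this side.
func Verify(reg Registry, c Challenge, sig []byte, now, maxAgeSec int64) error {
	pub, ok := reg[c.ID]
	if !ok {
		return fmt.Errorf("unknown identifier %q", c.ID)
	}
	if now-c.Issued > maxAgeSec {
		return errors.New("challenge expired")
	}
	if !ed25519.Verify(pub, c.Bytes(), sig) {
		return errors.New("signature does not match enrolled key")
	}
	return nil
}

// Demo runs one login plus two things that must fail: replaying a signature
// against a fresh challenge, and a different card answering for this identifier.
func Demo() (genuineOK, replayRejected, otherCardRejected bool, err error) {
	reg := Registry{}
	now := time.Now().Unix()
	holder, err := Enroll(reg, "EE-0001") // constructed identifiers
	if err != nil {
		return
	}
	other, err := Enroll(reg, "EE-0002")
	if err != nil {
		return
	}
	c1, err := NewChallenge("EE-0001", "bank.example", now)
	if err != nil {
		return
	}
	sig := holder.Respond(c1)
	genuineOK = Verify(reg, c1, sig, now, 60) == nil
	c2, err := NewChallenge("EE-0001", "bank.example", now)
	if err != nil {
		return
	}
	replayRejected = Verify(reg, c2, sig, now, 60) != nil
	otherCardRejected = Verify(reg, c1, other.Respond(c1), now, 60) != nil
	return
}

func main() {
	g, r, o, err := Demo()
	fmt.Println("genuine card accepted:", g, "| replay rejected:", r, "| other card rejected:", o, "| err:", err)
}
```

What the sketch shows is why the private key never needs to leave the holder: the relying party stores only public keys and can check a signature without being able to produce one, so a leak of the registry is not a leak of identities the way a leak of SSNs is. What the protocol cannot protect against is weakness underneath it, in how the keys are generated or how the card keeps them, so a reported risk in such a system is most plausibly about key generation or card firmware rather than about the signature scheme itself.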
[+] beebmam|8 years ago|reply
It's something that people don't talk about much, but just the allowed existence of credit agencies violates human/civil rights.

These companies earn revenue by selling access to a database of all humans, which ranks each of us as to how valuable/risky we are to profit off of.

Many companies are starting to make hiring decisions based on this data, and obviously whether or not you are worthy of a loan has been much of the purpose of a credit rating (and these loans are necessary for nearly everyone in the US, unless you're exceptionally wealthy).

Disputing an unfair or illegal mark against your credit is an absurd process with very little recourse.

This is far worse than what the NSA has done, in my opinion, and it continues without much criticism.

Obviously this giant hack of Equifax is a very serious issue. But why should these credit companies be allowed to keep this kind of data about us anyway?

[+] DanBC|8 years ago|reply
> It's something that people don't talk about much, but just the allowed existence of credit agencies violates human/civil rights.

What human right is being violated, and what treaty is that right listed in?

[+] zentiggr|8 years ago|reply
So since anyone who has access to the breached info can impersonate nearly anyone in the country...

1) Are we about to see the end of "Name, DoB, last four" as an authentication? (Damn well should if anybody can be me now)

2) Are the credit reporting agencies discredited as a business model? The other two are likely either hacked already or about to be, and given this standard of reporting we wouldn't know till months from now anyway.

Can't trust em, don't use em, don't trust anybody that does.

Oh joy.

[+] ajross|8 years ago|reply
#1 seems almost certain if the spilled data really is as extensive as it seems. The government would be all but forced to go to some other mechanism (or at worst just open up a new space of numbers and give everyone a 12-digit "SSN+"). It's possible that the "possibly affecting 144M customers" bit is spun though and that only a tiny fraction of that ever left the datacenter.

With #2, nothing is going to change. The credit agencies' business isn't identifying people (as we are discussing, they outsource that to the government), it's tracking credit activity. And that works extraordinarily well from the perspective of its customers (the banks). If Equifax dies, Experian and TransUnion will just see more business. If they all die, the banks will find some way to do this for themselves.

[+] shmerl|8 years ago|reply
Indeed. This pervasive usage of SSNs should be dropped.
[+] AckSyn|8 years ago|reply
The pervasive want of private corporations to stockpile our private information is a huge concern as well. There's hardly any reason they should store anything beyond name and contact info.
[+] AngeloAnolin|8 years ago|reply
"The only thing Social Security numbers should be used for is to pay our taxes, which identity thieves are welcome to do."

Likely they may not be paying taxes, but have already found a way to circumvent the system such that they collect something (aid, EI, etc).

[+] prdonahue|8 years ago|reply
Actually what they do is early filing to receive any refund that would be coming to you.
[+] jdhzzz|8 years ago|reply
> Before the digital age, a stash of nine-digit numbers could be kept reasonably secure in a locked filing cabinet behind closed doors. So long as consumers volunteered the numbers judiciously, most people could make it through life without ever suffering a theft of identity.

Old guy here. The reason I know my SSN by heart is that it was my student ID number in college and had to be given at the beginning of each semester to get my course list, later for grades, etc.

I had a credit union account from the 80's and as of the 90's my SSN was printed on each monthly statement.

Both were before the "digital age" and neither could be considered "in a locked filing cabinet" nor under my control.

[+] ben1040|8 years ago|reply
You don't even have to be that old to remember this time.

I went to a well-known university and they used SSNs as student ID number until roughly 2001-2002. The first half of my university career, my SSN wound up on every Scantron sheet, exam blue book, and term paper I handed in. It was printed on the front of my ID, and even after they recalled old IDs and replaced them with non-SSN cards, the magstripe track data still had your SSN on it because some old dining hall POS system or something like that hadn't been converted.

It was like fish in a barrel for fraudsters, just root around in the trash after finals week and grab people's term papers. I had quite a few friends who discovered that during the time they were attending college, someone had opened a cell phone (or a credit card, in one person's case) in their name.

This was before the days of the free annual credit report law. So these folks never pulled their own files, and only discovered the fraud years after graduation, when they went to apply for a car or home loan and got denied.

[+] toss1|8 years ago|reply
And both were probably illegal at the time. When Social Security was created, people were concerned about it becoming a de-facto national ID system, and it was illegal to use SSNs as an ID for anything other than taxes and Social Security Biz.

Medical insurance companies commonly broke the law but skirted it by saying it was "optional", and of course not telling anyone about the option. At least several times when I applied for insurance, I filled in "Assign ID" and had to correct the first level agent who insisted that I needed to provide an SSN. Patiently insisting that they needed to escalate the call, the first higher-level agents who knew would immediately accept it.

This sort of sloppiness confusing an IDentifier with an authentication has now gotten us into a world of trouble.

[+] otakucode|8 years ago|reply
Heh, it actually changed while I was in college. As a CS student, one of the required courses was a 'Computers and Society' course which was basically sort of like a 'where ethics meets technology' course, talking about the social impact of code and computing. The kind of thing many people today seem to need to attend. But anyhow, during it we mentioned 'hey, why are our student IDs, used everywhere, our SSNs? Isn't that unsafe?' and we actually ended up getting it changed.

Didn't stop some professors from continuing to use them. I had one prof who would use the last 4 digits (oh, only the last 4, those aren't the most important ones or anything) as a way to post pseudo-anonymous grades after tests.

[+] tbrock|8 years ago|reply
I'm very worried about this.

I've done a lot to try and build my credit and protect my identity by restricting the information I give out. Now I can do nothing to protect it besides hope someone doesn't target me.

Anyone have ideas on how to ensure an identity is not stolen?

[+] ReidZB|8 years ago|reply
You can use a credit freeze: https://www.consumer.ftc.gov/articles/0497-credit-freeze-faq...

> Also known as a security freeze, this tool lets you restrict access to your credit report, which in turn makes it more difficult for identity thieves to open new accounts in your name. That’s because most creditors need to see your credit report before they approve a new account. If they can’t see your file, they may not extend the credit.

I've never done this, but it sounds effective - although if you want to open another line of credit, you'll have to temporarily suspend the freeze.

[+] jjeaff|8 years ago|reply
There is only one solution and that is identity theft insurance.

All other solutions that purport to protect your credit are futile. Although I think some are now offering insurance as part of their guarantee.

I use Zander identity theft insurance. If my identity is ever stolen, they are supposed to take over all the hassles of getting me right. As well as up to a million dollars in damages including legal fees if necessary.

I have heard good things from customers who had their identity stolen. But I can't personally vouch for how well their recovery services work since I haven't experienced a theft yet.

[+] robert_foss|8 years ago|reply
Move somewhere which has a reasonable personal identity scheme.
[+] iblaine|8 years ago|reply
SWIM used to have access to Equifax data from home. In the early 90s, you could log into Equifax, type in a stranger's address, and get their credit history, social, bills, and prior addresses among other things. Access was through tymnet using an <account_id>+<password>. That is it. The account_id was a ~16 digit number. The password was a 1 alpha + 1 alphanumeric. In those days it was security through obscurity, so I presume. Get an account number and after 936, you are in. Given this recent breach has nothing to do with how Equifax/CBI was run years ago, it does make me cringe a bit.
[+] technofiend|8 years ago|reply
In the 80's it was even worse. A credit bureau was available on telenet (a simple dial up service that allowed terminal connections to services) and there was no password, just an account number. You could query any social security number and see joint account information by simply adding /ty-jp or something similar. This being the 80's, you'd see the needed credentials taped to monitors.
[+] otakucode|8 years ago|reply
Well of course it didn't have to be this bad. But when criminal negligence for corporations remains unpunished in an industry for 40+ years, you're not going to have corporations that dedicate the time, let alone the money, to do things right.
[+] ErikVandeWater|8 years ago|reply
Title not supported by article.
[+] mfoy_|8 years ago|reply
It is, and is related to some of the discussion in the main Equifax hack threads.

The idea is that this information shouldn't be so sensitive because it isn't really secret in the first place. It also cannot be changed, so it doesn't really meet any reasonable criteria for authenticating information.

To quote the relevant top-level comment I had in mind:

>mikeash 2 hours ago [-]

>If we're lucky, this will be the best leak of personal info ever. The primacy of the SSN in American society is idiotic. It's a "secret" that you have to hand out to dozens of different organizations. I've long thought that we should phase this out by committing to publish all SSNs (and the associated info, obviously, so it's not just a list of most 9-digit numbers...) which would force all these companies to stop treating it as confidential. The system is dumb and works poorly, but worked well enough that there was no impetus to fix it. Some people got affected by breaches, and it sucked for them, but it was always a small enough group that most people didn't care. Now that a majority of people's "secret" info is no longer confidential, maybe they'll realize they can't rely on it anymore. OK, the odds of this actually coming to pass are not great. But I can hope.