Equifax has the unique ability to collect the most private information available, even when they have never or will never interact with that person.
I think the entire credit system needs to be changed. If credit bureaus can't be responsible then citizens should get a choice in the matter. These companies have us by the balls and we have no recourse. It's a monopoly complete with price fixing and everything, except the price is privacy and you don't get any options.
It reminds me of an episode of Hotel Hell I saw where the front desk stored all guest credit card numbers, expiration date, and security code in a white lined notebook unlocked behind the counter. Gordon Ramsay walks up to an unstaffed counter, grabs the book, and walks off with it.
Now imagine that the hotel blatantly admits to not giving a shit about your credit card details, and you don't have the option of checking out and taking your business elsewhere.
I'm normally not a fan of congressional hearings where everyone is trying to grandstand, but this one was particularly good.
The congresswoman asked the Equifax CEO to provide his birthday and social security number publicly for the record. He of course refused and when asked why, he said because that is sensitive information.
All the while, Equifax attorneys are arguing in court that there is no harm in leaking private data like SSNs and thus they shouldn't be held liable for any damages.
If only there were some kind of oversight by a government agency made to protect consumers from these types of things when the market based approach fails. This type of agency or bureau would be there to protect people when there was no legal recourse otherwise and establish rules so that corporate entities and businesses were beholden to someone. Meh, I'm sure the market will sort it out since you can just take your credit to another provider right?
All that would be required for reform, I think, is a small revision to the FCRA. Remove their near-immunity from libel law and let our famous hunger for civil suits do the rest.
I've heard about artists being told to destroy their artwork for obscenity or copyright reasons, but how many companies have been court ordered to purge their databases in the US?
A real-life attack based on this kind of hole was discussed at https://www.reddit.com/r/personalfinance/comments/ay7aoy/ide... : someone says that an identity thief who knows all their knowledge-based question answers (because they have a copy of a credit report, no doubt) keeps somehow removing the freeze and committing more fraud.
> the data being asked about in these KBA quizzes is culled from public records
Yesterday, when opening a savings account with a major US financial institution, one of the KBA questions asked for my Zodiac sign. The other two were about a mortgage and the year I was born (±1 year). I do not understand why any competent institution would find these secure, and it appalls me that that is all the information needed to open an account in my name.
That looks like Ally Bank. --BUT, it isn't, per the reply below. It's Discover, though Ally asked me the same zodiac question in what looked like the same font.--
They won't open a joint savings account for my wife and I because my wife doesn't have a phone bill in her own name "for verification." (We've been on the same Southwestern Bell/Cingular/AT&T, recently T-Mobile, family plan for the past, oh, fifteen years, and it's under solely my name because of employer discounts.)
When I mentioned this to the rep, she told both of us--we were all on speakerphone--that my wife could send in a copy of her driver license. Except Washington doesn't require us to get new licenses when moving and the address on both of our licenses is the same...and four years out of date.
I get the need for ID verification but funny how we never run into this problem when my wife wants to borrow money in her own name. No one has ever cared about her license or a phone bill when she's taken out credit cards.
Zodiac sign? Seriously? I don't know what mine is because that is not a belief system/religion I subscribe to so I had to Google it. Turns out my birthdate must be on the border because different sources have it as a different sign. They might as well ask what color my aura is.
No one thinks this is actually secure; it's security theater.
The thing is, the cost of identity theft of consumers to credit reporting companies is less than the cost to actually adopt secure methods to judge one's credit.
When I opened my mortgage they required us to share via email everything in plain text. We did not have a choice of lender. I told my wife that these people were going to be hacked. Within 3 months we got a letter saying all of our information had been exposed. Oh whale, nothing that wasn't already out there from the numerous other breaches that I had zero control over.
United Airlines asked me to fill in a bunch of crazy password questions a few weeks ago.
Things like "What's your favorite flavor of ice cream?" Well, I dunno. It depends on my mood.
Or "What is your favorite vacation destination?" Another bad question because my favorite today may not be my favorite when I get back from the next place.
Unfortunately they were all mandatory — there wasn't an option to pick only the sane ones; all ten had to be answered.
Most of them felt more like marketing trying to build a profile on me rather than IT trying to keep my data secure.
That is incredible. There are only twelve signs. I mean why not just ask your birth month? And even then, incredibly easy to guess or to find out. I honestly want to know who came up with that security gateway and question them on how they thought that was secure.
Yea. I recently had two run-ins with this exact same KBA system. One for a bank and one for a health insurance type thing. Both asked a question of which hospital was closest to me. How is it "KnowledgE" when I had to Google Map 4 different hospitals to figure out where they even were? One of two variations also listed two 'different' hospitals that were less than 2 blocks apart, leaving the 'closest' question up to a flip of the coin.
I used to work at a fintech and have seen KBA providers ask questions that provide zero security like "what county was your 1 Main Street Santa Monica, CA address located in"
I wonder if these questions were less about identity validation and more about stopping bots from opening accounts? Either way, it's not the ideal solution, but one is a little better than the other. The chance of a bot guessing all three right is pretty slim, but at least if a real person did research and made educated guesses then it would slow them down considerably.
Whenever I'm confronted with surveillance-based "identification" and I'm unable to just choose a better option like receiving a letter in the mail, I make sure to only answer questions that can be directly deduced from the basic information I've already entered, or otherwise researched online (like the ones about what street is in what city). When confronted with questions about past addresses and whatnot, I make sure to answer "don't know" lest I confirm something they actually aren't so sure of.
I haven't had any problems as a result of doing this. I wouldn't be surprised if there is some "confidence" score based on how much the surveillance databases have actually recorded about you, and even if they aren't super confident will still supply a pass result to keep the client from losing customers.
I remember being asked the name of a street I lived near once. I still don't know the right answer, but I think it was some official or unofficial name of I-80 or the 101 that no one calls it any more (e.g. Lincoln Highway).
I would rather be asked my Zodiac sign, although that is definitely weird.
You shouldn't have to spend time doing research on different versions of road names to prove my identity. That's absurd. I can imagine some dystopian future where I'm strapped to a chair and my kidnapper is demanding I answer to obscure names of highways as my only reprieve from torture.
IIRC there was a post here a while ago about how you could refresh the pages and the options would change. Except, of course, the correct answer. Maybe someone else remembers and has the link.
I literally noticed this myself last month when I went to temporarily lift my freeze to apply for a new credit card. I never got asked for the PIN, which I diligently save and securely store. I remember I was explicitly asked for it just a year ago (last time I had to do the same to open another card). I felt like an idiot.
What we ought to do—to tie into the "let's break up Google" story also being discussed right now—is make collecting and hoarding data about people incredibly risky. A leak of any size should be a "your company is finished" event. Much collection should simply be outlawed or at least placed under strict user control, GDPR-style.
It'd make the CRAs, various other financial institutions (credit card companies, banks), and the tech giants all stop doing a bunch of the most harmful crap they're getting up to. Or else actually pay what it takes to keep everything really secure, while ditching any data they don't absolutely have to have to operate.
I will never unfreeze Equifax, regardless of what I do with the other credit agencies. I can't prevent them from collecting my information but I can prevent them from profiting off it.
> SSN and DOB data is widely available for sale in the cybercrime underground on almost all U.S. citizens. This has been the reality for years, and was so well before Equifax announced its big 2017 breach.
Again, I find that this only reinforces the fact that SSNs are not a useful identification system because there's nothing secure about them. Can someone explain where attackers obtain SSN/DOB data with such a widespread success rate?
If you require the PIN to lift a credit freeze, some people will lose their PIN and never be able to lift the credit freeze.
So there must be a workaround that relies on verifying identity, based on non-random information (e.g. no PINs, no passwords).
They've made it too easy, but until we can request that a credit agency blacklist an SSN and forget all associated information, this will keep happening.
> “We deployed an experience that embraces both security standards (using a multi-factor and layered approach to verify the consumer’s identity) and reflects specific consumer feedback on managing security freezes and fraud alerts online without the use of a PIN,” she continued. “The account set-up process, which involves the creation of a username and password, relies on both user inputs and other factors to securely establish, verify, and authenticate that the consumer’s identity is connected to the consumer every time.”
She tosses around the word security, but really what she is saying is that Equifax decided to make the experience as simple as possible because having people create accounts with them without the need for boosting CSR headcount is more important than securing those accounts.
I just made upper management aware at Equifax. Let's see how long this takes until they require the FUCKING PIN number to unfreeze your credit on their website. What a joke.
Thanks for posting this, please reply back and let us know their reaction. It might be popcorn worthy, or it might be 'meh' - either way, it is of interest to me and I suspect HN.
>Equifax spokesperson Nancy Bistritz-Balkan said not requiring a PIN for people with existing freezes was by design.
>“With myEquifax, we created an online experience that enables consumers to securely and conveniently manage security freezes and fraud alerts,” Bistritz-Balkan said.
I lost my PIN since I moved twice after freezing my credit and apparently didn't store it in my computer. I was able to temporarily lift my security freeze without it, and I found it convenient but a bit unsettling. Glad I'm not the only one.
My guess is the PIN is largely pointless anyway. This new system was put in place because a large number of people forget or lose their PIN. This would require a support ticket every time. The new system is intended to reduce support costs.
Serious question: what’s to stop a startup or 2 or 3 from creating an alternative credit check system that’s not as horrendous as the current one, thus displacing the current overlords?
Password policy for my.equifax.com is ... not best practice. At least they allow up to 20 characters. Must include one special character from a set of ... FIVE. And those are the only allowed special characters.
Whenever they limit the number of characters to something small, it makes me wonder if they are storing the password in their database rather than some hash of the password.
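The point made in the two comments above (a short length cap hints at plaintext storage, because a properly hashed password has no storage footprint that grows with its length) can be shown directly. The following is an added example, not code from any commenter or from Equifax; the iteration count, salt size and test password are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed parameters for this example; they are not Equifax's settings.
# 600,000 iterations is the OWASP-recommended floor for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
DIGEST = "sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a fixed-size verifier from a password of any length.

    Returns (salt, derived_key). Only these two values are stored; the
    plaintext is discarded, so the database never reserves room for it and
    there is no storage reason to cap the password at 20 characters.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user
    key = hashlib.pbkdf2_hmac(DIGEST, password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Recompute the verifier from the stored salt and compare in constant time."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, stored_key)


def stored_size_is_constant(lengths=(8, 20, 200)) -> bool:
    """Check the thread's point: 8-, 20- and 200-character passwords all yield
    a verifier of the same size. A fixed salt is used here only so the
    comparison is reproducible; real accounts get a random one."""
    fixed_salt = b"\x00" * SALT_BYTES
    sizes = {len(hash_password("x" * n, fixed_salt)[1]) for n in lengths}
    return len(sizes) == 1


if __name__ == "__main__":
    salt, key = hash_password("correct horse battery staple")  # constructed test password
    print("stored:", salt.hex(), key.hex())
    print("verify ok:", verify_password("correct horse battery staple", salt, key))
    print("constant size:", stored_size_is_constant())
```

One caveat when reading a length limit as a signal: some hash functions do impose an input limit (bcrypt truncates at 72 bytes), so a site may legitimately enforce a ceiling, but it would be far above 20 characters. Restricting the special characters to a set of five, on the other hand, has no such rationale and only shrinks the space an attacker has to search.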
I complained about this to my old bank (Wells Fargo) and they told me not to worry about it because I'm protected from fraud.
zelon88 | 7 years ago
jjeaff | 7 years ago
https://www.fastcompany.com/90312551/watch-a-congresswoman-d...
cannonedhamster | 7 years ago
_jal | 7 years ago
spaceribs | 7 years ago
christiangenco | 7 years ago
mherdeg | 7 years ago
css | 7 years ago
Edit: Here is the screenshot https://i.imgur.com/Mr8gOOA.jpg
techsupporter | 7 years ago
nkrisc | 7 years ago
hsk0823 | 7 years ago
cannonedhamster | 7 years ago
reaperducer | 7 years ago
ben174 | 7 years ago
ShakataGaNai | 7 years ago
adrr | 7 years ago
bonestamp2 | 7 years ago
mindslight | 7 years ago
zelon88 | 7 years ago
isoskeles | 7 years ago
acranox | 7 years ago
Gpetrium | 7 years ago
* Decreases the number of bots able to get into your account
* Make it harder for a foreign agent with limited knowledge of English to do the same.
No, I did not write that question for you to answer.
godelski | 7 years ago
unknown | 7 years ago
[deleted]
russh | 7 years ago
sbr464 | 7 years ago
deanmoriarty | 7 years ago
dev1n | 7 years ago
asark | 7 years ago
ratling | 7 years ago
ktjfi | 7 years ago
[deleted]
fhinson | 7 years ago
trjordan | 7 years ago
JustSomeNobody | 7 years ago
RandomCitizen | 7 years ago
smush | 7 years ago
monochromatic | 7 years ago
unknown | 7 years ago
[deleted]
benatkin | 7 years ago
beart | 7 years ago
mrhappyunhappy | 7 years ago
mikeash | 7 years ago
joeblau | 7 years ago
unknown | 7 years ago
[deleted]
turtlegrids | 7 years ago
jiveturkey | 7 years ago
criddell | 7 years ago
smtihwilson0907 | 7 years ago
[deleted]
unknown | 7 years ago
[deleted]
qrbLPHiKpiux | 7 years ago
?