This was only a matter of time. We can rotate credit card numbers, but sadly not a SSN. I wish I could rotate my US social security number when significant exposure happens (this would be the 4th or 5th time in 24 months my data has been exposed).
Assuming legislation passed that allowed you to cancel an exposed SSN and get a new one, what would it take for that to happen? Surely it's not just the one agency (SSA) that would need to make the change, but multiple agencies would need to coordinate the change?
(And of course, I would be personally responsible for informing my banks, brokerages, loan agencies, etc of my new SSN)
Does anyone have insight into how this could work?
I really wish they would issue something like this. Or put a smartcard in my driver's license (I'm sure there are privacy implications to this though).
Even the level of standardization proposed for Real ID was met with enormous push back.
The long term solution is to figure out how to make financial companies feel the pain of fraudulent accounts. Like maybe when they open an account without doing a sufficient level of verification they should have to pay the victim of the fraud $5000 (in addition to covering any damages they cause).
It was originally created alongside the Social Security Administration, to track what individuals put in and what they take out. People only received one upon becoming employed.
Over time, the IRS realized that it could be used as a national ID, and adopted it for that purpose. They encouraged people to obtain one from a young age (even for their newborn children), and it was used to replace the original 'honor system' of 'How many children do you have?' tax discounts; now they'd need to register their child with a SSN.
Companies eventually began piggybacking on the number as a national identifier (due to our lack of one), and voila. We're left with an awfully insecure identification system that shouldn't be an identification system for much in the first place.
Not only was SSN not intended to be a national id, it was explicitly not supposed to be a national id.
In the era when SSN was established, Nazi Germany and its emphasis on "papers, please" was on the public's mind. SSN was intended to be used solely for tax purposes, not as a form of national identity. There were legal constraints on when government agencies can even ask for SSN, limited to legitimate tax purposes. Sadly, these protections have been whittled down over time:
> Federal law is supposed to protect the privacy of your Social Security number from government inquiries -- but apparently that doesn’t extend to a check on whether you’ve paid back taxes and child support. In a decision with worrying implications for those who oppose a single national identification number, a divided federal appeals court has rejected a lawyer’s refusal to submit his Social Security number along with his renewal of Maryland bar membership.
> The state says it needs Social Security numbers to make sure lawyers’ child support and taxes are up to date. The court’s majority said that was enough to fit the Social Security number under the federal law that allows states to use your number for tax purposes. That definition is so loose that it enables states to ask for your Social Security number pretty much whenever they want -- even when their records have been hacked.
Really, the government should make it possible for citizens to create an arbitrary number of different tax ids (SSNs), as many as they want. One for every firm they do business with, one for every employer, and so on.
Why do we need to number people anyway? People are very consistent with spelling their own names. This combined with a birth date and/or a birth city should be enough to uniquely identify anyone.
Think about passwords. A SSN is only nine digits, 0-9.
JohnHarrySmith19900101NewYork is far more secure. And doesn't dehumanize the recipient.
> People are very consistent with spelling their own names.
Is this true of all people?
> This combined with a birth date and/or a birth city should be enough to uniquely identify anyone.
For common names and large cities, probably not.
> JohnHarrySmith19900101NewYork is far more secure.
No, it's not; SSNs aren't passwords, and shouldn't need to be “secure” in that sense, but names aren't secret and birth dates and locations are easily discoverable (and the combination of all three is frequently publicly announced!), so this would be less secure.
Not even remotely.. My name has a space and an accent, it's always different. My wife's name is spelled differently on each of her birth certificate, drivers license, and social security card. And we have 'traditional' names.
> For common names and large cities, probably not.
Would be interesting to see statistics for that. It wouldn't be New York in this case, but for example Brooklyn or Queens. Even for the most popular name combinations, the number of people with the same name born on one day in one administrative area will be extremely low. Esp if you require middle names to be included.
Or you can just use a number. Because unlike names, you can assume one thing about individuals in a population and that is that they are countable.
You still just need 33 bits of information to identify any human on the planet, anyway.
(post-singularity, evolved into an ever-merging amorphous network of consciousnesses, we can use multidimensional fractal subsets of R^n, but we'll cross that bridge when we get there)
This is definitely not reliable in large cities, and it would have privacy concerns not to mention failing to handle people who don't follow the same naming conventions you do or who don't have day-level precision on their birth date.
Numbers have the nice advantage of not assuming structure, character set, etc. and allow changes for edge cases such as someone escaping an abusive spouse — see the full list of reasons at https://faq.ssa.gov/link/portal/34011/34019/article/3789/can...
There are 8 billion people on Earth. You are a number sometimes. It's okay for {your passport, your driver's license, your social security card, your credit card, your bank accounts, etc} to treat your account as a number.
The SSN just acts as a (largely) unique identifier. In the US, it also serves as proof that someone is eligible to work in the country. It's also the primary key for the account which collects my Social Security earnings over my career.
You are asking the wrong question. Neither of the keys you identify, whether it be "123-45-6789" or "JohnHarrySmith19900101NewYork", is "secure". Perhaps the latter has more entropy, but it's not the equivalent of your password when you log into a website -- it's the equivalent of your username. When you fill out a federal form like your tax form, anyone who sees the form sees your Social Security number.
If we were talking about making Social Security secure, your Social Security card would be plastic/metal and have a chip in it, similar to an EMV chip. It would have a private key which can be used to sign digital contracts and can be used to generate login tokens. It's effectively a private key that generates different public keys for each interaction/transaction you need to perform with it. Right now, Social Security is entirely about "what you know" with an easy to fabricate "what you have" and has no "who you are" factors.
In Germany, this is how identification works to some degree. You have an ID card number but this changes with every card. There is a permanent tax number but this isn't used for anything but tax purposes.
In the end, identification can be done by name, birth date and place of birth. You'll find these requirements on many official forms. This is fairly unique and ties to birth certificates which can be obtained with this information. Even if all databases were erased, this data could restore registers (as birth certificates have a paper copy).
The SSN is not issued by government as a secret number, but a necessarily-shared number between you, government agencies, employers, financial institutions, and many other parties.
The error is that many of the parties with which it must be shared treat it (for authentication purposes) as if it were a shared secret between that party and you (though they often don't do so for security purposes—and, as they often must share it with certain third parties, sometimes cannot do so) even though it is known to be a widely-shared non-secret.
SSNs were expressly intended not to be used as identification or authentication. Thing is, there was not alternative that people were guaranteed to have. I get it on principle, we don't like government giving us tracking numbers. It just seems totally impractical not to have this though.
Public-key crypto has been around since the late 1970s. Smart cards have been around since the 1990s. Two decades is nowhere near enough time for these sorts of changes to go through, you have to wait for all the past generation's lawmakers to retire/die and be replaced. Getting financial institutions to adopt new things that don't directly make them money is even harder.
I think the true error in process is that a SSN is considered to be a secret, unique ID, and many (many!) institutions allow you to use it as a proof of identity.
It's short, guessable, would fail all of their own password requirements, and yet somehow it gets a free pass. I just consider my SSN to be public, and move about my digital life with that assumption. I don't go plastering it on walls, but if I encounter a business or process that uses by SSN instead of proper two-factor authentication (...a large number of credit-based companies and financial institutions, sadly) my trust in them simply plummets, the same as it would for the login I use on less secure forum sites.
Exactly. In the UK we have a National Insurance number, but it's stated over and over again that:
This is not proof of identity.
Anywhere it is referenced it is repeated that it should not be used as proof of identity and not given to anyone as such.
SSNs should be treated the same way, but that would require a culture change. Perhaps having 150m of them 'leaked' will bring about that change. Such a change could also be brought about through legislation making it not legal to ask for SSN as proof of ID (i.e. can only ask for SSN when required for the purposes it is intended for), but legislating such things is likely even further from your culture.
Social Security cards used to say they weren't to be used as identification. They took that off because everyone ignored it and did what they wanted to anyway.
The problem is that you need a replacement, something that can actually be used as a solid proof of identity.
The countries that don't have comparable identity theft problems have done so mostly by using an ubiquitous government issued ID that's hard to forge and hard to obtain by someone claiming to be you. In USA there seems to be a strong opposition and a legal barrier for the government to make such an ID.
Not much else can be done - a simple test of a decent identity system is to ask if my spouse, mother or brother would be able to impersonate me - it's clear that nothing that relies on "something you know" can ever be sufficient, it must be "something you are", possibly together with "something you have", i.e., biometrics or a trusted photo ID.
Can you expand on the systems that are "hard to obtain by someone claiming to be you" and biometrics? In my readings, I've found that biometrics is not unique across a large population, it changes over one's life span (which means you wouldn't know when it has changed enough to update the system that stores it), changes with one's profession (like physical labor) and health, and that the error rates across a huge population even for iris scans are quite high.
For reference, India has a unique ID called Aadhaar that collects ten fingerprints and two iris scans to deduplicate across 1.3 billion people. It uses flawed technology (relying on a fingerprint for authentication or in very rare cases, an iris scan), insecure devices, and generally has a high failure rate due to poor infrastructure. Combined with poor technology, the privacy and security policies and measures are inadequate too. There have been plenty of personal information leaked in the last few years because of the government's obstinate stand that this ID be linked to everything - phone numbers, tax ID, bank accounts, and many more.
I don't think there is any solution, including biometrics, that will work to uniquely and unambiguously identify individuals across large populations. I also see more dangers for the populace with such schemes because submitted biometrics, once compromised, cannot be revoked or reissued (this is how the Aadhaar system works - it stores the biometrics as-is).
Biometrics alone aren't sufficient, but they're a reliable way to prevent identity theft if you have a secure record linking the identity to the biometrics - there will be people with similar faces and may be fingerprint matches, but fraudsters aren't going to easily find a thief that happens to look similar to you, match your fingerprints, and forge a document just to get a small loan or some electronics on your credit. The point is that biometrics can't be treated as "something you know", and the system should be designed in a way that these biometrics getting compromised isn't a big problem; I mean, my EU ID card has a chip with my fingerprints on it, but getting a copy of my fingerprints won't really risk "my identity", all they're good for is to prevent someone else using my documents if they steal it even if their face looks similar.
Getting such a secure record, though, generally requires a decent level of gov't infrastructure throughout all areas, and can't be built up quickly. Size alone isn't an issue - if it works for half a billion people in EU, then it'd work for a billion people elsewhere, but the infrastructure needs to be there.
I.e., you need a population where all or nearly all births have been properly tracked and reliably registered for a long time, so you can't build it faster than decades if it wasn't the case; you need a general low corruption environment where mass issuing of fake IDs by corrupt officials won't happen (a limited number of fakes by organized crime might be inevitable, but they won't disrupt the system); you need an effective policing system where everyone, including the most poor, would report stolen wallets and documents to be revoked; you need effective infrastructure where it's trivial for everyone giving credit or goods "on lease" to verify online the validity of some documents.
I'm not sure how it's in India, and I assume that some of these might be a problem, but for USA (as the original article) all these things are in place and such an ID would work if it was implemented.
SSN is a fine ID, but it cannot be used as authorization. I think that a government issued photo ID, such as a passport, is probably the current best bet if you require the other part to save a photocopy of it. Perhaps in this digital age you could have a system where you need to sign in with 2 factor authentication to verify any claims to authorize you.
Biometric is a very poor ID. With current technology we can fake fingerprints and iris, the two most commonly used biometrics. They also have the issue that you cannot change them, so if you do get compromised and flag it, then you cannot use that option yourself.
All the objections to creating national ID seem like ridiculous anachronisms given every other privacy-compromising measure that's been shoved down our throats.
Strange that this is being downvoted. The video is very relevant.
I get that many Americans are suspicious about our government, but the fact is that much of our credit / jobworthiness in the US is tied up in the Social Security card. I would rather it be something more useful, such as the Estonian National ID card -- which has smart features like digital contract signing.
I think it's more that Americans don't like national ID cards because they're paranoid about the Mark of the Beast and mistrust Federal power on principle.
I'm not sure I would proclaim that unironically in a discussion of a giant American company accidentally losing track of a database containing detailed personal information about ~1/2 the country.
I mean sure, it's not in your pocket. But are you going to move house in response to this breach?
The point is that your social is a fairly predictable number if you can figure out someone's birthday and hometown. I realize this wouldn't help in the case of equifax but it would help in other instances. It would also allow us to have voter ID laws that didn't constitute a poll fav but that's a totally unrelated issue.
You don't need one central register with intimate data of citizens. You can keep registers local to avoid widespread data breaches. It's still possible to verify the authenticity (e.g. for police) by requesting from the local register (electronically) but no one has access to all data at once.
At the same time, the system can be designed to only store the data necessary. Don't think it's necessary to store more information than for SSID.
It's pretty much the flaw in not having a national ID scheme - everyone reaches for the next closest approximation, with no funding for security systems or refreshes to address flaws.
Because this is an issue the government should address seriously.
US government has been addressing this but states (which tend to issue the identity documents used widely) pushed back. Here in Montana I will shortly have to use my passport to get through airport security for this reason.
Even with a national ID scheme, I don't know of any country who has implemented a way to validate that the holder of the ID document is the person who is the person who the ID document corresponds to without the person being present so that their biometric data can be validated.
You can use many ID cards online with the chip in the card. This means you need to have access to the physical card and the PIN. Much safer than just having a number and it will be hard to steal 50 million physical ID cards.
Many banks use video chats to open accounts where you have to present the card via video. This can be even safer as you need the physical card and someone who looks like the person on the ID card. Since calls are recorded, I can imagine fraudsters are hesitant to use this process.
You can, but in very specific cases. The "cultural objections" bit requires documentation from a legitimate religious organization - you can't just say 123-45-6789 is the mark of Satan.
I've seen variations on this for exemption from educational requirements, ID requirements, medical requirements, and the like.
It's always struck me as odd that one _can't_ give as a reason "I have rationally concluded, based on the evidence I present here, that I will take X course of action."
But one _can_ say "I have been advised to take X course of action by a group of people who pinky-promise that they are authorised representatives of a sky fairy who suggested X to a hallucinating man several thousand years ago."
> you can't just say 123-45-6789 is the mark of Satan
Obviously you can't say it out loud, because you might evoke the wrath of the Old Ones.
Additionally, you can just engrave the surface your ID-card with the correct symbols in charcoal, a salted circle (actual salt, not the cryptographic kind), maybe some blood, and you should really be fine for most practical purposes.
I mean, this is not the Middle Ages any more. You can just Google this stuff.
Yes it would, and that (the extra friction) is exactly what should be done to fix the identity theft problem. It's far too easy to get credit in your name, so easy that it can be done by others.
But the change won't happen by itself unless a shift of liability away from the users makes it so that every company doing anything on credit sees that it obviously makes business sense for them to implement the extra friction (and suffer from it) because otherwise they are paying out money to fraudsters instead of trying to collect that from the impersonated people.
If only someone could invent a way to verify their identity without sharing their secret key...
But in all seriousness, we need to find ways to make real identity authentication user friendly, a la Yubikey, and then drive companies to replace this insane SSN-based system.
No. Link says it was a vulnerability in their website, so adding biometrics would've probably just meant your biometrics would've been leaked alongside your SSN.
Most are falsifiable and they are hard to do over the Internet (and are easier to fake over the internet). Also you can't change the info if there is a breach
I strongly encourage anyone in the US to put a full credit security freeze on all three credit agencies. When a credit freeze is in place, you still have access to all of your existing loan accounts and whatnot (e.g. credit cards), but lenders cannot access your credit to open new accounts unless you want them to.
It's not difficult nor expensive to do, and the freeze lasts until you decide to revoke it. Whenever you need to allow access to your credit (credit check for rent, taking out a loan, etc), you can temporarily lift your credit freeze for a small fee. The fees associated with this are going to be much cheaper than any of the professional "identify protection" services that exist out there, and the freeze is significantly more effective at protecting you.
When a company leaks your social security number and personal details, which almost certainly will happen at some point if it hasn't already, then opening fraudulent accounts in your name isn't the only risk you face, but it's an obvious and dangerous possibility that can ruin you financially or make you spend a considerable amount of time and energy fixing the situation.
For every person in the US with kids, I also strongly suggest that you freeze their credit as well. There's no good reason for your 13 year old to take out a loan, but identity thieves don't care about how old their victim is.
The Equifax site appears broken in at least some browsers. Transunion wants me to sign up for an online account, and Experian charges a $10 fee in my state to place a freeze.
All three want to collect my name, DOB, SSN, etc. _again_ in order to sign up.
This is complete and utter BS. Credit reporting agencies are one of the greatest/worst rackets in the modern financial system.
"You could be at GRAVE RISK because we accidentally leaked your personal information. Please give us all of your personal information so that we can tell you if you were affected."
It's almost funny, in a way. What, so I can become affected if I'm not already?
I don't understand this. Equifax claims they just leaked my SSN, Drivers License, and other pertinent data to everybody. How would they possibly confirm that I am the one lifting the 'freeze'?
And what happens if I call to unfreeze but have lost the PIN? Can I never get a loan again for the rest of my life? Or is there some way around the PIN - perhaps only requiring the already leaked information?
You call them up... but this will probably no longer work b/c of the data breach. Otherwise you snail mail them a letter with a govt ID and they send you a new pin.
I think you are missing something. Here's what's needed to initiate your TransUnion freeze:
To set up a security freeze with TransUnion, please visit our online form. You should be prepared with the following types of information:
1. Your full name, including middle initial and suffix, such as Jr., Sr. II, III
2. Social Security Number
3. Date of birth
4. Current address
5. All addresses where you have lived during the past two years
6. Email address
7. A copy of a government-issued identification card, such as a driver’s license or state ID card, etc.
8. A copy of a utility bill, bank or insurance statement, etc.
So, if I hack TU, all I need to do is get the data of the people who asked for a credit freeze.
The problem is these companies, who non of us ever chose or nominated to collect our data, are careless with our PII. And until some accountability is added into the system, this will continue.
I want to see Equifax's CEO, CTO, CSO and anyone who ever saw a report saying "we need to invest more in security" and ignored it, to pay. Preferably with their jobs.
Equifax can handle its internal management and operations however it wants.
Externally, though, I want Equifax to have to pay a fine for every individual whose information was compromised. Identity theft can easily cause five figures worth of damage, so $10k per individual would be fair. Maybe as a warning shot we could lower this to... $1k? $100?
That's the only way to properly align incentives so companies will proactively defend against attacks like this.
I would not doubt a class action lawsuit results from this, and I'd be very surprised if Elizabeth Warren didn't pursue congressional action against them (although not officers of the company unfortunately).
And then I'll get six months of free credit monitoring from Equifax? Oh boy!!1!
More seriously, this is a breach big enough that Equifax should honestly no longer exist as a company. So call it $100/incident, and I'm happy. Other agencies would still exist, and, although they're just as terrible, it might get them to kick their asses into high gear to fix their security.
I went there and used the site and guess what? It doesn't work. It just said 'Thank You!' and gave me an enrollment date. It gave me no info as to if I was one of the people affected.
Likewise, WTF. I thought you were joking but nope, it returns this text:
-----
Thank You
Your enrollment date for TrustedID Premier is:
09/13/2017
Please be sure to mark your calendar as you will not receive additional reminders. On or after your enrollment date, please return to faq.trustedidpremier.com and click the link to continue through the enrollment process.
No Evidence of Unauthorized Access to Core Consumer or Commercial Credit Reporting Databases
Company to Offer Free Identity Theft Protection and Credit File Monitoring to All U.S. Consumers
September 7, 2017 — Equifax Inc. (NYSE: EFX) today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.
The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps. The company has found no evidence that personal information of consumers in any other country has been impacted.
Even better, they ask for your last name and the last six digits of your SSN to even check your potential impact. The problem is that the first three digits of your SSN are derived from your state of birth, so the last six give up basically the entire thing. http://www.ssofficelocation.com/social-security-number-prefi...
Did that https work for you? For me it redirects to plain http and then OpenDNS blocks it as a phishing site. Why are they using such a scammy looking domain, anyway? Why not just host it on their main site?
Edit: I'm abroad and just tried through a VPN and it worked. Don't know why I tried without it ...
Maybe, the suggested demise of Equifax, the extreme perpetrator of neglect in this particular case, should lose the ability to print money, much like Symantec and other ssl cert issuers (identity certifies) for their recklessness; perhaps that doesn't go far enough.
Maybe the whole commercial enterprise of credit reporting (and identity verification) needs to be dramatically reworked in a more modern, sane design, with different governance and oversight.
This thing called "Identity Theft" does cause damage, but it's important to remember that if fraudsters trick a bank into thinking they are you, it is the bank's fault for failing to properly verify it was actually you. Doing so would cost them more money and it is much easier to do cursory checks instead.
No doubt fraudsters impersonating you is a hassle and you must spend some time and money dealing with it if you are targeted, but do not lose sight of why it happens and who is ultimately responsible.
It hurts everyone foolish enough to still do business with the bank after they jack up their fees to pay for it. Or in jurisdictions where a small number of banks are given a monopoly, or competition is otherwise discouraged, it hurts everyone.
$1k, $100, that's far too low in my opinion even for a warning shot.
As someone who has had their info leaked by two universities before, both of whom subsequently paid for multiple years of credit/fraud protection, the sheer pain and stress of having random credit cards frozen and need to be replaced is worth far more than that dollar amount of my time. This is potentially messing with people's livelihoods with long term lasting effects.
If monetary sums are given out, then I hope a fair amount is given out instead of a warning shot. Those tiny figures won't help at all and effectively send the message that companies are more important than the people they serve.
Perfect. If they're in the business of selling access to sensitive information and cannot keep said sensitive information safe, they should not be allowed to continue to leak that sensitive information.
That's not nearly enough, considering the reach and impact this could potentially have. These people need to be getting life prison sentences before security is finally taken seriously enough by executives.
It's high time we had an equivalent law to Sarbanes-Oxley for security.
S-O made sure that when a C-level type guy signs a report, he knows his ass is on the line in case an illegal transaction just occur under his nose. If your company deals with PII, I want that data to be treated as important, if not more important, then company's funds. If you lose it, and you had any say in security (or lack thereof), you should do time.
> I want to see Equifax's CEO, CTO, CSO and anyone who ever saw a report saying "we need to invest more in security" and ignored it, to pay.
The issue here is likely related to business units that were acquisitions, with the breached product in question having been developed pre-acquisition by a code farm staffed by interns in some developing nation. I spent a few years trying to unfuck some of those messes and moved on.
It's more a problem with their reckless growth over the last decade than anything. (ed) Due diligence is obviously lacking, but I can personally attest that nobody in senior leadership there willfully ignores matters of security once it becomes known.
If that were the case, then who approved the acquisition? Who did due diligence on it?
Suddenly letting a bunch of untrusted, poorly audited code run on your infrastructure is itself a massive security breach. And even that doesn't explain how data was extracted for two months with no one noticing.
We don't know if this has anything to do with any acquisitions - this is a conjecture, at best.
At any rate - I don't care. I never gave Equifax permission to collect my personal data. I certainly never gave them permission to store it in a way that it can easily be hacked. If you buy a 3rd party company, "unfuck" and harden their software BEFORE you let the data flow in.
Allowing data to slip out is negligent. If you're in the army, or the intelligence community, you get punished for this. It's about time the private sector felt some sort of accountability.
This so much. The stream of corporations passing the buck into a black hole of irresponsibility needs to end now. If people arent held responsible, they will continue to make these failings without pause. I hope everyone is writing their legislators and congresspeople right now. They listen more than even my disillusioned self thought. The just might have bigger incentives to act otherwise. But if they dont know, they cant even choose to be corrupt or not, they are ignorant by proxy. Communicate to your leaders, and remember their response when you vote.
> The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.
Since core business was unaffected (nobody hacked the mainframe), I guarantee you some crappy product they acquired got compromised.
And like it or not, you do give them permission to collect your personal data every time you authorize a creditor, utility or employer to run a credit check. Never sign up for utilities, loans, credit cards or get a job and then you'd have a case for privacy.
It could also be related to how they sell things. Given how commonly they redistribute this data I wouldn't be surprised if it turned out to be something like a customer portal where they can say it wasn't core because the attacker couldn't have altered data, etc.
Oh, good, it wasn't their _core_ business. What a bullshit copout - you acquire a company, you own it, warts and all. Who's worse, the crappy company or the company that acquires it and continues to operate it without fixing it?
You probably did if you have any sort of bank account or loan or job application or rent. It's pervasive in contracts/agreements that they report to partners and credit agencies.
The best way to punish them is for us all to organize and create a Proposition that bans them from being a credit bureau, etc. If this passes in California, it will destroy them as a company.
The problem here is that they've expanded their core business to be so pervasive, they're no longer reporting on just your credit history-- they've also moved into the employment history, salary history, etc. space. So you kill their financial tentacle, they'll still be collecting intelligence for other purposes.
> I want to see Equifax's CEO, CTO, CSO and anyone who ever saw a report saying "we need to invest more in security" and ignored it, to pay. Preferably with their jobs.
Nope. Ain't gonna happen. Financial crime pays, big time! No one goes to Jail. They usually have an investigation followed by a hearing in Congress (if it is "BIG" enough), then come back and pay a fine. Media will report the fine as "MILLIONS OF $" but the fine hardly makes a dent in the Bank / Financial institute's coffer.
W.r.t. this particular situation, here's a story that just broke.
Of the three letter agencies, the IRS and the SEC are particularly ruthless. They can only enforce what Congress will allow, unfortunately, so that leads to bigger fish not being fried up.
> I want to see Equifax's CEO, CTO, CSO and anyone who ever saw a report saying "we need to invest more in security" and ignored it, to pay. Preferably with their jobs.
> So, if I hack TU, all I need to do is get the data of the people who asked for a credit freeze.
To what end? As has been pointed out they have all that info anyway so it's not like you're making the situation worse.
But more importantly, if your credit is frozen who cares? What are they going to do with your SSN? Get a loan? Get a CC? Buy a house?
That's the point of a freeze, it makes your PII less valuable.
The actual concern is about the PIN. Because surely they could go through the trouble of PIN recovery to unfreeze your credit and then make use of it. But considering the numbers game, its not worth their trouble vs all the unfrozen accounts.
I recently did this and highly recommend IdentityTheft.gov for assistance. It has tons of great resources/guidance for dealing with identity theft and other credit issues.
Anyone know if there's a way to get your free credit report if you can't answer the questions for the free one?
The computer says no, and the phone number just sends a letter that says no. I tried to to buy one from my bank, but as far as I can tell they only sell subscriptions...
Each of the credit reporting agencies has a process for requesting your credit report by snail mail. The form is hidden away on the various websites, but it has generally worked for me when the online form didn't work (it turns out another person's delinquent loans and CCs were in the report that they were using to test that it was me).
Not as free, since you need to buy envelopes / print the forms / photocopy your ID / get stamps / wait X weeks, but as free as it gets when the online system doesn't work.
I can't agree with this more. I was the victim of identity theft many years ago. I my case the data leaked from an employee at my company's payroll dept! There was nothing I could have done to prevent it. Anyway I did this many years ago and have not worried about it since. There is some small hassle because people run credit checks for weird reasons that have nothing to do with trying to get a loan or line of credit. For instance when I got promoted to a certain level at my last company they ran one, and while they didn't run them when I got hired, I think later they started doing them as part of "background checks" for all new hires. The other hassle is sometimes the credit agencies change the way you "unfreeze" and I've had some problems with that, or the people running the check don't actually know which of the three credit agencies they are using. However for the once every four or five years hassle it is definitely worth the piece of mind for me. In many cases you can "temporarily" revoke it for a week or 10 days.
I'd phrase this more as, "I was impersonated by someone, and a third-party compounded the problem by lying about it to others. Now, to avoid that problem, I pay protection money to that third-party and waste my time jumping through their hoops."
I do the same thing, BTW, because the alternative is worse. But it is a protection racket offered by the very people causing the problem.
I think that pretty much is exactly how I felt about it at the time. One thing I haven't seen mentioned is the fact that this "remedy" was actually a requirement imposed (at least in California) on the credit agencies by the government, and it wasn't always that way. So for several years instead of this, I would have to actually go check (all three) credit agencies getting my "free" report (since I was an identity theft victim). Of course I still had to ask for it, they didn't just send it to me. So yes it was the least bad alternative. If a large enough people actually signed up for this it would actually destroy the credit agencies business model, because instead of working by default, they would be broken often enough that people would do other, more reliable solutions. I think they may already be happening in some cases. For instance when my son moved into his first apartment, I had to put my name on the lease. I told them my credit was locked and they said they don't use the credit agencies, they had some other check they did. So yeah, no love for credit reporting agencies from me..
So if an identity thief has enough of my information to potentially open a new line of credit, wouldn't they also have enough information to reverse the freeze?
In other words, is a freeze enough to stop new accounts from being created?
You get a unique long pin code when you freeze the account. You need that to unfreeze it. There is some "recovery" procedure, I think you need a notary or something
At this point it's about doing that one thing the other 1 million won't. It might be surmountable but do you figure the adversary is going to have the incentive to surmount it?
And regardless of whether you claim the evidence is inconclusive, it is simply not acceptable to dismiss a known vulnerability in something important by saying "I don't know of any case where it has been exploited yet."
Exactly. All it does as far as I can see is flag the transaction as card holder present. The PIN is easy to steal as well evidenced by the number of fake reader heads and cameras found attached to ATMs as well.
I know that flaws have and will continue to be discovered in those authentication systems, and also that a theoretical shift in liability occurs. Any bugs will need to be fixed, and that's important. But you can't ignore the situation in practice – liability is not being shifted, and all UK banks and credit card providers are pretty happy to refund fraudulent transactions regardless.
It is good to hear that UK banks are apparently no longer shifting liability, but this case, and others, show that banks were shifting liability until it was irrefutably demonstrated that the system was not as secure as they claimed. 'Liability shift' is not a term invented by conspiracy theorists: banks were explicit about this being a primary goal of EMV, so it does not require a leap of faith to accept that it happened. Sadly, neither is a leap of faith required in accepting that the banks' first response to evidence of weaknesses was to deny their exploitability.
Does your statement about UK banks no longer shifting liability apply in cases of fraud against merchants?
They only refund credit card transactions if suspected with fraudulent. Debit card transactions are held and investigated. I've had a card ripped and lost £500 permanently because the bank decided I had made the transaction. I had to small claims them to get it back. I have seen at least three other people lose against the bank.
Why not just shift the presumption of liability (absent verification) to the financial institution instead of the consumer? Loan issuers can hire skilled professionals to do credit verification, so why should consumers bear the risk for their lack of due diligence?
> Consumers would love this. Financial institutions would not. Guess who wins this battle?
And everyone thought SOPA and PIPA were done deals, that is until the great internet SOPA/PIPA blackout day that resulted in so many calls to congress that the congress critters backed down.
If enough voters could be motivated appropriately to contact their congress critters requesting jail time for the Equifax executive staff that clearly did not stress security sufficiently, there would be some change that would occur.
Remember, money (donors) only help the congress critters to pay for the costs of the election. They still have to get those voters to actually vote for them. So there's still a way to influence their viewpoint. It just takes _way_ more than a few handfuls of voters calling/writing to reach the point where they actually pay attention anymore.
Their signup process for the credit freeze involves entering your SSN which is not obscured at all. It's increasingly obvious how this could have happened -_-
Also just tried to pull a credit report for Equifax via annualcreditreport.com and received a messages a condition exists at this time not allowing my report to be pulled and instead gave me mailing instructions.
It sounds like this would alert you to potential fraud, but not prevent it from happening. You'd still have the headache of undoing the damage, although that may be easier if you find out sooner.
If you freeze your credit, it basically prevents anyone from opening any new credit under your name. The reason for this is that any lender (car, mortgage, credit card, etc...) first would want to see your credit history, to determine how credit worthy you are. If they can't do that, they will not lend.
I'm waiting for the headline one day soon that hackers were able to unfreeze people's profiles and commit fraud under these accounts anyway. It's just another database entry somewhere, which says "freeze". All these systems are vulnerable and can be penetrated.
This is actually a major inconvenience. You won't be able to apply for credit cards or get a loan to buy a car if you have a credit freeze. You have to unfreeze and re-freeze each time you apply for a credit card, and this costs about $30.
It is, in any case, far less of an inconvenience than not paying the protection racket, having someone impersonate you, and having the credit oligopoly lie about you because of it, leaving you to somehow clean up their mess.
It depends on your situation. I've done this for the last 3 years, and have only had to lift the freeze a 2 times, both times actually for job offers (it's pretty routine for companies to run background checks on new hires, which includes a credit history check). It does cost ~$30, but can be done online, and takes little time. You can also reduce the cost by asking whoever wants to legitimately check on your credit history, which reporting agency they will be checking with. Then you only need to lift the freeze for that agency, and for that entity asking for a report.
If there isn't some handshake/ack mechanism like this, I'm not sure how you cut back on fraudulent activity. I can see the case for making the credit agencies eat this cost and provide these services for free. That would probably require an act of congress...
Edit: You could also ask a potential employer to eat the cost of unfreezing to check your credit history, or ask them not to do the check at all (especially if it's not really relevant to your job). Either request seems reasonable to me, although I haven't tried that, I'm betting at least most employers would pay for the unfreeze.
It's definitely not routine for employers to do credit history checks except in certain narrow roles (and even illegal in many states). You absolutely should not unfreeze it for an employer unless they can provide justification for needing credit information.
I did this about 2 years ago with all 3 of the major agencies and in addition to the benefits described in post and comments, my junk mail volume dropped considerably. I don't know if it's always the case but this did not cost me any money.
I did this about 8 years ago, and have only needed to temporally unfreeze it 3 times. Besides the big 3, I also froze reporting from Innovis.
The only unforeseen hangup from frozen credit reporting I've run into is with car rentals. With a few exceptions, most car rental companies (at least in the US) run your credit. Everything else was pretty predictable.
To unfreeze it entirely it looks like it can take no longer than 3 days. Unfreezing it for specific parties it sounds like is less money and perhaps takes less time but that will depend on the company.
Here in UK they verify address via utility bills, cross-check with drivers license (verified by gov agency, DVLA). They maybe only take card payments too, no cash?
I'd expect that to be enough, given they force you to take out expensive insurance, that must cover them, surely. What's the credit report going to get them at that point?
Unfortunately it appears freezing credit reporting is impossible in Canada, presumably because there are no laws forcing these companies to allow it here: https://money.stackexchange.com/a/54677
Lovely. I just had to give Equifax a bunch of my own info after having my identity stolen[0]. When dealing with this, I was amazed at how technically inept all three agencies seem to be. Not to mention the extent to which they use SSN and other PII to "verify" during phone calls, and try to sell their credit monitoring services to you. This sort of thing should be provided for free by these companies if they are going to be managing such valuable data.
Well, they try to find and convict the hackers, of course. Or did you mean the companies like Equifax, or Target, or Home Depot that are the victims of the break-ins?
I mean the companies like Equifax. Is there nothing illegal about being careless enough to leak this much important information to hackers? I personally think they should be held accountable.
Accountable for what? That they're a target for hackers, who managed to break into their network? How is that careless? There's no such thing as perfect security.
This case seems a little different in that it's pretty difficult to not have your personal information in their system.
You roll in to Target or Home Depot, you decide to pay with a check, card or cash. You decide to give them your information or not. You decide if you want to go back after they mismanage your information. Can you opt out of Equifax's business and still get credit or loans? Can you even opt out at all?
Putting aside the whole "punishing the victim" argument, the problem is that it's excruciatingly hard to draw a line between "being careless" and "you did everything right but it still wasn't enough", and thus it's really hard to punish someone for cybersecurity mistakes. I work in cybersec consulting, and it's certainly true that a large number of companies are simply not investing enough money/time/effort into cybersecurity protections, and are thus doing a disservice to their customers.
However, there are also plenty of companies that spend hundreds of millions of dollars, with massive cybersec departments devoted to protecting from breaches like this, doing pretty much everything they possibly can right, and they will still be hacked. Cybersecurity is incredibly difficult, incredibly expensive, and takes a really long time. And even if you get 99.999999% of your company completely impervious to attackers, it only takes that 0.0000001% of exposure to sink your ship. Cybersec is also constantly evolving, so it's nearly impossible to keep up with the latest attack vectors, etc.
Take the Target breach, for example: Target has a massive effort focused on cybersecurity. They actually have a cybersec research lab that some law enforcement agencies go to for help with cybersec issues. But the attack that hit them took them totally by surprise simply because it was a type of attack that hadn't really been considered, and thus was very very low on the radar (if there at all) when it came to protecting against it.
Now, companies in the US actually are held accountable (to an extent). Data breaches that result in HIPAA violations, for example, usually result in massive fines for companies. Violations of PCI-DSS will land you in hot water with the major payment card companies. Some states also have cybersec regulations that result in fines if you're found to be in violation of them during an audit. The problem, again, is that cybersec is constantly evolving and these regulations are years behind. The HIPAA cybersec requirements are actually pretty laughable, partly because of all the reasons listed above.
>and thus it's really hard to punish someone for cybersecurity mistakes
No. If you take it upon yourself to hold this information, you are accepting the responsibility for its disclosure. If you are not willing to accept penalty for this happening despite your best efforts, you should not be doing it.
So, what should we do? Should we just fire/jail everyone who has ever worked for a company that was breached? You realize that would be literally everyone, in pretty much every company ever, right? There's a saying in the cybersec world: "there are two types of companies: those who know they've been hacked, and those who don't realize it yet".
Cybersecurity is a field where there's already not enough good talent. And even the very best talent is still going to not be good enough from time to time.
It is simply completely naive and unrealistic to expect a company to be 100% hack-proof, and if you start punishing people for that, then you're just not going to have anyone taking the job at all, and you're going to have even less security.
Oh come on. Anyone here who is a developer has at least some experience with raising a security concern to business or management and having it shot down as not important enough to worry about. We all know companies still aren't taking cybersecurity seriously enough, and it's because the consequences for a breach aren't severe enough.
I leave my home with a house sitter. The house sitter throws a kegger, and his guests cause six figures worth of property damage, including stealing the house sitter's laptop.
This is a great point. Without heavy fines and penalties, it seems many companies are happy to be lax on security just quietly become another "victim" company. They just need their breach to smaller than Yahoo's (which is easy for most companies).
I'm not a lawyer, and I don't know if what they've done violated the FCRA (Fair Credit Reporting Act). That said, doing a bit of research, if they've violated the FCRA knowingly, they're liable for actual damages, plus no more than $1,000 per incident, but also no less than $100 per incident. If it's just inadvertent negligence, then they're only liable for actual damages.
So, assuming each person whose info was compromised is a separate incident, willfully negligent violation could result in up to a company-shattering $143B fine, but no less than $14.3B on the low end. I imagine that that even the lower figure would be hard for them to absorb as well.
I have to imagine that class action lawyers all over the country are licking their lips, if there's an opening via FCRA. I'm not sure what the FCRA says about PII data security practices, though - it might just be having processes in place and the like.
> Equifax has established a dedicated website, www.equifaxsecurity2017.com, to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection.
Really? "We lost your info. Sign up for our credit monitoring service!"
Oh nice. A company that does nothing but collect personal information. I’m already in their identity protection program, so I'm a little nonplussed at this.
Please highlight the part where it specifically says one waives the right to sue Equifax over the data breach. Because the agreement is specific about what it covers.
Sounds pretty likely. Sadly, I already have free credit monitoring from Equifax due to a previous identity theft incident. It's free for me, but paid for by another company that got hacked.
Oddly, on their website equifax.com , they offer a solution to see if your identity is stolen by using a website created today called equifaxsecurity2017.com , which then offers the solution to 'enroll' which sends you to a website created a week ago called trustedidpremier.com . At which point you are to enter your identity information.
What I mean to say is it's not validated* They should have hosted this on a domain associated with the company and validated the cert with the business
TrustedID is an identity protection company that's been around for awhile (many companies use them as the contracted company to do credit monitoring after a breach). TrustedID is actually owned by Equifax (who were just hacked.. irony), and so my guess is that "TrustedID Premiere" is a newly created offering from Equifax/TrustedID to deal specifically with this major breach.
Well, yes, this was in response to this incident. While they're just making a public statement now, we know from their own press release that the breach occurred in May.
Regardless, it's certainly prudent to be wary of these sites since they're pretty indistinguishable from phishing sites.
Why must the consumer enroll in this? Why is it not automatic? They already pull all the strings with regard to keeping the consumer from taking out and keeping track of legitimate loans. Why must we go out of our way to prevent them from certifying and tracking illegitimate ones?
Most likely because Equifax is not providing the service and the actual provider will need to engage with each customer directly, despite the service being free.
I also noted that it asked for the last 6 digits of your social. Could be they need more digits to avoid duplicates, but I've never heard anyone ask for 6 digits. Usually it's just the 4.
Honestly, they should have used a subdomain off of Equifax.com.
The bad thing about that is the first 3 digits are the location digits, so someone that has the last 6 digits can easily guess your full SSN if they know where you were born (or where you lived when you got your SSN).
I've now been enrolled in one or more "identity monitoring" services going back at least five years offered in recompense for various breaches.... at some point it becomes ridiculous.
Same. Starting with the PlayStation hack a few years ago. If it makes you feel any better, I get notified by that service every time I do anything that accesses my credit at all, usually within minutes, so, I guess it works as designed.
And not only do I have to give them personal information to check, I have to use google's sign-reading I'm-not-a-robot captcha - feeding a little of my intellectual capability to their self-driving car companies.
By enrolling in the free "Identity Theft Protection" you waive your right to "PARTICIPATE IN A CLASS ACTION, CLASS ARBITRATION, OR OTHER REPRESENTATIVE ACTION" https://trustedidpremier.com/static/terms
It is a scam to get people to sign away their rights to sue the bastards.
Can anyone with a legal background or have connections to news outlets validate this? I read through the terms and this really does seem to be the case. However, I am certainly not in a position to decide this. It would alleviate my concerns if a trusted source could publicly report on how the impacted (pretty much everyone in the US) should respond to leak.
IANAL, but I'm not sure that you are correct. The agreement refers to claims "arising from or relating to the subject matter of this Agreement or the Products", and the title of the agreement is "TrustedID Premier Terms of Use".
Doesn't that mean you're waiving your right to sue TrustedID, Inc. in a class action for grievances related to the TrustedID monitoring product, not your right to sue Equifax for the data breach?
> Equifax discovered the unauthorized access on July 29
Well over a month later and they're just now getting around to telling people about a security breach that could affect almost half of all Americans...
In this context, there are two sorts of black-hat hackers: those who already know of the exploit, and those who do not. If it takes over a month to shut out the latter, then there is another problem.
Discovering a breach is only a fraction of what has to happen before customers/public should be notified of said breach. It's not very helpful to anyone if you put out a press release that just says "we discovered a breach but have no idea who, if anyone, was affected, we have no idea what was stolen, and we have no idea who did it." There have to be investigations that happen prior to any of that being known/released. Investigations to find this type of stuff out usually takes months, and typically involves the FBI or other agencies, which sometimes will actually ask you to keep news of the breach quiet if it might help them track down the perpetrators. You also want time to fix the issue before you go tell the entire world that there's a hole in your security.
I work in cybersec and I would actually say that under 1.5 months from discovery of unauthorized access to releasing this press release (and already having the equifaxsecurity2017 website up and running) is astonishingly fast work.
That seems reasonable, up to a point, but it also looks potentially self-serving and open to abuse (especially given the news about stock sales by insiders.) If a company in a position with this level of risk cannot staunch the leak within hours, it should be required to curtail its activities to the extent necessary to stop further leakage, until it has the proximate cause of the problem under control.
Nor should the instigation of credit monitoring be delayed until the investigation is complete. To pick a contemporary analogy, it would be like not informing the public of an approaching hurricane until its precise point of landfall has been determined.
Building off your analogy, you don't order mandatory evacuations every time you see a tropical depression form out in the Atlantic. It's only when the tropical depression actually turns into a hurricane and is on a collision course that you warn the public.
Data breaches are the same. If you put out a press release every time your infosec team discovered an attack, you'd be putting out releases every single day, multiple times a day, even though most of those breaches would turn out to be inconsequential after investigation. The public would become totally desensitized to them. That's why the investigation has to be done to determine if there actually is something to notify the public about.
Now, there's surely a point in the investigation where you "know" that the public needs to be notified, but you aren't completely done with the investigation yet. It would probably be in the public interest to notify then rather than waiting, but I think companies are scared to do this because many companies in the past have been lambasted by the public for doing just that. Apparently people don't like it when you release a statement saying "we had a major breach and some customers are affected but we don't know who yet", so it seems that companies are opting to get all the facts before saying anything.
Time for criminal penalties for the management team.
A breach like this will affect thousands of people monetarily and suck time from them they could have used elsewhere. If you've ever dealt with something like this, you know the hours it takes to rectify the damage.
The only way corporations will learn to appreciate data security is when management teams suffer criminal penalties.
I don't think it's fair to be throwing any individuals under the bus like that. There's obviously been several failures at multiple levels but the company as a whole will have to face the consequences, not just a few managers it decides to use as scapegoats.
"Three Equifax Inc. senior executives sold shares worth almost $1.8 million in the days after the company discovered a security breach that may have compromised information on about 143 million U.S. consumers."
Hah, that's actually excellent news for those hoping for criminal consequences. It might be hard to put anybody in jail for their security negligence, but to me it looks like those three have served themselves up on a platter for an insider trading conviction.
> I don't think it's fair to be throwing any individuals under the bus like that. There's obviously been several failures at multiple levels but the company as a whole will have to face the consequences, not just a few managers it decides to use as scapegoats.
We don't know how the security breach happened. Should Equifax be criminally liable for using software which contains a remote-exploitable buffer overflow vulnerability? Or for the actions of a corrupt employee who stole some data and sold it on the black market?
It's possible that Equifax did something really negligent and if so maybe there should be a class-action lawsuit against the company. But it's also possible they did all the things they should have done and still failed because security is really hard and maybe the attacker got lucky.
Isn't the traditional capitalistic argument that the people on top are the ones taking all the risk, which is why they should be making all of that money in the first place?
Note that I'm not making that argument, but trying to understand how this situation differs.
You take a lot of the risk but not all. If this was due to weaknesses in their IT then managers should be liable. But it's possible that they had one of the most secure systems in finance and still someone found a way in via undisclosed exploits. In that case there's nothing a manager could've done.
But since the core database wasn't hacked, it seems likely that someone had a database dump on a development machine which was outside the scope..
>Exploited a US website application vulnerability
>The information accessed primarily includes names, Social Security numbers... credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed
Was all this data available and accessible through the same application? I wonder how likely it was something incredibly trivial, like SQL injection, or whether they were truly targeted and infiltrated
If it's online, it will be hacked and exposed. The new reality! Let's just try to limit what info we give to companies, knowing it will be leaked soon or later.
The problem with this is the major reporting bureaus source their information from banks and credit card companies. The data gets out of their hands quickly, and you don't have the option to protect it in the first place.
My opinion is that the only real solution is to internalize the externalities via fines, taxes, or regulation.
It makes me wonder how they set up their security infrastructure. Were the hackers able to freely access their HSMs? Do they not monitor access?
Would be nice if some form of RCA is made public.
That's what I came here for too. They have a site (go to Equifax for a notification banner) but providing the information they want just tells me to check back later. From the text I would assume I wasn't impacted, despite the fact that it seems almost everyone who used the site would have been.
Thanks for the info will check it out, I suppose one saving grace for me is my credit is destroyed.
edit: that's funny "I know we just lost your SSN, but could you type it in again?" Also curious if by asking for the last six makes search faster, probably.
>Equifax said that, it had hired a cybersecurity firm to conduct a review to determine the scale of the invasion.
I think most people are unaware of the depth of data Equifax has on them, beyond simple credit scores (e.g. health information).
Which makes the above quote from the article even more unconscionable. There should be no need for an outside firm to figure out what happened. They should have in-house expertise that is unmatched (although third-party audits ahead of time would be wise).
Suppose Alice is a "victim of identity theft". BigBank gives $10k to Fraudster as a loan, thinking that Alice is the actual recipient. Experian, Transunion and Equifax report this loan as a debt which Alice owes to BigBank.
Who is the real victim? The credit reporting agencies want to convince people that the consumer is the victim, and so Alice bears the burden and risk of clearing her name. But it is the credit reporting agencies inflicting this upon Alice. BigBank is the victim who lost money, and BigBank bears the responsibility for making the mistake of giving out a loan in Alice's name. The Fraudster committed a crime against BigBank, not against Alice. It is Experian, Transunion and Equifax, by holding this fraudulent loan against Alice, who are victimizing Alice.
The idea that Alice was victimized by Fraudster is a concept being perpetuated by the credit reporting agencies as a way to absolve themselves of responsibility, and place the burden upon the consumer, and to avoid realistic identity-verifiction which might slow or complicate the practice of issuing large amounts of debt to the general public.
This is very clearly what's going on. Fraud is uncommon enough and the cost of fraud to the banks is smaller than the cost of reducing the velocity of money and loan-making, so the problem will never get fixed so long as it depends on the banks to initiate the fix.
Work at a financial firm and have built a bunch of identity theft detection features. Curious what your fix would be. Identity theft and friendly fraud losses are in the tens of billions annually and identity verification services is a huge industry.
Change the way checks are issued/redeemed. Right now the customer is on the hook for 7 years because a check isn't cleared until it goes back to the bank that issued the check . The customer thinks by seeing the money in the account the check was good and can clear a sale. The reality is the bank can take that money back if it is later determined to be false/fake.
Paper checks are going away. Some of the online banks don't even support them. ACH allows only 60 days to claw back the money(disputes) and with same day clearing requirement we can get rid of 2 day holds.
What are they being replaced with? Yeah, as a young renter I went years without using a check. When buying a home last year I had various inspectors during the process. After buying, I've had electricians, plumbers, contractors, locksmiths, and other consultants. I think one gave me a bill and accepted credit card. The rest preferred checks (to be fair, I didn't seek other forms).
I've tried all sorts of p2p methods over the years. All of the banks are too confusing, obscure, or too limited (i.e. only within their bank). Paypal and credit cards charge a not-insignificant fee. Venmo or Square Cash work fine if your group of friends accept them--but more than half the time, they don't for me.
I often do ACH transfers between my own accounts, but the first time I set it up a cringe a little bit and cross my fingers. It sucks waiting the 2 or 3 days waiting to see something. I can't see small businesses accepting ACH as payment because they want something in hand. If we had the setup I've heard about in Britain or Europe, I can see checks going away, but with as much churn as I've seen in this space in the 20 years since Paypal, nothing seems to stick.
> I've had electricians, plumbers, contractors, locksmiths, and other consultants. I think one gave me a bill and accepted credit card. The rest preferred checks
Try cash? I use cash for almost all transactions like that and have never been turned down :-)
Cash is nice, but the the main point of banks is that I don't have to carry a bunch around. I honestly didn't even use an ATM or carry cash for years. I started carrying cash only when my job reimbursed me for parking (and they only accepted cash). It's also nice for bookkeeping. I can write the account number or purpose on the check itself.
Not just bankruptcy. Banks and businesses contract with check verification companies such as ChexSystems. I had a friend who bounced a check and it took him a few weeks to reimburse the bank. By then the bank closed his account and reported him to Chex, who put a 5 year hold on his ability to get another checking account through any bank that used Chex verification (> 90%), essentially blackballed.
Negative credit information falls off after 7 years from date of first delinquency.
Always dispute negative credit items; more likely than not, it won't be verified and is usually removed. Otherwise, wait 7 years and then dispute again.
That may be so, but the GP was talking about the time it takes checks to clear. IIRC, uncashed checks aren't even valid after 180 days, let alone 7 years.
I've never talked about this with anyone who knows the industry so it may be stupid in some obvious way, but I would gladly accept the inconvenience of having to go to my bank in person, carrying official ID, when opening lines of credit, if it would make the whole process secure. Banks could serve the process of relatively slow but reliable authentication for specific financial transactions, and communicate those authorizations to each other. Individuals who need more flexibility could opt out or do something more complicated, at the cost of some risk.
There's some cost to this, but I still suspect quite a few people would accept it.
This is basically what Vanguard does if they get suspicious about your account security. Basically you have to show up at a notary with photo ID and get a form notarized.
My information was used to open a fraudulent mortgage loan, then when I asked my bank to not allow opening credit lines or transfers online was told "we can't do that!"
It's probably not hard to forge a social security card and birth certificate if you have the relevant information. From there, a state ID (or maybe even passport) should be possible to get. I don't believe there is any biometric security on either. A determined identity thief might go that far.
The thief would have to physically resemble the victim's photo, height, age, gender, etc, which is some added defense in depth. For instance it would be hard for most males to pass themselves off as a typical female.
> The thief would have to physically resemble the victim's photo
Why? Show up to a government station with your birth certificate, SSN, some telephone and utility bills, and they'll take the thiefs picture and put it on an identity card with your name on it.
That sounds incredibly bad for a first-world country. If that was the case, I'd argue that the entire country is in collapse. As you then have no control over foreigners impersonating locals and manipulating something as serious as elections, never-mind bank-fraud.
Edit: Point being, this needs to be fixed ASAP if you are to move your country into the future. Fix the regulatory/state hurdles that prevent it from happening, and get yourselves National Identification that's secure. Things will flow positively from there.
They don't use the SSN to check for prior IDs issued by other states and/or the Feds, and compare the applicant's photo/gender/age/height/eye color, etc to them first?
About twenty five years ago a bank allowed someone to cash checks with my name on them with all the correct account info on them as well, but was a different race and gender than I am (the banks had video of the customer). They did this about a dozen times for checks for what I assume was just under the amount that would flag it (about $2000) to empty my account over the course of about an hour, using different drive throughs at different branches in Houston, I lived in Austin at the time and had never visited a branch in Houston.
This is the old "because a solution is not 100% effective, it's not good" chestnut. This solution would cut down on the theft by over 90%, I'd venture, probably more like 98%. There is huge difference between perpetrating a crime from the safety of a computer and physically walking into a bank to commit it.
$16 billion was stolen from 15.4 million U.S. consumers in 2016, compared with $15.3 billion and 13.1 million victims a year earlier. In the past six years identity thieves have stolen over $107 billion.
Thats how traditional banks work. You walk in Chase with your government ID to open up an account. It doesn't work. You can get high quality forgeries of government IDs made in China and there's no public DB to verify information on the card. RealID requirement for states to open up their driver license DBs only applies to government agencies(eg: TSA).
Also would you want to go in person to signup for paypal, venmo, etrade, betterment etc?
> Also would you want to go in person to signup for paypal, venmo, etrade, betterment etc?
Honestly, maybe that wouldn't be such a bad idea. A well-designed system would probably wind up contracting the post office for ID verification for online services (since in my country at least, they do a pile of random related stuff).
1. The bank should capture the ID you used the first time you entered and do comparisons. They should also capture your ID when you come in again. This will raise the difficulty of impersonating you and the risk the criminal takes.
2. One thing I didn't think to say, because my bank only exists in North Carolina: geography should matter. If you live in a particular city, opening an account from another state should be seen as suspicious, and merit greater checks. This is the kind of thing some people should be able to relax, but it's probably a good default for most of us.
3. Should I have to go to my bank for PayPal, Venmo, Betterment, eTrade, etc? Those cases don't all sound the same to me. But here's what I'd consider: how often is a person going to need to do this, and does the activity involve requesting credit? We've currently optimized almost exclusively for convenience at the expense of security. I'm proposing that we shift that balance a bit.
The big architectural flaw is that when I as a consumer prove my identity to company A, that gives company A enough information to impersonate me to company B. Or equivalently, it can give a rogue employee at company A that power, or anybody who hacks company A's database.
The solution is asymmetric cryptography, wherein identity is tied to a public/private keypair, and I can prove I have the corresponding private key without giving the other party the ability to impersonate me. Ideally, the government wouldn't know my private key, either, rather they would just give their own attestation that a given public key is owned by a person with a given name, DoB, SSN, and biometrics.
Along similar lines, any financial account would have its own keypair, with moving money out of the account requiring signing with the private key.
The state of cryptography today is way too obtuse for this to work right now, but I think it could be made more user friendly with specialized hardware to hold the keys and perform the encryption.
The idea that SSNs are secret, but we hand it out to half a dozen organizations is absolutely ludicrous.
Eve lies to bob, and tells Bob she's Alice. Bob asks Claire, who says
Yes, that's Alice." Bob gives Eve money, and Eve runs off.
This should not be Alice's fault, responsibility to solve, or problem to deal with. It is, because Bob is much, much more politically powerful than he ought to be.
Bigbank is the only one in your scenario that actually has monetary loss since they lent out the money and most likely will never get it back. In identity theft, the company has the financial loss. FBI won't investigate unless its over 250k in losses as well.
You certainly can quantify the monetary losses to Alice too. When her credit rating is shit and she buys a car or home, the banks are expert at placing those rates and can tell you exactly how much more she pays. What is more difficult is calculating the loss of what she doesn't even do due to bad credit, like she might not be able to rent the same apartment, she might not even try to buy a car.
She may not have to pay that bank loan back but that doesn't clear her credit up immediately.
Fraud isn't limited to credit. My dad had someone open a savings account in his name and transfer a significant amount of money via ACH. He only found out because he got a welcome or from the bank!
The police investigator told him that the particular fraud that he was a victim to was impacting >500 people and >$5M
Precisely. In no way was Alice's identity stolen - that's tautologically impossible. Rather, the bank was defrauded by the criminal - Alice is of not a party to whether or not the bank recovers from its own loss. Alice's ownership is entirely unaffected, though the bank's internal processes might not reflect that - again, their problem, not Alice's.
Further - this rat race, where I have to give ever more intimate details about myself to verify who I am, "for my own protection", seems to only ratchet away my privacy until there is nothing about me left unpublic. Facebook, Banks, Airbnb, Credit Card companies, Telephony companies have ALL given me that line when I resist providing SSN, DoB, or whatever mine-able nugget they're looking for this month. Every time I give out a new kind of private information it inevitably leaks - defeating their point of having asked me - all the while my privacy is left scorched while they move on unconcerned to the next piece of my private life. It's uncomfortable.
I've worked a bit in the industry and around the industry, the worrying thing for me is that it doesn't seem to be working for anyone apart from equifax/experian/call credit.
I have separately worked with one of those companies with a client and their IT staff were utterly incompetent (I won't say which). Loads of different sites, lots of little fiefdoms, utterly inconsistent security policies on each site, blaming everyone but themselves because only half their sites could access a video on a major commercial video provider (not-youtube). We ended up having to host it on AWS cloudfront as none of them had blocked it yet. Their sharepoint could only host a 50mb file, which made their CEO look like a blockhead in the 20 min high def video.
Utterly incapable of hosting a simple video file so all their staff could access it in 2010.
I've also worked with a company one of those companies acquired for $100 million+, holding millions of people's personal details in the UK, with some very sensitive data. Some of the worst IT engineering I have ever seen, a bunch of tools written by the worst out-sourced IT teams I have ever seen (if you've ever worked with C#, these idiots made a project per .cs file. Yes, PER CS FILE. They also wrote the worst SQL I have ever seen, all of the stored procedures seemed to be duplicated but the duplicates had op_ before them. I eventually realised the op_ stood for optimized! They were still terrible and half the program used one set of SQL, the other half the optimised. Whenever I re-wrote one of these 'optimised' queries, I usually knocked it from seconds to milliseconds. Outsourcers in the naughties really did suck that bad, young 'uns).
We've given up huge amounts of privacy, but the scores are utter bullshit and the 2008 crash show what a load of nonsense they are.
A friend even told me at uni he'd got a £1000 loan out to get a good credit rating. You just put the money in an account, pay the capital off every month, lose a little bit of interest and in 2 years you have a shiny credit rating even though it means zilch.
equifax/experian/call credit basically get given all our personal spending habits for free, sell it on to everyone else for crazy money, don't add anything to the economy and as far as i can tell, are a huge security hole.
EDIT: Another anecdote on how incompetent these people are, a couple of years ago someone used my details to scam a few free phones. I got alerted to it when I started receiving insurance contracts for those phones in the post. The phone companies sorted it pronto, almost immediately admitting they'd been scammed, but I wanted to make sure my credit rating hadn't been trashed. In the UK these agencies must provide you with a credit report for a nominal fee so you can check for incorrect details, so I applied to the big 3.
One of them accused me of trying to hack their system because I'd forgotten a security question, eventually told me to fuck off after passing through various layers, then sent me a letter saying they'd detected a hacker trying to access my details. No, you idiots, that was me. Still never got my report from them.
You just put the money in an account, pay the capital off every month, lose a little bit of interest and in 2 years you have a shiny credit rating even though it means zilch.
I don’t really get that - doesn’t it mean that the person who took a loan is relatively responsible and was able to pay their loan back on time?
Any system can be gamed, but I don’t get the impression that credit agencies are attempting to eliminate all risk - after all, it’s obviously possible that someone who has had perfect credit for years might simply run away with your cash! But the system doesn’t have to be perfect, or detect all outliers, to have value.
It seems intuitively obvious that lending to someone who is frequently late with credit repayments is riskier than lending to one who isn’t, and this is the mechanism by which that information is shared.
For £100 you get a shiny credit rating for no risk. That'll get you a mortgage for £100,000s.
In the 60s/70s it was about knowing your bank manager, so he knew you'd be able to pay. I appreciate that it probably benefited a certain type of person, but the new system probably has the same prejudices built in. Now it's all about the ephemeral and easily game-able credit score. Until a few years ago you would get negatively scored for not having a landline.
These scores are utter bullshit, they're simply about if you haven't screwed up yet, they're not actual assessments of your ability to pay or the risk you've exposed yourself to.
Again, I worked in the mortgage industry before the Northern Rock collapse, brokers used to be able to go to those guys and openly fudge people's incomes by calling them self-employed, they had a good credit score so no-one blinked an eyelid, get 105% mortgage, and then lo-and-behold, the bank collapsed. Yes, part of it was that they lost their access to easy bank credit, but another part of it was they lent to hugely risky people.
As a slight-side, my bank was willing to lend me crazy credit card money a few years ago because for 10 years I never missed a payment. In reality in those ten years I went through a patch of being the most business-un-savvy freelancer ever, selling myself at a stupid rate and not putting enough aside to pay my tax bill, to the point where I had to get a loan from a parent to pay it. I was flat broke, almost bankrupt, and these people were willing to lend me almost 9 months of my income.
I was not a good risk.
But because I paid on time for X years before, I was to the credit agencies.
> In the 60s/70s it was about knowing your bank manager, so he knew you'd be able to pay.
You do recognize how terribly inefficient that is, right? In this day and age its all about scale. Expecting a bank manger to have financial profile of all the clients using his firm is impractical.
For all it's faults, the credit reporting agencies are providing a service. It's not perfect and I think it's best they could do with the information available to them. I expect they will improve their score though once they start incorporating signals from social media and other sources.
You do recognize how terribly inefficient that is, right? In this day and age its all about scale.
Is it, tho'? It is well known that IT doesn't improve productivity[1]; all the benefits of automation get swallowed up in the extra people needed to support and maintain it. So we can assume that the ratio of bank employees to bank customers has remained constant over time. So actually there's no reason for bank's not to operate the old personal-relationship model; they would need to employ the same number of staff to do it, just locate them in branches rather than at head office.
Banks are using actuarial science to make loans. You were (possibly) an outlier. That doesn't matter. All that matters is that their risk models work in aggregate. If they're right enough of the time, they profit. It doesn't have to be perfect.
> I don’t really get that - doesn’t it mean that the person who took a loan is relatively responsible and was able to pay their loan back on time?
That's probably the reason why it would increase one's credit rating in a positive way. I have no doubts about these systems being broken in such a way that they consider people who take on credit, paying it back in time, as more "credit-worthy" than people who never needed/wanted to take up a loan.
A bank obviously wouldn't want to miss out on the first group of people, why they couldn't care less about the second group of people from which they make no money in the form of interest.
It's also interesting how these kinds of rating systems seem to be "broken" all over the world. In Germany there is "Schufa", which is not a bank but basically a private company with a de-facto monopoly position in regards to credit ratings in Germany and they are quite infamous for mixing up people and thus giving them a negative rating, often without the people noticing until it's too late and their negative credit check denied them access to a rented flat/credit whatever, after which it's their responsibility to get in touch with Schufa to clear up their misidentification.
> In Germany there is "Schufa", which is not a bank but basically a private company with a de-facto monopoly position in regards to credit ratings in Germany
Just for anyone from Germany reading: There are multiple, less well known agencies that are used by banks and others as well. They are definitely worth keeping an eye on. I will only mention Creditreform Boniversum, Arvato Infoscore, and Bürgel.
> In no way was Alice's identity stolen - that's tautologically impossible.
I see this as you being too strict with your definition of "identity".
We, as people, have multiple identities. We have one with our government, another with our employer, another with our friends, another on pseudonymous websites, etc.
"Stolen identity" in this sense means Alice's attributes (the ones which Big Bank uses to identify a person) have been compromised by a 3rd party. It's not that all of Alice's identity has been compromised -- only a subset of her identity. Sadly that subset almost entirely consists of "something you know" (which the internet usually also knows) rather than "something you have" (like a government-issued ID) or "something you are" (biological traits).
I totally agree about the rat race. I think the credit bureaus are complicit in keeping the burden of credit identity low and the availability of credit reports high in the US, both of which lead to perverse incentives for {credit bureaus, consumers, creditors, governments, etc}. But they aren't alone. Credit card systems {VISA, Mastercard, AMEX, Discover, etc} and credit card merchants have done the same, causing the US to fall far behind other developed countries in consumer security.
Additionally, I've heard horror stories about the effort required for consumers to "prove" to credit bureaus that their identity was stolen. It sounds a lot like the insurance company's policies in The Rainmaker.
> I see this as you being too strict with your definition of "identity".
> We, as people, have multiple identities. We have one with our government, another with our employer, another with our friends, another on pseudonymous websites, etc.
Which is not relevant here, as this is not about different sets of attributes pointing to the same body, but about the exact same set of attributes being claimed to only possibly be pointing to one body (hence they supposedly identify Alice) while it is claimed at the same time that they can be replicated by a "thief", which necessarily implies that they don't identify Alice, and hence are not an identity, therefore tautological impossibility.
For example, it is claimed that being able to say the DoB of Alice is an attribute that identifies Alice's body. Then, it is also claimed that somebody else saying Alice's DoB supposedly is an act of stealing her identity, and that the set of such people is non-empty. Which means that being able to say Alice's DoB is not actually an identity in the first place, much less one that could be stolen.
So the only way around this is to disregard information about a person other than information that 100% without a doubt identifies that person making a purchase is who they say they are? I am just genuinely curious.
While I thoroughly agree with everything you've said on the subject thus far...
How does being in possession of a picture, or any other biometric data, help? These data are reproducible, like any other attribute that supposedly identifies only-Alice.
Checking the possession of a picture is not biometry (that would be possession-of-a-picture-metry). Making a picture is biometry (measuring the body, essentially).
The hard problem with biometry is proving to a third party that a certain identity is responsible for a contract, but identification with biometry (convincing yourself that the person before you is the same person that you enrolled earlier) at least works a lot better than asking for essentially public information.
No. It's to accept liability when you make a mistake. If a criminal tricks a bank into giving away money and debiting some random account, the victim is the bank, not whoever happened to own the account.
> while it is claimed at the same time that they can be replicated by a "thief", which necessarily implies that they don't identify Alice, and hence are not an identity, therefore tautological impossibility.
Attributes can be replicated -> attributes don't identify Alice
Why do you consider this implication necessary? It sounds nonsensical.
Counterexample: to verify an identity, the verifier must possess a replication the identifying attributes. If replication implies non-identity, then identity verification becomes impossible.
Note that we're speaking of identity in the context of a technical implementation.
> Why do you consider this implication necessary? It sounds nonsensical.
Because it is implied by the definition that is implied by the concept of "identity theft".
Let's assume we define "identity" to mean "any set of attributes of Alice", so widening it essentially as far as possible. Then "is a human", being an attribute of Alice, would become an identity of Alice. Using that definition in the context of identity theft would then lead to the following sort of justification: Alice is responsible for paying back this loan because the person that we gave this loan to was a human and we identified Alice by her attribute of being a human to be the person we gave this loan to.
That doesn't make much sense, does it?
The whole justification for calling it identity theft, and thus blaming the identified person, hinges on the implication that whatever attributes are being used to "identify" Alice do imply that it is in fact uniquely Alice who has those attributes. It only logically works if you can say "those attributes are the attributes of the person that we made the contract with, and they are unique to Alice, therefore Alice is the person we made the contract with", not if your claim is "those attributes are the attributes of the person that we made the contract with, which are shared by a whole bunch of people, therefore Alice is the person we made the contract with".
> Counterexample: to verify an identity, the verifier must have replicated the identifying attributes. If replication implies non-identity, then identity verification becomes impossible.
Erm ... no? Just two obvious examples:
In order to check that you are the person on a picture I have of you, all I need is the picture, no need to have a replica of you.
In order to check that you are in the possession of a private key, all I need is the corresponding public key, not the private key.
Also, if it were the case that identity verification were in fact impossible ... what would be your point then? You don't like the (hypothetical) fact that it is impossible, therefore it is possible?
> Note that we're speaking of identity in the context of a technical implementation.
Actually, we kindof don't. We are really talking about a legal implementation, where there really is no requirement to do anything as a "technical implementation"!?
The original parent posited that we have multiple identities, as in: multiple sets of attributes, each of which uniquely identify us within a certain context.
> Let's assume we define "identity" to mean "any set of attributes of Alice", so widening it essentially as far as possible. Then "is a human", being an attribute of Alice, would become an identity of Alice.
> That doesn't make much sense, does it?
If Alice is the last surviving human being in the universe, it does.
If Alice isn't the last surviving human being in the universe, than the premise of "is a human" as an identity is already nonsensical (because it no longer identifies), hence also any conclusions you derive from that premise are also nonsensical.
> In order to check that you are the person on a picture I have of you, all I need is the picture, no need to have a replica of you.
You haven't checked that it's me, you've checked that it is someone who looks like me.
Within any given context, that may or may not be treated as my identity. Hence, we're back at multiple identities, each in their own context.
> In order to check that you are in the possession of a private key, all I need is the corresponding public key, not the private key.
Which says nothing about identity, only about possession. Whether this possession is taken to be sufficient proof of identity again depends on the context.
> Also, if it were the case that identity verification were in fact impossible ... what would be your point then? You don't like the (hypothetical) fact that it is impossible, therefore it is possible?
Do you believe this hypothetical example to be true? If not, what's your point?
> The original parent posited that we have multiple identities, as in: multiple sets of attributes, each of which uniquely identify us within a certain context.
In which case it's just not a refutation of the tautological impossibility at all. Either something uniquely identifies someone, or it does not. Uniquely identifying someone while at the same time being (trivially) being replicated by somebody else is just a contradiction.
> If Alice is the last surviving human being in the universe, it does.
Seriously?
> If Alice isn't the last surviving human being in the universe, than the premise of "is a human" as an identity is already nonsensical (because it no longer identifies), hence also any conclusions you derive from that premise are also nonsensical.
Which is exactly why "was able to tell us the DoB of Alice" as an identity is nonsensical, and hence any conclusion of the form "therefore, Alice's identity was stolen" is nonsensical as well, correct.
> You haven't checked that it's me, you've checked that it is someone who looks like me.
Which contradicts the claim that the verifier does not need a replica of you how exactly?
> Within any given context, that may or may not be treated as my identity. Hence, we're back at multiple identities, each in their own context.
Which still cannot be stolen. So?
> Which says nothing about identity, only about possession. Whether this possession is taken to be sufficient proof of identity again depends on the context.
Which contradicts the claim that the verifier in a context where it is taken to be sufficient proof of identity does not need the private key how exactly?
> Do you believe this hypothetical example to be true? If not, what's your point?
My point is that I am responding to your argument that was about an implication from that hypothetical case.
Right, and this is the point where we, as computer system / information security / software (whatever, but) professionals switch to using the word "authentication", and stop being obtuse about the ambiguity in the multiple definitions of the word "identity".
> For example, it is claimed that being able to say the DoB of Alice is an attribute that identifies Alice's body.
And then we say that the stating the DoB authenticates anyone to make changes to Alice's account.
And then we say this is a terrible idea. And then we are in agreement.
And then we don't have to say completely unhelpful nonsense like the following:
> Then, it is also claimed that somebody else saying Alice's DoB supposedly is an act of stealing her identity, and that the set of such people is non-empty. Which means that being able to say Alice's DoB is not actually an identity in the first place, much less one that could be stolen.
If these credit bureaus insist on conflating the word "identity" with "authentication" then it is up to us, computer / information / system / security professionals to correct this error and continue with more clarity.
Not not to start a one-sided (credit bureaus aren't listening) philosophical argument that nobody was really talking about in the first place. This isn't about ontology, and it never was.
(Ontology is the field of philosophy that asks the question what "is" is, a.k.a. "identity" and it's very interesting but also very much irrelevant to this incident and the problem it poses to badly designed authentication systems)
An important part of our jobs is being able to clearly explain such computer security and authentication concepts to a layman. That includes properly framing the question. Digging into a philosophical argument because you feel you can argue your way around a particular word that is used, only feeds pedantry.
> Right, and this is the point where we, as computer system / information security / software (whatever, but) professionals switch to using the word "authentication", and stop being obtuse about the ambiguity in the multiple definitions of the word "identity".
Except it's nonsensical to switch to "authentication" when the discussion is about how the term "identity theft" is misleading. It's not "authentication theft", it's "identity theft", and that is exactly why it is misleading.
The point is that it is NOT "identity theft", even if that's what people call it. It is more aptly "authentication theft/fraud".
The original point of this comment thread was that the credit reporting agencies want to keep it confusing so that it's not clear who exactly was the victim of the crime, so it's not obvious that the system sucks.
Yes, I agree, and I might have slightly misread what tripzilch wrote to mean that we should avoid the term here in this discussion, which I objected to. Towards the general public, it totally should be framed as an authentication failure, yes, I agree.
I think my point would be that, by discussing the minute semantic / philosophical points of the concept of "identity", you're still letting them frame the discussion that way. It's a word that they choose to describe something which it isn't. First is to just not go along with it, not to dig in and try to beat them on their own territory (if you succeed, you won nothing).
For the same reason I won't go into discussions about the finer moral points when stealing is wrong or not, if the topic is copyright. Especially not get carried into far-fetched analogies such that it is okay if a starving family steals the blueprint for a 3D printed load of bread or whatever.
In that sense, the term "intellectual property" is actually similarly problematic as "identity theft". While it evokes the connotation of "property", intellectual_property is actually just a legal term that stands on its own and derives nothing from the common concept of "property" except where explicitly defined as such.
Except that identity_theft is, afaik, not a legal term. I believe it stems from the idea of the loss of an interconnected number of (mostly electronic) credentials, an adversary could use to, in a sense "become you", and wreck one's life. This then became a serious fear, that was (in the public) not quite blamed on terrible security practices of powerful entities, but on the ever-growing interconnectedness and electronicification of all aspects of our life. In fact literally about the fear that the large amount of data about us in these computer databases, would some day mistaken to be us and identify, regardless of its truth in the real world. But identify_theft has always been painted as a sort of "curse of the modern age", our penance for living in an ever automated society, kind of typical Hollywood morality story.
Except these credit companies seem to be just focusing on the "wreck your life" part, twisting the definition around, that suddenly a security failure with their authentication/credential system gets to be blamed on the general societal menace of identity_theft, mainly because their error has the capability to wreck one's life.
I'm pretty sure Baudrillard or some other person in critical theory / semiotics has written some interesting stuff about this. Now that is a philosophical discussion on this topic that I would actually find worthwhile.
Online loan firm gives money to someone. Months later, they default, so they call who they think is the holder of the debt. That person has no clue what they are talking about. Finds out through first ever credit report they are defrauded. Victim calls loan firm, who requests lots of proof of existence as well as a police report, before they will help them. Process takes weeks. Victim finds out they signed up at Equifax during hack. Now they are in worse shape.
Why are they in worse shape?
A well written fb post + patreon/gofund me link or YouTube clip with a few tears shed will rectify things. Our YC 2018 submission is going to automate this process with ex DeepMind employees and some Russians. A micro celeb in every home by 2020. Just download the app and leak your data the most profitable way.
All financial companies are required to have you SSN for reporting income for taxes and also report money movement under the anti-money laundering laws(AML). Know your customer(KYC) requires a financial company to gather documentation and information to verify your identity and to ensure your not on any list of people we're legally not allowed to provide services eg terrorist watch list.
You don't need to provide a SSN to get cell service or provide real information. Lots fraud is done through tethering through burner phones.
Seems KYC as used in the real world doesn't do a very good job of verifying whether the "customer" is Alice or the fraudster... It'd be nice if _that_ requirement had enough teeth to reduce the ability of the financial institution to claim Alice is "the victim"...
Curious how would you verify a user? Right now standard solution is to use public records(LexisNexis), credit history(Experian), fraud detection networks(early warning). Along with a bunch reputation providers around IP(Maxmind,Socure), email(emailage), address. Also government based ID and utility bills etc. This isn't cheap and can costs $10+ to run all these checks.
Even government can't verify people and its problem because people give other people's SSN and DOB when they get arrested which is the worst type of identity theft as it can lead to the victim getting arrested or not getting a job(criminal record showing up in background check).
> You don't need to provide a SSN to get cell service or provide real information. Lots fraud is done through tethering through burner phones.
Don't give them any stupid ideas. This year Germany did exactly that: Require proper identification for purchased SIM cards. Lot's of people used that opportunity for some extra cash by selling pre-activated SIM's through Ebay, after the requirements had been changed.
Too bad they also introduced Euro roaming, so people are still free to buy their anonymous SIM's in other EU countries and use them in Germany.
I guess those are the consequences of a future where your mobile device is used for your personal authentication everywhere by everybody. [0]
Clearly, both the bank and the individual are victims of the crime.
Generally speaking, the impact to the customer is usually greater, as bank business model aren't dependent on every loan being repaid. Consumers stand to lose money directly and lose the opportunity to access capital.
The credit agency or anyone else who has a breach is usually a negligent third party.
Not sure how the individual is victimised by the fraudster here. If the bank had a 100% success rate at detecting fraud with no false positives and no false negatives, then the individual wouldn't need to know and likely would never find out about the impersonation attempt.
The individual is victimised by the bank and the credit reporting agencies by their spread of misinformation.
The individual isn't in any way a victim of the crime. A bank used some information presented to them to conclude that they were dealing with Alice when that information was objectively not sufficient to justify that conclusion. That has absolutely nothing to do with Alice. Alice is victimized in the next step by the bank when the bank claims that it somehow is Alice's responsibility that they took someone else for Alice.
In some countries when you sign out a loan and a card you get picture snapped. but then this measure would stick banks with loans and not the consumer.
What Alice is the victim of is slander, not fraud or identity theft. The bank lent some money to someone who claimed to be Alice (though the bank only relied on the fact that that person knew Alice's SSN as proof of that fact). Then when the bank didn't get paid back, they told a bunch of credit check bureaus that Alice was a credit risk. This was a lie about Alice, which has a material impact on Alice's reputation. The credit agencies then go ahead and repeat that slander.
This is a great description of what is going on with "identity theft". I don't usually like changing the name of something to try to push an agenda, but calling "identity theft" "bank slander" would be good idea.
So presumably a class action law suit against the reporters for slander? Might depend on specifics of the law... Maybe it's time for a better credit reporting agency startup.
Well, yes, Alice is the victim of slander, and the bank is a victim of fraud. But the important point is that neither of those imply that Alice is responsible for anything.
Defamation laws differ by state, but in NY for example, I believe libel (slander refers to oral defamation) requires that the perpetrator knew, or should have known, that the statements were false.
The question would then become whether the bank's identity verification procedures satisfy that burden. I think it would be a difficult endeavor, but it would be good to see it tested.
They absolutely should have known it was wrong -- their business is lending money to people! If their procedure is insufficient, they should have fixed this.
I would love to see the banks sued for libel, a massive class action suit. There are real monetery damages it one could put a number on, and the difference between a bad and a good 30 year mortgage will be a big number.
Hmm, I guess you could call it slander if the person and the dossier were perfectly interchangeable. But all the institutions know is that someone has been failing to pay back loans that were issued based on the information in a dossier. After a series of fraudulent loans to "Alice Doe, SSN 123-45-6789" (the file, not the person), when some random shows up at Yet Another State Bank and tries to take out a loan under the same credentials, the credit reporter is right to warn of the risk. They don't know if Human Alice is a risk, but Paper Alice definitely is.
She would be inconvenienced, but that doesn't mean she was slandered.
If someone steals Alice's car and commits a hit-and-run, she will be inconvenienced when the cops show up at her door, but the person who reports her plates won't be committing slander.
If they said they had received word that the car was registered to Alice, that wouldn't be libelous. If they said she was the driver, that would be libelous. If she was charged with murder and they said she was an alleged murderer, that wouldn't be libelous.
I haven't dug too deeply into this, but a defamation claim under state law would probably be pre-empted by the Fair Credit Reporting Act. You mostly can't sue them unless you can prove they defamed you with malice or with willful intent.
In this case, maybe you could have a shot by arguing that since the bureaus know that like half the population's information was stolen, they are acting with reckless disregard for whether their statements are true if they don't now do additional investigation to confirm the identity of the subject of their statements in order to mitigate the effects of the breach.
The credit agencies report what has been told to them by BigBank. Once the fraud is detected BigBank should update them that Alice does not in fact have a $10,000 loan with them and it would then be removed from Alice's report. If the loan has been determined to be fraudulent and it has not removed from her credit report, BigBank is victimizing her not the credit agencies.
"Now back when I worked in banking, if someone went to Barclays, pretended to be me, borrowed £10,000 and legged it, that was "impersonation", and it was the bank's money that had been stolen, not my identity. How did things change?" https://www.lightbluetouchpaper.org/2017/08/26/is-the-city-f...
This argument is akin to splitting hairs. The fraudster who applied for the loan against BigBank was at fault. The BigBank accepted the Fraud and reported it to the credit agency. The Credit Bureau reports/includes the data provided by BigBank; it's what they do.
If there is a dispute between what BigBank says and what Alice says, it's not necessarily so easy to resolve, and that's the position the Credit Bureau has to deal with.
To absolve the fraudster of the primary fault is ridiculous. That said, this is the problem with difficulties in identity verification, we all want privacy and security at the same time. While they are not mutually exclusive, having both is much more complicated than one or the other.
Agreed. Thought experiment: suppose instead that Fraudster convinced Alice that he represented BigBank, and so Alice was duped and gave her money to Fraudster thinking she was depositing into BigBank.
The only thing she could expect from BigBank was politeness while explaining to her that she was duped. If it's a very friendly bank, she may tie up a manager for a couple hours, but that's it. If she keeps coming back, she'll soon be escorted out by security, or the cops.
Now, what if she started falsely telling others that BigBank took her money, and that significantly affected BigBank's reputation? Are we talking jail time, or just civil penalties?
> Now, what if she started falsely telling others that BigBank took her money, and that significantly affected BigBank's reputation? Are we talking jail time, or just civil penalties?
Probably not jail time, and perhaps not civil penalties. Even civil defamation in US law generally requires knowing falsehood or reckless disregard for the truth, not just mere falsehood, and criminal defamation, where it exists, tends to have high . Unless the bank had provided concrete evidence so solid that it was unreasonable for her not to believe their denial of responsibility, there likely be no legal wrongdoing.
An even more analogous experiment would have Alice take out a mortgage with BigBank, then receive a fake notice of debt reassignment to BiggerBank, which is actually Mallory. Alice makes mortgage payments to Mallory for many months. Now BigBank is wondering why Alice fell behind on her mortgage.
This may damage Alice's reputation temporarily however,
once the bank determines that it has been defrauded, it should make the loan information inaccurate.
I believe the Fair Credit Reporting Act allows Alice to remove inaccurate information from the report?
>It is Experian, Transunion and Equifax, by holding this fraudulent loan against Alice, who are victimizing Alice.
I think you're confused. It's BigBank that's falsely placing a debt burden on Alice. The credit reporting agencies are only reporting what they are told. Imagine if Alice doesn't care about her own credit worthiness. Let's say she has no debt, and no intention of acquiring debt. What happens if criminal tricks BigBank? They say, "Alice, you owe us this money." Alice tells BigBank, "No, prove it or pound sand."
What happens then? BigBank goes to the court and tries to get a judgment against Alice for the money owed. If Alice isn't aware of the proceeding, the judge will grant BigBank's request, and now Alice will owe BigBank the money stolen by criminal.
BigBank's poor authentication and the judicial branch are the ones doing the real harm to Alice. If anything, the credit reporting agencies are providing value to Alice by warning her before BigBank goes after her in a secret proceeding and makes the debt hers.
That's exactly the point. BigBank isn't going to warn anyone. It's just going to seek judgement, or sell the debt to shady collectors and write off the difference.
Think about the credit reporting agencies as a rather sloppy "master list" of who owes who money. It seems what is needed are stiff penalties for banks and collection agencies who falsely claim they are owed money. Until then, you can't live in peace. Someone is going to claim you owe them money if you have any money yourself.
1. Alice does have debt, and does intend to acquire debt in the future, like most people. The presence of this fraudulent debt in her credit report makes credit more expensive and hard to get.
2. Before filing suit and going to court, BigBank makes persistent but usually polite attempts to collect. But when she says "that wasn't me" they don't believe her, because lots of deadbeats say that sort of thing too.
3. Perhaps BigBank sells the debt to a collection agency, which is far more aggressive and (willfully?) ignorant of laws regulating how and when they can contact Alice. Perhaps they call Alice's employer, threaten to garnish her wages (even if they legally can't), or lie about Alice's ability to contest the debt.
4. If Alice is determined enough to keep fighting and go to court, she has still sunk significant time and money into fighting this. It's unlikely she'll be compensated fairly for that.
I agree the credit reporting agency is in some ways helping Alice, and would add that these agencies probably do reduce the rate of fraud overall. But they also have a responsibility to do a good job minimizing errors. We can't expect them to never make a mistake, but they should have some skin in the game when their inaccuracies hurt a credit applicant.
Step 3 is the insidious part. If Alice files a paper with the reporting agencies, they're required to remove the false report. But the collection agency will just as persistently file an equal but opposite paper to reinstate. The reporting agency is legally caught in the middle of he said, she said. And if asked for proof? The collection agency says BigBank told them Alice owed it, and sold them that debt. So now the originator of the loan has harmed the collection agency as well as Alice.
Don't kill the messenger. The credit reporting agencies are doing what they are obligated to do in that business. There needs to be penalties for BigBank beyond the money BigBank lost in the scam perpetrated by criminal.
Blaming the credit reporting agencies for bad credit reports is intellectually lazy. Blaming them for garbage computer security is much more appropriate in this story. A more interesting discussion here would be about the technical details of the hack.
If the credit reporting agencies wishes no responsibility then for all practical purposes they are a database table, nothing more. In that case they must offer their services on the same lines as AWS or Google Cloud. That is guarantee is only on infrastructure uptime and availability and not the quality of information. Note even in this case, a level of liability regarding security is on them.
If you wish to provide a service with a level of guarantee, responsibility and liability comes along with it.
Agree with your point on Experian absolving itself, but there are many scenarios in which Alice is also the victom of the thief. With enough info about someone, you can steal digital assets too.
If it was on the BigBank to always prove that their identity was indeed stolen, it would quickly become unmanageable. People would commit fraud in the opposite direction, by getting a huge loan from some a bank and claiming that their identity is stolen. I'm sure it would be easier than stealing someones identity to do it, and it would obviously involve some necessary actions to avoid being caught but this would drive loan rates through the roof for the average citizen to make up for all the fraud occurring. I agree with you ideologically, but in practicality i do not believe it would work.
In that case banks would just have to verify who they were giving money to before they start handing out loans. That doesn't sound particularly unmanagable to me.
This would obviously drive the BigBank to collect some better evidence that the person applying for the loan is who they say they are, which is exactly the incentives we want here.
I wish I could remember details, but a cofounder or single digit employee of a acquisition Equifax made, elected to forgo their earn out, because they were opposed to working in any capacity for Equifax. I think that they were somehow bullied into revealing their reasoning, to escape penalties in contract (which in any event were unlawful in the UK, I heard this from a employment attorney friend who has super reported cases, ie those which established new law). They were immediately snapped up by a startup in VA. Equifax managed to suppress their credit file completely. Preventing them from even renting a apartment for at least a year, and I believe it was a year before they had been even recognised by a US reporting agency and could open and operate a checking account. This was picked up by The Register, which still was then still Mike Magee's baby, so honourable 1., 2.. I can't find a link from my phone, but even if you never believe me the actual events happened, I bet you had a thought that you would not be surprised if it happened more often.
1.(added to qualify that adjective "honourable" which I apply to individuals not companies, and individuals who risk sacrifice without burdening others. My career is in advertising and I am truly impressed when publishers are able to maintain standards that are able to raise their costs of sales. (a large publisher may not lose a account, but the sale often consumes expensive energy, even only to explain why policies exist. I work far from such high sensitivity issues, as does the company I started around the time of this recollection.)
2. last I spoke to Mike, he was telling me how he simply was never issued his shares in "ElReg" and he was long enough into The Inquirer to think that Limitations applied. But Limitations 80 runs from the time of discovery of tort, not the event of tort. Before the chance arose to catch up, and establish facts, Mike had passed away. RIP a great man and two great journalistic servants to the IT community. I did not establish the facts that were alleged, therefore my statement is hearsay, but protected by the statutory defence of genuine belief, and I had always faith in my source.
Edit: italics removed from footnote, earn out replaced phypo earnings, and great man replaced good man. Mike was exceptional and altruistic to a fault.
Which says it would tell me if I'm likely impacted, but instead it just gives a date where I can enroll in some free product, but no info on whether I'm likely compromised.
Anyone have a workaround? This is important to anyone that wants to identify if they've been "pwned."
You can proceed with the enrollment anyway, even if you receive that message, with any set of six digits and any set of characters for the last name and receive a message indicating that you're enrolled.
I watched the video of the CEO describing what Equifax was doing in response to the incident and he does not specifically name "equifaxsecurity2017.com" or "trustedidpremier.com" as the sites they've set up, only that they've set up a special website.
To that end: if you're an HN user with the last name "HHHHHH" and with a Social Security number ending in 000000, don't worry about enrolling. I very helpfully took care of it for you!
From the r/personalfinance thread, the site kicks back 3 different JSON status messages:
"message-deferred": "Thank You -- Your enrollment date for TrustedID Premier is: xxxxxx Please be sure to mark your calendar as you will not receive additional reminders. On or after your enrollment date, please return to faq.trustedidpremier.com and click the link to continue through the enrollment process."
"message-success": "Thank You -- Based on the information provided, we believe that your personal information may have been impacted by this incident. Click the button below to continue your enrollment in TrustedID Premier."
"message-not-impacted": "Thank You -- Based on the information provided, we believe that your personal information was not impacted by this incident. Click the button below to continue your enrollment in TrustedID Premier"
I really don't know. If we take it at face value, I think it means they're unsure and will hopefully know more later (whatever date it kicks back). At least, that's what I hope, because I gave in and punched in my information and I received the deferred message.
"Regardless of whether your information may have been impacted, we will provide you the option to enroll in TrustedID Premier. You will receive an enrollment date."
"Equifax Cybersecurity Incident: To learn more about the cybersecurity incident, including whether your personal information was potentially impacted, or to sign up for complimentary identity theft protection and credit file monitoring, click here"
I did the same - they are offering free identity theft protection to all US Consumers starting on some kind of rolling enrollment date beginning 2017-09-14.
A website registed a month ago with a simple DV certificate. Either the gentlemen at equifax are grossly incompetent, either this is a phishing website.
545 comments
[ 2029 ms ] story [ 6923 ms ] threadThis was only a matter of time. We can rotate credit card numbers, but sadly not a SSN. I wish I could rotate my US social security number when significant exposure happens (this would be the 4th or 5th time in 24 months my data has been exposed).
Assuming legislation passed that allowed you to cancel an exposed SSN and get a new one, what would it take for that to happen? Surely it's not just the one agency (SSA) that would need to make the change, but multiple agencies would need to coordinate the change?
(And of course, I would be personally responsible for informing my banks, brokerages, loan agencies, etc of my new SSN)
Does anyone have insight into how this could work?
If the gov is going to issue a 'secret number ' why not a 2fa device?
The long term solution is to figure out how to make financial companies feel the pain of fraudulent accounts. Like maybe when they open an account without doing a sufficient level of verification they should have to pay the victim of the fraud $5000 (in addition to covering any damages they cause).
This has been predictably bad for security.
It was originally created alongside the Social Security Administration, to track what individuals put in and what they take out. People only received one upon becoming employed.
Over time, the IRS realized that it could be used as a national ID, and adopted it for that purpose. They encouraged people to obtain one from a young age (even for their newborn children), and it was used to replace the original 'honor system' of 'How many children do you have?' tax discounts; now they'd need to register their child with a SSN.
Companies eventually began piggybacking on the number as a national identifier (due to our lack of one), and voila. We're left with an awfully insecure identification system that shouldn't be an identification system for much in the first place.
For anyone interested in more: https://www.youtube.com/watch?v=Erp8IAUouus, and the sources below the video.
In the era when SSN was established, Nazi Germany and its emphasis on "papers, please" was on the public's mind. SSN was intended to be used solely for tax purposes, not as a form of national identity. There were legal constraints on when government agencies can even ask for SSN, limited to legitimate tax purposes. Sadly, these protections have been whittled down over time:
https://www.bloomberg.com/view/articles/2016-09-15/this-loop...
> Federal law is supposed to protect the privacy of your Social Security number from government inquiries -- but apparently that doesn’t extend to a check on whether you’ve paid back taxes and child support. In a decision with worrying implications for those who oppose a single national identification number, a divided federal appeals court has rejected a lawyer’s refusal to submit his Social Security number along with his renewal of Maryland bar membership.
> The state says it needs Social Security numbers to make sure lawyers’ child support and taxes are up to date. The court’s majority said that was enough to fit the Social Security number under the federal law that allows states to use your number for tax purposes. That definition is so loose that it enables states to ask for your Social Security number pretty much whenever they want -- even when their records have been hacked.
Really, the government should make it possible for citizens to create an arbitrary number of different tax ids (SSNs), as many as they want. One for every firm they do business with, one for every employer, and so on.
Think about passwords. A SSN is only nine digits, 0-9. JohnHarrySmith19900101NewYork is far more secure. And doesn't dehumanize the recipient.
Is this true of all people?
> This combined with a birth date and/or a birth city should be enough to uniquely identify anyone.
For common names and large cities, probably not.
> JohnHarrySmith19900101NewYork is far more secure.
No, it's not; SSNs aren't passwords, and shouldn't need to be “secure” in that sense, but names aren't secret and birth dates and locations are easily discoverable (and the combination of all three is frequently publicly announced!), so this would be less secure.
Not even remotely.. My name has a space and an accent, it's always different. My wife's name is spelled differently on each of her birth certificate, drivers license, and social security card. And we have 'traditional' names.
Would be interesting to see statistics for that. It wouldn't be New York in this case, but for example Brooklyn or Queens. Even for the most popular name combinations, the number of people with the same name born on one day in one administrative area will be extremely low. Esp if you require middle names to be included.
You still just need 33 bits of information to identify any human on the planet, anyway.
(post-singularity, evolved into an ever-merging amorphous network of consciousnesses, we can use multidimensional fractal subsets of R^n, but we'll cross that bridge when we get there)
See http://www.kalzumeus.com/2010/06/17/falsehoods-programmers-b... and especially http://latanyasweeney.org/work/identifiability.html
Numbers have the nice advantage of not assuming structure, character set, etc. and allow changes for edge cases such as someone escaping an abusive spouse — see the full list of reasons at https://faq.ssa.gov/link/portal/34011/34019/article/3789/can...
The SSN just acts as a (largely) unique identifier. In the US, it also serves as proof that someone is eligible to work in the country. It's also the primary key for the account which collects my Social Security earnings over my career.
You are asking the wrong question. Neither of the keys you identify, whether it be "123-45-6789" or "JohnHarrySmith19900101NewYork", is "secure". Perhaps the latter has more entropy, but it's not the equivalent of your password when you log into a website -- it's the equivalent of your username. When you fill out a federal form like your tax form, anyone who sees the form sees your Social Security number.
If we were talking about making Social Security secure, your Social Security card would be plastic/metal and have a chip in it, similar to an EMV chip. It would have a private key which can be used to sign digital contracts and can be used to generate login tokens. It's effectively a private key that generates different public keys for each interaction/transaction you need to perform with it. Right now, Social Security is entirely about "what you know" with an easy to fabricate "what you have" and has no "who you are" factors.
In the end, identification can be done by name, birth date and place of birth. You'll find these requirements on many official forms. This is fairly unique and ties to birth certificates which can be obtained with this information. Even if all databases were erased, this data could restore registers (as birth certificates have a paper copy).
The error is that many of the parties with which it must be shared treat it (for authentication purposes) as if it were a shared secret between that party and you (though they often don't do so for security purposes—and, as they often must share it with certain third parties, sometimes cannot do so) even though it is known to be a widely-shared non-secret.
It's short, guessable, would fail all of their own password requirements, and yet somehow it gets a free pass. I just consider my SSN to be public, and move about my digital life with that assumption. I don't go plastering it on walls, but if I encounter a business or process that uses by SSN instead of proper two-factor authentication (...a large number of credit-based companies and financial institutions, sadly) my trust in them simply plummets, the same as it would for the login I use on less secure forum sites.
This is not proof of identity.
Anywhere it is referenced it is repeated that it should not be used as proof of identity and not given to anyone as such.
SSNs should be treated the same way, but that would require a culture change. Perhaps having 150m of them 'leaked' will bring about that change. Such a change could also be brought about through legislation making it not legal to ask for SSN as proof of ID (i.e. can only ask for SSN when required for the purposes it is intended for), but legislating such things is likely even further from your culture.
What is it then?
I've seen it used as a quasi-password by car hire companies to access driving license history.
(I don't know that they do, it's just that the one doesn't necessarily follow from the other)
It is the username you are issued by the government. It is solely used to identify you.
Not exactly. It's used to map your Social Security account to other records they have about you. It's not, by itself, identification.
What proves that it is you to Hacker News is what you type into the password field when you log in.
Here in the US, our Social Security Act said exactly the same thing.
Guess what. It got used as a proof of identity.
The countries that don't have comparable identity theft problems have done so mostly by using an ubiquitous government issued ID that's hard to forge and hard to obtain by someone claiming to be you. In USA there seems to be a strong opposition and a legal barrier for the government to make such an ID.
Not much else can be done - a simple test of a decent identity system is to ask if my spouse, mother or brother would be able to impersonate me - it's clear that nothing that relies on "something you know" can ever be sufficient, it must be "something you are", possibly together with "something you have", i.e., biometrics or a trusted photo ID.
For reference, India has a unique ID called Aadhaar that collects ten fingerprints and two iris scans to deduplicate across 1.3 billion people. It uses flawed technology (relying on a fingerprint for authentication or in very rare cases, an iris scan), insecure devices, and generally has a high failure rate due to poor infrastructure. Combined with poor technology, the privacy and security policies and measures are inadequate too. There have been plenty of personal information leaked in the last few years because of the government's obstinate stand that this ID be linked to everything - phone numbers, tax ID, bank accounts, and many more.
I don't think there is any solution, including biometrics, that will work to uniquely and unambiguously identify individuals across large populations. I also see more dangers for the populace with such schemes because submitted biometrics, once compromised, cannot be revoked or reissued (this is how the Aadhaar system works - it stores the biometrics as-is).
Getting such a secure record, though, generally requires a decent level of gov't infrastructure throughout all areas, and can't be built up quickly. Size alone isn't an issue - if it works for half a billion people in EU, then it'd work for a billion people elsewhere, but the infrastructure needs to be there.
I.e., you need a population where all or nearly all births have been properly tracked and reliably registered for a long time, so you can't build it faster than decades if it wasn't the case; you need a general low corruption environment where mass issuing of fake IDs by corrupt officials won't happen (a limited number of fakes by organized crime might be inevitable, but they won't disrupt the system); you need an effective policing system where everyone, including the most poor, would report stolen wallets and documents to be revoked; you need effective infrastructure where it's trivial for everyone giving credit or goods "on lease" to verify online the validity of some documents.
I'm not sure how it's in India, and I assume that some of these might be a problem, but for USA (as the original article) all these things are in place and such an ID would work if it was implemented.
Biometric is a very poor ID. With current technology we can fake fingerprints and iris, the two most commonly used biometrics. They also have the issue that you cannot change them, so if you do get compromised and flag it, then you cannot use that option yourself.
https://youtu.be/Erp8IAUouus
I get that many Americans are suspicious about our government, but the fact is that much of our credit / jobworthiness in the US is tied up in the Social Security card. I would rather it be something more useful, such as the Estonian National ID card -- which has smart features like digital contract signing.
I mean sure, it's not in your pocket. But are you going to move house in response to this breach?
At the same time, the system can be designed to only store the data necessary. Don't think it's necessary to store more information than for SSID.
Also, if I recall correctly, the UN had to actually remind the US about the actual dangers of the Third Reich only a few weeks ago.
Because this is an issue the government should address seriously.
Many banks use video chats to open accounts where you have to present the card via video. This can be even safer as you need the physical card and someone who looks like the person on the ID card. Since calls are recorded, I can imagine fraudsters are hesitant to use this process.
I've seen variations on this for exemption from educational requirements, ID requirements, medical requirements, and the like.
It's always struck me as odd that one _can't_ give as a reason "I have rationally concluded, based on the evidence I present here, that I will take X course of action."
But one _can_ say "I have been advised to take X course of action by a group of people who pinky-promise that they are authorised representatives of a sky fairy who suggested X to a hallucinating man several thousand years ago."
Obviously you can't say it out loud, because you might evoke the wrath of the Old Ones.
Additionally, you can just engrave the surface your ID-card with the correct symbols in charcoal, a salted circle (actual salt, not the cryptographic kind), maybe some blood, and you should really be fine for most practical purposes.
I mean, this is not the Middle Ages any more. You can just Google this stuff.
But the change won't happen by itself unless a shift of liability away from the users makes it so that every company doing anything on credit sees that it obviously makes business sense for them to implement the extra friction (and suffer from it) because otherwise they are paying out money to fraudsters instead of trying to collect that from the impersonated people.
But in all seriousness, we need to find ways to make real identity authentication user friendly, a la Yubikey, and then drive companies to replace this insane SSN-based system.
One can even fake DNA if you have enough time, money and expertise...
It's not difficult nor expensive to do, and the freeze lasts until you decide to revoke it. Whenever you need to allow access to your credit (credit check for rent, taking out a loan, etc), you can temporarily lift your credit freeze for a small fee. The fees associated with this are going to be much cheaper than any of the professional "identify protection" services that exist out there, and the freeze is significantly more effective at protecting you.
When a company leaks your social security number and personal details, which almost certainly will happen at some point if it hasn't already, then opening fraudulent accounts in your name isn't the only risk you face, but it's an obvious and dangerous possibility that can ruin you financially or make you spend a considerable amount of time and energy fixing the situation.
For every person in the US with kids, I also strongly suggest that you freeze their credit as well. There's no good reason for your 13 year old to take out a loan, but identity thieves don't care about how old their victim is.
https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo...
https://www.transunion.com/credit-freeze/place-credit-freeze
https://www.experian.com/freeze/center.html
The Equifax site appears broken in at least some browsers. Transunion wants me to sign up for an online account, and Experian charges a $10 fee in my state to place a freeze.
All three want to collect my name, DOB, SSN, etc. _again_ in order to sign up.
This is complete and utter BS. Credit reporting agencies are one of the greatest/worst rackets in the modern financial system.
It's almost funny, in a way. What, so I can become affected if I'm not already?
Exactly. There's no shot this "PIN" is like one-way a encryption passphrase. There is definitely a way around it.
To set up a security freeze with TransUnion, please visit our online form. You should be prepared with the following types of information: 1. Your full name, including middle initial and suffix, such as Jr., Sr. II, III 2. Social Security Number 3. Date of birth 4. Current address 5. All addresses where you have lived during the past two years 6. Email address 7. A copy of a government-issued identification card, such as a driver’s license or state ID card, etc. 8. A copy of a utility bill, bank or insurance statement, etc.
So, if I hack TU, all I need to do is get the data of the people who asked for a credit freeze.
The problem is these companies, who non of us ever chose or nominated to collect our data, are careless with our PII. And until some accountability is added into the system, this will continue.
I want to see Equifax's CEO, CTO, CSO and anyone who ever saw a report saying "we need to invest more in security" and ignored it, to pay. Preferably with their jobs.
Externally, though, I want Equifax to have to pay a fine for every individual whose information was compromised. Identity theft can easily cause five figures worth of damage, so $10k per individual would be fair. Maybe as a warning shot we could lower this to... $1k? $100?
That's the only way to properly align incentives so companies will proactively defend against attacks like this.
More seriously, this is a breach big enough that Equifax should honestly no longer exist as a company. So call it $100/incident, and I'm happy. Other agencies would still exist, and, although they're just as terrible, it might get them to kick their asses into high gear to fix their security.
-----
Thank You Your enrollment date for TrustedID Premier is: 09/13/2017 Please be sure to mark your calendar as you will not receive additional reminders. On or after your enrollment date, please return to faq.trustedidpremier.com and click the link to continue through the enrollment process.
For more information visit the FAQ page.
Equifax Announces Cybersecurity Incident Involving Consumer Information
[Equifax CEO statement] https://youtu.be/bh1gzJFVFLc
No Evidence of Unauthorized Access to Core Consumer or Commercial Credit Reporting Databases
Company to Offer Free Identity Theft Protection and Credit File Monitoring to All U.S. Consumers
September 7, 2017 — Equifax Inc. (NYSE: EFX) today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.
The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps. The company has found no evidence that personal information of consumers in any other country has been impacted.
Read More
This whole system is so fucked.
Edit: I'm abroad and just tried through a VPN and it worked. Don't know why I tried without it ...
Maybe the whole commercial enterprise of credit reporting (and identity verification) needs to be dramatically reworked in a more modern, sane design, with different governance and oversight.
https://news.ycombinator.com/newsguidelines.html
Well, maybe not expect. This is America... I expect infuriating golden parachutes. But I certainly hope for criminal charges and jail time.
No doubt fraudsters impersonating you is a hassle and you must spend some time and money dealing with it if you are targeted, but do not lose sight of why it happens and who is ultimately responsible.
If a "Too Big to Fail Bank" fails, we all pay. If a credit union in Utah messes up, their customers pay. Let banks compete on operational excellence.
As someone who has had their info leaked by two universities before, both of whom subsequently paid for multiple years of credit/fraud protection, the sheer pain and stress of having random credit cards frozen and need to be replaced is worth far more than that dollar amount of my time. This is potentially messing with people's livelihoods with long term lasting effects.
If monetary sums are given out, then I hope a fair amount is given out instead of a warning shot. Those tiny figures won't help at all and effectively send the message that companies are more important than the people they serve.
That's not nearly enough, considering the reach and impact this could potentially have. These people need to be getting life prison sentences before security is finally taken seriously enough by executives.
S-O made sure that when a C-level type guy signs a report, he knows his ass is on the line in case an illegal transaction just occur under his nose. If your company deals with PII, I want that data to be treated as important, if not more important, then company's funds. If you lose it, and you had any say in security (or lack thereof), you should do time.
The issue here is likely related to business units that were acquisitions, with the breached product in question having been developed pre-acquisition by a code farm staffed by interns in some developing nation. I spent a few years trying to unfuck some of those messes and moved on.
It's more a problem with their reckless growth over the last decade than anything. (ed) Due diligence is obviously lacking, but I can personally attest that nobody in senior leadership there willfully ignores matters of security once it becomes known.
Suddenly letting a bunch of untrusted, poorly audited code run on your infrastructure is itself a massive security breach. And even that doesn't explain how data was extracted for two months with no one noticing.
I guess choosing not to prioritize security (vs profit or whatever) when making acquisitions is different than just ignoring it entirely.
At any rate - I don't care. I never gave Equifax permission to collect my personal data. I certainly never gave them permission to store it in a way that it can easily be hacked. If you buy a 3rd party company, "unfuck" and harden their software BEFORE you let the data flow in.
Allowing data to slip out is negligent. If you're in the army, or the intelligence community, you get punished for this. It's about time the private sector felt some sort of accountability.
There is no reason beneficial to consumers to be collecting intelligence of this nature.
> The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.
Since core business was unaffected (nobody hacked the mainframe), I guarantee you some crappy product they acquired got compromised.
And like it or not, you do give them permission to collect your personal data every time you authorize a creditor, utility or employer to run a credit check. Never sign up for utilities, loans, credit cards or get a job and then you'd have a case for privacy.
Nope. Ain't gonna happen. Financial crime pays, big time! No one goes to Jail. They usually have an investigation followed by a hearing in Congress (if it is "BIG" enough), then come back and pay a fine. Media will report the fine as "MILLIONS OF $" but the fine hardly makes a dent in the Bank / Financial institute's coffer.
W.r.t. this particular situation, here's a story that just broke.
Three Equifax Managers Sold Stock Before Cyber Hack Was Revealed (bloomberg.com) => https://news.ycombinator.com/item?id=15196309
It's called INSIDER TRADING.
Sure, but TU already has all the above information anyways.
No. With jail. And go bankrupt.
To what end? As has been pointed out they have all that info anyway so it's not like you're making the situation worse.
But more importantly, if your credit is frozen who cares? What are they going to do with your SSN? Get a loan? Get a CC? Buy a house?
That's the point of a freeze, it makes your PII less valuable.
The actual concern is about the PIN. Because surely they could go through the trouble of PIN recovery to unfreeze your credit and then make use of it. But considering the numbers game, its not worth their trouble vs all the unfrozen accounts.
https://www.identitytheft.gov/
The subreddit https://reddit.com/r/personalfinance
The wiki https://www.reddit.com/r/personalfinance/wiki/index
The computer says no, and the phone number just sends a letter that says no. I tried to to buy one from my bank, but as far as I can tell they only sell subscriptions...
Not as free, since you need to buy envelopes / print the forms / photocopy your ID / get stamps / wait X weeks, but as free as it gets when the online system doesn't work.
There's info on that page on how to proceed to get yours via snail mail (along with a link to the form).
[0]: https://www.consumer.ftc.gov/articles/0155-free-credit-repor...
I do the same thing, BTW, because the alternative is worse. But it is a protection racket offered by the very people causing the problem.
In other words, is a freeze enough to stop new accounts from being created?
/s
And regardless of whether you claim the evidence is inconclusive, it is simply not acceptable to dismiss a known vulnerability in something important by saying "I don't know of any case where it has been exploited yet."
I know that flaws have and will continue to be discovered in those authentication systems, and also that a theoretical shift in liability occurs. Any bugs will need to be fixed, and that's important. But you can't ignore the situation in practice – liability is not being shifted, and all UK banks and credit card providers are pretty happy to refund fraudulent transactions regardless.
Does your statement about UK banks no longer shifting liability apply in cases of fraud against merchants?
Consumers would love this. Financial institutions would not. Guess who wins this battle?
And everyone thought SOPA and PIPA were done deals, that is until the great internet SOPA/PIPA blackout day that resulted in so many calls to congress that the congress critters backed down.
If enough voters could be motivated appropriately to contact their congress critters requesting jail time for the Equifax executive staff that clearly did not stress security sufficiently, there would be some change that would occur.
Remember, money (donors) only help the congress critters to pay for the costs of the election. They still have to get those voters to actually vote for them. So there's still a way to influence their viewpoint. It just takes _way_ more than a few handfuls of voters calling/writing to reach the point where they actually pay attention anymore.
https://www.transunion.com/fraud-victim-resource/important- contacts
[1] https://www.discover.com/credit-cards/member-benefits/securi...
If you freeze your credit, it basically prevents anyone from opening any new credit under your name. The reason for this is that any lender (car, mortgage, credit card, etc...) first would want to see your credit history, to determine how credit worthy you are. If they can't do that, they will not lend.
I'm waiting for the headline one day soon that hackers were able to unfreeze people's profiles and commit fraud under these accounts anyway. It's just another database entry somewhere, which says "freeze". All these systems are vulnerable and can be penetrated.
It is, in any case, far less of an inconvenience than not paying the protection racket, having someone impersonate you, and having the credit oligopoly lie about you because of it, leaving you to somehow clean up their mess.
If there isn't some handshake/ack mechanism like this, I'm not sure how you cut back on fraudulent activity. I can see the case for making the credit agencies eat this cost and provide these services for free. That would probably require an act of congress...
Edit: You could also ask a potential employer to eat the cost of unfreezing to check your credit history, or ask them not to do the check at all (especially if it's not really relevant to your job). Either request seems reasonable to me, although I haven't tried that, I'm betting at least most employers would pay for the unfreeze.
The only unforeseen hangup from frozen credit reporting I've run into is with car rentals. With a few exceptions, most car rental companies (at least in the US) run your credit. Everything else was pretty predictable.
Source: https://www.consumer.ftc.gov/articles/0497-credit-freeze-faq...
Why Innovis? Who typically uses their reports?
Here in UK they verify address via utility bills, cross-check with drivers license (verified by gov agency, DVLA). They maybe only take card payments too, no cash?
I'd expect that to be enough, given they force you to take out expensive insurance, that must cover them, surely. What's the credit report going to get them at that point?
(It may be even stricter now, don't know.)
[0] https://chrxs.net/articles/2017/03/23/responding-to-identity...
You roll in to Target or Home Depot, you decide to pay with a check, card or cash. You decide to give them your information or not. You decide if you want to go back after they mismanage your information. Can you opt out of Equifax's business and still get credit or loans? Can you even opt out at all?
However, there are also plenty of companies that spend hundreds of millions of dollars, with massive cybersec departments devoted to protecting from breaches like this, doing pretty much everything they possibly can right, and they will still be hacked. Cybersecurity is incredibly difficult, incredibly expensive, and takes a really long time. And even if you get 99.999999% of your company completely impervious to attackers, it only takes that 0.0000001% of exposure to sink your ship. Cybersec is also constantly evolving, so it's nearly impossible to keep up with the latest attack vectors, etc.
Take the Target breach, for example: Target has a massive effort focused on cybersecurity. They actually have a cybersec research lab that some law enforcement agencies go to for help with cybersec issues. But the attack that hit them took them totally by surprise simply because it was a type of attack that hadn't really been considered, and thus was very very low on the radar (if there at all) when it came to protecting against it.
Now, companies in the US actually are held accountable (to an extent). Data breaches that result in HIPAA violations, for example, usually result in massive fines for companies. Violations of PCI-DSS will land you in hot water with the major payment card companies. Some states also have cybersec regulations that result in fines if you're found to be in violation of them during an audit. The problem, again, is that cybersec is constantly evolving and these regulations are years behind. The HIPAA cybersec requirements are actually pretty laughable, partly because of all the reasons listed above.
No. If you take it upon yourself to hold this information, you are accepting the responsibility for its disclosure. If you are not willing to accept penalty for this happening despite your best efforts, you should not be doing it.
Cybersecurity is a field where there's already not enough good talent. And even the very best talent is still going to not be good enough from time to time.
It is simply completely naive and unrealistic to expect a company to be 100% hack-proof, and if you start punishing people for that, then you're just not going to have anyone taking the job at all, and you're going to have even less security.
Who are all the criminal parties here?
So, assuming each person whose info was compromised is a separate incident, willfully negligent violation could result in up to a company-shattering $143B fine, but no less than $14.3B on the low end. I imagine that that even the lower figure would be hard for them to absorb as well.
I have to imagine that class action lawyers all over the country are licking their lips, if there's an opening via FCRA. I'm not sure what the FCRA says about PII data security practices, though - it might just be having processes in place and the like.
Really? "We lost your info. Sign up for our credit monitoring service!"
Can someone notify me when the class action has been initiated?
It does indeed.
https://trustedidpremier.com/static/terms
Oh, and the ability to force them to delete 100% of the information they have on my and never be allowed to store another bit.
Um.
https://trustedidpremier.com/
Regardless, it's certainly prudent to be wary of these sites since they're pretty indistinguishable from phishing sites.
Honestly, they should have used a subdomain off of Equifax.com.
https://en.wikipedia.org/wiki/List_of_Social_Security_Area_N...
Of course, this is cold comfort for adults today whose SSNs were issued around the time of their birth.
They keep taking...
It is a scam to get people to sign away their rights to sue the bastards.
Doesn't that mean you're waiving your right to sue TrustedID, Inc. in a class action for grievances related to the TrustedID monitoring product, not your right to sue Equifax for the data breach?
Shit I hope I don't miss out on like $3.37 of class-action BOUNTY!
Well over a month later and they're just now getting around to telling people about a security breach that could affect almost half of all Americans...
How is this ok/legal?
I work in cybersec and I would actually say that under 1.5 months from discovery of unauthorized access to releasing this press release (and already having the equifaxsecurity2017 website up and running) is astonishingly fast work.
Nor should the instigation of credit monitoring be delayed until the investigation is complete. To pick a contemporary analogy, it would be like not informing the public of an approaching hurricane until its precise point of landfall has been determined.
Data breaches are the same. If you put out a press release every time your infosec team discovered an attack, you'd be putting out releases every single day, multiple times a day, even though most of those breaches would turn out to be inconsequential after investigation. The public would become totally desensitized to them. That's why the investigation has to be done to determine if there actually is something to notify the public about.
Now, there's surely a point in the investigation where you "know" that the public needs to be notified, but you aren't completely done with the investigation yet. It would probably be in the public interest to notify then rather than waiting, but I think companies are scared to do this because many companies in the past have been lambasted by the public for doing just that. Apparently people don't like it when you release a statement saying "we had a major breach and some customers are affected but we don't know who yet", so it seems that companies are opting to get all the facts before saying anything.
A breach like this will affect thousands of people monetarily and suck time from them they could have used elsewhere. If you've ever dealt with something like this, you know the hours it takes to rectify the damage.
The only way corporations will learn to appreciate data security is when management teams suffer criminal penalties.
"Three Equifax Inc. senior executives sold shares worth almost $1.8 million in the days after the company discovered a security breach that may have compromised information on about 143 million U.S. consumers."
https://www.bloomberg.com/news/articles/2017-09-07/three-equ...
Why not?
It's possible that Equifax did something really negligent and if so maybe there should be a class-action lawsuit against the company. But it's also possible they did all the things they should have done and still failed because security is really hard and maybe the attacker got lucky.
Note that I'm not making that argument, but trying to understand how this situation differs.
But since the core database wasn't hacked, it seems likely that someone had a database dump on a development machine which was outside the scope..
Was all this data available and accessible through the same application? I wonder how likely it was something incredibly trivial, like SQL injection, or whether they were truly targeted and infiltrated
My opinion is that the only real solution is to internalize the externalities via fines, taxes, or regulation.
Why is this posted now?
And the response is great. "Please give us your SSN and last name, so that we can check to see if we exposed your info to being stolen ^.^
BRB TIME TO SELL ALL MY STOCK
THANK U FOR UR PATRONAGE LOL ^.^"
Edit: Seems that if you have a date you're impacted. https://www.reddit.com/r/personalfinance/comments/6yq36a/equ...
Thanks for the info will check it out, I suppose one saving grace for me is my credit is destroyed.
edit: that's funny "I know we just lost your SSN, but could you type it in again?" Also curious if by asking for the last six makes search faster, probably.
site to check impact: https://trustedidpremier.com/eligibility/eligibility.html
Edit that link (trusted) doesn't even say equifax in it, pulled it from Reddit, would be funny if it was a phishing site
Edit: this one looks more legit
https://www.equifaxsecurity2017.com/potential-impact/
Still not the main domain
I think most people are unaware of the depth of data Equifax has on them, beyond simple credit scores (e.g. health information).
Which makes the above quote from the article even more unconscionable. There should be no need for an outside firm to figure out what happened. They should have in-house expertise that is unmatched (although third-party audits ahead of time would be wise).
Who is the real victim? The credit reporting agencies want to convince people that the consumer is the victim, and so Alice bears the burden and risk of clearing her name. But it is the credit reporting agencies inflicting this upon Alice. BigBank is the victim who lost money, and BigBank bears the responsibility for making the mistake of giving out a loan in Alice's name. The Fraudster committed a crime against BigBank, not against Alice. It is Experian, Transunion and Equifax, by holding this fraudulent loan against Alice, who are victimizing Alice.
The idea that Alice was victimized by Fraudster is a concept being perpetuated by the credit reporting agencies as a way to absolve themselves of responsibility, and place the burden upon the consumer, and to avoid realistic identity-verifiction which might slow or complicate the practice of issuing large amounts of debt to the general public.
I've tried all sorts of p2p methods over the years. All of the banks are too confusing, obscure, or too limited (i.e. only within their bank). Paypal and credit cards charge a not-insignificant fee. Venmo or Square Cash work fine if your group of friends accept them--but more than half the time, they don't for me.
I often do ACH transfers between my own accounts, but the first time I set it up a cringe a little bit and cross my fingers. It sucks waiting the 2 or 3 days waiting to see something. I can't see small businesses accepting ACH as payment because they want something in hand. If we had the setup I've heard about in Britain or Europe, I can see checks going away, but with as much churn as I've seen in this space in the 20 years since Paypal, nothing seems to stick.
Try cash? I use cash for almost all transactions like that and have never been turned down :-)
7 years? Are you sure it's not something like 7 days?
Always dispute negative credit items; more likely than not, it won't be verified and is usually removed. Otherwise, wait 7 years and then dispute again.
There's some cost to this, but I still suspect quite a few people would accept it.
It's probably not hard to forge a social security card and birth certificate if you have the relevant information. From there, a state ID (or maybe even passport) should be possible to get. I don't believe there is any biometric security on either. A determined identity thief might go that far.
Why? Show up to a government station with your birth certificate, SSN, some telephone and utility bills, and they'll take the thiefs picture and put it on an identity card with your name on it.
Edit: Point being, this needs to be fixed ASAP if you are to move your country into the future. Fix the regulatory/state hurdles that prevent it from happening, and get yourselves National Identification that's secure. Things will flow positively from there.
This is the old "because a solution is not 100% effective, it's not good" chestnut. This solution would cut down on the theft by over 90%, I'd venture, probably more like 98%. There is huge difference between perpetrating a crime from the safety of a computer and physically walking into a bank to commit it.
http://www.iii.org/fact-statistic/identity-theft-and-cybercr...
Also would you want to go in person to signup for paypal, venmo, etrade, betterment etc?
Honestly, maybe that wouldn't be such a bad idea. A well-designed system would probably wind up contracting the post office for ID verification for online services (since in my country at least, they do a pile of random related stuff).
1. The bank should capture the ID you used the first time you entered and do comparisons. They should also capture your ID when you come in again. This will raise the difficulty of impersonating you and the risk the criminal takes.
2. One thing I didn't think to say, because my bank only exists in North Carolina: geography should matter. If you live in a particular city, opening an account from another state should be seen as suspicious, and merit greater checks. This is the kind of thing some people should be able to relax, but it's probably a good default for most of us.
3. Should I have to go to my bank for PayPal, Venmo, Betterment, eTrade, etc? Those cases don't all sound the same to me. But here's what I'd consider: how often is a person going to need to do this, and does the activity involve requesting credit? We've currently optimized almost exclusively for convenience at the expense of security. I'm proposing that we shift that balance a bit.
http://www.htxt.co.za/2015/09/16/this-is-how-banks-and-home-...
The solution is asymmetric cryptography, wherein identity is tied to a public/private keypair, and I can prove I have the corresponding private key without giving the other party the ability to impersonate me. Ideally, the government wouldn't know my private key, either, rather they would just give their own attestation that a given public key is owned by a person with a given name, DoB, SSN, and biometrics.
Along similar lines, any financial account would have its own keypair, with moving money out of the account requiring signing with the private key.
The state of cryptography today is way too obtuse for this to work right now, but I think it could be made more user friendly with specialized hardware to hold the keys and perform the encryption.
The idea that SSNs are secret, but we hand it out to half a dozen organizations is absolutely ludicrous.
Eve lies to bob, and tells Bob she's Alice. Bob asks Claire, who says Yes, that's Alice." Bob gives Eve money, and Eve runs off.
This should not be Alice's fault, responsibility to solve, or problem to deal with. It is, because Bob is much, much more politically powerful than he ought to be.
She may not have to pay that bank loan back but that doesn't clear her credit up immediately.
The police investigator told him that the particular fraud that he was a victim to was impacting >500 people and >$5M
Further - this rat race, where I have to give ever more intimate details about myself to verify who I am, "for my own protection", seems to only ratchet away my privacy until there is nothing about me left unpublic. Facebook, Banks, Airbnb, Credit Card companies, Telephony companies have ALL given me that line when I resist providing SSN, DoB, or whatever mine-able nugget they're looking for this month. Every time I give out a new kind of private information it inevitably leaks - defeating their point of having asked me - all the while my privacy is left scorched while they move on unconcerned to the next piece of my private life. It's uncomfortable.
I have separately worked with one of those companies with a client and their IT staff were utterly incompetent (I won't say which). Loads of different sites, lots of little fiefdoms, utterly inconsistent security policies on each site, blaming everyone but themselves because only half their sites could access a video on a major commercial video provider (not-youtube). We ended up having to host it on AWS cloudfront as none of them had blocked it yet. Their sharepoint could only host a 50mb file, which made their CEO look like a blockhead in the 20 min high def video.
Utterly incapable of hosting a simple video file so all their staff could access it in 2010.
I've also worked with a company one of those companies acquired for $100 million+, holding millions of people's personal details in the UK, with some very sensitive data. Some of the worst IT engineering I have ever seen, a bunch of tools written by the worst out-sourced IT teams I have ever seen (if you've ever worked with C#, these idiots made a project per .cs file. Yes, PER CS FILE. They also wrote the worst SQL I have ever seen, all of the stored procedures seemed to be duplicated but the duplicates had op_ before them. I eventually realised the op_ stood for optimized! They were still terrible and half the program used one set of SQL, the other half the optimised. Whenever I re-wrote one of these 'optimised' queries, I usually knocked it from seconds to milliseconds. Outsourcers in the naughties really did suck that bad, young 'uns).
We've given up huge amounts of privacy, but the scores are utter bullshit and the 2008 crash show what a load of nonsense they are.
A friend even told me at uni he'd got a £1000 loan out to get a good credit rating. You just put the money in an account, pay the capital off every month, lose a little bit of interest and in 2 years you have a shiny credit rating even though it means zilch.
equifax/experian/call credit basically get given all our personal spending habits for free, sell it on to everyone else for crazy money, don't add anything to the economy and as far as i can tell, are a huge security hole.
EDIT: Another anecdote on how incompetent these people are, a couple of years ago someone used my details to scam a few free phones. I got alerted to it when I started receiving insurance contracts for those phones in the post. The phone companies sorted it pronto, almost immediately admitting they'd been scammed, but I wanted to make sure my credit rating hadn't been trashed. In the UK these agencies must provide you with a credit report for a nominal fee so you can check for incorrect details, so I applied to the big 3.
One of them accused me of trying to hack their system because I'd forgotten a security question, eventually told me to fuck off after passing through various layers, then sent me a letter saying they'd detected a hacker trying to access my details. No, you idiots, that was me. Still never got my report from them.
Yes, they still use security questions.
I don’t really get that - doesn’t it mean that the person who took a loan is relatively responsible and was able to pay their loan back on time?
Any system can be gamed, but I don’t get the impression that credit agencies are attempting to eliminate all risk - after all, it’s obviously possible that someone who has had perfect credit for years might simply run away with your cash! But the system doesn’t have to be perfect, or detect all outliers, to have value.
It seems intuitively obvious that lending to someone who is frequently late with credit repayments is riskier than lending to one who isn’t, and this is the mechanism by which that information is shared.
In the 60s/70s it was about knowing your bank manager, so he knew you'd be able to pay. I appreciate that it probably benefited a certain type of person, but the new system probably has the same prejudices built in. Now it's all about the ephemeral and easily game-able credit score. Until a few years ago you would get negatively scored for not having a landline.
These scores are utter bullshit, they're simply about if you haven't screwed up yet, they're not actual assessments of your ability to pay or the risk you've exposed yourself to.
Again, I worked in the mortgage industry before the Northern Rock collapse, brokers used to be able to go to those guys and openly fudge people's incomes by calling them self-employed, they had a good credit score so no-one blinked an eyelid, get 105% mortgage, and then lo-and-behold, the bank collapsed. Yes, part of it was that they lost their access to easy bank credit, but another part of it was they lent to hugely risky people.
As a slight-side, my bank was willing to lend me crazy credit card money a few years ago because for 10 years I never missed a payment. In reality in those ten years I went through a patch of being the most business-un-savvy freelancer ever, selling myself at a stupid rate and not putting enough aside to pay my tax bill, to the point where I had to get a loan from a parent to pay it. I was flat broke, almost bankrupt, and these people were willing to lend me almost 9 months of my income.
I was not a good risk.
But because I paid on time for X years before, I was to the credit agencies.
You do recognize how terribly inefficient that is, right? In this day and age its all about scale. Expecting a bank manger to have financial profile of all the clients using his firm is impractical.
For all it's faults, the credit reporting agencies are providing a service. It's not perfect and I think it's best they could do with the information available to them. I expect they will improve their score though once they start incorporating signals from social media and other sources.
Is it, tho'? It is well known that IT doesn't improve productivity[1]; all the benefits of automation get swallowed up in the extra people needed to support and maintain it. So we can assume that the ratio of bank employees to bank customers has remained constant over time. So actually there's no reason for bank's not to operate the old personal-relationship model; they would need to employ the same number of staff to do it, just locate them in branches rather than at head office.
[1] http://www.computerweekly.com/opinion/McKinsey-Why-IT-does-n...
Banks are using actuarial science to make loans. You were (possibly) an outlier. That doesn't matter. All that matters is that their risk models work in aggregate. If they're right enough of the time, they profit. It doesn't have to be perfect.
But you were- you had access to a parent with money to bail you out.
That's probably the reason why it would increase one's credit rating in a positive way. I have no doubts about these systems being broken in such a way that they consider people who take on credit, paying it back in time, as more "credit-worthy" than people who never needed/wanted to take up a loan.
A bank obviously wouldn't want to miss out on the first group of people, why they couldn't care less about the second group of people from which they make no money in the form of interest.
It's also interesting how these kinds of rating systems seem to be "broken" all over the world. In Germany there is "Schufa", which is not a bank but basically a private company with a de-facto monopoly position in regards to credit ratings in Germany and they are quite infamous for mixing up people and thus giving them a negative rating, often without the people noticing until it's too late and their negative credit check denied them access to a rented flat/credit whatever, after which it's their responsibility to get in touch with Schufa to clear up their misidentification.
Just for anyone from Germany reading: There are multiple, less well known agencies that are used by banks and others as well. They are definitely worth keeping an eye on. I will only mention Creditreform Boniversum, Arvato Infoscore, and Bürgel.
I see this as you being too strict with your definition of "identity".
We, as people, have multiple identities. We have one with our government, another with our employer, another with our friends, another on pseudonymous websites, etc.
"Stolen identity" in this sense means Alice's attributes (the ones which Big Bank uses to identify a person) have been compromised by a 3rd party. It's not that all of Alice's identity has been compromised -- only a subset of her identity. Sadly that subset almost entirely consists of "something you know" (which the internet usually also knows) rather than "something you have" (like a government-issued ID) or "something you are" (biological traits).
I totally agree about the rat race. I think the credit bureaus are complicit in keeping the burden of credit identity low and the availability of credit reports high in the US, both of which lead to perverse incentives for {credit bureaus, consumers, creditors, governments, etc}. But they aren't alone. Credit card systems {VISA, Mastercard, AMEX, Discover, etc} and credit card merchants have done the same, causing the US to fall far behind other developed countries in consumer security.
Additionally, I've heard horror stories about the effort required for consumers to "prove" to credit bureaus that their identity was stolen. It sounds a lot like the insurance company's policies in The Rainmaker.
> We, as people, have multiple identities. We have one with our government, another with our employer, another with our friends, another on pseudonymous websites, etc.
Which is not relevant here, as this is not about different sets of attributes pointing to the same body, but about the exact same set of attributes being claimed to only possibly be pointing to one body (hence they supposedly identify Alice) while it is claimed at the same time that they can be replicated by a "thief", which necessarily implies that they don't identify Alice, and hence are not an identity, therefore tautological impossibility.
For example, it is claimed that being able to say the DoB of Alice is an attribute that identifies Alice's body. Then, it is also claimed that somebody else saying Alice's DoB supposedly is an act of stealing her identity, and that the set of such people is non-empty. Which means that being able to say Alice's DoB is not actually an identity in the first place, much less one that could be stolen.
As for fraud: There probably is no easy way around it. But that doesn't mean it's not fraud.
How does being in possession of a picture, or any other biometric data, help? These data are reproducible, like any other attribute that supposedly identifies only-Alice.
The hard problem with biometry is proving to a third party that a certain identity is responsible for a contract, but identification with biometry (convincing yourself that the person before you is the same person that you enrolled earlier) at least works a lot better than asking for essentially public information.
Attributes can be replicated -> attributes don't identify Alice
Why do you consider this implication necessary? It sounds nonsensical.
Counterexample: to verify an identity, the verifier must possess a replication the identifying attributes. If replication implies non-identity, then identity verification becomes impossible.
Note that we're speaking of identity in the context of a technical implementation.
Because it is implied by the definition that is implied by the concept of "identity theft".
Let's assume we define "identity" to mean "any set of attributes of Alice", so widening it essentially as far as possible. Then "is a human", being an attribute of Alice, would become an identity of Alice. Using that definition in the context of identity theft would then lead to the following sort of justification: Alice is responsible for paying back this loan because the person that we gave this loan to was a human and we identified Alice by her attribute of being a human to be the person we gave this loan to.
That doesn't make much sense, does it?
The whole justification for calling it identity theft, and thus blaming the identified person, hinges on the implication that whatever attributes are being used to "identify" Alice do imply that it is in fact uniquely Alice who has those attributes. It only logically works if you can say "those attributes are the attributes of the person that we made the contract with, and they are unique to Alice, therefore Alice is the person we made the contract with", not if your claim is "those attributes are the attributes of the person that we made the contract with, which are shared by a whole bunch of people, therefore Alice is the person we made the contract with".
> Counterexample: to verify an identity, the verifier must have replicated the identifying attributes. If replication implies non-identity, then identity verification becomes impossible.
Erm ... no? Just two obvious examples:
In order to check that you are the person on a picture I have of you, all I need is the picture, no need to have a replica of you.
In order to check that you are in the possession of a private key, all I need is the corresponding public key, not the private key.
Also, if it were the case that identity verification were in fact impossible ... what would be your point then? You don't like the (hypothetical) fact that it is impossible, therefore it is possible?
> Note that we're speaking of identity in the context of a technical implementation.
Actually, we kindof don't. We are really talking about a legal implementation, where there really is no requirement to do anything as a "technical implementation"!?
> Let's assume we define "identity" to mean "any set of attributes of Alice", so widening it essentially as far as possible. Then "is a human", being an attribute of Alice, would become an identity of Alice.
> That doesn't make much sense, does it?
If Alice is the last surviving human being in the universe, it does.
If Alice isn't the last surviving human being in the universe, than the premise of "is a human" as an identity is already nonsensical (because it no longer identifies), hence also any conclusions you derive from that premise are also nonsensical.
> In order to check that you are the person on a picture I have of you, all I need is the picture, no need to have a replica of you.
You haven't checked that it's me, you've checked that it is someone who looks like me.
Within any given context, that may or may not be treated as my identity. Hence, we're back at multiple identities, each in their own context.
> In order to check that you are in the possession of a private key, all I need is the corresponding public key, not the private key.
Which says nothing about identity, only about possession. Whether this possession is taken to be sufficient proof of identity again depends on the context.
> Also, if it were the case that identity verification were in fact impossible ... what would be your point then? You don't like the (hypothetical) fact that it is impossible, therefore it is possible?
Do you believe this hypothetical example to be true? If not, what's your point?
In which case it's just not a refutation of the tautological impossibility at all. Either something uniquely identifies someone, or it does not. Uniquely identifying someone while at the same time being (trivially) being replicated by somebody else is just a contradiction.
> If Alice is the last surviving human being in the universe, it does.
Seriously?
> If Alice isn't the last surviving human being in the universe, than the premise of "is a human" as an identity is already nonsensical (because it no longer identifies), hence also any conclusions you derive from that premise are also nonsensical.
Which is exactly why "was able to tell us the DoB of Alice" as an identity is nonsensical, and hence any conclusion of the form "therefore, Alice's identity was stolen" is nonsensical as well, correct.
> You haven't checked that it's me, you've checked that it is someone who looks like me.
Which contradicts the claim that the verifier does not need a replica of you how exactly?
> Within any given context, that may or may not be treated as my identity. Hence, we're back at multiple identities, each in their own context.
Which still cannot be stolen. So?
> Which says nothing about identity, only about possession. Whether this possession is taken to be sufficient proof of identity again depends on the context.
Which contradicts the claim that the verifier in a context where it is taken to be sufficient proof of identity does not need the private key how exactly?
> Do you believe this hypothetical example to be true? If not, what's your point?
My point is that I am responding to your argument that was about an implication from that hypothetical case.
... seriously, just stop.
> For example, it is claimed that being able to say the DoB of Alice is an attribute that identifies Alice's body.
And then we say that the stating the DoB authenticates anyone to make changes to Alice's account.
And then we say this is a terrible idea. And then we are in agreement.
And then we don't have to say completely unhelpful nonsense like the following:
> Then, it is also claimed that somebody else saying Alice's DoB supposedly is an act of stealing her identity, and that the set of such people is non-empty. Which means that being able to say Alice's DoB is not actually an identity in the first place, much less one that could be stolen.
If these credit bureaus insist on conflating the word "identity" with "authentication" then it is up to us, computer / information / system / security professionals to correct this error and continue with more clarity.
Not not to start a one-sided (credit bureaus aren't listening) philosophical argument that nobody was really talking about in the first place. This isn't about ontology, and it never was.
(Ontology is the field of philosophy that asks the question what "is" is, a.k.a. "identity" and it's very interesting but also very much irrelevant to this incident and the problem it poses to badly designed authentication systems)
An important part of our jobs is being able to clearly explain such computer security and authentication concepts to a layman. That includes properly framing the question. Digging into a philosophical argument because you feel you can argue your way around a particular word that is used, only feeds pedantry.
Except it's nonsensical to switch to "authentication" when the discussion is about how the term "identity theft" is misleading. It's not "authentication theft", it's "identity theft", and that is exactly why it is misleading.
The original point of this comment thread was that the credit reporting agencies want to keep it confusing so that it's not clear who exactly was the victim of the crime, so it's not obvious that the system sucks.
For the same reason I won't go into discussions about the finer moral points when stealing is wrong or not, if the topic is copyright. Especially not get carried into far-fetched analogies such that it is okay if a starving family steals the blueprint for a 3D printed load of bread or whatever.
In that sense, the term "intellectual property" is actually similarly problematic as "identity theft". While it evokes the connotation of "property", intellectual_property is actually just a legal term that stands on its own and derives nothing from the common concept of "property" except where explicitly defined as such.
Except that identity_theft is, afaik, not a legal term. I believe it stems from the idea of the loss of an interconnected number of (mostly electronic) credentials, an adversary could use to, in a sense "become you", and wreck one's life. This then became a serious fear, that was (in the public) not quite blamed on terrible security practices of powerful entities, but on the ever-growing interconnectedness and electronicification of all aspects of our life. In fact literally about the fear that the large amount of data about us in these computer databases, would some day mistaken to be us and identify, regardless of its truth in the real world. But identify_theft has always been painted as a sort of "curse of the modern age", our penance for living in an ever automated society, kind of typical Hollywood morality story.
Except these credit companies seem to be just focusing on the "wreck your life" part, twisting the definition around, that suddenly a security failure with their authentication/credential system gets to be blamed on the general societal menace of identity_theft, mainly because their error has the capability to wreck one's life.
I'm pretty sure Baudrillard or some other person in critical theory / semiotics has written some interesting stuff about this. Now that is a philosophical discussion on this topic that I would actually find worthwhile.
Online loan firm gives money to someone. Months later, they default, so they call who they think is the holder of the debt. That person has no clue what they are talking about. Finds out through first ever credit report they are defrauded. Victim calls loan firm, who requests lots of proof of existence as well as a police report, before they will help them. Process takes weeks. Victim finds out they signed up at Equifax during hack. Now they are in worse shape.
You don't need to provide a SSN to get cell service or provide real information. Lots fraud is done through tethering through burner phones.
Even government can't verify people and its problem because people give other people's SSN and DOB when they get arrested which is the worst type of identity theft as it can lead to the victim getting arrested or not getting a job(criminal record showing up in background check).
Don't give them any stupid ideas. This year Germany did exactly that: Require proper identification for purchased SIM cards. Lot's of people used that opportunity for some extra cash by selling pre-activated SIM's through Ebay, after the requirements had been changed.
Too bad they also introduced Euro roaming, so people are still free to buy their anonymous SIM's in other EU countries and use them in Germany.
I guess those are the consequences of a future where your mobile device is used for your personal authentication everywhere by everybody. [0]
[0] https://www.nytimes.com/2017/02/13/business/dealbook/banks-l...
Generally speaking, the impact to the customer is usually greater, as bank business model aren't dependent on every loan being repaid. Consumers stand to lose money directly and lose the opportunity to access capital.
The credit agency or anyone else who has a breach is usually a negligent third party.
The bank is a victim of fraud.
The individual is a victim of impersonation by the borrower, and slander by the bank and credit agencies.
The individual is victimised by the bank and the credit reporting agencies by their spread of misinformation.
Calling all identity thief peeps....
The question would then become whether the bank's identity verification procedures satisfy that burden. I think it would be a difficult endeavor, but it would be good to see it tested.
They absolutely should have known it was wrong -- their business is lending money to people! If their procedure is insufficient, they should have fixed this.
I would love to see the banks sued for libel, a massive class action suit. There are real monetery damages it one could put a number on, and the difference between a bad and a good 30 year mortgage will be a big number.
If someone steals Alice's car and commits a hit-and-run, she will be inconvenienced when the cops show up at her door, but the person who reports her plates won't be committing slander.
https://www.law.cornell.edu/uscode/text/15/1681h
In this case, maybe you could have a shot by arguing that since the bureaus know that like half the population's information was stolen, they are acting with reckless disregard for whether their statements are true if they don't now do additional investigation to confirm the identity of the subject of their statements in order to mitigate the effects of the breach.
That's a long process (5+ years sometimes).
https://www.youtube.com/watch?v=CS9ptA3Ya9E
If there is a dispute between what BigBank says and what Alice says, it's not necessarily so easy to resolve, and that's the position the Credit Bureau has to deal with.
To absolve the fraudster of the primary fault is ridiculous. That said, this is the problem with difficulties in identity verification, we all want privacy and security at the same time. While they are not mutually exclusive, having both is much more complicated than one or the other.
The only thing she could expect from BigBank was politeness while explaining to her that she was duped. If it's a very friendly bank, she may tie up a manager for a couple hours, but that's it. If she keeps coming back, she'll soon be escorted out by security, or the cops.
Now, what if she started falsely telling others that BigBank took her money, and that significantly affected BigBank's reputation? Are we talking jail time, or just civil penalties?
Jail time could be a possibility depending on jurisdiction. In the US, a handful of states have criminal defamation statutes - https://en.wikipedia.org/wiki/Defamation#Criminal_defamation...
Probably not jail time, and perhaps not civil penalties. Even civil defamation in US law generally requires knowing falsehood or reckless disregard for the truth, not just mere falsehood, and criminal defamation, where it exists, tends to have high . Unless the bank had provided concrete evidence so solid that it was unreasonable for her not to believe their denial of responsibility, there likely be no legal wrongdoing.
Who's the victim?
I believe the Fair Credit Reporting Act allows Alice to remove inaccurate information from the report?
https://www.youtube.com/watch?v=CS9ptA3Ya9E
I think you're confused. It's BigBank that's falsely placing a debt burden on Alice. The credit reporting agencies are only reporting what they are told. Imagine if Alice doesn't care about her own credit worthiness. Let's say she has no debt, and no intention of acquiring debt. What happens if criminal tricks BigBank? They say, "Alice, you owe us this money." Alice tells BigBank, "No, prove it or pound sand."
What happens then? BigBank goes to the court and tries to get a judgment against Alice for the money owed. If Alice isn't aware of the proceeding, the judge will grant BigBank's request, and now Alice will owe BigBank the money stolen by criminal.
BigBank's poor authentication and the judicial branch are the ones doing the real harm to Alice. If anything, the credit reporting agencies are providing value to Alice by warning her before BigBank goes after her in a secret proceeding and makes the debt hers.
https://www.nytimes.com/interactive/2014/08/15/magazine/bad-...
Think about the credit reporting agencies as a rather sloppy "master list" of who owes who money. It seems what is needed are stiff penalties for banks and collection agencies who falsely claim they are owed money. Until then, you can't live in peace. Someone is going to claim you owe them money if you have any money yourself.
1. Alice does have debt, and does intend to acquire debt in the future, like most people. The presence of this fraudulent debt in her credit report makes credit more expensive and hard to get.
2. Before filing suit and going to court, BigBank makes persistent but usually polite attempts to collect. But when she says "that wasn't me" they don't believe her, because lots of deadbeats say that sort of thing too.
3. Perhaps BigBank sells the debt to a collection agency, which is far more aggressive and (willfully?) ignorant of laws regulating how and when they can contact Alice. Perhaps they call Alice's employer, threaten to garnish her wages (even if they legally can't), or lie about Alice's ability to contest the debt.
4. If Alice is determined enough to keep fighting and go to court, she has still sunk significant time and money into fighting this. It's unlikely she'll be compensated fairly for that.
I agree the credit reporting agency is in some ways helping Alice, and would add that these agencies probably do reduce the rate of fraud overall. But they also have a responsibility to do a good job minimizing errors. We can't expect them to never make a mistake, but they should have some skin in the game when their inaccuracies hurt a credit applicant.
Don't kill the messenger. The credit reporting agencies are doing what they are obligated to do in that business. There needs to be penalties for BigBank beyond the money BigBank lost in the scam perpetrated by criminal.
Blaming the credit reporting agencies for bad credit reports is intellectually lazy. Blaming them for garbage computer security is much more appropriate in this story. A more interesting discussion here would be about the technical details of the hack.
If you wish to provide a service with a level of guarantee, responsibility and liability comes along with it.
1.(added to qualify that adjective "honourable" which I apply to individuals not companies, and individuals who risk sacrifice without burdening others. My career is in advertising and I am truly impressed when publishers are able to maintain standards that are able to raise their costs of sales. (a large publisher may not lose a account, but the sale often consumes expensive energy, even only to explain why policies exist. I work far from such high sensitivity issues, as does the company I started around the time of this recollection.)
2. last I spoke to Mike, he was telling me how he simply was never issued his shares in "ElReg" and he was long enough into The Inquirer to think that Limitations applied. But Limitations 80 runs from the time of discovery of tort, not the event of tort. Before the chance arose to catch up, and establish facts, Mike had passed away. RIP a great man and two great journalistic servants to the IT community. I did not establish the facts that were alleged, therefore my statement is hearsay, but protected by the statutory defence of genuine belief, and I had always faith in my source.
Edit: italics removed from footnote, earn out replaced phypo earnings, and great man replaced good man. Mike was exceptional and altruistic to a fault.
https://www.equifaxsecurity2017.com/potential-impact/
Which says it would tell me if I'm likely impacted, but instead it just gives a date where I can enroll in some free product, but no info on whether I'm likely compromised.
Anyone have a workaround? This is important to anyone that wants to identify if they've been "pwned."
> Thank You
> Based on the information provided, we believe that your personal information was not impacted by this incident.
So if you just get the enrollment date, I think that means you’re affected.
I watched the video of the CEO describing what Equifax was doing in response to the incident and he does not specifically name "equifaxsecurity2017.com" or "trustedidpremier.com" as the sites they've set up, only that they've set up a special website.
"Regardless of whether your information may have been impacted, we will provide you the option to enroll in TrustedID Premier. You will receive an enrollment date."
"Equifax Cybersecurity Incident: To learn more about the cybersecurity incident, including whether your personal information was potentially impacted, or to sign up for complimentary identity theft protection and credit file monitoring, click here"
and that "click here" goes to http://www.equifaxsecurity2017.com/
So it'd seem legit, if rather silly to have its own domain.
In other words, when they say "143 million US customers" they really mean "the vast majority of Americans with a credit card".
Astounding.
[0] https://www.census.gov/data/tables/2016/demo/families/cps-20...