With this Equifax hack, is it feasible this info release could endanger the lives of people?
Specifically, having current address info released for people who that could go badly for. eg ex-partners of violent people, maybe law enforcement (?) people, etc
If that's the case, then the fallout (and scrambling-to-relocate by people endangered) from it could be even more massive then so far mentioned. :/
I entered my real information and they said I was not impacted (but still asked me to sign up for TrustedID). The same for my wife. I tried it again today to make sure the answer didn't change and it's the same as yesterday.
Here's the message I got:
Based on the information provided, we believe that your personal information was not impacted by this incident.
Click the button below to continue your enrollment in TrustedID Premier.
Maybe if they can't make a positive match against their "safe" list, they give the warning.
They seem to be matching on SSN alone, I entered a completely different last name, and still was told that I'm not impacted, so maybe no one with the last 6 digits of my SSN was impacted.
So, this basically is a way for Equifax to get a mass waiver from people to make a class action lawsuit less damaging to the company. Opting out of the waiver is a long winded process of mailing a form. another funny thing is that if you sign up for their crappy product, you have to come back on a different day and complete the sign up. There wont be emails or notifications. If you forget to signup, then you have basically waived your rights to sue to company.
For every SSN entered, Equifax can say in a class action lawsuit that they have waivers from all the following SSNs ....
IANAL, but this looks like a sensible strategy for Equifax to save itself after screwing with people's SSNs and personal info.
Are you saying that merely by seeing if you were impacted, you are waiving your rights, even if you don't come back on the scheduled day to complete the enrollment? That sounds ridiculous. Nowhere in the simple form that they provided is there any mention of waiving any rights. Nor is there one of those standard checkboxes about "I accept the terms.." when filling out that little form.
Not quite. They tell you you're impacted, then "helpfully" offer to sign you up for a service that will (supposedly) help to mitigate the damage. Buried in the TOS for that service is a clause that you give up your right to sue.
You don't need to worry. Equifax can say whatever they want in their BS terms, however no judge in their right mind would enforce such language barring you from joining a class action suit. If equifax sent out some sort of compensation check, and you cashed it, that's a different story.
With this many people affected, it'd be political suicide to enforce such a claim - ideally. The ideally bit is because we may just have reached a point where judges no longer have to worry about doing the right thing.
Perhaps they were trying to do that, but after New York Attorney General mentioned that this can not be enforced, they updated their FAQ that this waiving is only for issues regarding to the service itself, it does not cover the data breach. So you should be ok, but frankly in this case the service is useless, it is only for one year, but the information is still valid after that. The minimum they should do is to remove all the fees for freezing/thawing the account and allow everyone to permanent freeze their accounts with ability to unfreeze whenever they need to open a new account.
The sad thing is that they think the current solution is adequate. They do it this way because we are not their customers, we are their product. I would encourage to complain about this to your representatives. We could have much better protections about identity theft, have account frozen by default and without any fees. Have their credit checking services available for free.
Sadly, the business is structured so they actually are making money when it is easy to open a credit line, even illegitimate one.
They're not lying, because the act of saying it made it true. A court would no longer permit them that argument because the counterparty would just present that highly public statement. (Maybe there's a tiny chance they could wiggle out of it, but they would have to find a human judge who would let them, and I imagine those are in short supply in a case like this.)
Yeah that actually makes it irrelevant. The concern of people being impacted is about biases. If everyone is impacted the bias is no different than the base concept of peer justice in the first place.
I am not a lawyer, but I have taken a bunch of law classes.
IIRC, the judge doesn't need to recuse themselves of any/all cases where they are impacted, only that they must recuse themselves where they would be unable to be unbiased, or where there would be an appearance of being unbiased.
In the lower courts, when in doubt, that's decided by other judges. At the SCOTUS level, that's decided by the individual judge on an individual level.
> Opting out of the waiver is a long winded process of mailing a form.
I freaking hate tactics like this, so I am offering to go through the mailing process for anyone who fills out the form at https://unarbitrate.org/. I'll pay to mail it, just because I hate this sort of thing. If you don't trust me with your data, the site also provides a way to print it and mail it yourself. But whatever it takes, I encourage everyone to opt out of this; you have nothing to gain by giving up these rights.
Thanks, I appreciate the support! I'll let you know if it comes to that; so far I have some money set aside and I should be able to keep costs under control by bundling them into one envelope.
It's going to take more than an envelope, if your site gains legs. There is also the expense of printing and shipping. Paper is heavy. You mentioned the idea of delivering them in person, you may wish to get some press and legal council.
considering all this information has been leaked, how on earth would they expect the people entering in their credentials to be the actual people who own the SSN!
with regards to giving up their right to class action
So basically Equifax now is engaging in fraud on massive scale. It needs to be dealt with the same way as we dealt with this company called Arthur Anderson.
Even if the information they returned was correct, do you trust them enough to enter your SSN and name anymore? Surely they will be hacked again and you will be impacted by the next hack.
1. Enter SSN
2a. Impacted by this hack
2b. Not impacted by this hack but will be impacted by next
This isn't a very rigorous test, and TC's assertion that this may be random is probably untrue given that the results seem to be consistent if you enter the same details multiple times. The idea that Equifax has implemented a random yet deterministic checking system seems beyond the pail of belief.
If I had to guess, I would say that Equifax is not checking against a list of people that they know are compromised, but rather against a list that they know have NOT been compromised. So if you check a name, and it is in Equifax's database AND it is known to be uncompromised, you get back a "you are safe message". For everyone else they give a generic "you maybe were effected", emphasis on the "maybe".
Obviously a fictional person with fictional details is not going to be in Equifax's database, so they would just throw the generic maybe message.
I have 5 and 7 yr old girls. To the degree that either exists with respect to the finance industry, they both exist. Neither has credit, obviously, or any interactions with a credit agency. The only people who have their SSNs are the federal government and our health care provider, which has some very strict laws about what they can do with _any_ data they have.
Equifax says the 7-yr old "may" have been affected. The 5 yr old comes back clean.
Sure, but they didn't give data to a credit agency. That would require consent, and even if you assume they ignored HIPAA, if they'd done it for one daughter they'd have done it for both.
Your conclusion is entirely unfounded. Returning the same result for the same input does not in any way refute the claim that it's random. It could just as well seed the RNG with the input or any number of other implementations.
This is an extinction level event for Equifax. They need to be disassembled, their stored data destroyed correctly and securely, their negligent officers charged.
This isn't an accident. You don't surface 0.134 BILLION bits of PII without some sort of criminal level incompetence.
Any organization that uses Equifax data in any decision making process needs to be held accountable, as there may have been earlier intrusions also undiscovered, that have altered. Which, if they then choose to use them in any decision process whatsoever, brings them liability for misuse of possibly tampered with data.
I am quite serious when I say that Equifax should cease to exist as a result of this. All others should be audited for security, and audited hard.
Again, not being hyperbolic. But quite direct, with appropriate levels of anger at Equifax.
It's (unfortunately) far more likely that they'll simply re-brand as something else. For all intents and purposes, Equifax will cease to exist; except it will be exactly the same thing under a different name.
I agree completely. The only reason for this company to exist is to maintain the data that now is compromised. This company needs to be brought down as quickly as possible for everyone's safety, and the other two companies need to be seriously monitored.
The department of justice should break them. This is their job.
But this is a government with a grifter at the top, so I have almost no confidence attorney general Sessions will investigate this seriously, let alone destroy the company. He very clearly enjoys targeting e.g. black people who smoke weed with incarceration, destroying their lives, than punishing Equifax's officers, board, or shareholders with destruction.
I have more confidence in a handful of state attorneys general working on this effort.
Every generation is galvanized by serious injustices. But, it feels like we're far less effective at turning that anger into change; though maybe that's always how it feels at the time.
I'm almost sure I once saw a quote from Bill Clinton's press secretary that said something like "We knew that if we could survive the first 5 days of a bad story, it would get dropped."
That perspective solidified for me during the Occupy Movement. Granted, it lasted much longer than 5 days, but ultimately, what of it? The FBI didn't investigate the bankers, it investigated the protesters.
You see it with Flint. You see it with Climate Change.
I've always been politically apathetic. Moreso as a foreigner where I recognize that living in a foreign country is a privilege, not a right. Plus I'm a cynical person (not a healthy habit). Which means that whenever I hear about "boycotts", or "writing to your representative", or "held criminally responsible", or "..." I always think two things. First, that people are naïve, and second, what's it going to take to drive people to take un-ignorable action?
Disagree. I think the examples in the grandparent comment are spot on.
You can be cynical of the government and the regulators and still do something about it. If you are a landlord and running a credit check don't use Equifax. Maybe this will open the door for startup in the space.
I do wonder if America will see some kind of Red Brigades armed political group in the coming decade. There's already an extensive armed rightwing political movement.
> we're far less effective at turning that anger into change
The anger will become a mob that enacts change when a critical mass of people lose access to food and/or shelter.
> what of [Occupy]
Occupy was very successful at (re-)introducing class warfare into the public dialog.
> First, that people are naïve, and second, what's it going to take to drive people to take un-ignorable action?
3rd, why isn't this anger organizing into larger activist/political movements? Well, with enough surveillance data and modern data analysis tools it's easy to find the "leaders" or "organizers" that bring people together. Remember JTRIG[1]?
Oh, you're on the right track... but it's worse than you imagine. Those "leaders" and "organizers" are unimportant. You're familiar with the 'Six Degrees of Kevin Bacon', right? Say you were omnipotent and wanted to make it so that instead of only needing 6 links to get to Mr. Bacon, you needed 15 links on average. And you want to do as little disruption of the network as necessary.
What nodes in the graph of connections would you target? Intuition says go after the nodes with tons of connections to tons of people. Intuition is, as it almost always is, dead wrong. Removing those massively-connected people in a social network is basically useless. They are almost exclusively connected to people who are already connected to one another. They're the center of clusters, and you will almost never route through one in an attempt to find the path to Mr. Bacon.
Instead, what you want to look for are node which bridge clusters. People who are usually not strongly connected to one of the clusters they are associated with, but provide a conduit through which connections can be made. Because they are inherently a bit 'different' from the people in each of the clusters they bridge (few others bridge those two clusters), they tend not to be important figures. They're a member of a biker gang who hangs out with his great aunts knitting circle on Saturdays. They're the ones who facilitate the flow of ideas between groups that never speak to one another otherwise.
So you know who to target... but how many 'bridge' nodes like that do you need to really take out in order to significantly increase the 'distance' between nodes on the graph on average? Disturbingly few. Removing something like 25 nodes from the graph of tens of thousands of performers will make it so you need 15 or more connections on average to get to Mr. Bacon. (The book 'Linked: The New Science of Networks' details the research specifically, its been years since I read it though so I am fuzzy on exact numbers but it was definitely fewer than 30 you needed to remove)
Now, imagine a crazy scenario where you had access to the social graph of a country (somehow!) and knew who was talking to who. And your goal was just to maintain the status quo. Well, what does any large-scale social change require? An idea must spread to large numbers of extremely different, and almost entirely disconnected, groups. Any idea that remains sheltered in one or a few groups will die out of its own accord. A revolution doesn't happen because one minority wills it, there has to be buy-in from a wide array of groups. So remove those bridge nodes. Any widespread social change becomes very nearly impossible.
But what is "removing a node"? I'm not talking about black-bagging a person and dragging them off to some hole or blowing their brains out. Such things are entirely unnecessary and counter-productive. The more significant your action is, the more profound the unintended consequences will be and predicting the outcome quickly becomes intractable. Instead, notice that those bridges are usually connected more strongly to one cluster rather than the other. If their communication became more burdensome to the group they are less connected to... for how long would they persist in fighting to maintain it? If something nutty happened and they had to change their phone number, what're the odds they'll forget to give the new one to the contact in a group they're barely involved in?
You could have very quiet oppression through these means. I expect there would be unintended consequences, and have been trying to figure out for a few ways a good way to detect such changes in a social network, but its just a thing I keep in the back of my head, not something I actively work on. If you've got any ideas, I'd be happy to hear them.
American politics is driven by anger. Unfortunately, anger at "elites" and "immigrants" far outweighs any kind of desire for competence or real solutions, which is why you have Trump.
There is an entire industry keen to get people unconstructively angry about unrealistic threats so they can sell gold and ammunition.
So a few years back, Equifax bought a company I cofounded. They assisted my former business partner in diverting ~$13 million of the purchase proceeds that were supposed to go to me over to him. Then they helped stonewall the resulting litigation for years.
While I am upset on behalf of all affected consumers, mere words cannot adequately express the unbridled joy that I experienced when I found out that they were likely, at a minimum, going to lose hundreds of millions (or more) over this. Having dealt with high level executives at the company, I can tell you that an event like this is wholly unsurprising given their nonchalant attitudes toward...pretty much everything. I absolutely hope you are right that this is an extinction level event for them. My admittedly biased opinion is that they are an irresponsible company with far too much power over peoples' lives, run by malevolent executives. The company should probably cease to exist, at least in its current form.
Did they have a specific reason for screwing you over? It just seems like a lot of effort to go through on their part with no tangible benefit. Sorry if this is too personal a question.
It's a very long story, but my business partner was running everything by the time they came into the picture and so their allegiance was to him. We had a personal falling out and based upon that he became hellbent on ensuring I got nothing once it was clear that the acquisition was going to happen. It was easier and cheaper for Equifax to take the position they took. If I were a corporate lawyer, I likely would have given Equifax the same advice. That doesn't make it right though.
So 134 Million then. I mean that's still an extreme amount of bits ofc. Just seems silly to use the "billion" signifier for something that is less than 1 billion.
Likewise it'd be strange to call something "1000 milliunits" instead of just 1 unit. (Unless ofc milli happens to be the frame of reference for some obvious reason like "15 millunits of x is a deadly dose".)
This is stylistic. It's basically setting a scale factor for you, that this isn't a small breach, but a noticeable fraction of a billion. I could have written it as 1.34E+08 though fewer people would have understood this, though it would have been as correct. 134 Million is obviously "alot", though from a psychological perspective, the billion gets more attention than the million, even though the number isn't changing.
Just directing it at Equifax is much too narrow, though. At the very, very least some legislation should come out of this mandating that ALL credit bureaus should allow credit freezes, at any time, for free.
The thing that really incenses me about this whole debacle is the system is designed to benefit from its own incompetence! All these "identity theft solutions" that the big credit bureaus provide are just a way to charge consumers more for a problem that the consumer had nothing to do with in the first place!
This is a "too big to fail" event. Getting rid of or changing Equifax would disrupt too many other businesses, therefore any wrongdoing of theirs will be waived away and the costs pushed onto consumers.
For more than a decade, a debate has been going on in the Communications of the ACM (as well as other places, thats just where I've read of it most often). You can't make charges of negligence stick against companies using technology. There are no 'standard practices' they are negligent of following. If they were building a bridge, they would hire licensed certified engineers, and they would be legally bound to give those engineers access to the tools needed to do their job, the time needed to do the job correctly, and even if the CEO wanted to push the project forward despite misgivings of the engineers over safety, he would be legally forbidden to do so (and criminally personally culpable if he did).
The same is not true of software-driven systems. There are no licensed developers, no regulatory body determining what tools must be made available, no guarantee of primacy of technical engineering concerns over business management. If a software engineer says "it needs more testing" or even "there is a bug that will kill people" and the CEO says "ship it", it ships and the courts will do nothing. This was proven to be true even in cases where incompetent management results in bad software that gets people killed in the case against Toyota with their "unintended acceleration" due to a firmware bug that would have been caught immediately if the developers had static analysis tools.
Companies fight against the establishment of any sort of standards because it would reduce their profit margins. Developers fight against the establishment of any sort of standards because it would raise the barrier to entry in the field and no matter who the standards body consists of, they will select standards which people disagree with, they will be reluctant and slow to change or update them, etc. Both sides are right. But the alternative is companies having free reign up to and including incompetence of the degree which gets people killed with no accountability. People are overall very bad at decisions between two scenarios with clear negatives on both sides. They feel entitled to a 'clean' option and are uncomfortable with saying "I embrace the negatives and accept the burden of working hard to try to minimize their harm in order to gain the benefits of this option." Accepting the negatives implies taking some responsibility for bringing them to fruition and no one wants to be responsible for that - even if the alternative is worse. Not every decision is easy.
While I certainly agree in spirit, Equifax is, as has been said elsewhere, unfortunately too big to fail. Too much infrastructure has been built around it.
So, instead of dissolution, I propose two very reasonable remedies that I would consider the absolute minimum in concert with whatever fines and sanctions may be levied:
1. Credit freezes/unfreezes must be offered free in perpetuity. “They cost us money to perform” is not a remotely appropriate objection - offering this for free should be a basic cost of doing business in the credit reporting industry.
2. Affected individuals (everyone, basically) must be granted a minimum of 10 years of credit monitoring following the breach. One year is a free sample you get with a coupon code from a podcast. Furthermore, the service must not auto-renew at the end of the term: send users a security report and let them decide if they want to opt-in to continued monitoring after the term ends.
Why 10 years? I mean, I don't see how one could defend any term shorter than the term of the validity and danger of the information stolen. I won't get a new SSN in 10 years. I won't get a new name. All the information will persist and still be useful. I'm personally in a worse position as my information was part of the OPM breach years ago and even images of my fingerprints are in the wild. And I got 18 months of free credit monitoring out of it.
When a charge of more than $100 is made on my credit card, I get a text message instantly. When I log into my banks web system, I get a text message instantly. I was able to set those things up. I don't see why it would be unreasonable to have a similar thing set up so that I could be alerted every single time my credit history is queried with information about who is querying it for what purpose, ideally with the ability to block it by replying to the text message.
Agreed. At this point, the only sensible thing to do is to assume that Equifax is -- and perhaps has been -- compromised indefinitely. If not by external agents, then by internal incompetence or malfeasance. They've not clearly demonstrated either the intention or the ability to handle this breach in a diligent, professional, ethically sound way. To me, that calls into serious question their ability to embody those qualities in their operations before the breach as well.
Here is a crazy alternate theory for you guys, which I think fits all the details we have so far.
1. Equifax was never hacked.
2. Equifax accidentally deleted a substantial portion of their database.
3. Come up with a system to get the information they lost back, via a "have I been pwned?" checker.
3a. If you enter your details and they are not in their database, they assume it is one of the persons they deleted, add it to their database, and give you a "maybe hacked" message. Obviously a fictitious person would never have been in any of their databases, deleted or otherwise. So, assuming this fake person must be a deleted person, they add the info and show the "maybe hacked" message.
3b. If you enter your details and you are one of the lucky (haha) persons that were not deleted, you get a "you are safe" message.
4. Equifax gets a lot of their database they deleted back with little effort on their part.
If all they need is a database of basic consumer info, they could buy that list from one of the other credit reporting agencies and avoid the public scrutiny of themselves and the industry itself.
avoid the public scrutiny of themselves and the industry
They'd probably give it to them for free if that would avoid a huge public disclosure.
Though the proposed scenario is impossible, if Equifax really did lose most of their database, asking users to type in their current name/address/SSN (or buying it from a competitor) wouldn't help them, the valuable data is in the credit history, and without that data, Equifax has no business, so they'll go bankrupt. Even if they asked consumers for the data, few people know all of the data that the credit agencies have on them.
They do it now. Typically businesses only report credit information to one of the bureaus. They exchange information with each other so information eventually makes it around to all three.
If #2 is what happened, they aren't acting in their own interests by saying they were hacked. If they were hacked, that means 3rd parties have the data. If they merely deleted a database, that implies the info is gone and nobody has it.
Surreptitiously recreating a database? They can get a list of SSNs from the government, what is a user going to add to that? One of their addresses? All of their previous financial activity? What do you think the database contains?
Not to mention the idea that Equifax doesn't have backups.
> 2. Equifax accidentally deleted a substantial portion of their database.
Although most people know of stories where backups were broken, didn't work, (etc) for some reason, it would be truly mind boggling for it to be the case here.
Deleting a substantial amounts of production data... seen that before (I used to be a NetBackup Admin for large places). But recovery procedures do exist, and for them not to have multiple levels of recovery available for their core mission data is extremely unlikely.
This is silly, because losing data would be lower outrage, and they might even purchase the data from other agencies so we wouldn't even know it happen.
Also the data that leaked is not the valuable data to them. See how proudly they stated that no core databases were affected? Not giving a damn about us?
What's valuable to them and to banks that use them are the actual information about our credit. If that was compromised that would kill them, because they would lose trust of their real customers (banks).
I read on Krebs on Security [1] that those who visited the site from a computer got one result, but also got the other when they visited from a mobile phone. Not that this might apply to you, but the results from the equifaxsecurity2017 site do not seem trustable.
Quote from the article:
> In the early hours after the breach announcement, the site was being flagged by various browsers as a phishing threat. In some cases, people visiting the site were told they were not affected, only to find they received a different answer when they checked the site with the same information on their mobile phones.
I'm sure Techcrunch verified this is legit, but there's going to be a lot of similar sites shared on Facebook popping up that are similar to get your data.
If you read the message, it's very noncommital. You "may have been impacted" which doesn't take a position either way.
They could issue that response regardless of what you type and cover all possibiliites.
My guess: to account for typos, they are responding with "may have been impacted" if they get a hit on either the name or SSN, not only when there is a match on both.
"As specified on the website, Your membership subscription may be subject to automatic renewal. TrustedID may, in its sole discretion, terminate this Agreement (or suspend, terminate, or otherwise restrict Your use of and access to the Product) at any time, without notice."
Not only can they renew you automatically (unclear what the renewal term is, plausibly the autorenew could obligate you with another year of service you'd have to pay for); but they can also cancel the service, and not inform you. So you're "protected". Maybe. You don't really know, nothing about it is transparent.
What we do know, is they're bad at their job of protecting consumer credit data from people who shouldn't have it. They're not to be trusted, and therefore no good reason to agree to anything they offer.
Given the fact that every other week some company gets hacked and leaks data on customers they shouldn't have been keeping in the first place, I'm looking forward to some court precedent being set. I don't know why the Equifax leak is getting all the attention and hate when https://haveibeenpwned.com/ discloses a major hack constantly, but it'd be great if companies were held financially responsible for security carelessness and improper disclosure.
In Sweden your social security number is public information. What's the reason for it being private in the US? Sounds like a horrible thing to rely on for security anyway.
And then, when their shitty "easy signups" authentication is exploited, they attempt to reframe the flaw as the individual's identity being stolen, rather than the bank being negligent.
In the US, a combination of personal information is taken by most as proof that you are who you claim to be. If you know enough of someone else's information, you can steal money rather easily. We need a better identity solution, but it's what we have right now.
There is probably no way to make that work, without improving the security. Same thing with credit cards, is it so hard to ask for a PIN when trying to pay with them? Or use 2FA like in any internet banking?
For what it's worth, here in Europe you could pretend to be someone else as well, if you have enough information, but what's the point when you can't touch their money?
>What do you mean by, "you can't touch their money"?
If you had the number of my credit card, my account number, my social security number (or the local equivalent), my address or my name, or whatever else, short of my 2FA device and my internet banking credentials, you won't be able to steal anything. (And at that point, you might as well walk up to my house, break a window and steal whatever the hell you need while I'm somewhere else, why bother with hacking.)
If the 2FA device is just a phone, there's a few things you can do, otherwise not really. Are you going to deploy a fake cell tower to steal the code? Probably just conning the cell company support person would be good enough. Not sure whether they'd mail a new SIM to a different address (and they'd probably let me know). Maybe they'd give it to you if you presented an ID. You could have a fake one made, I guess. It would be a bit weird if you didn't speak the local language though. Quite a lot of effort compared to copy pasting a credit card number. Not something you'd do on a large scale.
>And, if you are extremely persistent, you can spoof identity documents and hack bank accounts.
Yes, but against a determined attacker that singles you out, you are fucked regardless of what you do, especially if it's your bank or similar service provider that screws up even if you don't.
When applying for new accounts, or logging in from new devices, you should be receiving an email and/or sms on the endpoints of your choice. And then able to stop those things from happening.
There have indeed been issues of identity theft here in Sweden where the thieves ordered a new login to the 2fa app and then managed to get hold of it from postal offices with bad verification processes.
So now the practice is to fetch the credentials from the nearest bank office or something like that.
>Yes, but against a determined attacker that singles you out, you are fucked regardless of what you do, especially if it's your bank or similar service provider that screws up even if you don't.
Isn't that what we're trying to prevent- becoming the victim of a determined attacker?
I don't really care about protecting myself from /only/ script kiddies.
If I put my money in a bank and they "accidentally" allow someone other than myself to withdraw it, /the bank/ has been defrauded, not me.
Thanks to corporate control of the US gov't, it is now me who has actually been defrauded, thanks to some fun mental gymnastics.
So, I have to spend time and money and frustration trying to convince the bank to uh... what's it called... oh yes, give me my money back, please.
The system is broken for sure, but I really truly hope we can vote some people into office who will turn the tables on how these laws currently work.
Otherwise we will all eventually be hacked, stolen from, or worse.
That's the funny part - there's no 2fa available for most internet banking in Canada or the US. In Denmark we get the NemID card mailed to us, but in Canada it's just your card number+password+sometimes they ask a security question like "what high school did you go to?"
It is not only the US that is like that. Also in Norway it is considered a secret, and you can get a worrying amount of information about someone just by having their social security number.
My guess that this is misguided and muddled security thinking behind this, and is something that happens when the involved institutions do not have a coherent understanding of information security.
To me the fact that the data was hacked represents no real change, as I've viewed the organizations that had access to this information just as adversarial as the crooks who stole it. At least now anybody can pay the price to see, and that means there is no corporate monopoly on the data about us. It's time to face the world of open data and structure ourselves so that it is to our advantage.
Well I mean, what it comes down to is you need someway of establing that it's actually you over a phone or Internet and you can assume that an equifax-equivalent would be storing that info regardless of exactly what it is in Sweden.
>Well I mean, what it comes down to is you need someway of establing that it's actually you over a phone or Internet
Why do you need that exactly? If you are selling something, it's quite simple: if you receive the money, you provide the service -- if not, you don't.
The payment processor can use 2FA (this is actually done by a number of banks in Europe, when you enter the payment information, you get a text message with a code from your bank to confirm the transaction).
> The payment processor can use 2FA (this is actually done by a number of banks in Europe, when you enter the payment information, you get a text message with a code from your bank to confirm the transaction).
In Sweden you use a special authentication method you install on your phone through your bank to prove your identity. It's basically a national 2FA. So when you for example declare your taxes you enter your social security number and authenticate the action with your phone each time.
So no, I don't think there's any Equifax equivalent where a data leakage would enable stuff like this.
You open the account in person, by showing them your ID card. The bank has access to the central national database of IDs, so they can compare if the ID card shown by the person matches the information coming from the central db, matching the person showing it on the picture. Hence you have strong in-person proofing, that is now the basis for the 2FA.
Thats how it should be done, except in the US there is no way to check against a national database of IDs, not even on the state level with DMVs. You literally trust the plastic card the person shows you and thats where the problems start. Online its even worse.
Yes. If you steal the ID card or passport of a person who looks like you, you can do most things in life in their name. Take out a loan, travel the world, get married, etc.
The major benefits compared to SSN authentication still are:
* It's a physical object, you have to be physically present to steal each one instead of getting a hundred million at a time.
* Most people would quickly notice that their card is gone, report it, and get it revoked. You only have between a few hours to a week to use it, not the next 50 years.
Yes if you forge a drivers license or passport with my name and id number, and you put your own photo on it (or happen to look like me) you could probably do something bad like get a phone contract or request a credit card in my name.
However, most of those scenarios have the added security that the CC or some necessary confirmation letter to sign is sent to the registered address of that id. So you'd also have to stalk my mailbox to actually get the credit card. This actually happens - so people use locked mail boxes to protect against this.
That is, even for this "manual" id method, there is 2fa in the form of regular mail, made possible by the fact that you can't use my id and give them your street address. When you show my id - they immediately know what address belongs to that id.
@EGreg below me - no, the national database has biometric information including finger and retina prints as well (definitely fingerprints, not sure of retina prints). The bank is able to check that too.
Important thing here: each id number has an address. I.e if you call them and say you are Bob with id 123456789 then they know the street address. So they can send a confirmation letter that needs to be signed, to the address belonging to Bob with id 123456789.
This makes the phone scam a lot more involved because you can impersonate someone on the phone but the mail makes it kind of 2fa. The credit card you tried to open in Bob's name will always be sent to the real address of Bob.
The bank didn't need to store much here - names and addresses they can lookup directly from the id number.
When I got my first driver's license in Georgia USA, 1986, the license number was my SSN. Every system used it to identify you: banks, doctors...
But things started to get weird. As other have already commented, everyone got confused, and let "Identity" = "Authorization".
Perhaps in a world of paper records, this system would have been ok. But always more transactions from remote locations. Many stores required you to write the last four digits of SSN on checks, or credit card slips, because they had no way of authorizing the transaction with your bank. Large vendors had these little modems that could dial up and talk to your bank, but small shops only had paper.
Anyway, it was in the banks' interest to roll out Point-Of-Sale transaction tech, because USA banking laws committed the bank to pay the vendor.
But fraud increased as the tech got faster. Someone noted that Social Security, by explicit law, cannot be used as ID in any situation that is not directly involving a Social Security pension or insurance.
The banks and medical systems rolled a lot of the shift away from SSN under their huge Y2K projects.
Here we are. Now they all ask for other publicly-available personal information, and still confuse ID with Auth.
The social security cards here use to say "Not for identification." Then the IRS started using it as a Tax ID instead of creating their own (my Tax IDs in Australia and NZ, two places I had work visas for, were public as well).
Most countries have some type of citizen identification number, which is attached to some ID with a photo and/or finger prints. The US does not, and the political climate for the past several decades would probably never allow this. The Real ID act has been seen as a sign of the beast by religious fundamentalist and a basic erosion of rights by libertarians et. al.
Passport numbers can't be used either because not all US citizens/residents have a passport and the numbers change when you renew them. Most parents get a SSN for their child at birth. Even people I know with dual citizenship overseas have them (all except for one, and you don't really need one unless you want to go to America to work .. and then you'll also need to pay an immigration/tax lawyer to go back and reconcile all your taxes).
Yes, it kind of is public, because you have to use it in many contexts.
But knowing a persons name and social security number allows you to do all kind of misuse, i. e. identity theft. I have not lived in Sweden for 30 years, but I assume many things still work similar as here in Finland. Closing other people's credit cards and mobile phone subscriptions typically works by knowing the social security number. Ordering online without credit card and paying the bill (or not) after delivery, too.
I have now placed freezes [1] on my accounts with each of the four agencies.
It is perplexing to pay $5-10 to each of these companies that have collected my data without my permission to stop the sale of that data. In particular after they have mismanaged that data and put me at risk.
They will probably see a large surge in revenue based on this breach.
From the New York Times [0]:
In the meantime, here’s hoping that this breach is the nudge you need to finally sign up for permanent freezes on your credit files. I’ve used them for years, and here’s how they work. You sign up (and pay some fees, because you knew it wasn’t going to be free to protect data that you didn’t ask these companies to store, right?) at Equifax’s, Experian’s and TransUnion’s websites. Christina Bater, managing director at Barrett Asset Management in New York, suggests freezing your file at the little-known company Innovis, too. Hey, why not?
"New York attorney general Eric Schneiderman has hammered Equifax for using language meant to discourage arbitration and is asking Equifax for answers over the data breach. The company has stated since it would not bar consumers from joining breach-related lawsuits."
Is anyone else mortified that this is the reality? Where companies are allowed to dictate how much legal privilege we have to seek legal recourse if they legitimately screw up?
This title is patently false. After entering my information in the Equifax incident site, the site claimed that I and my mother were "potentially impacted". However, both my aunt and cousin were NOT "potentially impacted."
While my single experience qualifies as an anecdote, I nullifies this idiotic headline.
156 comments
[ 0.21 ms ] story [ 226 ms ] threadSpecifically, having current address info released for people who that could go badly for. eg ex-partners of violent people, maybe law enforcement (?) people, etc
If that's the case, then the fallout (and scrambling-to-relocate by people endangered) from it could be even more massive then so far mentioned. :/
Though it'd be nice if this caused new data privacy and protection regulations. (But it won't)
Here's the message I got:
Based on the information provided, we believe that your personal information was not impacted by this incident.
Click the button below to continue your enrollment in TrustedID Premier.
Maybe if they can't make a positive match against their "safe" list, they give the warning.
They seem to be matching on SSN alone, I entered a completely different last name, and still was told that I'm not impacted, so maybe no one with the last 6 digits of my SSN was impacted.
For every SSN entered, Equifax can say in a class action lawsuit that they have waivers from all the following SSNs ....
IANAL, but this looks like a sensible strategy for Equifax to save itself after screwing with people's SSNs and personal info.
It's a textbook scam.
This whole thing is just weird.
The sad thing is that they think the current solution is adequate. They do it this way because we are not their customers, we are their product. I would encourage to complain about this to your representatives. We could have much better protections about identity theft, have account frozen by default and without any fees. Have their credit checking services available for free.
Sadly, the business is structured so they actually are making money when it is easy to open a credit line, even illegitimate one.
Equifax themselves have said they'll only use the waiver with respect to the credit monitoring service, and not to the security breach:
https://techcrunch.com/2017/09/08/equifax-says-it-wont-bar-c...
You could say, "Maybe they're lying", but it seems like it would be pretty easy for the class action attorneys to act on your behalf here.
See: http://legal-dictionary.thefreedictionary.com/Promissory+Est...
Would it be possible to find any judge who can try this case, since the set of people affected by the breach is basically everyone?
IIRC, the judge doesn't need to recuse themselves of any/all cases where they are impacted, only that they must recuse themselves where they would be unable to be unbiased, or where there would be an appearance of being unbiased.
In the lower courts, when in doubt, that's decided by other judges. At the SCOTUS level, that's decided by the individual judge on an individual level.
So, yes... They will find a judge.
I freaking hate tactics like this, so I am offering to go through the mailing process for anyone who fills out the form at https://unarbitrate.org/. I'll pay to mail it, just because I hate this sort of thing. If you don't trust me with your data, the site also provides a way to print it and mail it yourself. But whatever it takes, I encourage everyone to opt out of this; you have nothing to gain by giving up these rights.
(I've submitted it to HN as well: https://news.ycombinator.com/item?id=15207151)
Reach out, should you need financial assistance.
with regards to giving up their right to class action
/s
1. Enter SSN
2a. Impacted by this hack
2b. Not impacted by this hack but will be impacted by next
I think it'd be nearly impossible to be an adult living on your own and not have your SSN in a credit agency's database.
If I had to guess, I would say that Equifax is not checking against a list of people that they know are compromised, but rather against a list that they know have NOT been compromised. So if you check a name, and it is in Equifax's database AND it is known to be uncompromised, you get back a "you are safe message". For everyone else they give a generic "you maybe were effected", emphasis on the "maybe".
Obviously a fictional person with fictional details is not going to be in Equifax's database, so they would just throw the generic maybe message.
Equifax says the 7-yr old "may" have been affected. The 5 yr old comes back clean.
This sure looks scammy.
My comments ... https://twitter.com/hpcjoe/status/906549917509980160
This is an extinction level event for Equifax. They need to be disassembled, their stored data destroyed correctly and securely, their negligent officers charged.
This isn't an accident. You don't surface 0.134 BILLION bits of PII without some sort of criminal level incompetence.
Any organization that uses Equifax data in any decision making process needs to be held accountable, as there may have been earlier intrusions also undiscovered, that have altered. Which, if they then choose to use them in any decision process whatsoever, brings them liability for misuse of possibly tampered with data.
I am quite serious when I say that Equifax should cease to exist as a result of this. All others should be audited for security, and audited hard.
Again, not being hyperbolic. But quite direct, with appropriate levels of anger at Equifax.
But this is a government with a grifter at the top, so I have almost no confidence attorney general Sessions will investigate this seriously, let alone destroy the company. He very clearly enjoys targeting e.g. black people who smoke weed with incarceration, destroying their lives, than punishing Equifax's officers, board, or shareholders with destruction.
I have more confidence in a handful of state attorneys general working on this effort.
I'm almost sure I once saw a quote from Bill Clinton's press secretary that said something like "We knew that if we could survive the first 5 days of a bad story, it would get dropped."
That perspective solidified for me during the Occupy Movement. Granted, it lasted much longer than 5 days, but ultimately, what of it? The FBI didn't investigate the bankers, it investigated the protesters.
You see it with Flint. You see it with Climate Change.
I've always been politically apathetic. Moreso as a foreigner where I recognize that living in a foreign country is a privilege, not a right. Plus I'm a cynical person (not a healthy habit). Which means that whenever I hear about "boycotts", or "writing to your representative", or "held criminally responsible", or "..." I always think two things. First, that people are naïve, and second, what's it going to take to drive people to take un-ignorable action?
Brave New World.
You can be cynical of the government and the regulators and still do something about it. If you are a landlord and running a credit check don't use Equifax. Maybe this will open the door for startup in the space.
I honestly think that criminally they are going to get a slap on the wrist if anything. The majority of damages will come from civil suits.
The anger will become a mob that enacts change when a critical mass of people lose access to food and/or shelter.
> what of [Occupy]
Occupy was very successful at (re-)introducing class warfare into the public dialog.
> First, that people are naïve, and second, what's it going to take to drive people to take un-ignorable action?
3rd, why isn't this anger organizing into larger activist/political movements? Well, with enough surveillance data and modern data analysis tools it's easy to find the "leaders" or "organizers" that bring people together. Remember JTRIG[1]?
[1] https://theintercept.com/2014/02/24/jtrig-manipulation/
What nodes in the graph of connections would you target? Intuition says go after the nodes with tons of connections to tons of people. Intuition is, as it almost always is, dead wrong. Removing those massively-connected people in a social network is basically useless. They are almost exclusively connected to people who are already connected to one another. They're the center of clusters, and you will almost never route through one in an attempt to find the path to Mr. Bacon.
Instead, what you want to look for are node which bridge clusters. People who are usually not strongly connected to one of the clusters they are associated with, but provide a conduit through which connections can be made. Because they are inherently a bit 'different' from the people in each of the clusters they bridge (few others bridge those two clusters), they tend not to be important figures. They're a member of a biker gang who hangs out with his great aunts knitting circle on Saturdays. They're the ones who facilitate the flow of ideas between groups that never speak to one another otherwise.
So you know who to target... but how many 'bridge' nodes like that do you need to really take out in order to significantly increase the 'distance' between nodes on the graph on average? Disturbingly few. Removing something like 25 nodes from the graph of tens of thousands of performers will make it so you need 15 or more connections on average to get to Mr. Bacon. (The book 'Linked: The New Science of Networks' details the research specifically, its been years since I read it though so I am fuzzy on exact numbers but it was definitely fewer than 30 you needed to remove)
Now, imagine a crazy scenario where you had access to the social graph of a country (somehow!) and knew who was talking to who. And your goal was just to maintain the status quo. Well, what does any large-scale social change require? An idea must spread to large numbers of extremely different, and almost entirely disconnected, groups. Any idea that remains sheltered in one or a few groups will die out of its own accord. A revolution doesn't happen because one minority wills it, there has to be buy-in from a wide array of groups. So remove those bridge nodes. Any widespread social change becomes very nearly impossible.
But what is "removing a node"? I'm not talking about black-bagging a person and dragging them off to some hole or blowing their brains out. Such things are entirely unnecessary and counter-productive. The more significant your action is, the more profound the unintended consequences will be and predicting the outcome quickly becomes intractable. Instead, notice that those bridges are usually connected more strongly to one cluster rather than the other. If their communication became more burdensome to the group they are less connected to... for how long would they persist in fighting to maintain it? If something nutty happened and they had to change their phone number, what're the odds they'll forget to give the new one to the contact in a group they're barely involved in?
You could have very quiet oppression through these means. I expect there would be unintended consequences, and have been trying to figure out for a few ways a good way to detect such changes in a social network, but its just a thing I keep in the back of my head, not something I actively work on. If you've got any ideas, I'd be happy to hear them.
There is an entire industry keen to get people unconstructively angry about unrealistic threats so they can sell gold and ammunition.
While I am upset on behalf of all affected consumers, mere words cannot adequately express the unbridled joy that I experienced when I found out that they were likely, at a minimum, going to lose hundreds of millions (or more) over this. Having dealt with high level executives at the company, I can tell you that an event like this is wholly unsurprising given their nonchalant attitudes toward...pretty much everything. I absolutely hope you are right that this is an extinction level event for them. My admittedly biased opinion is that they are an irresponsible company with far too much power over peoples' lives, run by malevolent executives. The company should probably cease to exist, at least in its current form.
So 134 Million then. I mean that's still an extreme amount of bits ofc. Just seems silly to use the "billion" signifier for something that is less than 1 billion.
Likewise it'd be strange to call something "1000 milliunits" instead of just 1 unit. (Unless ofc milli happens to be the frame of reference for some obvious reason like "15 millunits of x is a deadly dose".)
Again, stylistic.
The thing that really incenses me about this whole debacle is the system is designed to benefit from its own incompetence! All these "identity theft solutions" that the big credit bureaus provide are just a way to charge consumers more for a problem that the consumer had nothing to do with in the first place!
http://www.ncdoj.gov/freefreeze
Equifax were already in the process of having the law rewritten in their favour by the Republican party, at least that might be derailed or delayed for a few years. https://www.americanbanker.com/news/equifax-breach-may-kill-...
There's some claims here about the history of Equifax as a form of legal redlining, but they're a bit hard to substantiate with simple googling: https://twitter.com/matthewstoller/status/906257077215133696
The same is not true of software-driven systems. There are no licensed developers, no regulatory body determining what tools must be made available, no guarantee of primacy of technical engineering concerns over business management. If a software engineer says "it needs more testing" or even "there is a bug that will kill people" and the CEO says "ship it", it ships and the courts will do nothing. This was proven to be true even in cases where incompetent management results in bad software that gets people killed in the case against Toyota with their "unintended acceleration" due to a firmware bug that would have been caught immediately if the developers had static analysis tools.
Companies fight against the establishment of any sort of standards because it would reduce their profit margins. Developers fight against the establishment of any sort of standards because it would raise the barrier to entry in the field and no matter who the standards body consists of, they will select standards which people disagree with, they will be reluctant and slow to change or update them, etc. Both sides are right. But the alternative is companies having free reign up to and including incompetence of the degree which gets people killed with no accountability. People are overall very bad at decisions between two scenarios with clear negatives on both sides. They feel entitled to a 'clean' option and are uncomfortable with saying "I embrace the negatives and accept the burden of working hard to try to minimize their harm in order to gain the benefits of this option." Accepting the negatives implies taking some responsibility for bringing them to fruition and no one wants to be responsible for that - even if the alternative is worse. Not every decision is easy.
So, instead of dissolution, I propose two very reasonable remedies that I would consider the absolute minimum in concert with whatever fines and sanctions may be levied:
1. Credit freezes/unfreezes must be offered free in perpetuity. “They cost us money to perform” is not a remotely appropriate objection - offering this for free should be a basic cost of doing business in the credit reporting industry.
2. Affected individuals (everyone, basically) must be granted a minimum of 10 years of credit monitoring following the breach. One year is a free sample you get with a coupon code from a podcast. Furthermore, the service must not auto-renew at the end of the term: send users a security report and let them decide if they want to opt-in to continued monitoring after the term ends.
When a charge of more than $100 is made on my credit card, I get a text message instantly. When I log into my banks web system, I get a text message instantly. I was able to set those things up. I don't see why it would be unreasonable to have a similar thing set up so that I could be alerted every single time my credit history is queried with information about who is querying it for what purpose, ideally with the ability to block it by replying to the text message.
That's what the 10yr monitoring is for?
1. Equifax was never hacked.
2. Equifax accidentally deleted a substantial portion of their database.
3. Come up with a system to get the information they lost back, via a "have I been pwned?" checker.
3a. If you enter your details and they are not in their database, they assume it is one of the persons they deleted, add it to their database, and give you a "maybe hacked" message. Obviously a fictitious person would never have been in any of their databases, deleted or otherwise. So, assuming this fake person must be a deleted person, they add the info and show the "maybe hacked" message.
3b. If you enter your details and you are one of the lucky (haha) persons that were not deleted, you get a "you are safe" message.
4. Equifax gets a lot of their database they deleted back with little effort on their part.
What do you think?
They'd probably give it to them for free if that would avoid a huge public disclosure.
Though the proposed scenario is impossible, if Equifax really did lose most of their database, asking users to type in their current name/address/SSN (or buying it from a competitor) wouldn't help them, the valuable data is in the credit history, and without that data, Equifax has no business, so they'll go bankrupt. Even if they asked consumers for the data, few people know all of the data that the credit agencies have on them.
Surreptitiously recreating a database? They can get a list of SSNs from the government, what is a user going to add to that? One of their addresses? All of their previous financial activity? What do you think the database contains?
Not to mention the idea that Equifax doesn't have backups.
Although most people know of stories where backups were broken, didn't work, (etc) for some reason, it would be truly mind boggling for it to be the case here.
Deleting a substantial amounts of production data... seen that before (I used to be a NetBackup Admin for large places). But recovery procedures do exist, and for them not to have multiple levels of recovery available for their core mission data is extremely unlikely.
Also the data that leaked is not the valuable data to them. See how proudly they stated that no core databases were affected? Not giving a damn about us?
What's valuable to them and to banks that use them are the actual information about our credit. If that was compromised that would kill them, because they would lose trust of their real customers (banks).
I suspect the reason for this might be that I froze my info years ago.
In some way they must be screening against people who are frozen, or I got lucky.
Quote from the article:
> In the early hours after the breach announcement, the site was being flagged by various browsers as a phishing threat. In some cases, people visiting the site were told they were not affected, only to find they received a different answer when they checked the site with the same information on their mobile phones.
[1]: https://gixtools.net/2017/09/equifax-breach-response-turns-d...
I'm sure Techcrunch verified this is legit, but there's going to be a lot of similar sites shared on Facebook popping up that are similar to get your data.
They could issue that response regardless of what you type and cover all possibiliites.
My guess: to account for typos, they are responding with "may have been impacted" if they get a hit on either the name or SSN, not only when there is a match on both.
"As specified on the website, Your membership subscription may be subject to automatic renewal. TrustedID may, in its sole discretion, terminate this Agreement (or suspend, terminate, or otherwise restrict Your use of and access to the Product) at any time, without notice."
Not only can they renew you automatically (unclear what the renewal term is, plausibly the autorenew could obligate you with another year of service you'd have to pay for); but they can also cancel the service, and not inform you. So you're "protected". Maybe. You don't really know, nothing about it is transparent.
What we do know, is they're bad at their job of protecting consumer credit data from people who shouldn't have it. They're not to be trusted, and therefore no good reason to agree to anything they offer.
Relevant comedy: https://www.youtube.com/watch?v=CS9ptA3Ya9E
For what it's worth, here in Europe you could pretend to be someone else as well, if you have enough information, but what's the point when you can't touch their money?
You can spoof their identity, to instantly acquire material goods / lines of credit.
And, if you are extremely persistent, you can spoof identity documents and hack bank accounts.
If you had the number of my credit card, my account number, my social security number (or the local equivalent), my address or my name, or whatever else, short of my 2FA device and my internet banking credentials, you won't be able to steal anything. (And at that point, you might as well walk up to my house, break a window and steal whatever the hell you need while I'm somewhere else, why bother with hacking.)
If the 2FA device is just a phone, there's a few things you can do, otherwise not really. Are you going to deploy a fake cell tower to steal the code? Probably just conning the cell company support person would be good enough. Not sure whether they'd mail a new SIM to a different address (and they'd probably let me know). Maybe they'd give it to you if you presented an ID. You could have a fake one made, I guess. It would be a bit weird if you didn't speak the local language though. Quite a lot of effort compared to copy pasting a credit card number. Not something you'd do on a large scale.
>And, if you are extremely persistent, you can spoof identity documents and hack bank accounts.
Yes, but against a determined attacker that singles you out, you are fucked regardless of what you do, especially if it's your bank or similar service provider that screws up even if you don't.
When applying for new accounts, or logging in from new devices, you should be receiving an email and/or sms on the endpoints of your choice. And then able to stop those things from happening.
So now the practice is to fetch the credentials from the nearest bank office or something like that.
Isn't that what we're trying to prevent- becoming the victim of a determined attacker?
I don't really care about protecting myself from /only/ script kiddies.
If I put my money in a bank and they "accidentally" allow someone other than myself to withdraw it, /the bank/ has been defrauded, not me.
Thanks to corporate control of the US gov't, it is now me who has actually been defrauded, thanks to some fun mental gymnastics.
So, I have to spend time and money and frustration trying to convince the bank to uh... what's it called... oh yes, give me my money back, please.
The system is broken for sure, but I really truly hope we can vote some people into office who will turn the tables on how these laws currently work.
Otherwise we will all eventually be hacked, stolen from, or worse.
That's the funny part - there's no 2fa available for most internet banking in Canada or the US. In Denmark we get the NemID card mailed to us, but in Canada it's just your card number+password+sometimes they ask a security question like "what high school did you go to?"
https://www.youtube.com/watch?v=Erp8IAUouus
My guess that this is misguided and muddled security thinking behind this, and is something that happens when the involved institutions do not have a coherent understanding of information security.
Why do you need that exactly? If you are selling something, it's quite simple: if you receive the money, you provide the service -- if not, you don't.
The payment processor can use 2FA (this is actually done by a number of banks in Europe, when you enter the payment information, you get a text message with a code from your bank to confirm the transaction).
I think 3-D Secure is the protocol they use.
https://en.wikipedia.org/wiki/3-D_Secure
So no, I don't think there's any Equifax equivalent where a data leakage would enable stuff like this.
Thats how it should be done, except in the US there is no way to check against a national database of IDs, not even on the state level with DMVs. You literally trust the plastic card the person shows you and thats where the problems start. Online its even worse.
The major benefits compared to SSN authentication still are:
* It's a physical object, you have to be physically present to steal each one instead of getting a hundred million at a time.
* Most people would quickly notice that their card is gone, report it, and get it revoked. You only have between a few hours to a week to use it, not the next 50 years.
However, most of those scenarios have the added security that the CC or some necessary confirmation letter to sign is sent to the registered address of that id. So you'd also have to stalk my mailbox to actually get the credit card. This actually happens - so people use locked mail boxes to protect against this.
That is, even for this "manual" id method, there is 2fa in the form of regular mail, made possible by the fact that you can't use my id and give them your street address. When you show my id - they immediately know what address belongs to that id.
The 2fa app is driven by a separate company that only does identification service.
This makes the phone scam a lot more involved because you can impersonate someone on the phone but the mail makes it kind of 2fa. The credit card you tried to open in Bob's name will always be sent to the real address of Bob.
The bank didn't need to store much here - names and addresses they can lookup directly from the id number.
When I got my first driver's license in Georgia USA, 1986, the license number was my SSN. Every system used it to identify you: banks, doctors...
But things started to get weird. As other have already commented, everyone got confused, and let "Identity" = "Authorization".
Perhaps in a world of paper records, this system would have been ok. But always more transactions from remote locations. Many stores required you to write the last four digits of SSN on checks, or credit card slips, because they had no way of authorizing the transaction with your bank. Large vendors had these little modems that could dial up and talk to your bank, but small shops only had paper.
Anyway, it was in the banks' interest to roll out Point-Of-Sale transaction tech, because USA banking laws committed the bank to pay the vendor.
But fraud increased as the tech got faster. Someone noted that Social Security, by explicit law, cannot be used as ID in any situation that is not directly involving a Social Security pension or insurance.
The banks and medical systems rolled a lot of the shift away from SSN under their huge Y2K projects.
Here we are. Now they all ask for other publicly-available personal information, and still confuse ID with Auth.
Most countries have some type of citizen identification number, which is attached to some ID with a photo and/or finger prints. The US does not, and the political climate for the past several decades would probably never allow this. The Real ID act has been seen as a sign of the beast by religious fundamentalist and a basic erosion of rights by libertarians et. al.
Passport numbers can't be used either because not all US citizens/residents have a passport and the numbers change when you renew them. Most parents get a SSN for their child at birth. Even people I know with dual citizenship overseas have them (all except for one, and you don't really need one unless you want to go to America to work .. and then you'll also need to pay an immigration/tax lawyer to go back and reconcile all your taxes).
Here's a great video on it: https://www.youtube.com/watch?v=Erp8IAUouus
But knowing a persons name and social security number allows you to do all kind of misuse, i. e. identity theft. I have not lived in Sweden for 30 years, but I assume many things still work similar as here in Finland. Closing other people's credit cards and mobile phone subscriptions typically works by knowing the social security number. Ordering online without credit card and paying the bill (or not) after delivery, too.
It is perplexing to pay $5-10 to each of these companies that have collected my data without my permission to stop the sale of that data. In particular after they have mismanaged that data and put me at risk.
They will probably see a large surge in revenue based on this breach.
[1] https://www.consumer.ftc.gov/articles/0497-credit-freeze-faq...
There are quite a few, actually.
[0] https://www.nytimes.com/2017/09/08/your-money/identity-theft...
Is anyone else mortified that this is the reality? Where companies are allowed to dictate how much legal privilege we have to seek legal recourse if they legitimately screw up?
While my single experience qualifies as an anecdote, I nullifies this idiotic headline.