Wow. They continue to dig deeper in this mess. I got that email and it looked so sketchy that I marked it as phishing. Do they have no one actually thinking this through?
It's a shame we have to wait for the lawsuits to have an impact on them since we aren't their customers and can't take our business elsewhere.
> we aren't their customers and can't take our business elsewhere
This is an understatement. We are literally a cost center for them. Complying with the Fair Credit Reporting Act is the only reason they bother listening to our complaints, yet that same Fair Credit Reporting Act has effectively enshrined the big 3 credit bureaus with a moat against effective competition.
Believe it or not, it really is. I was given this example by an attorney who specialized in HIPAA law: Say a chain store has a breach and the only thing that was stolen was a customer's name and their flu shot records - that wouldn't be that big of a deal, right? Well, say one of those customers was a fitness guru who built an empire on natural and holistic remedies. This changes the entire context of the breach.
The same thing would work for age. Look at that ridiculous California law they proposed to get IMDb to stop showing actors' and actresses' birthdays. There can always be a claim of age discrimination - especially in finance.
How on earth would that work? You're going to have to disclose your DOB at some point in the process to landing a job or applying for a loan regardless of any 'age discrimination'.
Because, for instance you have to be over 18 to get a job, because your minimum wage could be indexed to age, because your CV will give most of that away anyway and because various official forms your employer will need to fill in accurately contain a field for 'date of birth'.
You probably can't even open a bank account without specifying your DOB, let alone get a job or a loan.
I know people stick their DOB (and photo!) on their CVs in the Netherlands. As far as I'm aware that would be quite odd to see in the US. There are some differences here in what is comfortably or preemptively shared with employers between the US and the NL.
It's still the usual way of things in Germany. You bet I had a nice professional photo taken. You list not only your birth date, but birthplace and marital/family status.
Job-hunting as a married-but-childless 30 year old woman here is awesome. Not. When I was stupid enough to make the whole "why do we list our family status on our resumes" thing a point of smalltalk towards the end of one of my first interviews here, the guy cheerfully told me, "oh, because we need to pay a family father of 3 more than we need to pay a single guy"
... and the young, childless wife of an engineer working at that small city's most generously-paying employer? The guy did not seem to believe I needed a job at all. All's well that ends well, and I'm now in a far better job that has a relatively transparent union payscale, but it stung at the time.
My husband, a German, has told me that you used to also list the occupations of your parents!
Good grief, that's incredibly off-putting. I've refused to add a photo and DOB to my CV on principle and fortunately it hasn't seemed to hinder my job seeking.
I'm just saying that just because you're willingly giving your DOB, doesn't mean it's not considered "sensitive information". An employer can use it to determine if you're old enough to work there (Arby's for example), but if it got out, someone could possibly use it against you, so it's considered sensitive.
IIRC the social security number is not a globally unique identifier (only 1e9 unique values). However, in practice, the (SSN, birthdate) tuple generally is unique.
To date, less than half of the total possible SSNs have been used. They are not re-used at this time. (1)
1) I worked in a large hospital in medical information systems, and the edge cases of SSN included the (required) SSN for newborns and unidentified patients. For the former, we re-used the SSN of the mother, but added a suffix. (So in our database, it wasn't just a 9 digit integer, it was a >9 character string. I can't recall how long.) When the newborn got an SSN assigned, we updated it. For John/Jane Doe folks, we used something like all zeros or some such, with an 'auto-incrementing' character suffix. These were re-used.
ID Analytics did a study in 2010 that found 40 million out of 290 million SSNs were assigned to more than one person. The conclusion is that the odds of someone else having your SSN are roughly 1:6.
Other highlights of the study include:
1) How many SSNs do you have? – 6.1 percent of
Americans have at least two SSNs associated
with their name. More than 100,000 Americans
have five or more SSNs associated with their name.
2) Some SSNs are very popular – More than 15 percent
of SSNs are associated with two or more people.
More than 140,000 SSNs are associated with five
or more people. Significantly, more than 27,000
SSNs are associated with 10 or more people.*
> ID Analytics did a study in 2010 that found 40 million out of 290 million SSNs were assigned to more than one person.
Since their count of duplication the other way was based on SSNs associated with names, I wonder if they made the same mistake for that direction (assuming name = person). People can both share identical names and have different names over their lifetime, so even if SSNs were 1:1 with people there would be SSNs associated with multiple names and names with multiple associated SSNs.
I doubt they did, based upon the news reporters reposting examples from the study for the last 7 years. In particular where the name is identical or almost the same, DOB is the same, State of Birth is the same, but the birth city or county differs.
You read the name reference from the first sentence of a blog. The blog entry also mentions two of the main reasons, data entry errors and fraud.
Well cited, thank you! My information/recollection would be more correctly stated as 'the social security administration has handed out less than half of the one billion possible numbers'.
I'm not too surprised that all kinds of zany things happen with such a relatively important, relatively scarce resource.
> This is probably why it's considered "sensitive."
The Social Security Administration calls the SSN "confidential" in their own documentation to citizens.
It wasn't well designed for the modern era and Congress is ill-equipped to try and tackle the real problem (we don't have a national ID card with some sort of chip & pin/passphrase/biomarker).
One's date of birth, in isolation, may or may not be particularly sensitive. However, in combination with other information, it can help positively ID a person, and can then be used for shenanigans.
Example:
* Jacob Smith -- Not particularly identifying
* Jacob Smith, born in 2004 -- Narrows it down, but that's the most common surname in the US, and the most popular 1st name for 2004
* Jacob Smith, born July 22 2004 -- Narrows it down a lot more. Even if you have a couple thousand Jacob Smiths born in 2004, it's unlikely that more than a few will share a single birthday
* Jacob Smith, born July 22 2004, in Burbank, California -- Odds are you've identified a single individual at this point.
A single datum in isolation doesn't tell you much. But the more data you have, the easier it is to use that data for good or evil.
A further point, a date of birth can be used for validation of a SSN, making that SSN even more useful for shenanigans.
Date of birth is essential, because all trusted identity documents, including SSN, are anchored to your birth certificate. It’s basically the root of trust that you are you.
DNA, Fingerprints, footprints (captured at birth), retina patterns, etc can all identify that you are the same person that you were yesterday.
Your identity is defined by that birth certificate in most cases. In corner cases, immigration, refugee or some other document may replace it. Birth is unique because it’s the moment when you become a recognized human, and there is at least one witness to the event or the immediate aftermath. You cannot be born or die more than once, so it makes sense to chronicle that moment.
Here’s an example of how the state of New York identifies you. It is all tied to the record of your birth, either directly or indirectly.
For government purposes, Name and DoB has sometimes been considered "unique enough". There was an article[1] about two women in NYC that ran into this issue; it caused one of them (the one with good credit) lots of heartache.
It's stupid, but "mother's maiden name", "name of your first pet", "street that you lived on when you were young", etc are now de facto sensitivedata by virtue of the fact that they can be frequently used to bypass your website passwords. In 2008, Sarah Palin's Yahoo mail account was breached because the answers to all of her security questions were effectively on her Wikipedia page.
I've long since moved my family to password vaults to store nonsense strings for these password recovery questions and answers, for shielding against precisely this attack vector. Now if I could only get them to adopt 2FA for the master password of the vault.
Thanks so much for pointing me to that. If I had an always-air-gapped ORWL, I'd probably put a generator on it to be able to quickly generate them; I generate an absurd number of accounts each week, since I don't tie into SSO offers over public sites.
Only concern I need to solve for is sifting these lists for confusing words like homophones that are difficult to clearly say the words over an audio-only connection. This drives down the convenience and increases the time to call out the passphrase, since I then revert to the phonetic alphabet. Unfortunately, I've only found various lists [1], but not something that grabs the list, looks up the ExtIPA pronunciation [2] for each word, then applies rules to rank the clarity of each word when spoken over the phone.
That last part is where I am stumbling. I can't find the rules that govern what we know about clarity over telephone links, though AT&T must have has studied this at some point. I can come close, with this article [3] about factors that explain why the sounds “f”, “th”, and “s” are difficult for hearing-impaired to hear. Ideally, a ranking of not just individual words in a selected Diceware list, but also ranking of the clarity of a selected passphrase as well, would come out of such a systematic categorization.
TIL, thanks for pointing out that social engineering could probably penetrate lax security operational standards at some companies. All someone has to do is state it's random on every account they already put through with known information but can't answer the password recovery questions upon, put on a flustered & angry act, and I bet some percentage of call center reps will buy it. I'll modify my practice accordingly.
My response to "your first car?" is a plausible-for-someone-a-generation-older-than-I-am make and a completely made-up model. The same with all my other security questions; the data fits what is being asked for but is almost completely fictional. That's "good enough" for me.
Here's a more in-depth analysis from the perspective of trying to figure out if the e-mail and site are legit which covers all the various things Equifax did wrong:
> Equifax is missing a lot of basics when it comes to communications and web security and must take steps to increase the trust between themselves and their customers by:
A great analysis marred only by a misunderstanding of who Equifax considers their customers.
At some point? Before the breach you paid ($17.95/mo IIRC) for "TrustedID Premier".
And during this breach, the first year is all that's free. You need to entering billing data to enroll, and they -will- start billing after the free period unless you cancel first.
Sure it did. You gave your information and they provided an accurate credit history. You trusted that information was correct, and if it didn't line up you would be contacting authorities or credit agencies trying to counter fraud and fix your life.
Equifax's business model relies on banks trusting them, not the general public. Also, I never asked to do business with Equifax and never really had a choice in the matter. I'm the product, they don't care if I trust them.
No, I never gave them my information-- someone, or something, else did without my explicit consent. If anything I would've explicitly denied them storing any and all of my information but I was never given that choice.
I'm not sure what you think Equifax's business is but you misunderstand it. Nobody gives any of their information directly to Equifax(1), they are a third party data broker. They get their information from third parties, otherwise it would not be reliable ("I totally paid that debt, trust me.)
Equifax's customers are banks, credit card companies, phone and utility companies, gyms, background check services, and landlords
(1) other than to ask them what information they already have on you.
If you had security people on staff at equifast, you'd already have realized how to stop your security bumbling, fumbling, and stumbling. Of course, you'd need to listen to their advice, first.
62 comments
[ 2.7 ms ] story [ 83.5 ms ] threadIt's a shame we have to wait for the lawsuits to have an impact on them since we aren't their customers and can't take our business elsewhere.
This is an understatement. We are literally a cost center for them. Complying with the Fair Credit Reporting Act is the only reason they bother listening to our complaints, yet that same Fair Credit Reporting Act has effectively enshrined the big 3 credit bureaus with a moat against effective competition.
Dates of birth are considered sensitive data? That's pretty sad
The same thing would work for age. Look at that ridiculous California law they proposed to get IMDb to stop showing actors' and actresses' birthdays. There can always be a claim of age discrimination - especially in finance.
You probably can't even open a bank account without specifying your DOB, let alone get a job or a loan.
https://www.uscis.gov/i-9
Job-hunting as a married-but-childless 30 year old woman here is awesome. Not. When I was stupid enough to make the whole "why do we list our family status on our resumes" thing a point of smalltalk towards the end of one of my first interviews here, the guy cheerfully told me, "oh, because we need to pay a family father of 3 more than we need to pay a single guy"
... and the young, childless wife of an engineer working at that small city's most generously-paying employer? The guy did not seem to believe I needed a job at all. All's well that ends well, and I'm now in a far better job that has a relatively transparent union payscale, but it stung at the time.
My husband, a German, has told me that you used to also list the occupations of your parents!
This is probably why it's considered "sensitive."
1) I worked in a large hospital in medical information systems, and the edge cases of SSN included the (required) SSN for newborns and unidentified patients. For the former, we re-used the SSN of the mother, but added a suffix. (So in our database, it wasn't just a 9 digit integer, it was a >9 character string. I can't recall how long.) When the newborn got an SSN assigned, we updated it. For John/Jane Doe folks, we used something like all zeros or some such, with an 'auto-incrementing' character suffix. These were re-used.
https://www.pcworld.com/article/3004654/government/a-tale-of...
Other highlights of the study include:
http://www.idanalytics.com/blog/press-releases/20-million-am...Since their count of duplication the other way was based on SSNs associated with names, I wonder if they made the same mistake for that direction (assuming name = person). People can both share identical names and have different names over their lifetime, so even if SSNs were 1:1 with people there would be SSNs associated with multiple names and names with multiple associated SSNs.
You read the name reference from the first sentence of a blog. The blog entry also mentions two of the main reasons, data entry errors and fraud.
I'm not too surprised that all kinds of zany things happen with such a relatively important, relatively scarce resource.
The Social Security Administration calls the SSN "confidential" in their own documentation to citizens.
It wasn't well designed for the modern era and Congress is ill-equipped to try and tackle the real problem (we don't have a national ID card with some sort of chip & pin/passphrase/biomarker).
Example:
* Jacob Smith -- Not particularly identifying
* Jacob Smith, born in 2004 -- Narrows it down, but that's the most common surname in the US, and the most popular 1st name for 2004
* Jacob Smith, born July 22 2004 -- Narrows it down a lot more. Even if you have a couple thousand Jacob Smiths born in 2004, it's unlikely that more than a few will share a single birthday
* Jacob Smith, born July 22 2004, in Burbank, California -- Odds are you've identified a single individual at this point.
A single datum in isolation doesn't tell you much. But the more data you have, the easier it is to use that data for good or evil.
A further point, a date of birth can be used for validation of a SSN, making that SSN even more useful for shenanigans.
There is no identification that can be made that doesn't at some point reference DOB.
Not saying that any of those are great, or even defect free, but you could certainly come up with schemes that don't involve DoB?
Your identity is defined by that birth certificate in most cases. In corner cases, immigration, refugee or some other document may replace it. Birth is unique because it’s the moment when you become a recognized human, and there is at least one witness to the event or the immediate aftermath. You cannot be born or die more than once, so it makes sense to chronicle that moment.
Here’s an example of how the state of New York identifies you. It is all tied to the record of your birth, either directly or indirectly.
https://dmv.ny.gov/driver-license/prove-identity-age-permitl...
If you don't already know WHO the person is, you are verifying sameness of a person not relating to a known identity in identification.
This is a real question. In what scenario would you chip someone or take their DNA if you didn't already know their DOB?
It's stupid, but "mother's maiden name", "name of your first pet", "street that you lived on when you were young", etc are now de facto sensitive data by virtue of the fact that they can be frequently used to bypass your website passwords. In 2008, Sarah Palin's Yahoo mail account was breached because the answers to all of her security questions were effectively on her Wikipedia page.
[1] https://www.theguardian.com/us-news/2017/apr/03/identity-the...
[0]: https://xkcd.com/936/
[1]: http://world.std.com/~reinhold/diceware.html
Only concern I need to solve for is sifting these lists for confusing words like homophones that are difficult to clearly say the words over an audio-only connection. This drives down the convenience and increases the time to call out the passphrase, since I then revert to the phonetic alphabet. Unfortunately, I've only found various lists [1], but not something that grabs the list, looks up the ExtIPA pronunciation [2] for each word, then applies rules to rank the clarity of each word when spoken over the phone.
That last part is where I am stumbling. I can't find the rules that govern what we know about clarity over telephone links, though AT&T must have has studied this at some point. I can come close, with this article [3] about factors that explain why the sounds “f”, “th”, and “s” are difficult for hearing-impaired to hear. Ideally, a ranking of not just individual words in a selected Diceware list, but also ranking of the clarity of a selected passphrase as well, would come out of such a systematic categorization.
[1] http://www.stlcc.edu/Student_Resources/Academic_Resources/Wr...
[2] https://en.wikipedia.org/wiki/Extensions_to_the_Internationa...
[3] https://www.hearingaidknow.com/words-difficult-to-understand...
https://www.linkedin.com/pulse/equifax-how-can-you-phished-t...
A great analysis marred only by a misunderstanding of who Equifax considers their customers.
And during this breach, the first year is all that's free. You need to entering billing data to enroll, and they -will- start billing after the free period unless you cancel first.
Regain? Equifax's business model has never depended on having the public's trust in the first place.
Your grasp of how this all works is unsettling.
Equifax's customers are banks, credit card companies, phone and utility companies, gyms, background check services, and landlords
(1) other than to ask them what information they already have on you.
http://archive.is/648A5
If you had security people on staff at equifast, you'd already have realized how to stop your security bumbling, fumbling, and stumbling. Of course, you'd need to listen to their advice, first.