Linked by Thom Holwerda on Thu 7th Sep 2017 23:45 UTC
Legal

Equifax Inc. today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company's investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax's core consumer or commercial credit reporting databases.

Names, social security numbers, birthdays, addresses, driver's license numbers, credit card numbers - this is a very big breach.

Interestingly enough, three executives of the credit reporting agency sold their shares in the company days after the breach was discovered.

Comment by PJBonoVox
by PJBonoVox on Fri 8th Sep 2017 00:04 UTC
PJBonoVox
Member since:
2006-08-14

Isn't that practically insider trading?

Reply Score: 5

RE: Comment by PJBonoVox
by ahferroin7 on Fri 8th Sep 2017 12:20 UTC in reply to "Comment by PJBonoVox"
ahferroin7 Member since:
2015-10-30

Only if they actually knew about the breach and it influenced their decision.

People with stock options in their employer as part of their benefits often sell off stock on a semi-regular basis so that they don't have all their money tied up in one company. Without further background on the individuals, I'd say it's 50/50 whether it was insider trading or not.

Reply Score: 2

RE: Comment by PJBonoVox
by Bobthearch on Fri 8th Sep 2017 17:12 UTC in reply to "Comment by PJBonoVox"
Bobthearch Member since:
2006-01-27

Practically? It's the definition of Insider Trading.

Company executives regularly sell stock in their companies, true enough. But it's normally done at pre-scheduled intervals in order to avoid any perception of Insider Trading. These Equifax trades were not announced and not part of an existing routine trade program.

The source journalist at Bloomberg (if your ad-blocker is up to the task):

https://www.bloomberg.com/news/articles/2017-09-07/three-equifax-exe...

An Equifax statement claims the executives "had no knowledge that an intrusion had occurred at the time." And if you believe that...

Reply Score: 4

RE[2]: Comment by PJBonoVox
by daveak on Sat 9th Sep 2017 10:54 UTC in reply to "RE: Comment by PJBonoVox"
daveak Member since:
2008-12-29

removed as I didn't read the parent

Edited 2017-09-09 10:54 UTC

Reply Score: 2

Comment by ilovebeer
by ilovebeer on Fri 8th Sep 2017 00:24 UTC
ilovebeer
Member since:
2011-08-08

"Based on the company's investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax's core consumer or commercial credit reporting databases."

Of course not. Hackers tend to sit on that kind of data for years because there's no rush. People can't change their social security numbers, drivers license number, birthday, etc., and anything you can change is easily obtainable with the information you can't.

What I'd like to know is what Equifax is going to do to clean up the mess once people start having their lives ruined. I've seen/read reports of erroneous credit files that took the victims 10-15 years or *more* to clear up, all while suffering the consequences in that time.

Reply Score: 8

Public social security numbers
by dark2 on Fri 8th Sep 2017 00:43 UTC
dark2
Member since:
2014-12-30

I hear one of the European countries solves this problem by making their version of the social security number public information, that way anyone can look online and verify if they have the right person. The secret number thing just doesn't work at all.

Reply Score: 4

Thom_Holwerda Member since:
2005-06-29

In most countries, the SSN isn't actually an ID number. The problem in America is not with the SSN in and of itself, but with its misuse as an ID number - because for some weird political reason, Americans don't want mandatory IDs (they'd rather have a deeply insecure and broken SSN used as an effectively mandatory ID as long as it's not called a mandatory ID because logic).

Edited 2017-09-08 00:50 UTC

Reply Score: 6

ilovebeer Member since:
2011-08-08

You're always told to protect your SSN with your life, but then you can't do any banking without revealing it, you can't get non-emergency medical care, you can't be registered for school, etc etc etc... It's ridiculous. And of course these places are always having their data breached.

Here's the best part.. Once someone has your SSN, they can reverse everything else and essentially become you with *real* id, bank accts, etc. Once you find out they've trashed your credit, trashed your accounts, and trashed your life, you have to go on a very long & expensive fight to clear your name. And it's never truly cleared as if it all never happened. The shit is completely stupid and politicians do absolutely nothing to fix it.

Reply Score: 8

Alfman Member since:
2011-01-28

ilovebeer,

You're always told to protect your SSN with your life, but then you can't do any banking without revealing it, you can't get non-emergency medical care, you can't be registered for school, etc etc etc... It's ridiculous. And of course these places are always having their data breached.

...The shit is completely stupid and politicians do absolutely nothing to fix it.


You get it. This is one of those things that annoys the hell out of many tech people, but many ordinary people haven't really considered that the process is fundamentally broken. They view the problem as hackers getting through the defense walls. They think having bigger and stronger walls will keep them out. We know better, but this is how many people think.

Reply Score: 7

ilovebeer Member since:
2011-08-08

Exactly! It drives me nuts whenever I hear this subject being discussed and the `solution` is to just add a bigger/stronger wall like you said. Part of me thinks they don't actually buy into that as a real solution but rather just a typical kick-the-can-down-the-road type of response.

Reply Score: 3

bryanv Member since:
2005-08-26

Because their friends who pay them to 'represent you and me' (har har har!) can't make money off _fixing_ the problem. They make more money by _prolonging_ it.

Also, if you legislated _fixing_ something, then you wouldn't be able to keep legislating around it, and that keeps you from being able to sneak more legislation in as pork on top of it.

The incentives all around for the US legislation system are to:

* prolong all problems, rather than actually deal with root causes.
* transfer money from taxpayers to private accounts through legislation of non-solutions for both real and imaginary threats.

There really is no incentive or positive reinforcement for an elected official in the US to actually do the moral and ethical thing.

Reply Score: 1

Alfman Member since:
2011-01-28

Thom Holwerda,

In most countries, the SSN isn't actually an ID number. The problem in America is not with the SSN in and of itself, but with its misuse as an ID number - because for some weird political reason, Americans don't want mandatory IDs (they'd rather have a deeply insecure and broken SSN used as an effectively mandatory ID as long as it's not called a mandatory ID because logic).


I'm a bit confused with what you mean here, how is SSN being misused as an ID number? IMHO the federal government is doing the correct thing by assigning everyone a unique number. The big problem is how private companies are using it and making horribly flawed assumptions about SSN security.

Reply Score: 2

benoitb Member since:
2010-06-29

In France you can vote, have insurance, open bank accounts without giving a number that is your single unique identifier.

There is a number on your ID card that nobody ever asks. Another number on your passport if you have one (only necessary if you travel out of Europe). You are not legally obliged to get any of these documents.

Another number for social security.

I have not heard horror stories of people getting impersonated.

The downside is that for most procedures you are asked to provide documents justifying that you have been living in some place for 3 months.

Reply Score: 2

Doc Pain Member since:
2006-10-08

In France you can vote, have insurance, open bank accounts without giving a number that is your single unique identifier.

There is a number on your ID card that nobody ever asks. Another number on your passport if you have one (only necessary if you travel out of Europe). You are not legally obliged to get any of these documents.


It's a little bit different in Germany: You are forced to "buy" an ID card ("Personalausweis", personal identification) for a relatively high price (compared to the actual costs of creating the ID card), and it has a built-in expiration date. If you do not have one, you'll be facing a quite heavy fine. After expiration, you may not keep the (invalidated) ID card. It also contains "online functionality" which doesn't actually work and is also insecure.

A passport ("Reisepaß", travel passport) is fully optional. It is more expensive than the ID card. In many cases, it can substitute the regular ID card, but often requires that you also have a registration card ("Meldebescheinigung", certificate of residence) because the passport doesn't contain your postal address. This additional document of course also costs some money.

However, revealing the identification numbers of those documents (which identify the document, not the person!) is typically not needed. Data protection and privacy laws provide strong regulations about what may be obtained and stored by private companies.

Another number for social security.


Correct, and it usually won't be used for anything else.

In Germany, also add a tax identification number which will be a "life-long companion" to any person. Again, this number will only be relevant for matters of taxes.

Reply Score: 3

zima Member since:
2005-07-06

It's a little bit different in Germany: You are forced to "buy" an ID card ("Personalausweis", personal identification) for a relatively high price (compared to the actual costs of creating the ID card), and it has a built-in expiration date. If you do not have one, you'll be facing a quite heavy fine. After expiration, you may not keep the (invalidated) ID card. It also contains "online functionality" which doesn't actually work and is also insecure.

Whoa, I can't believe I'm saying this, but it looks like Poland is "nicer" than Germany in some respect: in PL the ID card ("dowód osobisty", ~personal ~proof ...which BTW was made first required under occupation by Nazi Germany ;) ) is free (it wasn't that way until a few years ago - you had to pay a small fee - but a court established that since it was mandatory, it shouldn't cost anything). It also expires / lasts for 10 years. I think you can also be fined for not having one. You may also not keep it after expiration. Latest-gen ID cards, issued from 2015 IIRC (and long in the planning stages...), were supposed to have a chip/"online functionality" ...but it was ultimately cancelled.

A passport ("Reisepaß", travel passport) is fully optional. It is more expensive than the ID card. In many cases, it can substitute the regular ID card, but often requires that you also have a registration card ("Meldebescheinigung", certificate of residence) because the passport doesn't contain your postal address. This additional document of course also costs some money.

Here even the ID card doesn't have your address! (the post-2015 ones; the previous gen does have the address, but it was removed in the current gen)

However, revealing the identification numbers of those documents (which identify the document, not the person!) is typically not needed. Data protection and privacy laws provide strong regulations about what may be obtained and stored by private companies.

In PL we have personal number "PESEL" which is printed on ID cards and typically required by banks or hospitals ...but it seems we avoid the issues plaguing US with its SSN, I think largely because the number is used mostly only as a database key and not a proof of identification/authentication by itself (for that, you need to show the ID card) ...though there are exceptions to this - I remember that during 2010 EU-wide census, you could login to the census webpage with nothing more than the personal number, and there were some instances of abuse...

Edited 2017-09-13 22:58 UTC

Reply Score: 2

ahferroin7 Member since:
2015-10-30

The problem is not how private companies are using it, it's that your SSN is the sole ID number you have. Everything traces back to it. Federally issued licenses, real background checks (for security clearance for example), and passports are about the only things in the US that require proper identity verification beyond knowing your SSN. As a result, if you get someone's SSN, you in turn are then able to trivially impersonate them for a large majority of things that actually have an impact on their domestic life.

In contrast, in most countries in Europe, and quite a few other countries, you have either:
1. Some publicly available ID number that is used as nothing more than a database key by most companies and holds little to no weight by itself as a means of identification.
or:
2. Independent ID numbers for most things, with no need to give any of them out when registering for trivial things like library cards that don't have any reason to require an actual ID number.

Reply Score: 3

Alfman Member since:
2011-01-28

ahferroin7,

The problem is not how private companies are using it, it's that your SSN is the sole ID number you have. Everything traces back to it. Federally issued licenses, real background checks (for security clearance for example), and passports are about the only thing in the US that requires proper identity verification beyond knowing your SSN. As a result, if you get someone's SSN, you in turn are then able to trivially impersonate them for a large majority of things that actually have an impact on their domestic life.


But the problem is NOT in having a unique id, it's how the ID is used that's the problem. That was dark2's point, we would be more secure if SSN were public and not treated as something we needed to keep secret.


In contrast, in most countries in Europe, and quite a few other countries, you have either:
1. Some publicly available ID number that is used as nothing more than a database key by most companies and holds little to no weight by itself as a means of identification.


This is exactly what SSN was originally intended to do and being a unique key is a perfect use of federal IDs. However somewhere along the way financial institutions started to use this ID as authentication, which is what caused this whole mess with keeping them secret. Static IDs assigned at birth are great for database keys, but incredibly foolish to use as authentication.

or:
2. Independent ID numbers for most things, with no need to give any of them out when registering for trivial things like library cards that don't have any reason to require an actual ID number.


Yeah, every library card I've ever gotten in the US required a federal ID number. We could debate whether or not they need to use a federal ID for their database key. However to be clear they needed to have real proof of identification and residency to open an account, so in this case it's not like the SSN is the proof. Ironically I think the libraries have a higher security bar than many banks and credit cards.

Edited 2017-09-08 14:24 UTC

Reply Score: 4

daveak Member since:
2008-12-29

IMHO the federal government is doing the correct thing by assigning everyone a unique number.


While the intention is to be unique, they are not.

https://www.nbcnews.com/technology/odds-someone-else-has-your-ssn-on...

and a quick google will find many more articles.

Reply Score: 2

Alfman Member since:
2011-01-28

daveak,

While the intention is to be unique, they are not.

https://www.nbcnews.com/technology/odds-someone-else-has-your-ssn-on.....

and a quick google will find many more articles.


The report is talking strictly about fraud. I'm not denying that's a problem, but it's not a problem that has to do with unique numbers in principle.

Consider someone at a hotel staying in room #214 who asks the restaurant to charge dinner to their room. This isn't uncommon in resorts. However if staff fails to take measures to prevent fraud, then liars could clearly cause a problem by merely claiming to be in room #214, which is someone else's. One might conclude that unique room numbers are the problem, but that's silly right? The real problem is not that rooms have unique numbers, but that the number by itself does not prove occupancy.

As I keep maintaining, abstract numbers are great for unique keys, but laughably insecure as proof and it is essential for claimants to provide proof of ownership, otherwise liars can exploit the system. Proof can be something tangible, such as a physical card or cryptographic device, which ideally is cheap for an authentic original but difficult/expensive to clone (i.e. holograms/PKI).

Even with very strong proof, there remains a risk that a legitimate key can be stolen from the real owner. So in the PKI world we have two different solutions for that, key expiration dates, and key revocation.

Edited 2017-09-09 16:26 UTC

Reply Score: 3
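The distinction this post draws (a number as a database key versus a number as proof, plus expiration and revocation as the PKI answer to stolen keys) can be shown end to end in code. The following is an added example written for this page in Go; it is not code from the original thread or from Equifax, and the registry schema, the request layout and the sample ID "123-45-6789" are constructed for illustration. It uses Go's standard `crypto/ed25519` package and contrasts the broken "whoever states the number owns it" check with one that looks the record up by the number and then demands a valid signature from an unexpired, unrevoked registered key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"time"
)

// Record: the ID is only the lookup key; ownership is proven by the registered
// public key, which has an expiry date and a revocation flag (hypothetical schema).
type Record struct {
	PubKey  ed25519.PublicKey
	Expires time.Time
	Revoked bool
}

type Registry map[string]*Record // ID -> record: the "database key" role

// ChargeRequest: the ID, the amount, the issue time, and an Ed25519 signature over
// those three fields made with the ID holder's private key.
type ChargeRequest struct {
	ID     string
	Amount uint32
	Issued time.Time
	Sig    []byte
}

// message lays the signed fields out in a fixed binary form so signer and verifier
// see exactly the same bytes; a zero byte separates the ID from the numbers.
func message(id string, amount uint32, issued time.Time) []byte {
	buf := make([]byte, len(id)+1+4+8)
	n := copy(buf, id)
	binary.BigEndian.PutUint32(buf[n+1:], amount)
	binary.BigEndian.PutUint64(buf[n+5:], uint64(issued.Unix()))
	return buf
}

// AuthorizeByIDOnly is the broken pattern: stating a known ID is taken as ownership.
func AuthorizeByIDOnly(reg Registry, id string) bool {
	_, known := reg[id]
	return known
}

// AuthorizeSigned uses the ID purely as a key and accepts the charge only with a
// valid signature from an unexpired, unrevoked registered key.
func AuthorizeSigned(reg Registry, req ChargeRequest, now time.Time) (bool, string) {
	rec, known := reg[req.ID]
	switch {
	case !known:
		return false, "unknown id"
	case rec.Revoked:
		return false, "key revoked"
	case now.After(rec.Expires):
		return false, "key expired"
	case !ed25519.Verify(rec.PubKey, message(req.ID, req.Amount, req.Issued), req.Sig):
		return false, "bad signature"
	}
	return true, "ok"
}

// Sign builds a request the way the genuine key holder would.
func Sign(priv ed25519.PrivateKey, id string, amount uint32, issued time.Time) ChargeRequest {
	return ChargeRequest{ID: id, Amount: amount, Issued: issued,
		Sig: ed25519.Sign(priv, message(id, amount, issued))}
}

// Scenarios registers one constructed sample ID and runs the cases the thread argues
// about; each map value is whether the charge was accepted.
func Scenarios() map[string]bool {
	const id = "123-45-6789" // constructed sample, not a real number
	now := time.Date(2017, 9, 9, 16, 26, 0, 0, time.UTC)
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, impostorPriv, _ := ed25519.GenerateKey(rand.Reader)
	reg := Registry{id: &Record{PubKey: holderPub, Expires: now.Add(365 * 24 * time.Hour)}}

	out := map[string]bool{}
	out["id_only_impostor"] = AuthorizeByIDOnly(reg, id) // impostor merely knows the number
	good := Sign(holderPriv, id, 4200, now)              // real holder, registered key
	out["signed_holder"], _ = AuthorizeSigned(reg, good, now)
	forged := Sign(impostorPriv, id, 4200, now) // impostor knows the ID, signs with own key
	out["signed_impostor"], _ = AuthorizeSigned(reg, forged, now)
	tampered := good // valid request with the amount altered in transit
	tampered.Amount = 9900
	out["signed_tampered"], _ = AuthorizeSigned(reg, tampered, now)
	out["signed_after_expiry"], _ = AuthorizeSigned(reg, good, now.Add(400*24*time.Hour))
	reg[id].Revoked = true // holder reports the key stolen: revoked, no longer accepted
	out["signed_after_revocation"], _ = AuthorizeSigned(reg, good, now)
	return out
}

func main() {
	for name, ok := range Scenarios() {
		fmt.Printf("%-24s accepted=%v\n", name, ok)
	}
}
```

Only `id_only_impostor` and `signed_holder` come back accepted: knowing the number alone gets an impostor through the first check and nothing else, while the signed path rejects a forged signature, a tampered amount, an expired key and a revoked key without the ID ever having to be secret.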

daveak Member since:
2008-12-29

Nope, not just about fraud. The research is http://www.idanalytics.com/blog/press-releases/20-million-americans... and states mainly data entry errors that do genuinely result in multiple people being assigned the same number.

http://www.wptv.com/money/id-analytics-40-million-social-security-n... mentions a non fraud example. Similar name, same birth date, ended up entered as the same number.

While conceptually SSN supposedly being a unique number suggests it is great for a unique key, in practice it isn't, whether that be fraud, or the most likely, as concluded by the research mentioned, simple human error.

Reply Score: 3

Alfman Member since:
2011-01-28

daveak,

Nope, not just about fraud. The research is http://www.idanalytics.com/blog/press-releases/20-million-americans..... and states mainly data entry errors that do genuinely result in multiple people being assigned the same number.


This comes from the same source cited in the previous article. Look, I'm not claiming using the wrong number isn't a problem...it obviously is a problem. However you are missing my point completely, the problem is not with having unique numbers but with the lack of proof.

I still think the hotel room is very illustrative. People can give the wrong room number either accidentally or intentionally resulting in fraudulent charges to one's room, but that could be rectified by supplementing the unique room number with actual proof, like scanning the room card.


http://www.wptv.com/money/id-analytics-40-million-social-security-n..... mentions a non fraud example. Similar name, same birth date, ended up entered as the same number.

"
The government gave both babies the same Social Security number.

There are honest mistakes where Social Security numbers get mixed up in data systems.

The Social Security Administration said it was a mistake made in 1990 by the hospitals that created the Social Security record for two babies with similar first names, the same last name, and same date of birth.

The acknowledgement by the Social Security Administration finally ends a 25-year mystery.

"


That's a great example actually of how everybody makes mistakes, even the social security administration. They deserve criticism when they do. Still 1) it's nowhere near the "One in 7" statistic caused by people submitting fraudulent/incorrect id numbers cited in your previous links. 2) it's fixable in that new numbers can be assigned to the duplicate entities that were mistakenly given the same number.


While conceptually SSN supposedly being a unique number suggests it is great for a unique key, in practice it isn't, whether that be fraud, or the most likely, as concluded by the research mentioned, simple human error.


Any application that accepts an ID without requiring some kind of proof of ownership is fundamentally insecure. I feel like I'm reiterating the same point over and over again, but the problem isn't with the unique ids themselves, but with how they are being used.

Edited 2017-09-09 17:26 UTC

Reply Score: 3

daveak Member since:
2008-12-29

You are missing the point. SSN are supposed to be unique. They are not. End of story. There is no problem in having a unique number. They just need to actually bloody be unique.

Reply Score: 1

Lennie Member since:
2007-09-22

If I remember correctly, this video explains it (but I lack the time right now to check it): https://www.youtube.com/watch?v=Erp8IAUouus

Reply Score: 2

dark2 Member since:
2014-12-30

for some weird political reason, Americans don't want mandatory IDs


The problem is the people that want mandatory IDs want to use it as a platform to "fight voter fraud," which always means use it as a way to stop people we don't like from voting.

Reply Score: 3

RE: Public social security numbers
by Alfman on Fri 8th Sep 2017 01:46 UTC in reply to "Public social security numbers"
Alfman Member since:
2011-01-28

dark2,

I hear one of the European countries solves this problem by making their version of the social security number public information, that way anyone can look online an verify if they have the right person. The secret number thing just doesn't work at all.


Yes!

It is so stupid for companies to insist on using SSN as proof of authorization. SSN works fine as a form of unique ID, it is extremely useful to have a unique identifier for databases. But it is *not* proof of consent and all the businesses using it that way need to stop pretending that it is. Frankly if I had a say, I'd pass a law explicitly dismissing any liability for any transactions only backed by this federal ID number without a record of consent. It should be treated as public information.

Too often we just point fingers at the gate keepers for allowing the leak to happen, but what is really needed is to adopt security mechanisms that don't break when partners get hacked. We have much better security models we could be using if only businesses would stop relying on archaic security solutions. I wish we could collectively move to something more secure like PKI where security is not based on having shared secrets (like SSN, CC#), but alas I've been playing the same broken record for two decades now.

Reply Score: 4

leech Member since:
2006-01-10

Well, there are two types of worry about the SSNs being out there now. The stupidity that with that number and basically a matching name, you can change address, name, bank information, etc.

Then there is the full on Identity theft, but on that side of things to have someone become you is probably a bit less likely, since there are already tons of dead people's SSNs out there thanks to many years back one of the genealogy sites was posting their SSNs...

But who knows, I'm thinking more than likely the biggest ones at risk for fraud here are the ones who have a high credit rating... And the fact that I don't think any of us really have a choice whether or not the big three can have our credit history to have that score. So pretty much every grown adult in the US that has any sort of credit history is potentially boned.

Reply Score: 3

Comment by XKCD
by XKCD on Fri 8th Sep 2017 07:25 UTC
XKCD
Member since:
2017-09-05

Good. World needs to learn that IT security matters. The bigger and worse the incident, the better. That's the only way people learn these days: through catastrophic incidents. Sadly, I am sure even this incident is not bad enough and big enough for people to learn... But it's something.

Reply Score: 1

RE: Comment by XKCD
by Kochise on Fri 8th Sep 2017 08:23 UTC in reply to "Comment by XKCD"
Kochise Member since:
2006-03-03

No, people don't learn. History repeats like a Groundhog Day.

Reply Score: 2

RE: Comment by XKCD
by Sidux on Fri 8th Sep 2017 19:38 UTC in reply to "Comment by XKCD"
Sidux Member since:
2015-03-10

That's mostly for managers and those with decision power. The ones that usually suffer are the end users.
Most of them hardly understand the idea that their data is stored on someone else's computer or care enough about it.

Reply Score: 1

RE[2]: Comment by XKCD
by leech on Fri 8th Sep 2017 22:23 UTC in reply to "RE: Comment by XKCD"
leech Member since:
2006-01-10

The real problem with this one is that it's completely out of the hands of the 'normals'. Pretty sure not a single damn one of us really is happy with the credit reporting agencies having our information, it's just the way it works. How these places can be for profit though...

Reply Score: 2

Comment by Boogaloo
by Boogaloo on Sun 10th Sep 2017 19:25 UTC
Boogaloo
Member since:
2017-09-10

I am actually happy to hear about such things. People need a hard hit on the head to wake up and smell the reality. A system where a single "secret" number is enough to impersonate a person is retarded. A company that pays little to no attention to IT and data security deserves to crash and burn. People who put up with both these things deserve a painful lesson.

Reply Score: 2

RE: Comment by Boogaloo
by Alfman on Sun 10th Sep 2017 21:44 UTC in reply to "Comment by Boogaloo"
Alfman Member since:
2011-01-28

Boogaloo,

I am actually happy to hear about such things. People need a hard hit on the head to wake up and smell the reality. A system where a single "secret" number is enough to impersonate a person is retarded. A company that pays little to no attention to IT and data security deserves to crash and burn. People who put up with both these things deserve a painful lesson.


I agree with your general assessment, but you are very wrong on the last point. You can blame the victims however much you want, but when it is companies that you have no relationship with that are ruining your credit and sending your interest payments skyrocketing, then what do you really expect people can do?

Their options:
1. Spend time and money going to court.
2. Wait in vain for congress to act (we're in a deregulatory political climate, so good luck with that).
3. Go to each of the three major credit bureaus who are selling your data and pay their fee so they stop selling your data.

https://www.transunion.com/credit-freeze/place-credit-freeze

This is probably the easiest option, but they still technically collect your data and it can still get leaked, they just stop selling it out.

You could argue it's your data and they have no ethical right to sell it in the first place. But they don't give a crap if you're right or wrong because they're making boatloads of money and congress has done nothing to stop them. Until their activities are banned by law, they'll continue to do it regardless of what we think.

Always keep in mind when it comes to companies selling personal credit data, you are the product and not the customer. It makes the whole notion of boycotting them completely moot unless you have a way to persuade companies to stop buying credit data. If you think there's a good way to do that, then please share because many of us would like to see changes.

Edited 2017-09-10 21:46 UTC

Reply Score: 2

RE[2]: Comment by Boogaloo
by darknexus on Mon 11th Sep 2017 13:01 UTC in reply to "RE: Comment by Boogaloo"
darknexus Member since:
2008-07-15

You could argue it's your data and they have no ethical right to sell it in the first place. But they don't give a crap if you're right or wrong because they're making boatloads of money and congress has done nothing to stop them. Until their activities are banned by law, they'll continue to do it regardless of what we think.


And even if it were to be made illegal, they'd still do it on the sly, and with the government's covert blessing and approval. That's what you get when corruption is everywhere and encouraged.

Reply Score: 2

RE[3]: Comment by Boogaloo
by Alfman on Mon 11th Sep 2017 14:56 UTC in reply to "RE[2]: Comment by Boogaloo"
Alfman Member since:
2011-01-28

darknexus,

And even if it were to be made illegal, they'd still do it on the sly, and with the government's covert blessing and approval. That's what you get when corruption is everywhere and encouraged.


Yea, first the laws have to get passed. Quid pro quo dynamics between government and business make this unlikely.

Secondly, the laws have to be enforced. Without enforcement, laws don't help. Do not call legislation is an example of laws that were supposed to help, but many companies ended up taking advantage of the fact that violating the laws can still be low risk and profitable. ;)

Reply Score: 2

In socialist Sweden...
by Megol on Mon 11th Sep 2017 20:58 UTC
Megol
Member since:
2011-04-11

... the personal identifier is used as a key, it contains the date of birth, sex, location of birth combined with a running counter whose size depends on the location (highly populated areas need to support more births per day). There's also a simple checksum.

With the personal id number one can get the name. With the name one can get the current living address. With the name and address one can get the id number. Oh and the declared income and tax returns, marital status and cars owned too - it's all available if one really wants to find out.

The only problem with this kind of system (except for paranoid people - those that have reason to be paranoid can get their data tagged secret for normal accesses) lies in its combination with bad systems design.

Reply Score: 2
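The structure described above (birth date, a running counter whose parity gives the sex, and a simple checksum) is concrete enough to parse. The following is an added example written for this page in Go; it is not code from the original post. It assumes the common ten-digit "YYMMDD-NNNC" form, that the separator "+" marks a person aged 100 or more, and that the check digit is a Luhn digit over the nine digits before it (the standard algorithm for this number, which the post only calls "a simple checksum"). The county-of-birth encoding the post mentions lived in the counter of older numbers and is not decoded here; the sample numbers are constructed for the example and belong to nobody.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Personnummer holds the fields decoded from a Swedish personal identity number.
type Personnummer struct {
	Birth  time.Time
	Serial int  // three-digit running counter (historically also encoded county of birth)
	Male   bool // counter's last digit is odd for men, even for women
	Check  int  // Luhn check digit
}

// luhnCheckDigit computes the Luhn check digit over the nine digits YYMMDDNNN:
// digits at even positions are doubled, products above 9 are reduced by 9, and the
// check digit is whatever brings the total to a multiple of ten.
func luhnCheckDigit(digits []int) int {
	sum := 0
	for i, d := range digits {
		p := d
		if i%2 == 0 {
			p *= 2
		}
		if p > 9 {
			p -= 9
		}
		sum += p
	}
	return (10 - sum%10) % 10
}

// Parse accepts "YYMMDD-NNNC" or "YYMMDD+NNNC". now is needed to choose the century
// for the two-digit year: a date that would lie in the future belongs to the previous century.
func Parse(s string, now time.Time) (Personnummer, error) {
	var pn Personnummer
	if len(s) != 11 || (s[6] != '-' && s[6] != '+') {
		return pn, errors.New("expected YYMMDD-NNNC")
	}
	raw := s[:6] + s[7:]
	digits := make([]int, 10)
	for i, c := range raw {
		if c < '0' || c > '9' {
			return pn, errors.New("non-digit character")
		}
		digits[i] = int(c - '0')
	}
	if want := luhnCheckDigit(digits[:9]); want != digits[9] {
		return pn, fmt.Errorf("checksum mismatch: got %d, want %d", digits[9], want)
	}
	yy := digits[0]*10 + digits[1]
	month := time.Month(digits[2]*10 + digits[3])
	day := digits[4]*10 + digits[5]
	year := 2000 + yy
	if time.Date(year, month, day, 0, 0, 0, 0, time.UTC).After(now) {
		year -= 100
	}
	if s[6] == '+' { // holder is at least 100 years old
		year -= 100
	}
	pn.Birth = time.Date(year, month, day, 0, 0, 0, 0, time.UTC)
	// time.Date silently normalises impossible dates (Feb 30 -> Mar 2); reject those.
	if pn.Birth.Month() != month || pn.Birth.Day() != day {
		return pn, errors.New("invalid date of birth")
	}
	pn.Serial = digits[6]*100 + digits[7]*10 + digits[8]
	pn.Male = digits[8]%2 == 1
	pn.Check = digits[9]
	return pn, nil
}

func main() {
	now := time.Date(2017, 9, 11, 0, 0, 0, 0, time.UTC)
	// Constructed samples: valid, bad checksum, valid checksum but impossible date.
	for _, s := range []string{"900101-1239", "900101-1230", "900230-1233"} {
		pn, err := Parse(s, now)
		fmt.Printf("%s -> %+v err=%v\n", s, pn, err)
	}
}
```

The point of the checksum is error detection, not secrecy: it catches a mistyped digit at data entry, which is exactly the failure mode the duplicate-SSN discussion earlier in the thread turns on, but anyone can compute a valid number, so the parser accepting a string says nothing about who presented it.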