Linked by Thom Holwerda on Thu 7th Sep 2017 23:45 UTC
Legal

Equifax Inc. today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company's investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax's core consumer or commercial credit reporting databases.

Names, social security numbers, birthdays, addresses, driver's license numbers, credit card numbers - this is a very big breach.

Interestingly enough, three executives of the credit reporting agency sold their shares in the company days after the breach was discovered.

Thread beginning with comment 648683
Alfman Member since:
2011-01-28

Thom Holwerda,

In most countries, the SSN isn't actually an ID number. The problem in America is not with the SSN in and of itself, but with its misuse as an ID number - because for some weird political reason, Americans don't want mandatory IDs (they'd rather have a deeply insecure and broken SSN used as an effectively mandatory ID as long as it's not called a mandatory ID because logic).


I'm a bit confused with what you mean here, how is SSN being misused as an ID number? IMHO the federal government is doing the correct thing by assigning everyone a unique number. The big problem is how private companies are using it and making horribly flawed assumptions about SSN security.

Reply Parent Score: 2

benoitb Member since:
2010-06-29

In France you can vote, have insurance, open bank accounts without giving a number that is your single unique identifier.

There is a number on your ID card that nobody ever asks. Another number on your passport if you have one (only necessary if you travel out of Europe). You are not legally obliged to get any of these documents.

Another number for social security.

I have not heard horror stories of people getting impersonated.

The downside is that for most procedures you are asked to provide documents justifying that you have been living in some place for 3 months.

Reply Parent Score: 2

Doc Pain Member since:
2006-10-08

In France you can vote, have insurance, open bank accounts without giving a number that is your single unique identifier.

There is a number on your ID card that nobody ever asks. Another number on your passport if you have one (only necessary if you travel out of Europe). You are not legally obliged to get any of these documents.


It's a little bit different in Germany: You are forced to "buy" an ID card ("Personalausweis", personal identification) for a relatively high price (compared to the actual costs of creating the ID card), and it has a built-in expiration date. If you do not have one, you'll be facing a quite heavy fine. After expiration, you may not keep the (invalidated) ID card. It also contains "online functionality" which doesn't actually work and is also insecure.

A passport ("Reisepaß", travel passport) is fully optional. It is more expensive than the ID card. In many cases, it can substitute the regular ID card, but often requires that you also have a registration card ("Meldebescheinigung", certificate of residence) because the passport doesn't contain your postal address. This additional document of course also costs some money.

However, revealing the identification numbers of those documents (which identify the document, not the person!) is typically not needed. Data protection and privacy laws provide strong regulations about what may be obtained and stored by private companies.

Another number for social security.


Correct, and it usually won't be used for anything else.

In Germany, also add a tax identification number which will be a "life-long companion" to any person. Again, this number will only be relevant for matters of taxes.

Reply Parent Score: 3

ahferroin7 Member since:
2015-10-30

The problem is not how private companies are using it, it's that your SSN is the sole ID number you have. Everything traces back to it. Federally issued licenses, real background checks (for security clearance for example), and passports are about the only things in the US that require proper identity verification beyond knowing your SSN. As a result, if you get someone's SSN, you in turn are then able to trivially impersonate them for a large majority of things that actually have an impact on their domestic life.

In contrast, in most countries in Europe, and quite a few other countries, you have either:
1. Some publicly available ID number that is used as nothing more than a database key by most companies and holds little to no weight by itself as a means of identification.
or:
2. Independent ID numbers for most things, with no need to give any of them out when registering for trivial things like library cards that don't have any reason to require an actual ID number.

Reply Parent Score: 3

Alfman Member since:
2011-01-28

ahferroin7,

The problem is not how private companies are using it, it's that your SSN is the sole ID number you have. Everything traces back to it. Federally issued licenses, real background checks (for security clearance for example), and passports are about the only thing in the US that requires proper identity verification beyond knowing your SSN. As a result, if you get someone's SSN, you in turn are then able to trivially impersonate them for a large majority of things that actually have an impact on their domestic life.


But the problem is NOT in having a unique id, it's how the ID is used that's the problem. That was dark2's point, we would be more secure if SSN were public and not treated as something we needed to keep secret.


In contrast, in most countries in Europe, and quite a few other countries, you have either:
1. Some publicly available ID number that is used as nothing more than a database key by most companies and holds little to no weight by itself as a means of identification.


This is exactly what SSN was originally intended to do, and being a unique key is a perfect use of federal IDs. However, somewhere along the way financial institutions started to use this ID as authentication, which is what caused this whole mess with keeping them secret. Static IDs assigned at birth are great for database keys, but incredibly foolish to use as authentication.

or:
2. Independent ID numbers for most things, with no need to give any of them out when registering for trivial things like library cards that don't have any reason to require an actual ID number.


Yeah, every library card I've ever gotten in the US required a federal ID number. We could debate whether or not they need to use a federal ID for their database key. However, to be clear, they needed to have real proof of identification and residency to open an account, so in this case it's not like the SSN is the proof. Ironically, I think the libraries have a higher security bar than many banks and credit cards.

Edited 2017-09-08 14:24 UTC

Reply Parent Score: 4

daveak Member since:
2008-12-29

IMHO the federal government is doing the correct thing by assigning everyone a unique number.


While the intention is to be unique, they are not.

https://www.nbcnews.com/technology/odds-someone-else-has-your-ssn-on...

and a quick google will find many more articles.

Reply Parent Score: 2

Alfman Member since:
2011-01-28

daveak,

While the intention is to be unique, they are not.

https://www.nbcnews.com/technology/odds-someone-else-has-your-ssn-on.....

and a quick google will find many more articles.


The report is talking strictly about fraud. I'm not denying that's a problem, but it's not a problem that has to do with unique numbers in principle.

Consider someone staying in room #214 at a hotel who asks the restaurant to charge dinner to their room. This isn't uncommon in resorts. However, if staff fail to take measures to prevent fraud, then liars could clearly cause a problem by merely claiming to be in room #214, which is someone else's. One might conclude that unique room numbers are the problem, but that's silly, right? The real problem is not that rooms have unique numbers, but that the number by itself does not prove occupancy.

As I keep maintaining, abstract numbers are great for unique keys, but laughably insecure as proof, and it is essential for claimants to provide proof of ownership, otherwise liars can exploit the system. Proof can be something tangible, such as a physical card or cryptographic device, which ideally is cheap for an authentic original but difficult/expensive to clone (i.e. holograms/PKI).

Even with very strong proof, there remains a risk that a legitimate key can be stolen from the real owner. So in the PKI world we have two different solutions for that, key expiration dates, and key revocation.

Edited 2017-09-09 16:26 UTC

Reply Parent Score: 3
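The distinction Alfman draws above, and in the earlier reply about static IDs being fine as database keys but foolish as authentication, in working code. This is an added example written for this page, not code from the thread or from any commenter. It is Python using only the standard library: a registry keyed by a public, SSN-like number where the number alone proves nothing, and where proof of ownership comes from a per-credential secret held by the claimant's device, checked by challenge-response, with an expiry date and a revocation flag. HMAC stands in for a PKI signature to keep the example self-contained, so, unlike real PKI, the verifier also holds the secret; the registry class, the record layout and the sample ID value are all constructed assumptions.

```python
"""Static identifier vs. cryptographic proof of possession (added example).

The static ID is a public database key.  Authentication is a separate
credential: a secret held by a device, proven by answering a fresh
challenge.  Credentials expire and can be revoked, so a stolen one can
be cut off without changing the lifelong ID.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Credential:
    cred_id: str
    key: bytes            # device secret (HMAC stands in for a private key)
    not_after: float      # expiry, seconds since the Unix epoch
    revoked: bool = False


@dataclass
class Record:
    static_id: str        # public, SSN-like key; knowing it proves nothing
    name: str
    credentials: dict = field(default_factory=dict)


def respond(key: bytes, static_id: str, nonce: bytes) -> bytes:
    """What the claimant's device computes over the verifier's nonce."""
    return hmac.new(key, static_id.encode() + nonce, hashlib.sha256).digest()


class Registry:
    """Hypothetical record store; verifies credentials, never bare IDs."""

    def __init__(self):
        self.records = {}
        self.challenges = {}          # (static_id, cred_id) -> outstanding nonce

    def enroll(self, static_id: str, name: str) -> None:
        self.records[static_id] = Record(static_id, name)

    def issue_credential(self, static_id: str, lifetime_s: int):
        cred_id = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        cred = Credential(cred_id, key, time.time() + lifetime_s)
        self.records[static_id].credentials[cred_id] = cred
        return cred_id, key

    def revoke(self, static_id: str, cred_id: str) -> None:
        self.records[static_id].credentials[cred_id].revoked = True

    def challenge(self, static_id: str, cred_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.challenges[(static_id, cred_id)] = nonce
        return nonce

    def verify(self, static_id, cred_id, response, now=None) -> bool:
        now = time.time() if now is None else now
        rec = self.records.get(static_id)
        cred = rec.credentials.get(cred_id) if rec else None
        if cred is None or cred.revoked or now > cred.not_after:
            return False
        nonce = self.challenges.pop((static_id, cred_id), None)  # one use only
        if nonce is None:
            return False
        return hmac.compare_digest(respond(cred.key, static_id, nonce), response)


def scenario() -> dict:
    """Run the cases discussed in the thread and report who gets in."""
    reg = Registry()
    sid = "123-45-6789"              # constructed sample value, not a real SSN
    reg.enroll(sid, "Alice")
    cred_id, key = reg.issue_credential(sid, lifetime_s=3600)
    out = {}

    n = reg.challenge(sid, cred_id)                       # owner with device
    out["owner"] = reg.verify(sid, cred_id, respond(key, sid, n))

    out["id_alone"] = reg.verify(sid, "", b"")            # knows only the ID

    n = reg.challenge(sid, cred_id)                       # knows ID, wrong key
    out["impostor"] = reg.verify(sid, cred_id, respond(b"guess", sid, n))

    n = reg.challenge(sid, cred_id)                       # captured response
    resp = respond(key, sid, n)
    reg.verify(sid, cred_id, resp)
    out["replay"] = reg.verify(sid, cred_id, resp)

    n = reg.challenge(sid, cred_id)                       # valid key, expired
    out["expired"] = reg.verify(sid, cred_id, respond(key, sid, n),
                                now=time.time() + 7200)

    reg.revoke(sid, cred_id)                              # stolen, then revoked
    n = reg.challenge(sid, cred_id)
    out["revoked"] = reg.verify(sid, cred_id, respond(key, sid, n))
    return out


if __name__ == "__main__":
    for case, ok in scenario().items():
        print(f"{case:9s} -> {'accepted' if ok else 'rejected'}")
```

Only the owner holding a live, unrevoked credential is accepted; the public ID, a guessed key, a replayed answer, an expired credential and a revoked one are all rejected, which is the point Alfman makes about keys versus proof. Swapping the HMAC for a signature verified against a public key would remove the verifier's copy of the secret without changing the structure.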

Lennie Member since:
2007-09-22

If I remember correctly, this video explains it (but I lack the time right now to check it): https://www.youtube.com/watch?v=Erp8IAUouus

Reply Parent Score: 2