Linked by Thom Holwerda on Thu 7th Sep 2017 23:45 UTC
Legal

Equifax Inc. today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company's investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax's core consumer or commercial credit reporting databases.

Names, social security numbers, birthdays, addresses, driver's license numbers, credit card numbers - this is a very big breach.

Interestingly enough, three executives of the credit reporting agency sold their shares in the company days after the breach was discovered.

Thread beginning with comment 648695
ahferroin7 Member since: 2015-10-30

The problem is not how private companies are using it, it's that your SSN is the sole ID number you have. Everything traces back to it. Federally issued licenses, real background checks (for security clearance for example), and passports are about the only things in the US that require proper identity verification beyond knowing your SSN. As a result, if you get someone's SSN, you in turn are then able to trivially impersonate them for a large majority of things that actually have an impact on their domestic life.

In contrast, in most countries in Europe, and quite a few other countries, you have either:
1. Some publicly available ID number that is used as nothing more than a database key by most companies and holds little to no weight by itself as a means of identification.
or:
2. Independent ID numbers for most things, with no need to give any of them out when registering for trivial things like library cards that don't have any reason to require an actual ID number.

Reply Parent Score: 3

Alfman Member since: 2011-01-28

ahferroin7,

> The problem is not how private companies are using it, it's that your SSN is the sole ID number you have. Everything traces back to it. Federally issued licenses, real background checks (for security clearance for example), and passports are about the only things in the US that require proper identity verification beyond knowing your SSN. As a result, if you get someone's SSN, you in turn are then able to trivially impersonate them for a large majority of things that actually have an impact on their domestic life.


But the problem is NOT in having a unique id, it's how the ID is used that's the problem. That was dark2's point, we would be more secure if SSN were public and not treated as something we needed to keep secret.


> In contrast, in most countries in Europe, and quite a few other countries, you have either:
> 1. Some publicly available ID number that is used as nothing more than a database key by most companies and holds little to no weight by itself as a means of identification.


This is exactly what SSN was originally intended to do and being a unique key is a perfect use of federal IDs. However, somewhere along the way financial institutions started to use this ID as authentication, which is what caused this whole mess with keeping them secret. Static IDs assigned at birth are great for database keys, but incredibly foolish to use as authentication.

> or:
> 2. Independent ID numbers for most things, with no need to give any of them out when registering for trivial things like library cards that don't have any reason to require an actual ID number.


Yeah, every library card I've ever gotten in the US required a federal ID number. We could debate whether or not they need to use a federal ID for their database key. However, to be clear, they needed to have real proof of identification and residency to open an account, so in this case it's not like the SSN is the proof. Ironically I think the libraries have a higher security bar than many banks and credit cards.

Edited 2017-09-08 14:24 UTC

Reply Parent Score: 4