Linked by Thom Holwerda on Thu 7th Sep 2017 23:45 UTC
Legal

Equifax Inc. today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company's investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax's core consumer or commercial credit reporting databases.

Names, social security numbers, birthdays, addresses, driver's license numbers, credit card numbers - this is a very big breach.

Interestingly enough, three executives of the credit reporting agency sold their shares in the company days after the breach was discovered.

Thread beginning with comment 648732
daveak Member since: 2008-12-29

> IMHO the federal government is doing the correct thing by assigning everyone a unique number.


While the intention is to be unique, they are not.

https://www.nbcnews.com/technology/odds-someone-else-has-your-ssn-on...

and a quick google will find many more articles.

Reply Parent Score: 2

Alfman Member since: 2011-01-28

daveak,

> While the intention is to be unique, they are not.
>
> https://www.nbcnews.com/technology/odds-someone-else-has-your-ssn-on.....
>
> and a quick google will find many more articles.


The report is talking strictly about fraud. I'm not denying that's a problem, but it's not a problem that has to do with unique numbers in principle.

Consider someone at a hotel staying in room #214 who asks the restaurant to charge dinner to their room. This isn't uncommon in resorts. However, if staff fail to take measures to prevent fraud, then liars could clearly cause a problem by merely claiming to be in room #214, which is someone else's. One might conclude that unique room numbers are the problem, but that's silly, right? The real problem is not that rooms have unique numbers, but that the number by itself does not prove occupancy.

As I keep maintaining, abstract numbers are great for unique keys, but laughably insecure as proof, and it is essential for claimants to provide proof of ownership, otherwise liars can exploit the system. Proof can be something tangible, such as a physical card or cryptographic device, which ideally is cheap for an authentic original but difficult/expensive to clone (i.e. holograms/PKI).

Even with very strong proof, there remains a risk that a legitimate key can be stolen from the real owner. So in the PKI world we have two different solutions for that: key expiration dates and key revocation.

Edited 2017-09-09 16:26 UTC

Reply Parent Score: 3
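The distinction drawn in the comment above, between a number used as a lookup key and proof of ownership that can expire or be revoked, as an added example that is not part of the original thread. It uses an HMAC over a fresh challenge as a stand-in for a PKI signature; `Credential`, `prove`, `verify_possession`, the `room-214` identifier and all values are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class Credential:
    key: bytes            # secret held only by the legitimate owner (stand-in for a private key)
    expires: int          # Unix time from which the credential is no longer accepted
    revoked: bool = False # set when the owner reports the secret stolen

def prove(key: bytes, challenge: bytes) -> bytes:
    """Claimant side: answer the verifier's challenge using the secret."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

def verify_number_only(registry: dict, ident: str) -> bool:
    """Weak check: anyone who knows the identifier is accepted."""
    return ident in registry

def verify_possession(registry: dict, ident: str, challenge: bytes,
                      response: bytes, now: int) -> str:
    """The identifier only selects the record; the response must prove the secret."""
    cred = registry.get(ident)
    if cred is None:
        return "unknown"
    if cred.revoked:
        return "revoked"
    if now >= cred.expires:
        return "expired"
    expected = prove(cred.key, challenge)
    return "ok" if hmac.compare_digest(expected, response) else "bad-proof"

def demo() -> dict:
    owner_key = b"constructed-owner-secret"       # constructed sample value
    registry = {"room-214": Credential(owner_key, expires=2_000)}
    challenge = secrets.token_bytes(16)           # fresh per attempt, so old answers cannot be replayed
    good = prove(owner_key, challenge)
    results = {
        "number_only_impostor": verify_number_only(registry, "room-214"),
        "owner": verify_possession(registry, "room-214", challenge, good, now=1_000),
        "impostor": verify_possession(registry, "room-214", challenge,
                                      prove(b"guess", challenge), now=1_000),
        "after_expiry": verify_possession(registry, "room-214", challenge, good, now=2_000),
    }
    registry["room-214"].revoked = True           # owner reports the secret stolen
    results["after_revocation"] = verify_possession(
        registry, "room-214", challenge, good, now=1_000)
    return results

if __name__ == "__main__":
    print(demo())
```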

daveak Member since: 2008-12-29

Nope, not just about fraud. The research is http://www.idanalytics.com/blog/press-releases/20-million-americans... and states mainly data entry errors that do genuinely result in multiple people being assigned the same number.

http://www.wptv.com/money/id-analytics-40-million-social-security-n... mentions a non-fraud example. Similar name, same birth date, ended up entered as the same number.

While conceptually SSN supposedly being a unique number suggests it is great for a unique key, in practice it isn't, whether that be fraud, or the most likely, as concluded by the research mentioned, simple human error.

Reply Parent Score: 3