Linked by Thom Holwerda on Thu 7th Sep 2017 23:45 UTC
Legal

Equifax Inc. today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company's investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax's core consumer or commercial credit reporting databases.

Names, social security numbers, birthdays, addresses, driver's license numbers, credit card numbers - this is a very big breach.

Interestingly enough, three executives of the credit reporting agency sold their shares in the company days after the breach was discovered.

Thread beginning with comment 648735
daveak Member since:
2008-12-29

Nope, not just about fraud. The research is http://www.idanalytics.com/blog/press-releases/20-million-americans... and states mainly data entry errors that do genuinely result in multiple people being assigned the same number.

http://www.wptv.com/money/id-analytics-40-million-social-security-n... mentions a non fraud example. Similar name, same birth date, ended up entered as the same number.

While conceptually SSN supposedly being a unique number suggests it is great for a unique key, in practice it isn't, whether that be fraud, or the most likely, as concluded by the research mentioned, simple human error.

Reply Parent Score: 3

Alfman Member since:
2011-01-28

daveak,

Nope, not just about fraud. The research is http://www.idanalytics.com/blog/press-releases/20-million-americans..... and states mainly data entry errors that do genuinely result in multiple people being assigned the same number.


This comes from the same source cited in the previous article. Look, I'm not claiming using the wrong number isn't a problem... it obviously is a problem. However, you are missing my point completely; the problem is not with having unique numbers but with the lack of proof.

I still think the hotel room is very illustrative. People can give the wrong room number either accidentally or intentionally resulting in fraudulent charges to one's room, but that could be rectified by supplementing the unique room number with actual proof, like scanning the room card.


http://www.wptv.com/money/id-analytics-40-million-social-security-n..... mentions a non fraud example. Similar name, same birth date, ended up entered as the same number.

"The government gave both babies the same Social Security number.

There are honest mistakes where Social Security numbers get mixed up in data systems.

The Social Security Administration said it was a mistake made in 1990 by the hospitals that created the Social Security record for two babies with similar first names, the same last name, and same date of birth.

The acknowledgement by the Social Security Administration finally ends a 25-year mystery."


That's a great example actually of how everybody makes mistakes, even the social security administration. They deserve criticism when they do. Still 1) it's nowhere near the "One in 7" statistic caused by people submitting fraudulent/incorrect id numbers cited in your previous links. 2) it's fixable in that new numbers can be assigned to the duplicate entities that were mistakenly given the same number.


While conceptually SSN supposedly being a unique number suggests it is great for a unique key, in practice it isn't, whether that be fraud, or the most likely, as concluded by the research mentioned, simple human error.


Any application that accepts an ID without requiring some kind of proof of ownership is fundamentally insecure. I feel like I'm reiterating the same point over and over again, but the problem isn't with the unique ids themselves, but with how they are being used.

Edited 2017-09-09 17:26 UTC

Reply Parent Score: 3

daveak Member since:
2008-12-29

You are missing the point. SSN are supposed to be unique. They are not. End of story. There is no problem in having a unique number. They just need to actually bloody be unique.

Reply Parent Score: 1