
Equifax takes down web page after reports of new hack - SirLJ
http://www.reuters.com/article/us-equifax-breach/equifax-takes-down-web-page-after-reports-of-new-hack-idUSKBN1CH2F3
======
Posibyte
I feel like this has to do with Equifax basically not being punished in any
major way over the last breach. Their stocks are still priced reasonably well,
most of their board is still intact, and US citizens are still required to
work with them for credit reasons.

And the worst part is, I have no idea how I as a person could say "I don't
want to work with Equifax because I don't trust them." And if anybody has
suggestions on that, I'm totally open, because if Equifax was a dripping
faucet, they'd be flooding the house by now.

~~~
rgbrenner
freeze your credit report with Equifax, and then if any company requests it,
they'll be denied (because you have to request it be unfrozen for them to
receive it).

If any company uses Equifax, you'll then be denied credit or they'll ask you
to unfreeze it.. either way, you can complain to them, and make it clear you
won't work with Equifax.

Of course, in practice, this will mean you'll get denied credit from any
company that has a contract with Equifax.

~~~
StanislavPetrov
Unfortunately you have no way to protect your tax returns from Equifax, which
now has a contract with the IRS thanks to the infinite wisdom of our
government.

[http://fortune.com/2017/10/04/equifax-irs-contract-hackers/](http://fortune.com/2017/10/04/equifax-irs-contract-hackers/)

~~~
bogomipz
From your link:

>"The Internal Revenue Service signed a $7.25 million contract with Equifax
last month. The no-bid contract, first reported by Politico, is for Equifax to
provide the IRS with taxpayer and personal identity verification services. The
contract stated that Equifax (EFX, -1.34%) was the only company capable of
providing these services to the IRS, and it was deemed a “critical” service
that couldn’t lapse."

The IRS in the US needs Equifax to provide taxpayer and verification
services? Seriously, what does that even mean? The IRS has no other way to
verify citizens?

~~~
Terretta
This is for something like the security questions when you reset your password
except based on your financial records.

      - Do you recognize this street name?
      - Have you bought from this store?
      - How many mortgages did you co-sign?

Answering a set of these “knowledge” based questions is considered
statistically probable proof that you’re you.

~~~
sneak
They’re derived from public records. Anyone who wants to hire the staff for
legwork and pay all the individual municipalities for access can compile the
same database.

------
noddy1
Solution to the Equifax debacle:

1) If the value of the individual damages related to this breach are in excess
of the market cap of the equifax company, all company stock should be seized
and distributed equally among those affected by the breach.

2) In the future, if a company controls this amount of sensitive data, they
should have mandatory breach insurance. This means that they are covered for a
government mandated amount based on the legal liability if all their data was
lost. This will mean that the insurers will do in-depth audits of the data
security of the company, and they will be incentivized year-to-year to ensure
their security practices are top notch. The present system incentivizes each
CEO to have a head-in-the-sand approach to data security where a hack is
considered a long-tail event unlikely to happen during the ceo's 3-5 year
tenure and therefore is not really worth paying attention to. In addition, it
would ensure that if the potential damage done if data is leaked exceeds the
value of the business storing the data, the insurance will be prohibitively
expensive and the company will not be able to continue with this line of
business - as it should be.

~~~
mattnewton
I don’t understand how that would work, do you mean liquidate the company? If
you mean actually take the shares from shareholders, wouldn’t the value of the
stock go to near zero? Who would buy stock that could do that? But I agree
with the general idea: they should go out of business and whatever they have
should be sold to reimburse people affected.

~~~
leggomylibro
I wonder if the Feds could simply seize the company and issue treasury bonds
to shareholders to cover the costs of their stake at the market's price.
Eminent domain, or whatever legal term is latin for "we have the guns."

Then, yeah, liquidate everything and distribute the proceeds amongst the
victims. It would be expensive, but...so what? The budget is $2T, and if the
fine vastly outweighs the value of the company, then it is clearly a grave
situation that demands an unusual response.

Maybe they could actually issue a realistic fine, and let the company deal
with it. But the company would probably just distribute any remaining assets
amongst their executives, fire everyone, and declare bankruptcy or something.

~~~
idbehold
> issue treasury bonds to shareholders

who aren't members of the board

~~~
Spivak
There's really no reason to exclude board members other than spite. If you're
going to fine them then just fine them.

~~~
idbehold
Okay, their fine is the value of their stock/options in the company. I think
companies would care more about security if the board members were the ones we
make examples of in cases like this.

------
jgladch
We're just getting into an era where everything is hackable. We haven't even
begun to understand the ramifications...! Privacy has been dead for a long
time (did it ever exist?), but we're only just now being confronted with what
this means. We have a choice to make: make the world work for everyone, or
perish!

~~~
samfriedman
I agree: I think we have been blessed with a long period of innocence
concerning the security of our services and devices. A period that is now
coming to an end with increased attacks by increasingly powerful entities.

The dot-com-bubble showed us that businesses should not be valued simply
because they leverage hot new technology (hold your AI comparisons...). These
high-profile hacks and security failures will hopefully show us that
businesses should not be considered secure simply because they stack up to
other measures of value.

I would hope that in the future, a fault in a company's infrastructure
security is considered as seriously as a fault in its core business model.

------
g051051
Yes, this was discussed earlier today:
[https://news.ycombinator.com/item?id=15456221](https://news.ycombinator.com/item?id=15456221)

And debunked...it wasn't a hack of the Equifax web site, but a malware package
delivered by 3rd party analytics company, Fireclick.

~~~
tyingq
Not exactly. Equifax has hardcoded references to an Akamai cache of a domain
(hints.netflame.cc) in their own pages[1].

That domain was owned by Fireclick (né Digital River) at one time, but changed
ownership on November 15, 2016. The current owner is a Thai national using a
personal Gmail address as the registration info.

Equifax should be responsible for what 3rd party domains it is referencing in
their pages.

[1][https://aa.econsumer.equifax.com/aad/uib/js/fireclick.js](https://aa.econsumer.equifax.com/aad/uib/js/fireclick.js)

~~~
g051051
That script was provided by Fireclick, so they're the ones that hardcoded it.
It even specifically says "Please do not modify this code".

~~~
tyingq
I'm not sure that bit matters, it's hosted on an Equifax server and served in
their pages. And pulling in a script from a very sketchy domain.

~~~
g051051
The script they hosted was legitimate. The Akamai content that it loaded was
legitimate. But Fireclick let the domain lapse, and someone else is now
impersonating them and serving malware, and not just to Equifax, either. Why
is the story "Equifax hacked again" instead of "Akamai serving content from
known spammer site"?

~~~
tyingq
I'm reasonably sure the whole Fireclick infrastructure was abandoned, probably
years ago. So Equifax's part was not having some mechanism in place to remove
3rd party references for 3rd parties that aren't delivering anymore. I
strongly suspect that predated the change in ownership of the domain, which
was almost a year ago. The fireclick.com domain is gone. The parent company
(Digital River) doesn't mention offering any kind of analytics service.

So, yes, technically the vector wasn't directly an Equifax server. But it was
only a vector because nobody removed the reference.

Right now, they also reference crazyegg.com in their pages. If crazyegg goes
belly up, the domain will be dormant, and when it expires, somebody might take
it over. Does Equifax have an onus to deal with that, or can they blame
someone else?

~~~
g051051
I don't know, how can you reasonably defend from that sort of domain
hijacking/repurposing? We fundamentally have to trust DNS at some level, but
domain names are somewhat transient in nature. Is it fair to single out
Equifax here, or is this just an example of an unsolved problem in the
industry?

~~~
tyingq
Somebody used to log into the backend that showed them the statistics. Surely
they noticed when it disappeared?

Security scans also usually include breakdowns of 3rd party stuff.

But yes, there are ways it could go wrong. On the other hand, Equifax is one of
very few places that has so much important data. I'd expect them to be leaders
in this space, not lackluster followers. Subresource integrity, perhaps more
due diligence on partners...stick with bigger players for code that shows up
on your site, etc.

~~~
g051051
I'd have to guess that someone cancelled the analytics at the business level,
but never bothered to write up a change request to tell the devs to take it
out.

------
cag_ii
Something doesn't sound quite right over at Equifax. I would have thought
that with the scale of the last breach a full and thorough audit of all
existing systems would have been a major priority!

~~~
appleiigs
Just a normal, slow moving, bureaucratic corporation.

But even if they were faster, I'm sure an audit of all existing systems is not
as simple as making sure all the doors and windows are locked around the
house.

~~~
yawz
You can hire a good group of independent pen testers or security companies,
and let them hammer your public facing sites. They don't lack the necessary
financial resources. At least they would have discovered that type of
problem. It's not difficult when there's a will.

~~~
ionforce
Knowing your vulnerabilities, fixing them, and caring about them at all are
all different things.

------
linarism
The incompetence is mindblowing. Could this be a good argument for software
engineers to get their professional license?

~~~
Arubis
It seems abundantly clear that Equifax's incompetence is _systemic_. Under the
presumption that they could have hired better engineers, I fully believe they
would have managed them into submission.

~~~
sidlls
The kind of licensing here would (or should) provide significant negative
consequences for malpractice, possibly including revocation or suspension of
the license (and therefore prohibition of working on projects requiring
licensed engineers) and even civil or criminal penalties. It also carries
credibility and protection: a licensed engineer has a duty to report
employers' attempts to circumvent rules like Equifax hypothetically would have
done, and legal protection for his livelihood when he does so.

It may not prevent truly unscrupulous or spineless engineers from
capitulating, but it's better than the current situation.

~~~
nrhk
Or you know punish the managers for once instead of the footsoldiers...

When Wells Fargo had their credit scandal, the salesmen shouldn't have been
punished; their managers should've.

These things start at the top. When deadlines are pushed onto you, you don't
have time to write unit tests, refactor, update dependencies.

~~~
sidlls
Licensing empowers the engineer to refuse to do something that violates sound
engineering practice according to the license and have legal recourse against
retaliation.

It isn't perfect, and the imbalance of power will certainly still be an issue.
But that doesn't mean we shouldn't try.

~~~
camus2
> Licensing empowers the engineer to refuse to do something that violates
> sound engineering practice according to the license and have legal recourse
> against retaliation.

It would just put most legal liabilities on engineers vs the org. It's a great
way to protect management, that's the only thing it's going to do. That's
exactly how dumb traders end up being scapegoated with each financial scandal.
Any engineer who would dare report any wrong doing would be blacklisted for
life from the IT industry.

Businesses like Equifax already have legal requirements at the org level; let's
not shift all responsibility onto engineers.

------
kumarski
What % of Fortune 500 companies are already paying ransomware fees unbeknownst
to their users/customers?

------
ashark
The Web has gotten so much worse since we started putting serious stuff on it.
It's kind of a population-terrorizing monster, at this point.

Could we, like... not do that? I seem to remember the world turning just fine
when you couldn't push the right sequence of buttons and steal the personal
data of half a country's citizens from the comfort of your home.

------
Apocryphon
Is Equifax particularly bad for a credit bureau, or are the other guys just as
bad? This is cause for worry towards all of these organizations.

------
racecar789
After recently freezing credit at all three bureaus... TransUnion does it
right. A free account can toggle a freeze anytime. They show a little ad when
logging in, but that is fine.

Experian has no free account login. Equifax will next year.

------
plandis
Where is the action from the federal government? Are any representatives
working on legislation for better data protection / handling regulations?

------
Simulacra
Someone must not be having a good day over at Equifax. Where is the breaking
point for a company like this?

------
pnathan
The credit services seem like a good candidate for nationalization or high
levels of regulation.

------
flachsechs
It's amazing how much the finance industry can get away with. Like honest-to-
goodness amazing.

It's really impressive how these people can have such a death-grip on society.
Honestly, I'm more curious than mad. How is such a thing even possible? I
mean, wow.

~~~
walrus1066
Well, these guys are simply too big to fail. Equifax cannot go bust, otherwise
loads of consumer credit (mortgages, car loans etc) would freeze up, causing
huge harm to the economy.

The market likely knows this, hence the stable stock price.

~~~
gaius
_Equifax cannot go bust, otherwise loads of consumer credit (mortgages, car
loans etc) would freeze up_

Nope - there are two others who will gladly take up the slack.

~~~
walrus1066
My company would be really hampered if Equifax went bust. We do use two other
credit bureaus, but some functions depend on data only Equifax provides.

We also use the different bureaus together for cross checking; often one
bureau's file will be out of date or have errors, while the other is fine. So
we'd have a much harder job of calculating risk if one of the big bureaus went
out of business, simply because we'd be losing a major data source that drives
our business.

I am very sure this case applies to other financial institutions as well.

------
whipoodle
Pretty sure this is just how it is now.

