
The Equifax disaster points to a much bigger problem - petethomas
https://www.washingtonpost.com/opinions/the-equifax-disaster-points-to-a-much-bigger-problem/2017/09/21/4bd683da-9ee3-11e7-9083-fbfddf6804c2_story.html
======
snarfy
> In the wake of the Equifax breach, Congress should require stronger
> cybersecurity measures at credit reporting agencies, as well as for any
> company that stores large quantities of sensitive data about individuals,
> even if those individuals are not the company’s customers.

Yes, they should, but that's not what they are doing. They are doing the
opposite. [1] It doesn't matter what the majority want Congress to do when
they don't listen or care and instead do what their special interests tell
them. The 'bigger problem' the article mentions is not that the laws are
tilted towards the corporations. It's that they will continue to be tilted
towards them due to corruption.

[1] [http://www.latimes.com/business/lazarus/la-fi-lazarus-republ...](http://www.latimes.com/business/lazarus/la-fi-lazarus-republican-credit-agency-bills-20170919-story.html)

~~~
snsr
What. the. fuck.

[http://www.latimes.com/business/lazarus/la-fi-lazarus-republ...](http://www.latimes.com/business/lazarus/la-fi-lazarus-republican-credit-agency-bills-20170919-story.html)

> _The FCRA Liability Harmonization Act is particularly noxious. Authored by
> Rep. Barry Loudermilk (R-Ga.), the bill would cap actual and statutory
> damages for class actions involving credit agencies at $500,000, and
> completely eliminate punitive damages.
>
> Loudermilk said Friday that his bill “is aimed at curbing frivolous class
> action lawsuits against businesses under the Fair Credit Reporting Act,” which
> contains many of the rules for credit agencies._

~~~
ams6110
Not to defend this congressman, because I've never heard of him and I don't
know anything about him, but frivolous lawsuits are a thing, and though you'd
expect a judge to recognize them, by the time it gets to that point a lot of
time and money has already been wasted.

And not to defend Equifax, because how can you, but a lot of people make their
living there and in general corporations deserve reasonable protection under
the law just like individuals do. After all most of them are net positives for
society: they provide employment, benefits, and many support their local
communities in a variety of other ways.

~~~
Clubber
>but frivolous lawsuits are a thing, and though you'd expect a judge to
recognize them, by the time it gets to that point a lot of time and money has
already been wasted.

Yes, but I would guess more frivolous lawsuits are filed by corporations
looking to silence critics or competition than by ambulance chasers. They
certainly have deeper pockets.

~~~
tfandango
And, I guess we should have some faith in our legal system to ultimately sniff
out frivolous lawsuits and dismiss them. I understand that there's a cost to a
lawsuit on both sides but it seems this could be (and possibly already is in
the form of counter suits for costs) addressed.

~~~
Clubber
> guess we should have some faith in our legal system to ultimately sniff out
> frivolous lawsuits and dismiss them.

Hah. I'm not sure I would go that far.

------
AndyMcConachie
Just as a point of reference, in the Netherlands there is a central agency for
recording the debt of people who have mostly fallen behind on payments. They
only record debts that last longer than 3 months, and of those they delete all
record 5 years after they are paid off. It is forbidden for this agency to
record that you have a mortgage unless you fall behind on payments. Only
negative information is stored on borrowers. If you pay your loan down on time,
nothing will be stored about you.

Also, it is forbidden for information in this agency to be used for
identifying purposes by banks and the like. This means considerably less risk
for me as a citizen, and it also means the information is less valuable for
hackers. Mortgage interest rates are currently 1-2 points less in The
Netherlands than they are in the USA, so there's no correlation I can see
between America's vampire capitalism credit model and cheaper loans.

~~~
ensignavenger
That is interesting. Do banks have any way of telling how much debt someone
has? Are credit cards very common there?

Many Americans have so much debt that lenders are very interested in the whole
picture when they consider making a new loan.

Old debts do drop off American credit reports, too. For most bad marks, they
only stay on for 7 years (10 for bankruptcy). I don't know how long paid-off
loans are reported, but they generally have no negative impact (but might
impact privacy). See this blog post: [http://blog.readyforzero.com/how-long-does-a-bad-mark-stay-o...](http://blog.readyforzero.com/how-long-does-a-bad-mark-stay-on-your-credit-report/)

EDIT: Even though bad marks are supposed to stay on only for seven years, the
industry is very scummy and will often try to keep the bad marks on your
report longer, requiring you to take action sometimes to actually get it
cleared off. The CRAs and debt collectors don't follow the law, and we
certainly need better enforcement of the laws.

~~~
cr1895
>Are credit cards very common there?

Much less prevalent than in the US. There are far fewer cash back/air
miles/etc. credit cards... actually, the only one I'm sure exists is the one
for the department store De Bijenkorf. There may of course be more I haven't
seen before.

Debit cards are the dominant payment method. Credit cards are most useful for
things like hotels abroad and online shopping abroad (within the Netherlands
there is the iDeal payment system for online shopping). It's not uncommon to
find shops that will not accept them.

~~~
ensignavenger
If there is substantially less consumer debt in the Netherlands, that could
explain the difference in credit risk. It could be small enough there that
banks just don't worry about the total load, and trust consumers to fully
disclose things on their loan application.

------
njarboe
I think the false "identity theft" idea that the banks have promoted has
started to really get people confused. The idea that a person can own the
facts about their behavior toward others, when you think about it, is very
strange. In theory a credit report is just a report from people you have
borrowed money from on how well you repaid the loan to them. I don't think
anyone would feel that they should legally be able to prevent people from
telling other people how they have truthfully interacted with them.

I don't think most people feel it is unfair or immoral to release
"unfavorable" information. If one didn't pay back a credit card, most
reasonable people think, "OK, that's true and on my report. My bad." What
people think is deeply wrong is for a fraudster to get a loan from a bank,
the fraudster does not pay, and the bank libels them by sending a false report
to the credit agency saying they defaulted on the loan. This agency and bank
have no penalties for propagating the libel/slander, and this libel will hurt
the person in many ways. Everyone knows that getting this libel to stop is
very difficult and the credit agencies and banks don't care about fixing the
errors. The runarounds people go through are legendary. People fear getting
libeled by banks and other issuers of credit, so much so that many buy
insurance for "peace of mind". The credit reporting agencies are like
Ticketmaster, a company set up to take the heat and misdirect the anger when
some other entity is screwing you. Ticketmaster plays front man for the
concert promoters/venues/bands, whereas the credit agencies play front man for
the banks.

~~~
hammock
>I don't think most people feel it is unfair or immoral to release
"unfavorable" information

I feel your overall argument, and you should know your idea here is not
exactly accurate. For instance, in Europe there are actually laws against
unfavorable information.

[https://en.wikipedia.org/wiki/Right_to_be_forgotten](https://en.wikipedia.org/wiki/Right_to_be_forgotten)

~~~
njarboe
I'm in the US, where these credit reporting companies are, and "identity theft"
is a big fear. Is there a similar problem in Europe? For example, do you see
ads on TV and the internet for insurance against "identity theft"? Things do
drop off your credit report in the US, even bankruptcy after 7 or 10 years, so
people do have a general idea that some past mistakes should not haunt you
forever. But never get a felony in the US. You will truly be discriminated
against for life.

------
Nanite
Ok so: a third party (Equifax) has collected sensitive personal data on
citizens without their consent and is asking a fee to prevent other third
parties from accessing this information. Isn't this technically blackmail?

~~~
KGIII
Assuming you're serious, probably not. Intent matters and they aren't
threatening to release the data, only monitoring if someone else uses the
already released data.

I am not a lawyer, this is not legal advice. Before deciding to blackmail, you
should consult a qualified attorney in the appropriate jurisdiction.

~~~
bogomipz
No, the fee they require you to pay to lock your credit profile has nothing to
do with them monitoring anything. They require you to pay money in order to
stop doing something you never authorized or asked them to do - releasing your
credit profile to anyone who asks.

While blackmail is a specific case of extortion where unfavorable information
is released, what the agencies do by requiring you to pay for protection (the
freezing of your credit) seems to qualify as extortion.

"What Is Extortion?

Most states define extortion as the gaining of property or money by almost any
kind of force, or threat of 1) violence, 2) property damage, 3) harm to
reputation, or 4) unfavorable government action."

I think you could make a case for number 3 - gaining money for threat of harm
to reputation. Your credit score is very much your financial reputation.

source: [http://criminal.findlaw.com/criminal-charges/extortion.html](http://criminal.findlaw.com/criminal-charges/extortion.html)

~~~
gm-conspiracy
Also, it seems like it could fall under RICO:

[https://en.wikipedia.org/wiki/Racketeer_Influenced_and_Corru...](https://en.wikipedia.org/wiki/Racketeer_Influenced_and_Corrupt_Organizations_Act)

One could argue the disclosure timing and executive stock sales (pre-
disclosure) could constitute investor/securities fraud, as well.

~~~
jfindley
It's not RICO. [https://www.popehat.com/2016/06/14/lawsplainer-its-not-rico-...](https://www.popehat.com/2016/06/14/lawsplainer-its-not-rico-dammit/)

Unfortunately, there's no law I'm aware of that's going to help you here -
although there /possibly/ should be a law governing ownership of someone
else's private data, that's not currently the case, as far as I know (IANAL).
It's also not immediately obvious to me how you'd construct such a law without
causing problems for many other areas of the financial system.

~~~
gm-conspiracy
I meant criminal, not civil.

Whether Jeff Sessions thinks so is another story.

------
stanleydrew
> A credit report could be stored in an encrypted form so that it could be
> thawed only with a key held or managed by the consumer.

This is a nice idea. In practice the keys would have to be accessible via some
kind of password to make them usable to ordinary people. And then those
passwords would need to be re-settable via email or phone. There are security
issues with that I guess, but we'd probably be better-off than we are now.

~~~
ghthor
This isn't true. Almost all "ordinary humans" manage to keep and use a pair of
physical keys to their home, among other things. We only need a physical key
with one simple piece of software that provides the key when asked for it, the
user says yes by physically pressing a button on the key, and the key is
"connected" (phy or wireless). This isn't because ordinary humans can't use and
manage protecting a key; it's a UX problem, and IMO a simple UX problem that
hasn't been solved because it will destroy the major technological incumbents'
major source of revenue.

~~~
chimeracoder
> Almost all "ordinary humans" manage to keep and use a pair of physical keys
> to their home, among other things

And what happens when someone loses their encryption key? This happens often
enough with house keys that there are entire businesses set up for emergency
locksmith services.

~~~
athenot
> _And what happens when someone loses their encryption key?_

DigitalLocksmith.io (YC S2018)

Jokes aside, this is why combining accessible and strong cryptography is hard.
Certainly not impossible but hard. And historically, not at all within the
competency of companies like Equifax.

------
featherverse
Yeah, human beings en masse are stupid. And they are ruled by thieves, and
they never do anything about it.

That is the single _biggest_ problem facing the human species.

------
DontSueMeBro
As an American currently in the middle of an EU-GDPR implementation I am
envious of the level of protection EU citizens will receive. Fortunately,
there will be some collateral benefits when companies (such as mine) decide to
apply GDPR to all their customers, not just their EU customers.

A 3 minute intro to GDPR for those unfamiliar:
[https://youtu.be/n5WJOncaHt4](https://youtu.be/n5WJOncaHt4)

------
otakucode
When the article got to mentioning encryption... I do not understand what they
are proposing. How would it be possible for the customer to hold the key
necessary to decrypt the credit record? Credit records are not read-only.
Other parties have to be able to submit additions to your credit record, like
if you fail to pay your water utility bill or something. So how exactly are
they going to append to your locked credit record? Would creditors have to
contact the customer and get them to provide the key in order to encrypt a new
addition?

~~~
haikuginger
Public-key encryption. The report item could be encrypted with the customer's
public key, but to read the report after it's added, the customer would need
to provide access to a private key.
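The scheme otakucode asks about and haikuginger sketches (creditors append entries encrypted to the consumer's public key; only the consumer's private key opens them) can be shown concretely. The following is an added example written for this page, not code from the article, the thread or any credit agency, and it is a hybrid construction of the kind a practitioner would actually use rather than raw public-key encryption of each record: each creditor generates a one-time X25519 key, derives an AES-256-GCM key from the ECDH shared secret, and stores only the ephemeral public key, nonce and ciphertext. The registry can hold and append to the report but cannot read it. Assumptions: a single SHA-256 over the shared secret and both public keys stands in for HKDF to stay within the Go standard library, the sample entries are constructed, and the consumer's private key is held on a device such as the button-press token ghthor describes or is wrapped under a password, which is outside this block.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SealedItem is one creditor-submitted entry as the registry would store it.
// The registry sees only these fields; none of them reveals the plaintext.
type SealedItem struct {
	EphemeralPub []byte // creditor's one-time X25519 public key
	Nonce        []byte // AES-GCM nonce, unique per item
	Ciphertext   []byte // AES-GCM ciphertext followed by the 16-byte tag
}

// deriveKey turns the ECDH shared secret into an AES-256 key. Assumption: a
// single SHA-256 over (secret || ephemeralPub || consumerPub) stands in for
// HKDF so the example needs nothing outside the standard library.
func deriveKey(secret, ephPub, consumerPub []byte) []byte {
	h := sha256.New()
	h.Write(secret)
	h.Write(ephPub)
	h.Write(consumerPub)
	return h.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is what a creditor runs. It needs only the consumer's public key, so a
// utility or card issuer can append without ever being able to read the report.
func Seal(consumerPub *ecdh.PublicKey, plaintext []byte) (SealedItem, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return SealedItem{}, err
	}
	secret, err := eph.ECDH(consumerPub)
	if err != nil {
		return SealedItem{}, err
	}
	ephPub := eph.PublicKey().Bytes()
	gcm, err := newGCM(deriveKey(secret, ephPub, consumerPub.Bytes()))
	if err != nil {
		return SealedItem{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return SealedItem{}, err
	}
	// The ephemeral public key is bound in as associated data, so swapping it
	// for another key makes the tag check fail instead of yielding garbage.
	ct := gcm.Seal(nil, nonce, plaintext, ephPub)
	return SealedItem{EphemeralPub: ephPub, Nonce: nonce, Ciphertext: ct}, nil
}

// Open is what only the consumer, holder of the private key, can run.
func Open(consumerPriv *ecdh.PrivateKey, item SealedItem) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(item.EphemeralPub)
	if err != nil {
		return nil, err
	}
	secret, err := consumerPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(deriveKey(secret, item.EphemeralPub, consumerPriv.PublicKey().Bytes()))
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, item.Nonce, item.Ciphertext, item.EphemeralPub)
	if err != nil {
		return nil, errors.New("item rejected: wrong key or tampered record")
	}
	return pt, nil
}

func main() {
	// Consumer-side key generation; the private key never reaches the registry.
	consumer, _ := ecdh.X25519().GenerateKey(rand.Reader)
	var report []SealedItem
	// Two creditors append constructed sample entries using only the public key.
	for _, entry := range []string{"2017-03 water utility: 30 days late", "2017-07 card: paid on time"} {
		it, err := Seal(consumer.PublicKey(), []byte(entry))
		if err != nil {
			panic(err)
		}
		report = append(report, it)
	}
	for _, it := range report {
		pt, err := Open(consumer, it)
		fmt.Printf("consumer reads: %q (err=%v)\n", pt, err)
	}
	// A breached registry, or anyone else with a different key, gets nothing.
	other, _ := ecdh.X25519().GenerateKey(rand.Reader)
	_, err := Open(other, report[0])
	fmt.Println("wrong key:", err)
}
```

Two caveats the thread raises still apply. A creditor can write but not read, so at application time the consumer has to decrypt and hand over the entries (or re-seal them to the lender's key), which is where the "provide access to a private key" step lands. And because nothing in the registry can recover the plaintext, a lost private key means a lost report, which is chimeracoder's locksmith problem; any deployable version needs a recovery path, and that path becomes the new weakest link.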

------
tylersmith
This article completely fails to address the main issue: conflating identity
and authentication. If credit reports required some sort of attestation of
secret knowledge in order to apply for things the issue would be dramatically
lessened. A social security number should be no more damaging to know than
someone's email address.

~~~
semi-extrinsic
What you really need is a standardised login portal for government and private
services that deal with personal information. Then you can have multiple
service providers for the actual login, e.g. your bank's proper 2FA login,
YubiKeys etc. We've had this for years in my country (with ~2% of the
population of the US) and it's working great. Typically the SS number is used
for identification, and you have password + one-time code on top of that.

~~~
tylersmith
I disagree. Centralizing the data and the access control would only create
more issues. If somebody got into your account they'd have the keys to your
life. We need to embrace decentralizing data and access control along with
healthy security habits like proper secret generation and frequent rotation.

~~~
hvidgaard
NemId, as it is called in Denmark, is a paper card with many one time keys, or
a dongle that creates a new key every so often. Every time you login, or
perform a transaction in the online banking, you need a new and different key.
If they get access to your keys, which would probably be because you did
something stupid like taking a picture of the card, you can revoke access, and
there is a paper trail of every single time the adversary impersonated you.

How is that worse?

~~~
tylersmith
I'm not familiar with the system but centralizing critical data is strictly
less ideal than decentralizing it. If your key seed or the central server are
compromised everything is compromised.

Revoking keys is great but doesn't help after they've given full access.

~~~
jon_richards
>Revoking keys is great but doesn't help after they've given full access.

That's true in a lot of infosec, but in identification, you can revoke
_everything_ and wait for meat-space verification to start again.

~~~
tylersmith
Only once you've noticed it. Automated systems could be used but there's
always the potential for large impacts before automated systems recognize the
issue.

And if the keys are ID related you can easily revoke it. You can't revoke a
SSN, fingerprint, DNA, or a face scan.

~~~
jon_richards
>Typically the SS number is used for identification, and you have password +
one-time code on top of that.

Isn't that what this was addressing? The attacker has to get both your
password and one-time codes before you change either. All the ID related stuff
is used like usernames, not keys.

If an attacker does get both, you presumably go in to a government office,
have your fingerprints taken, choose a new password, and get given a new set
of codes.
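tylersmith's point about separating identity from authentication, hvidgaard's description of the NemId one-time-code card, and jon_richards' "revoke everything and reissue" step can be put together in one small model. The block below is an added example for this page, not code from NemId, any government portal or anyone in the thread. The public identifier (an SSN-like number, constructed) is treated purely as a username; authentication is a password plus the next unused code from a printed card of HOTP codes (RFC 4226, HMAC-SHA1 with 6 digits); every attempt is written to an audit trail; and Revoke/Reissue models the trip to the office that invalidates a stolen card. Assumptions: a salted SHA-256 stands in for a real password KDF such as scrypt or Argon2, and codes must be used strictly in order (no look-ahead window), which is the simplest form of the paper-card rule.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// Account separates who you are (ID, public) from what you know and have
// (password hash and card secret, which can both be replaced).
type Account struct {
	ID         string   // public identifier; knowing it grants nothing
	Salt       []byte   // per-account salt for the password hash
	PwHash     []byte   // SHA-256(salt || password); assumption: stands in for a real KDF
	CardSecret []byte   // seed behind the printed one-time-code card
	NextCode   uint64   // index of the next unused code on the card
	Revoked    bool     // set when the holder reports compromise
	Audit      []string // every attempt, success or failure
}

// hotp implements RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic
// truncation, 6 decimal digits.
func hotp(secret []byte, counter uint64) string {
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(buf[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

func (a *Account) log(msg string) { a.Audit = append(a.Audit, msg) }

// NewAccount issues the first password and card.
func NewAccount(id, password string) (*Account, error) {
	a := &Account{ID: id}
	return a, a.Reissue(password)
}

// Reissue is the in-person step: new password, new card secret, counter reset.
// Every code on the old card is dead from here on.
func (a *Account) Reissue(password string) error {
	a.Salt, a.CardSecret = make([]byte, 16), make([]byte, 20)
	if _, err := rand.Read(a.Salt); err != nil {
		return err
	}
	if _, err := rand.Read(a.CardSecret); err != nil {
		return err
	}
	a.PwHash = hashPassword(a.Salt, password)
	a.NextCode, a.Revoked = 0, false
	a.log("credentials reissued for " + a.ID)
	return nil
}

// Revoke disables everything until Reissue; used the moment theft is noticed.
func (a *Account) Revoke() {
	a.Revoked = true
	a.log("all credentials revoked for " + a.ID)
}

// Card returns the first n codes as they would be printed on the paper card.
func (a *Account) Card(n int) []string {
	codes := make([]string, n)
	for i := range codes {
		codes[i] = hotp(a.CardSecret, uint64(i))
	}
	return codes
}

// Login requires the password and the next unused card code; a used code is
// never accepted again, so a photographed card only helps until it is used.
func (a *Account) Login(password, code string) error {
	if a.Revoked {
		a.log("attempt for " + a.ID + " while revoked")
		return errors.New("account revoked")
	}
	pwOK := subtle.ConstantTimeCompare(hashPassword(a.Salt, password), a.PwHash) == 1
	codeOK := subtle.ConstantTimeCompare([]byte(hotp(a.CardSecret, a.NextCode)), []byte(code)) == 1
	if !pwOK || !codeOK {
		a.log("failed login for " + a.ID)
		return errors.New("authentication failed")
	}
	a.NextCode++ // consume the code before reporting success
	a.log(fmt.Sprintf("login for %s using card code #%d", a.ID, a.NextCode-1))
	return nil
}

func main() {
	acct, _ := NewAccount("123-45-6789", "correct horse") // constructed sample
	card := acct.Card(3)
	fmt.Println("first code:", acct.Login("correct horse", card[0]))  // <nil>
	fmt.Println("replayed:", acct.Login("correct horse", card[0]))    // rejected
	fmt.Println("ID+password only:", acct.Login("correct horse", "")) // rejected
	acct.Revoke()
	_ = acct.Reissue("new password")
	fmt.Println("old card after reissue:", acct.Login("new password", card[1]))
	for _, line := range acct.Audit {
		fmt.Println("audit:", line)
	}
}
```

The design choice worth noticing is that nothing an attacker can learn about the ID helps them; the SSN is a lookup key, as jon_richards says, and the things that authenticate are all replaceable. The audit slice is the "paper trail of every single time the adversary impersonated you", and it records failures too, which is what lets the holder notice before the card is exhausted.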

------
Shivetya
It is not that someone has access to your credit history that is a problem, nor
who manages this information. The real issue is that agencies extending credit
will lend without verification. It is not even credit agencies that do this;
too many companies allow charges against all sorts of accounts; an example is
spurious charges that sneak onto phone bills.

Any company extending credit or charging a customer should be required to
reach a level of proof required by law, to the point that I would think that
above a certain level of credit it requires a notary or such.

------
pgnas
Looks like Equifax gets a junk bond rating in the personal information
handling. This company should be shut down. 3.1B revenue and can't secure
data, not even really trying. Greed.

~~~
tudorw
Which company can secure data? Are we just assuming it's viable and
reasonable? There are a lot more examples of failure than success: Sony,
Apple, AT&T, Snapchat, the US Army,
[https://en.wikipedia.org/wiki/List_of_data_breaches](https://en.wikipedia.org/wiki/List_of_data_breaches)

I'm not really sure the protocol is up to the job, while theoretically it
would appear possible to secure data on the internet, the reality seems to be
that the complexity of the systems involved means there is no reliable
solution.

~~~
jv22222
Holy crap, that list of data breaches is incredible. And by incredible, I mean
really difficult to believe. If anything should be #1 on hacker news for an
entire month it should be that page right there.

~~~
KGIII
What is remarkable, and it pains me to say this, is that Microsoft isn't on
that list. With all the telemetry data they collect, they might have some good
data stored. I'm sure people are trying to hack it, even right this minute.

They seem pretty capable, so far, of keeping their own collected data secured.

~~~
tluyben2
Some of these breaches, for instance the Gmail/Google breach, might not have
been a breach of their systems at all. So far for that example (but there are
more), one could apply that to Outlook/MS and get identical results. Aka: hack
some service that has millions of emails/passwords (accumulated), filter all
gmail emails, try to log in to gmail with that combo, and if it works, put them
into the list of 'hacked gmail accounts'.

Not trying to stick up for Google here, but, like MS, there seems to not be a
real breach there.
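What tluyben2 describes is credential stuffing: a dump from some other site is replayed against a provider's login, and the successes become the "hacked accounts" list even though the provider itself was never breached. From the defender's side it has a recognisable shape in the auth log, and it is distinct from a brute-force attack. The block below is an added example for this page, not code from Google, Microsoft or anyone in the thread; it parses constructed sample log lines of the form `<source ip> <account> <ok|fail>` and classifies each source as stuffing (many distinct accounts, roughly one try each), brute force (many tries against few accounts) or normal. The thresholds and the log format are assumptions; a real detector would key on the same two ratios over a time window.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Attempt is one parsed login event.
type Attempt struct {
	Source  string
	Account string
	Success bool
}

// sampleLog is constructed for this example; the addresses are documentation
// ranges and the accounts are made up.
const sampleLog = `203.0.113.7 alice@example.com fail
203.0.113.7 bob@example.com fail
203.0.113.7 carol@example.com ok
203.0.113.7 dave@example.com fail
203.0.113.7 erin@example.com ok
198.51.100.2 alice@example.com fail
198.51.100.2 alice@example.com fail
198.51.100.2 alice@example.com fail
198.51.100.2 alice@example.com fail
192.0.2.9 frank@example.com ok`

// parse reads "<source> <account> <ok|fail>" lines, skipping malformed ones
// rather than dropping the whole batch on one bad line.
func parse(log string) []Attempt {
	var out []Attempt
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			continue
		}
		out = append(out, Attempt{Source: f[0], Account: f[1], Success: f[2] == "ok"})
	}
	return out
}

// Verdict summarises one source address.
type Verdict struct {
	Source      string
	Attempts    int
	Accounts    int
	Kind        string   // "credential-stuffing", "brute-force" or "normal"
	Compromised []string // for stuffing: accounts where a reused password worked
}

// Classify groups attempts by source and applies two ratio rules. The
// minAttempts floor and the 3/4 and 1/3 ratios are assumed thresholds.
func Classify(attempts []Attempt, minAttempts int) []Verdict {
	type stats struct {
		n        int
		accounts map[string]bool
		hits     map[string]bool
	}
	per := map[string]*stats{}
	for _, a := range attempts {
		s := per[a.Source]
		if s == nil {
			s = &stats{accounts: map[string]bool{}, hits: map[string]bool{}}
			per[a.Source] = s
		}
		s.n++
		s.accounts[a.Account] = true
		if a.Success {
			s.hits[a.Account] = true
		}
	}
	var out []Verdict
	for src, s := range per {
		v := Verdict{Source: src, Attempts: s.n, Accounts: len(s.accounts), Kind: "normal"}
		switch {
		case s.n < minAttempts:
			// too little activity to say anything
		case len(s.accounts)*4 >= s.n*3:
			// nearly every attempt names a different account: a replayed dump
			v.Kind = "credential-stuffing"
			for acct := range s.hits {
				v.Compromised = append(v.Compromised, acct)
			}
			sort.Strings(v.Compromised)
		case len(s.accounts)*3 <= s.n:
			// many tries against few accounts: password guessing
			v.Kind = "brute-force"
		}
		out = append(out, v)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Source < out[j].Source })
	return out
}

func main() {
	for _, v := range Classify(parse(sampleLog), 4) {
		fmt.Printf("%-14s %-20s attempts=%d accounts=%d compromised=%v\n",
			v.Source, v.Kind, v.Attempts, v.Accounts, v.Compromised)
	}
}
```

The useful output is the Compromised list on the stuffing verdict: those are the accounts whose owners reused a password that was already in someone else's dump, which is exactly the population a "hacked Gmail accounts" list consists of. The right response is to force a reset for those accounts and rate-limit the source, not to declare a breach of the provider.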

------
notgood
DNA should be the only fully trusted proof of identity. To apply for a credit
of any important amount (or any other important procedure) you should be
required to be pinched to extract a drop of blood and determine if you are who
you say you are according to the DNA database.

~~~
mkagenius
Just the application or would you want to get pinched every time you would
want to log in? Sounds really painful.

~~~
tylersmith
Not to mention changing your DNA if it gets compromised will be difficult.

~~~
Spivak
I think it actually could be a pretty good system. It's a piece of
information that uniquely identifies you, and even if it's totally public it
doesn't help someone impersonate you. Sure, someone could easily produce a
sample of your DNA, but they couldn't fake a fresh blood sample taken by the
person authorizing you.

