
The Equifax Hack Didn't Have to Be This Bad - gbarc888
https://www.bloomberg.com/view/articles/2017-09-08/the-equifax-hack-didn-t-have-to-be-this-bad
======
snomad
The hack isn't just SSNs - it includes address history, date of birth, drivers
license number - everything reasonably necessary to establish identity. Not
sure why the focus is SSNs, any solution needs to be even higher. This is
about companies stockpiling our personal information and us having little say
in the matter.

~~~
uobytx
The reason the focus is on the SSN is because it enables credit. Privacy is
important, but so is protecting your finances.

~~~
jmkb
Date of birth and address history (in addition to SSN of course) are often
used by financial organizations to verify user identity online and on the
phone.

Recently I called to report a lost credit card, for instance, and the operator
read through a list of 10 addresses. I had to confirm which ones I'd lived at
at some point in my life, in order to verify my identity.

~~~
nindalf
Wouldn't it have been simpler and more secure to ask you for the address? I
can rattle off all the addresses I've stayed at in the last 15 years with
ease.

~~~
bbarn
I couldn't. I am a city dweller living in a climate where almost like
clockwork a post-two year rent hike makes me decide to move. Not only that,
being on a grid system every address tends to be some 4 digit combination of
numbers very similar. Was that 1124 or 1421 10 years ago? I'd have to sit and
picture the cross streets to figure it all out.

------
jessaustin
_In 2008, the Federal Trade Commission created the Red Flags Rule, which
required businesses and organizations to collect personally identifying
information from their customers, even if not necessary for service. This put
Social Security numbers into the hands of utility companies, telecom
providers, doctors and countless other unreliable custodians._

This is the first I've heard of this, and it's a different characterization
than what one finds on e.g. Wikipedia (excepting the last section of that
page). Still, I believe TFA. It's remarkable how often the impetus to "do
something" leads to precisely the wrong thing being done.

~~~
MicroBerto
Wikipedia contains a lot of political disinformation / "selective" content and
should not be used when looking for legal explanation.

~~~
jessaustin
Yes, we know. Often it has links to authoritative/reliable/substantive sources.
I was particularly interested in seeing those for the last section [0] I
referenced above, because it's the one that actually agrees with TFA, but at
this time that section is effectively unsourced. So even though this idea
about the Red Flags Rule comports with my prejudice about how regulation
typically works, I am currently unable to confirm it. Can you point to a
meatier consideration of whether this rule, purportedly intended to decrease
identity theft, actually had this particular effect of increasing identity
theft? One thing that makes me suspicious of this idea is that I can clearly
remember giving a false social security number to the phone company when I
moved in 2004, which was before 2008 when TFA claims the rule started and 2011
when Wikipedia claims the rule started.

[0]
[https://en.wikipedia.org/wiki/Red_Flags_Rule#Red_Flag_Rule_a...](https://en.wikipedia.org/wiki/Red_Flags_Rule#Red_Flag_Rule_and_identity_theft)

------
guelo
Consumers don't use the credit reporting database; we have very little access
to it besides restricted annual or paid-for reports. The real users are the
B2C companies like retail banks, cell phone companies, apartments, background
checkers, etc. These B2Cs use the db in both read and write modes with little
verification. The main incentive of the reporting agencies is to make it very
easy for B2Cs to read and write to their db. Any strong encryption scheme
would have to take into account the needs of the B2Cs. Nothing is going to
happen unless Congress demands it because there is no market incentive to
secure it. The data is already known to be frequently inaccurate but
businesses don't care; they'd rather have a bunch of false positives than one
deadbeat customer.

------
avid-infovore
_The Republic of Estonia uses such a system to identify members of its
e-Residency program, even with no physical presence. Each e-resident has a
public numerical key that serves as a unique identifier, and a corresponding
private key that is never revealed._

So an example to emulate then!

Except: _Estonia suffered an embarrassing blow to its much-vaunted ID cards
that underpin everything from electronic voting to online banking [...] a
security risk that affects almost 750,000 ID cards and that would enable a
hacker to steal a person’s identity._

[https://www.ft.com/content/874359dc-925b-11e7-a9e6-11d2f0ebb...](https://www.ft.com/content/874359dc-925b-11e7-a9e6-11d2f0ebb7f0)

~~~
unpwn
Is there a link to this that's not behind a paywall? Very interested in
understanding the flaws of such a system, as a 2-key system seems like the
most viable and secure way to establish identity.

~~~
taesis
Google's cache of the page [1] seems to work.

[1]: [https://webcache.googleusercontent.com/search?q=cache:wP7nTG...](https://webcache.googleusercontent.com/search?q=cache:wP7nTGn-RJ0J:https://www.ft.com/content/874359dc-925b-11e7-a9e6-11d2f0ebb7f0+&cd=1&hl=en&ct=clnk&gl=ca)

------
beebmam
It's something that people don't talk about much, but just the allowed
existence of credit agencies violates human/civil rights.

These companies earn revenue by selling access to a database of all humans,
which ranks each of us as to how valuable/risky we are to profit off of.

Many companies are starting to make hiring decisions based on this data, and
obviously whether or not you are worthy of a loan has been much of the purpose
of a credit rating (and these loans are necessary for nearly everyone in the
US, unless you're exceptionally wealthy).

Disputing an unfair or illegal mark against your credit is an absurd process
with very little recourse.

This is far worse than what the NSA has done, in my opinion, and it continues
without much criticism.

Obviously this giant hack of Equifax is a very serious issue. But why should
these credit companies be allowed to keep this kind of data about us anyway?

~~~
DanBC
> It's something that people don't talk about much, but just the allowed
> existence of credit agencies violate human/civil rights.

What human right is being violated, and what treaty is that right listed in?

~~~
beebmam
In just the UN's Universal Declaration of Human Rights:

Article 23, section 1 and 2, and possibly 3: as to being judged by employers
based on a credit score.

Article 25, section 1: It is not possible to afford housing without a loan,
and most of the variables of a loan (and even more importantly: whether you
are able to secure a loan in the first place) are entirely determined by a
credit score. Note that ~75-90% of Americans are unable to purchase a home
without a loan:
[https://en.wikipedia.org/wiki/Wealth_in_the_United_States#St...](https://en.wikipedia.org/wiki/Wealth_in_the_United_States#Statistics)

More from Article 25, section 1: Many of the other rights given in this
document (like food, clothing, medical care) are also not achievable without
smaller loans (like credit cards, also unattainable without a decent credit
rating or a significant amount of accrued wealth).

I'm sure there's plenty more, this is just what I've seen at first glance. But
I want to thank you for making me aware of this amazing UN document. It's kind
of amazing the number of economic rights this document secures for all humans.

~~~
dragonwriter
> It is not possible to afford housing without a loan

You can rent housing, but then that's based on credit ratings, too.

~~~
beebmam
Exactly. Depending on apartment, it may be possible to pay 1 to 2 months rent
up front if you don't have a decent credit rating. But most Americans do not
have this kind of money.

~~~
dragonwriter
> Depending on apartment, it may be possible to pay 1 to 2 months rent up
> front if you don't have a decent credit rating.

Right, but often not because landlords aren't just concerned about rent but
recovering damages in excess of any deposit. (And both advance rent and damage
deposit requirements are often regulated, as well.)

------
zentiggr
So since anyone who has access to the breached info can impersonate nearly
anyone in the country...

1) Are we about to see the end of "Name, DoB, last four" as an authentication?
(Damn well should if anybody can be me now)

2) Are the credit reporting agencies discredited as a business model? The
other two are likely either hacked already or about to be, and given this
standard of reporting we wouldn't know till months from now anyway.

Can't trust em, don't use em, don't trust anybody that does.

Oh joy.

~~~
ajross
#1 seems almost certain if the spilled data really is as extensive as it
seems. The government would be all but forced to go to some other mechanism
(or at worst just open up a new space of numbers and give everyone a 12-digit
"SSN+"). It's possible that the "possibly affecting 144M customers" bit is
spun though and that only a tiny fraction of that ever left the datacenter.

With #2, nothing is going to change. The credit agencies' business isn't
identifying people (as we are discussing, they outsource that to the
government), it's tracking credit activity. And that works extraordinarily
well from the perspective of its customers (the banks). If Equifax dies,
Experian and TransUnion will just see more business. If they all die, the
banks will find some way to do this for themselves.

~~~
otakucode
I don't know about that. The OPM hack was even worse in terms of data
released. Seriously, it included actual images of people's fingerprints ffs.
Along with all biographical information of the people submitted to receive a
security clearance background check. I think it may have hit fewer people, but
I expect the result will be the same: 18 months of free credit monitoring and
after that we pretend that somehow your SSN and all other details must no
longer be a threat to you being out in the wild. Sure, in 30 years when
someone digs it up and ruins your life with it, why make that OPM agency
liable for it? I'm sure they hired top-notch security guys, paid them
handsomely, and structured things such that not even the president of the USA
could contravene their practices, right? Right?

Oh, a computer was involved. So hire the cheapest person you can find who can
half make it work, let even the low level managers do whatever they want, and
when it gets hacked blame somebody else. It's computers. NOBODY knows how they
work!

~~~
ajross
The Equifax dump (again, if it's really as described) is literally 10x larger
than OPM. It's true that the OPM data was "worse" by abstract ideas of
personal privacy, but not that the breach is worse from the perspective of
"will drive government action".

Again, if there are really 144M valid SSN/name/address tuples out there in the
wild, then very soon banks will simply no longer be able to authenticate
applications for new accounts. They'll be swamped with fraud (remember that by
US law, credit card fraud is their liability, not the consumer's), and demand
action by the government to fix it.

But like I said, "if".

------
shmerl
Indeed. This pervasive usage of SSNs should be dropped.

~~~
AckSyn
The pervasive want of private corporations to stockpile our private
information is a huge concern as well. There's hardly any reason they should
store anything beyond name and contact info.

------
AngeloAnolin
"The only thing Social Security numbers should be used for is to pay our
taxes, which identity thieves are welcome to do."

Likely they may not be paying taxes, but have already found a way to
circumvent the system such that they collect something (aid, EI, etc).

~~~
prdonahue
Actually what they do is early filing to receive any refund that would be
coming to you.

~~~
MichaelBurge
Does the IRS lose money if they give the refund to the wrong person? Or is the
onus on you to find the criminal and sue him?

~~~
64738
Yes, they lose billions per year in fraudulent refunds.

------
jdhzzz
_Before the digital age, a stash of nine-digit numbers could be kept
reasonably secure in a locked filing cabinet behind closed doors. So long as
consumers volunteered the numbers judiciously, most people could make it
through life without ever suffering a theft of identity._

Old guy here. The reason I know my SSN by heart is that it was my student ID
number in college and had to be given at the beginning of each semester to get
my course list, later for grades, etc.

I had a credit union account from the 80's and as of the 90's my SSN was
printed on each monthly statement.

Both were before the "digital age" and neither could be considered "in a
locked filing cabinet" nor under my control.

~~~
ben1040
You don't even have to be that old to remember this time.

I went to a well-known university and they used SSNs as student ID number
until roughly 2001-2002. The first half of my university career, my SSN wound
up on every Scantron sheet, exam blue book, and term paper I handed in. It was
printed on the front of my ID, and even after they recalled old IDs and
replaced them with non-SSN cards, the magstripe track data still had your SSN
on it because some old dining hall POS system or something like that hadn't
been converted.

It was like fish in a barrel for fraudsters, just root around in the trash
after finals week and grab people's term papers. I had quite a few friends who
discovered that during the time they were attending college, someone had
opened a cell phone (or a credit card, in one person's case) in their name.

This was before the days of the free annual credit report law. So these folks
never pulled their own files, and only discovered the fraud years after
graduation, when they went to apply for a car or home loan and got denied.

------
tbrock
I'm very worried about this.

I've done a lot to try and build my credit and protect my identity by
restricting the information I give out. Now I can do nothing to protect it
besides hope someone doesn't target me.

Anyone have ideas on how to ensure an identity is not stolen?

~~~
ReidZB
You can use a credit freeze:
[https://www.consumer.ftc.gov/articles/0497-credit-freeze-faq...](https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs)

> Also known as a security freeze, this tool lets you restrict access to your
> credit report, which in turn makes it more difficult for identity thieves to
> open new accounts in your name. That’s because most creditors need to see
> your credit report before they approve a new account. If they can’t see your
> file, they may not extend the credit.

I've never done this, but it sounds effective - although if you want to open
another line of credit, you'll have to temporarily suspend the freeze.

~~~
itodd
You also have to pay Equifax $10 to do this. Insane, right?

~~~
dublinben
That sounds like extortion to me. Equifax are running a protection racket.

------
iblaine
SWIM used to have access to Equifax data from home. In the early 90s, you
could log into Equifax, type in a stranger's address, and get their credit
history, social, bills, and prior addresses among other things. Access was
through Tymnet using an <account_id>+<password>. That is it. The account_id
was a ~16 digit number. The password was 1 alpha + 1 alphanumeric. In those
days it was security through obscurity, so I presume. Get an account number
and after 936, you are in. Given this recent breach has nothing to do with how
Equifax/CBI was run years ago, it does make me cringe a bit.

~~~
technofiend
In the 80's it was even worse. A credit bureau was available on telenet (a
simple dial up service that allowed terminal connections to services) and
there was no password, just an account number. You could query any social
security number and see joint account information by simply adding /ty-jp or
something similar. This being the 80's, you'd see the needed credentials taped
to monitors.

------
otakucode
Well of course it didn't have to be this bad. But when criminal negligence for
corporations remains unpunished in an industry for 40+ years, you're not going
to have corporations that dedicate the time, let alone the money, to do things
right.

------
ErikVandeWater
Title not supported by article.

~~~
mfoy_
It is, and is related to some of the discussion in the main Equifax hack
threads.

The idea is that this information shouldn't be so sensitive because it isn't
_really_ secret in the first place. It also cannot be changed, so it doesn't
really meet _any_ reasonable criteria for authenticating information.

To quote the relevant top-level comment I had in mind:

> mikeash 2 hours ago
>
> If we're lucky, this will be the best leak of personal info ever. The primacy
> of the SSN in American society is idiotic. It's a "secret" that you have to
> hand out to dozens of different organizations. I've long thought that we
> should phase this out by committing to publish all SSNs (and the associated
> info, obviously, so it's not just a list of most 9-digit numbers...) which
> would force all these companies to stop treating it as confidential. The
> system is dumb and works poorly, but worked well enough that there was no
> impetus to fix it. Some people got affected by breaches, and it sucked for
> them, but it was always a small enough group that most people didn't care. Now
> that a majority of people's "secret" info is no longer confidential, maybe
> they'll realize they can't rely on it anymore. OK, the odds of this actually
> coming to pass are not great. But I can hope.

~~~
dboreham
Also note that other countries don't have this insanity.

~~~
smnrchrds
Canada does unfortunately. It's called a Social Insurance Number (SIN) or
Numéro d'assurance sociale (NAS) but other than the name, it is mostly the
same. And Canada is on the list of the countries suffering from the breach.
This should be interesting.

~~~
mfoy_
Indeed. I wanted to see if I was on the list, but the site they set up to
check looked pretty sketchy.

They've clearly demonstrated I shouldn't trust them with my SIN (not that I
ever willingly did in the first place!) so why should I enter it again? Into a
different domain, no less?!
