Cybersecurity Incident Involving Consumer Information (equifax.com)
1044 points by runesoerensen 5 months ago | 532 comments



Suppose Alice is a "victim of identity theft". BigBank gives $10k to Fraudster as a loan, thinking that Alice is the actual recipient. Experian, Transunion and Equifax report this loan as a debt which Alice owes to BigBank.

Who is the real victim? The credit reporting agencies want to convince people that the consumer is the victim, and so Alice bears the burden and risk of clearing her name. But it is the credit reporting agencies inflicting this upon Alice. BigBank is the victim who lost money, and BigBank bears the responsibility for making the mistake of giving out a loan in Alice's name. The Fraudster committed a crime against BigBank, not against Alice. It is Experian, Transunion and Equifax, by holding this fraudulent loan against Alice, who are victimizing Alice.

The idea that Alice was victimized by Fraudster is a concept being perpetuated by the credit reporting agencies as a way to absolve themselves of responsibility, and place the burden upon the consumer, and to avoid realistic identity verification which might slow or complicate the practice of issuing large amounts of debt to the general public.


Precisely. In no way was Alice's identity stolen - that's tautologically impossible. Rather, the bank was defrauded by the criminal - Alice is not a party to whether or not the bank recovers from its own loss. Alice's ownership is entirely unaffected, though the bank's internal processes might not reflect that - again, their problem, not Alice's.

Further - this rat race, where I have to give ever more intimate details about myself to verify who I am, "for my own protection", seems to only ratchet away my privacy until there is nothing about me left unpublic. Facebook, Banks, Airbnb, Credit Card companies, Telephony companies have ALL given me that line when I resist providing SSN, DoB, or whatever mine-able nugget they're looking for this month. Every time I give out a new kind of private information it inevitably leaks - defeating their point of having asked me - all the while my privacy is left scorched while they move on unconcerned to the next piece of my private life. It's uncomfortable.


> In no way was Alice's identity stolen - that's tautologically impossible.

I see this as you being too strict with your definition of "identity".

We, as people, have multiple identities. We have one with our government, another with our employer, another with our friends, another on pseudonymous websites, etc.

"Stolen identity" in this sense means Alice's attributes (the ones which Big Bank uses to identify a person) have been compromised by a 3rd party. It's not that all of Alice's identity has been compromised -- only a subset of her identity. Sadly that subset almost entirely consists of "something you know" (which the internet usually also knows) rather than "something you have" (like a government-issued ID) or "something you are" (biological traits).

I totally agree about the rat race. I think the credit bureaus are complicit in keeping the burden of credit identity low and the availability of credit reports high in the US, both of which lead to perverse incentives for {credit bureaus, consumers, creditors, governments, etc}. But they aren't alone. Credit card systems {VISA, Mastercard, AMEX, Discover, etc} and credit card merchants have done the same, causing the US to fall far behind other developed countries in consumer security.

Additionally, I've heard horror stories about the effort required for consumers to "prove" to credit bureaus that their identity was stolen. It sounds a lot like the insurance company's policies in The Rainmaker.


> I see this as you being too strict with your definition of "identity".

> We, as people, have multiple identities. We have one with our government, another with our employer, another with our friends, another on pseudonymous websites, etc.

Which is not relevant here, as this is not about different sets of attributes pointing to the same body, but about the exact same set of attributes being claimed to only possibly be pointing to one body (hence they supposedly identify Alice) while it is claimed at the same time that they can be replicated by a "thief", which necessarily implies that they don't identify Alice, and hence are not an identity, therefore tautological impossibility.

For example, it is claimed that being able to say the DoB of Alice is an attribute that identifies Alice's body. Then, it is also claimed that somebody else saying Alice's DoB supposedly is an act of stealing her identity, and that the set of such people is non-empty. Which means that being able to say Alice's DoB is not actually an identity in the first place, much less one that could be stolen.


Right, and this is the point where we, as computer system / information security / software (whatever, but) professionals switch to using the word "authentication", and stop being obtuse about the ambiguity in the multiple definitions of the word "identity".

> For example, it is claimed that being able to say the DoB of Alice is an attribute that identifies Alice's body.

And then we say that stating the DoB authenticates anyone to make changes to Alice's account.

And then we say this is a terrible idea. And then we are in agreement.

And then we don't have to say completely unhelpful nonsense like the following:

> Then, it is also claimed that somebody else saying Alice's DoB supposedly is an act of stealing her identity, and that the set of such people is non-empty. Which means that being able to say Alice's DoB is not actually an identity in the first place, much less one that could be stolen.

If these credit bureaus insist on conflating the word "identity" with "authentication" then it is up to us, computer / information / system / security professionals to correct this error and continue with more clarity.

Not to start a one-sided (credit bureaus aren't listening) philosophical argument that nobody was really talking about in the first place. This isn't about ontology, and it never was.

(Ontology is the field of philosophy that asks the question what "is" is, a.k.a. "identity" and it's very interesting but also very much irrelevant to this incident and the problem it poses to badly designed authentication systems)

An important part of our jobs is being able to clearly explain such computer security and authentication concepts to a layman. That includes properly framing the question. Digging into a philosophical argument because you feel you can argue your way around a particular word that is used only feeds pedantry.


> Right, and this is the point where we, as computer system / information security / software (whatever, but) professionals switch to using the word "authentication", and stop being obtuse about the ambiguity in the multiple definitions of the word "identity".

Except it's nonsensical to switch to "authentication" when the discussion is about how the term "identity theft" is misleading. It's not "authentication theft", it's "identity theft", and that is exactly why it is misleading.


The point is that it is NOT "identity theft", even if that's what people call it. It is more aptly "authentication theft/fraud".

The original point of this comment thread was that the credit reporting agencies want to keep it confusing so that it's not clear who exactly was the victim of the crime, so it's not obvious that the system sucks.


Yes, I agree, and I might have slightly misread what tripzilch wrote to mean that we should avoid the term here in this discussion, which I objected to. Towards the general public, it totally should be framed as an authentication failure, yes, I agree.


I think my point would be that, by discussing the minute semantic / philosophical points of the concept of "identity", you're still letting them frame the discussion that way. It's a word that they choose to describe something which it isn't. First is to just not go along with it, not to dig in and try to beat them on their own territory (if you succeed, you won nothing).

For the same reason I won't go into discussions about the finer moral points of when stealing is wrong or not, if the topic is copyright. Especially not get carried into far-fetched analogies such that it is okay if a starving family steals the blueprint for a 3D printed loaf of bread or whatever.

In that sense, the term "intellectual property" is actually similarly problematic as "identity theft". While it evokes the connotation of "property", intellectual_property is actually just a legal term that stands on its own and derives nothing from the common concept of "property" except where explicitly defined as such.

Except that identity_theft is, afaik, not a legal term. I believe it stems from the idea of the loss of an interconnected number of (mostly electronic) credentials that an adversary could use to, in a sense, "become you", and wreck one's life. This then became a serious fear, that was (in the public) not quite blamed on terrible security practices of powerful entities, but on the ever-growing interconnectedness and electronicification of all aspects of our life. In fact literally about the fear that the large amount of data about us in these computer databases would some day be mistaken to be us and identify us, regardless of its truth in the real world. But identity_theft has always been painted as a sort of "curse of the modern age", our penance for living in an ever automated society, kind of typical Hollywood morality story.

Except these credit companies seem to be just focusing on the "wreck your life" part, twisting the definition around, that suddenly a security failure with their authentication/credential system gets to be blamed on the general societal menace of identity_theft, mainly because their error has the capability to wreck one's life.

I'm pretty sure Baudrillard or some other person in critical theory / semiotics has written some interesting stuff about this. Now that is a philosophical discussion on this topic that I would actually find worthwhile.


> while it is claimed at the same time that they can be replicated by a "thief", which necessarily implies that they don't identify Alice, and hence are not an identity, therefore tautological impossibility.

Attributes can be replicated -> attributes don't identify Alice

Why do you consider this implication necessary? It sounds nonsensical.

Counterexample: to verify an identity, the verifier must possess a replication of the identifying attributes. If replication implies non-identity, then identity verification becomes impossible.

Note that we're speaking of identity in the context of a technical implementation.


> Why do you consider this implication necessary? It sounds nonsensical.

Because it is implied by the definition that is implied by the concept of "identity theft".

Let's assume we define "identity" to mean "any set of attributes of Alice", so widening it essentially as far as possible. Then "is a human", being an attribute of Alice, would become an identity of Alice. Using that definition in the context of identity theft would then lead to the following sort of justification: Alice is responsible for paying back this loan because the person that we gave this loan to was a human and we identified Alice by her attribute of being a human to be the person we gave this loan to.

That doesn't make much sense, does it?

The whole justification for calling it identity theft, and thus blaming the identified person, hinges on the implication that whatever attributes are being used to "identify" Alice do imply that it is in fact uniquely Alice who has those attributes. It only logically works if you can say "those attributes are the attributes of the person that we made the contract with, and they are unique to Alice, therefore Alice is the person we made the contract with", not if your claim is "those attributes are the attributes of the person that we made the contract with, which are shared by a whole bunch of people, therefore Alice is the person we made the contract with".

> Counterexample: to verify an identity, the verifier must have replicated the identifying attributes. If replication implies non-identity, then identity verification becomes impossible.

Erm ... no? Just two obvious examples:

In order to check that you are the person on a picture I have of you, all I need is the picture, no need to have a replica of you.

In order to check that you are in the possession of a private key, all I need is the corresponding public key, not the private key.

Also, if it were the case that identity verification were in fact impossible ... what would be your point then? You don't like the (hypothetical) fact that it is impossible, therefore it is possible?

> Note that we're speaking of identity in the context of a technical implementation.

Actually, we kind of don't. We are really talking about a legal implementation, where there really is no requirement to do anything as a "technical implementation"!?
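The two checks contrasted in this exchange, as an added example that is not part of the thread: a verifier that stores a "something you know" secret (DoB, SSN) necessarily holds a replica of it, so a breach of the verifier yields a working credential; a verifier that checks possession of a private key stores only the public key and issues a fresh challenge each time, so neither its leaked database nor an observed response lets anyone else pass as Alice. The verifier types, the record format and the sample DoB/SSN are constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// KnowledgeVerifier is the credit-bureau style check discussed in the thread:
// it authenticates by comparing a "something you know" value (DoB, SSN) that
// it must itself store, so every such verifier holds a full copy of the secret.
type KnowledgeVerifier struct {
	records map[string]string // constructed sample data: name -> "DoB|SSN"
}

func (v KnowledgeVerifier) Authenticate(name, dob, ssn string) bool {
	return v.records[name] == dob+"|"+ssn
}

// Breach models the verifier's database being exposed: what leaks is exactly
// what Authenticate accepts, so the leak is itself a working credential.
func (v KnowledgeVerifier) Breach() map[string]string { return v.records }

// PossessionVerifier is the "private key" check from the comment above: it
// stores only public keys and checks a signature over a fresh random challenge.
type PossessionVerifier struct {
	pubs map[string]ed25519.PublicKey
}

func (v PossessionVerifier) Challenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

func (v PossessionVerifier) Authenticate(name string, challenge, sig []byte) bool {
	pub, ok := v.pubs[name]
	return ok && ed25519.Verify(pub, challenge, sig)
}

// Breach exposes everything this verifier stores: public keys only. Go's type
// system will not even let an ed25519.PublicKey be passed to ed25519.Sign.
func (v PossessionVerifier) Breach() map[string]ed25519.PublicKey { return v.pubs }

// Outcome records what an attacker holding each verifier's leaked data can do.
type Outcome struct {
	AliceOK               bool // Alice authenticates to the possession verifier
	KnowledgeImpersonated bool // leaked DoB/SSN replayed against the knowledge verifier
	ReplayAccepted        bool // an observed signature reused against a new challenge
	ForgedKeyAccepted     bool // a key the attacker generated, offered as Alice's
}

func Scenario() Outcome {
	var out Outcome

	kv := KnowledgeVerifier{records: map[string]string{"alice": "1980-01-01|123-45-6789"}}
	rec := strings.SplitN(kv.Breach()["alice"], "|", 2)
	out.KnowledgeImpersonated = kv.Authenticate("alice", rec[0], rec[1])

	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pv := PossessionVerifier{pubs: map[string]ed25519.PublicKey{"alice": pub}}

	// Alice proves possession by signing the verifier's fresh challenge.
	c1 := pv.Challenge()
	sig1 := ed25519.Sign(priv, c1)
	out.AliceOK = pv.Authenticate("alice", c1, sig1)

	// An observer saw (c1, sig1) and holds pv.Breach(); neither answers the
	// next challenge, and a key of their own is not Alice's enrolled key.
	c2 := pv.Challenge()
	out.ReplayAccepted = pv.Authenticate("alice", c2, sig1)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	out.ForgedKeyAccepted = pv.Authenticate("alice", c2, ed25519.Sign(attackerPriv, c2))
	return out
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```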


The original parent posited that we have multiple identities, as in: multiple sets of attributes, each of which uniquely identify us within a certain context.

> Let's assume we define "identity" to mean "any set of attributes of Alice", so widening it essentially as far as possible. Then "is a human", being an attribute of Alice, would become an identity of Alice.

> That doesn't make much sense, does it?

If Alice is the last surviving human being in the universe, it does.

If Alice isn't the last surviving human being in the universe, then the premise of "is a human" as an identity is already nonsensical (because it no longer identifies), hence also any conclusions you derive from that premise are also nonsensical.

> In order to check that you are the person on a picture I have of you, all I need is the picture, no need to have a replica of you.

You haven't checked that it's me, you've checked that it is someone who looks like me.

Within any given context, that may or may not be treated as my identity. Hence, we're back at multiple identities, each in their own context.

> In order to check that you are in the possession of a private key, all I need is the corresponding public key, not the private key.

Which says nothing about identity, only about possession. Whether this possession is taken to be sufficient proof of identity again depends on the context.

> Also, if it were the case that identity verification were in fact impossible ... what would be your point then? You don't like the (hypothetical) fact that it is impossible, therefore it is possible?

Do you believe this hypothetical example to be true? If not, what's your point?


> The original parent posited that we have multiple identities, as in: multiple sets of attributes, each of which uniquely identify us within a certain context.

In which case it's just not a refutation of the tautological impossibility at all. Either something uniquely identifies someone, or it does not. Uniquely identifying someone while at the same time being (trivially) replicated by somebody else is just a contradiction.

> If Alice is the last surviving human being in the universe, it does.

Seriously?

> If Alice isn't the last surviving human being in the universe, then the premise of "is a human" as an identity is already nonsensical (because it no longer identifies), hence also any conclusions you derive from that premise are also nonsensical.

Which is exactly why "was able to tell us the DoB of Alice" as an identity is nonsensical, and hence any conclusion of the form "therefore, Alice's identity was stolen" is nonsensical as well, correct.

> You haven't checked that it's me, you've checked that it is someone who looks like me.

Which contradicts the claim that the verifier does not need a replica of you how exactly?

> Within any given context, that may or may not be treated as my identity. Hence, we're back at multiple identities, each in their own context.

Which still cannot be stolen. So?

> Which says nothing about identity, only about possession. Whether this possession is taken to be sufficient proof of identity again depends on the context.

Which contradicts the claim that the verifier in a context where it is taken to be sufficient proof of identity does not need the private key how exactly?

> Do you believe this hypothetical example to be true? If not, what's your point?

My point is that I am responding to your argument that was about an implication from that hypothetical case.


> Let's assume we define "identity" to mean

... seriously, just stop.


So the only way around this is to disregard information about a person other than information that 100% without a doubt identifies that person making a purchase is who they say they are? I am just genuinely curious.


No. It's to accept liability when you make a mistake. If a criminal tricks a bank into giving away money and debiting some random account, the victim is the bank, not whoever happened to own the account.


Around what? The fact that the term "identity theft" is nonsensical? There is no way around that, it just is.

As for fraud: There probably is no easy way around it. But that doesn't mean it's not fraud.


I was not saying either really. I was asking what surefire way we have other than a number / name for identity.


Well, there is biometry, with the simplest form being a picture, if you want to somewhat reliably identify people.


While I thoroughly agree with everything you've said on the subject thus far...

How does being in possession of a picture, or any other biometric data, help? These data are reproducible, like any other attribute that supposedly identifies only-Alice.


Checking the possession of a picture is not biometry (that would be possession-of-a-picture-metry). Making a picture is biometry (measuring the body, essentially).

The hard problem with biometry is proving to a third party that a certain identity is responsible for a contract, but identification with biometry (convincing yourself that the person before you is the same person that you enrolled earlier) at least works a lot better than asking for essentially public information.


Here's a typical story.

Online loan firm gives money to someone. Months later, they default, so they call who they think is the holder of the debt. That person has no clue what they are talking about. Finds out through first ever credit report they are defrauded. Victim calls loan firm, who requests lots of proof of existence as well as a police report, before they will help them. Process takes weeks. Victim finds out they signed up at Equifax during hack. Now they are in worse shape.


All financial companies are required to have your SSN for reporting income for taxes and also to report money movement under the anti-money laundering laws (AML). Know your customer (KYC) requires a financial company to gather documentation and information to verify your identity and to ensure you're not on any list of people we're legally not allowed to provide services to, e.g. a terrorist watch list.

You don't need to provide a SSN to get cell service or provide real information. Lots of fraud is done through tethering through burner phones.


Seems KYC as used in the real world doesn't do a very good job of verifying whether the "customer" is Alice or the fraudster... It'd be nice if _that_ requirement had enough teeth to reduce the ability of the financial institution to claim Alice is "the victim"...


Curious how you would verify a user? Right now the standard solution is to use public records (LexisNexis), credit history (Experian), fraud detection networks (Early Warning). Along with a bunch of reputation providers around IP (Maxmind, Socure), email (Emailage), address. Also government-based ID and utility bills etc. This isn't cheap and can cost $10+ to run all these checks.

Even the government can't verify people and it's a problem because people give other people's SSN and DOB when they get arrested, which is the worst type of identity theft as it can lead to the victim getting arrested or not getting a job (criminal record showing up in a background check).


You ask for their ID card or passport. If you want credit history, you ask for their last year's tax sheet.


How about having a photo on the credit file. This would solve so many problems.


> You don't need to provide a SSN to get cell service or provide real information. Lots fraud is done through tethering through burner phones.

Don't give them any stupid ideas. This year Germany did exactly that: require proper identification for purchased SIM cards. Lots of people used that opportunity for some extra cash by selling pre-activated SIMs through eBay, after the requirements had been changed.

Too bad they also introduced Euro roaming, so people are still free to buy their anonymous SIMs in other EU countries and use them in Germany.

I guess those are the consequences of a future where your mobile device is used for your personal authentication everywhere by everybody. [0]

[0] https://www.nytimes.com/2017/02/13/business/dealbook/banks-l...


I've worked a bit in the industry and around the industry; the worrying thing for me is that it doesn't seem to be working for anyone apart from equifax/experian/call credit.

I have separately worked with one of those companies with a client and their IT staff were utterly incompetent (I won't say which). Loads of different sites, lots of little fiefdoms, utterly inconsistent security policies on each site, blaming everyone but themselves because only half their sites could access a video on a major commercial video provider (not-youtube). We ended up having to host it on AWS cloudfront as none of them had blocked it yet. Their sharepoint could only host a 50mb file, which made their CEO look like a blockhead in the 20 min high def video.

Utterly incapable of hosting a simple video file so all their staff could access it in 2010.

I've also worked with a company one of those companies acquired for $100 million+, holding millions of people's personal details in the UK, with some very sensitive data. Some of the worst IT engineering I have ever seen, a bunch of tools written by the worst out-sourced IT teams I have ever seen (if you've ever worked with C#, these idiots made a project per .cs file. Yes, PER CS FILE. They also wrote the worst SQL I have ever seen, all of the stored procedures seemed to be duplicated but the duplicates had op_ before them. I eventually realised the op_ stood for optimized! They were still terrible and half the program used one set of SQL, the other half the optimised. Whenever I re-wrote one of these 'optimised' queries, I usually knocked it from seconds to milliseconds. Outsourcers in the noughties really did suck that bad, young 'uns).

We've given up huge amounts of privacy, but the scores are utter bullshit and the 2008 crash showed what a load of nonsense they are.

A friend even told me at uni he'd got a £1000 loan out to get a good credit rating. You just put the money in an account, pay the capital off every month, lose a little bit of interest and in 2 years you have a shiny credit rating even though it means zilch.

equifax/experian/call credit basically get given all our personal spending habits for free, sell it on to everyone else for crazy money, don't add anything to the economy and as far as I can tell, are a huge security hole.

EDIT: Another anecdote on how incompetent these people are, a couple of years ago someone used my details to scam a few free phones. I got alerted to it when I started receiving insurance contracts for those phones in the post. The phone companies sorted it pronto, almost immediately admitting they'd been scammed, but I wanted to make sure my credit rating hadn't been trashed. In the UK these agencies must provide you with a credit report for a nominal fee so you can check for incorrect details, so I applied to the big 3.

One of them accused me of trying to hack their system because I'd forgotten a security question, eventually told me to fuck off after passing through various layers, then sent me a letter saying they'd detected a hacker trying to access my details. No, you idiots, that was me. Still never got my report from them.

Yes, they still use security questions.


> You just put the money in an account, pay the capital off every month, lose a little bit of interest and in 2 years you have a shiny credit rating even though it means zilch.

I don’t really get that - doesn’t it mean that the person who took a loan is relatively responsible and was able to pay their loan back on time?

Any system can be gamed, but I don’t get the impression that credit agencies are attempting to eliminate all risk - after all, it’s obviously possible that someone who has had perfect credit for years might simply run away with your cash! But the system doesn’t have to be perfect, or detect all outliers, to have value.

It seems intuitively obvious that lending to someone who is frequently late with credit repayments is riskier than lending to one who isn’t, and this is the mechanism by which that information is shared.


For £100 you get a shiny credit rating for no risk. That'll get you a mortgage for £100,000s.

In the 60s/70s it was about knowing your bank manager, so he knew you'd be able to pay. I appreciate that it probably benefited a certain type of person, but the new system probably has the same prejudices built in. Now it's all about the ephemeral and easily game-able credit score. Until a few years ago you would get negatively scored for not having a landline.

These scores are utter bullshit, they're simply about if you haven't screwed up yet, they're not actual assessments of your ability to pay or the risk you've exposed yourself to.

Again, I worked in the mortgage industry before the Northern Rock collapse; brokers used to be able to go to those guys and openly fudge people's incomes by calling them self-employed, they had a good credit score so no-one blinked an eyelid, get a 105% mortgage, and then lo-and-behold, the bank collapsed. Yes, part of it was that they lost their access to easy bank credit, but another part of it was they lent to hugely risky people.

As a slight aside, my bank was willing to lend me crazy credit card money a few years ago because for 10 years I never missed a payment. In reality in those ten years I went through a patch of being the most business-un-savvy freelancer ever, selling myself at a stupid rate and not putting enough aside to pay my tax bill, to the point where I had to get a loan from a parent to pay it. I was flat broke, almost bankrupt, and these people were willing to lend me almost 9 months of my income.

I was not a good risk.

But because I paid on time for X years before, I was to the credit agencies.


> I was not a good risk.

Banks are using actuarial science to make loans. You were (possibly) an outlier. That doesn't matter. All that matters is that their risk models work in aggregate. If they're right enough of the time, they profit. It doesn't have to be perfect.


They had to be bailed out, remember?


> In the 60s/70s it was about knowing your bank manager, so he knew you'd be able to pay.

You do recognize how terribly inefficient that is, right? In this day and age it's all about scale. Expecting a bank manager to have a financial profile of all the clients using his firm is impractical.

For all its faults, the credit reporting agencies are providing a service. It's not perfect and I think it's the best they could do with the information available to them. I expect they will improve their score though once they start incorporating signals from social media and other sources.


In reality the new credit agency model's been tested once, and it failed.


> You do recognize how terribly inefficient that is, right? In this day and age it's all about scale.

Is it, tho'? It is well known that IT doesn't improve productivity[1]; all the benefits of automation get swallowed up in the extra people needed to support and maintain it. So we can assume that the ratio of bank employees to bank customers has remained constant over time. So actually there's no reason for banks not to operate the old personal-relationship model; they would need to employ the same number of staff to do it, just locate them in branches rather than at head office.

[1] http://www.computerweekly.com/opinion/McKinsey-Why-IT-does-n...


> I was not a good risk.

But you were- you had access to a parent with money to bail you out.


> I don’t really get that - doesn’t it mean that the person who took a loan is relatively responsible and was able to pay their loan back on time?

That's probably the reason why it would increase one's credit rating in a positive way. I have no doubts about these systems being broken in such a way that they consider people who take on credit, paying it back in time, as more "credit-worthy" than people who never needed/wanted to take up a loan.

A bank obviously wouldn't want to miss out on the first group of people, while they couldn't care less about the second group of people from which they make no money in the form of interest.

It's also interesting how these kinds of rating systems seem to be "broken" all over the world. In Germany there is "Schufa", which is not a bank but basically a private company with a de-facto monopoly position in regards to credit ratings in Germany and they are quite infamous for mixing up people and thus giving them a negative rating, often without the people noticing until it's too late and their negative credit check denied them access to a rented flat/credit whatever, after which it's their responsibility to get in touch with Schufa to clear up their misidentification.


> In Germany there is "Schufa", which is not a bank but basically a private company with a de-facto monopoly position in regards to credit ratings in Germany

Just for anyone from Germany reading: There are multiple, less well known agencies that are used by banks and others as well. They are definitely worth keeping an eye on. I will only mention Creditreform Boniversum, Arvato Infoscore, and Bürgel.


What Alice is the victim of is slander, not fraud or identity theft. The bank lent some money to someone who claimed to be Alice (though the bank only relied on the fact that that person knew Alice's SSN as proof of that fact). Then when the bank didn't get paid back, they told a bunch of credit check bureaus that Alice was a credit risk. This was a lie about Alice, which has a material impact on Alice's reputation. The credit agencies then go ahead and repeat that slander.


This is a great description of what is going on with "identity theft". I don't usually like changing the name of something to try to push an agenda, but calling "identity theft" "bank slander" would be a good idea.


So presumably a class action lawsuit against the reporters for slander? Might depend on specifics of the law... Maybe it's time for a better credit reporting agency startup.


Especially if a very large class action lawsuit was started from this.

Calling all identity thief peeps....


You mean slander by banks, not slander of banks. The term you propose is ambiguous.


Defamation laws differ by state, but in NY for example, I believe libel (slander refers to oral defamation) requires that the perpetrator knew, or should have known, that the statements were false.

The question would then become whether the bank's identity verification procedures satisfy that burden. I think it would be a difficult endeavor, but it would be good to see it tested.


Yes, libel is correct.

They absolutely should have known it was wrong -- their business is lending money to people! If their procedure is insufficient, they should have fixed this.

I would love to see the banks sued for libel, a massive class action suit. There are real monetary damages that one could put a number on, and the difference between a bad and a good 30 year mortgage will be a big number.


Well, yes, Alice is the victim of slander, and the bank is a victim of fraud. But the important point is that neither of those imply that Alice is responsible for anything.


I haven't dug too deeply into this, but a defamation claim under state law would probably be pre-empted by the Fair Credit Reporting Act. You mostly can't sue them unless you can prove they defamed you with malice or with willful intent.

https://www.law.cornell.edu/uscode/text/15/1681h

In this case, maybe you could have a shot by arguing that since the bureaus know that like half the population's information was stolen, they are acting with reckless disregard for whether their statements are true if they don't now do additional investigation to confirm the identity of the subject of their statements in order to mitigate the effects of the breach.


Hmm, I guess you could call it slander if the person and the dossier were perfectly interchangeable. But all the institutions know is that someone has been failing to pay back loans that were issued based on the information in a dossier. After a series of fraudulent loans to "Alice Doe, SSN 123-45-6789" (the file, not the person), when some random shows up at Yet Another State Bank and tries to take out a loan under the same credentials, the credit reporter is right to warn of the risk. They don't know if Human Alice is a risk, but Paper Alice definitely is.


That distinction holds up only if real Alice isn't inconvenienced in any way.


She would be inconvenienced, but that doesn't mean she was slandered.

If someone steals Alice's car and commits a hit-and-run, she will be inconvenienced when the cops show up at her door, but the person who reports her plates won't be committing slander.


But if a newspaper reported that Alice was a murderer because her stolen car was involved in a hit and run, that would be libelous.


If they said they had received word that the car was registered to Alice, that wouldn't be libelous. If they said she was the driver, that would be libelous. If she was charged with murder and they said she was an alleged murderer, that wouldn't be libelous.


Wow, I learned a ton from this comment. I would have never come up with this on my own.


Technically since the defamation is written rather than spoken, it is libel, not slander. :-)


"Now back when I worked in banking, if someone went to Barclays, pretended to be me, borrowed £10,000 and legged it, that was "impersonation", and it was the bank's money that had been stolen, not my identity. How did things change?" https://www.lightbluetouchpaper.org/2017/08/26/is-the-city-f...


Brilliant Mitchell and Webb from the comments there:

https://www.youtube.com/watch?v=CS9ptA3Ya9E


Agreed. Thought experiment: suppose instead that Fraudster convinced Alice that he represented BigBank, and so Alice was duped and gave her money to Fraudster thinking she was depositing into BigBank.

The only thing she could expect from BigBank was politeness while explaining to her that she was duped. If it's a very friendly bank, she may tie up a manager for a couple hours, but that's it. If she keeps coming back, she'll soon be escorted out by security, or the cops.

Now, what if she started falsely telling others that BigBank took her money, and that significantly affected BigBank's reputation? Are we talking jail time, or just civil penalties?


> Now, what if she started falsely telling others that BigBank took her money, and that significantly affected BigBank's reputation? Are we talking jail time, or just civil penalties?

Probably not jail time, and perhaps not civil penalties. Even civil defamation in US law generally requires knowing falsehood or reckless disregard for the truth, not just mere falsehood, and criminal defamation, where it exists, tends to have high . Unless the bank had provided concrete evidence so solid that it was unreasonable for her not to believe their denial of responsibility, there would likely be no legal wrongdoing.


An even more analogous experiment would have Alice take out a mortgage with BigBank, then receive a fake notice of debt reassignment to BiggerBank, which is actually Mallory. Alice makes mortgage payments to Mallory for many months. Now BigBank is wondering why Alice fell behind on her mortgage.

Who's the victim?


> Are we talking jail time, or just civil penalties?

Jail time could be a possibility depending on jurisdiction. In the US, a handful of states have criminal defamation statutes - https://en.wikipedia.org/wiki/Defamation#Criminal_defamation...


This is actually quite eye-opening. Thank you for that.


This is very clearly what's going on. Fraud is uncommon enough and the cost of fraud to the banks is smaller than the cost of reducing the velocity of money and loan-making, so the problem will never get fixed so long as it depends on the banks to initiate the fix.


Work at a financial firm and have built a bunch of identity theft detection features. Curious what your fix would be. Identity theft and friendly fraud losses are in the tens of billions annually, and identity verification services are a huge industry.


I've never talked about this with anyone who knows the industry so it may be stupid in some obvious way, but I would gladly accept the inconvenience of having to go to my bank in person, carrying official ID, when opening lines of credit, if it would make the whole process secure. Banks could serve the process of relatively slow but reliable authentication for specific financial transactions, and communicate those authorizations to each other. Individuals who need more flexibility could opt out or do something more complicated, at the cost of some risk.

There's some cost to this, but I still suspect quite a few people would accept it.


My information was used to open a fraudulent mortgage loan, then when I asked my bank to not allow opening credit lines or transfers online was told "we can't do that!"


Time to fire your bank.


That's how traditional banks work. You walk into Chase with your government ID to open up an account. It doesn't work. You can get high quality forgeries of government IDs made in China and there's no public DB to verify information on the card. The RealID requirement for states to open up their driver license DBs only applies to government agencies (e.g. TSA).

Also would you want to go in person to signup for paypal, venmo, etrade, betterment etc?


> Also would you want to go in person to signup for paypal, venmo, etrade, betterment etc?

Honestly, maybe that wouldn't be such a bad idea. A well-designed system would probably wind up contracting the post office for ID verification for online services (since in my country at least, they do a pile of random related stuff).


Some thoughts in response to comments:

1. The bank should capture the ID you used the first time you entered and do comparisons. They should also capture your ID when you come in again. This will raise the difficulty of impersonating you and the risk the criminal takes.

2. One thing I didn't think to say, because my bank only exists in North Carolina: geography should matter. If you live in a particular city, opening an account from another state should be seen as suspicious, and merit greater checks. This is the kind of thing some people should be able to relax, but it's probably a good default for most of us.

3. Should I have to go to my bank for PayPal, Venmo, Betterment, eTrade, etc? Those cases don't all sound the same to me. But here's what I'd consider: how often is a person going to need to do this, and does the activity involve requesting credit? We've currently optimized almost exclusively for convenience at the expense of security. I'm proposing that we shift that balance a bit.


This is basically what Vanguard does if they get suspicious about your account security. Basically you have to show up at a notary with photo ID and get a form notarized.


>carrying official ID

It's probably not hard to forge a social security card and birth certificate if you have the relevant information. From there, a state ID (or maybe even passport) should be possible to get. I don't believe there is any biometric security on either. A determined identity thief might go that far.


> A determined identity thief might go that far.

This is the old "because a solution is not 100% effective, it's not good" chestnut. This solution would cut down on the theft by over 90%, I'd venture, probably more like 98%. There is huge difference between perpetrating a crime from the safety of a computer and physically walking into a bank to commit it.


$16 billion was stolen from 15.4 million U.S. consumers in 2016, compared with $15.3 billion and 13.1 million victims a year earlier. In the past six years identity thieves have stolen over $107 billion.

http://www.iii.org/fact-statistic/identity-theft-and-cybercr...


The thief would have to physically resemble the victim's photo, height, age, gender, etc, which is some added defense in depth. For instance it would be hard for most males to pass themselves off as a typical female.


> The thief would have to physically resemble the victim's photo

Why? Show up to a government station with your birth certificate, SSN, some telephone and utility bills, and they'll take the thief's picture and put it on an identity card with your name on it.


That sounds incredibly bad for a first-world country. If that was the case, I'd argue that the entire country is in collapse. As you then have no control over foreigners impersonating locals and manipulating something as serious as elections, never-mind bank-fraud.

Edit: Point being, this needs to be fixed ASAP if you are to move your country into the future. Fix the regulatory/state hurdles that prevent it from happening, and get yourselves National Identification that's secure. Things will flow positively from there.


They don't use the SSN to check for prior IDs issued by other states and/or the Feds, and compare the applicant's photo/gender/age/height/eye color, etc to them first?


There's no network between all the systems.


About twenty five years ago a bank allowed someone to cash checks with my name on them with all the correct account info on them as well, but was a different race and gender than I am (the banks had video of the customer). They did this about a dozen times for checks for what I assume was just under the amount that would flag it (about $2000) to empty my account over the course of about an hour, using different drive throughs at different branches in Houston, I lived in Austin at the time and had never visited a branch in Houston.


The big architectural flaw is that when I as a consumer prove my identity to company A, that gives company A enough information to impersonate me to company B. Or equivalently, it can give a rogue employee at company A that power, or anybody who hacks company A's database.

The solution is asymmetric cryptography, wherein identity is tied to a public/private keypair, and I can prove I have the corresponding private key without giving the other party the ability to impersonate me. Ideally, the government wouldn't know my private key, either, rather they would just give their own attestation that a given public key is owned by a person with a given name, DoB, SSN, and biometrics.

Along similar lines, any financial account would have its own keypair, with moving money out of the account requiring signing with the private key.

The state of cryptography today is way too obtuse for this to work right now, but I think it could be made more user friendly with specialized hardware to hold the keys and perform the encryption.

The idea that SSNs are secret, but we hand it out to half a dozen organizations is absolutely ludicrous.
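The keypair-plus-attestation design sketched in the comment above, written out as an added example in Go (this is not code from the thread or from any of the companies it mentions). Assumptions: Ed25519 for both the issuer and the holder, a SHA-256 digest with a label for domain separation, a constructed attribute blob whose encoding the thread never specifies, and made-up verifier IDs. The point it demonstrates is the one the comment makes: proving to company A yields nothing that lets A, or whoever steals A's database, impersonate Alice to company B, because the proof is a signature over B's own identity and fresh nonce, and the issuer's attestation cannot be minted without the issuer's key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Attestation: the issuer (government) signs a binding between a public key
// and the person's attributes. It never sees the subject's private key.
// Attrs is an assumed canonical blob (name, DoB, hashed SSN); the thread does
// not specify an encoding.
type Attestation struct {
	SubjectPub ed25519.PublicKey
	Attrs      []byte
	IssuerSig  []byte
}

// Challenge is what a relying party (bank, lender) sends: its own identity
// plus a fresh nonce. Both are bound into the signed message, so a proof made
// for company A is useless at company B.
type Challenge struct {
	VerifierID string
	Nonce      [32]byte
}

// digest hashes a labelled message; the label keeps attestation signatures
// and challenge signatures from ever being confused for one another.
func digest(label string, parts ...[]byte) []byte {
	h := sha256.New()
	h.Write([]byte(label + "\x00"))
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

func IssueAttestation(issuerPriv ed25519.PrivateKey, pub ed25519.PublicKey, attrs []byte) Attestation {
	return Attestation{pub, attrs, ed25519.Sign(issuerPriv, digest("id-attestation-v1", pub, attrs))}
}

func NewChallenge(verifierID string) Challenge {
	c := Challenge{VerifierID: verifierID}
	if _, err := rand.Read(c.Nonce[:]); err != nil {
		panic(err) // no entropy: refuse to issue a challenge at all
	}
	return c
}

// Prove runs on the holder's side (ideally a hardware token): only a signature
// over this specific challenge ever leaves the device.
func Prove(holderPriv ed25519.PrivateKey, c Challenge) []byte {
	return ed25519.Sign(holderPriv, digest("id-proof-v1", []byte(c.VerifierID), c.Nonce[:]))
}

// Verify accepts iff the issuer vouched for the key/attribute binding AND that
// key signed this verifier's own challenge.
func Verify(issuerPub ed25519.PublicKey, att Attestation, c Challenge, proof []byte) bool {
	if !ed25519.Verify(issuerPub, digest("id-attestation-v1", att.SubjectPub, att.Attrs), att.IssuerSig) {
		return false
	}
	return ed25519.Verify(att.SubjectPub, digest("id-proof-v1", []byte(c.VerifierID), c.Nonce[:]), proof)
}

func genKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Scenario replays the thread's setup. It returns: did company A accept
// Alice's honest proof; did company B accept A's stored transcript replayed
// against B's challenge; did B accept an attestation minted without the
// issuer's key for an impostor's keypair.
func Scenario() (acceptedByA, replayAtB, forgedAtB bool) {
	issuerPub, issuerPriv := genKey()
	alicePub, alicePriv := genKey()
	attrs := []byte("Alice Doe|1980-01-01|ssn-hash:constructed-sample") // constructed
	att := IssueAttestation(issuerPriv, alicePub, attrs)

	chA := NewChallenge("company-a.example")
	proofA := Prove(alicePriv, chA)
	acceptedByA = Verify(issuerPub, att, chA, proofA)

	// Everything company A holds (att, chA, proofA) leaks; B receives a replay.
	chB := NewChallenge("company-b.example")
	replayAtB = Verify(issuerPub, att, chB, proofA)

	// Impostor knows Alice's attributes but not the issuer's private key.
	_, fakeIssuerPriv := genKey()
	malPub, malPriv := genKey()
	forgedAtB = Verify(issuerPub, IssueAttestation(fakeIssuerPriv, malPub, attrs), chB, Prove(malPriv, chB))
	return
}

func main() {
	a, r, f := Scenario()
	fmt.Printf("honest proof at A: %v, replay at B: %v, forged attestation at B: %v\n", a, r, f)
}
```

Note what the verifier learns: a public key, an attribute blob, and one signature it asked for. None of that is reusable, which is exactly the property the SSN lacks.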


Verify that person's biometrics against the national database? I know that's what's happening in South Africa, a third-world country:

http://www.htxt.co.za/2015/09/16/this-is-how-banks-and-home-...


Banks carry the risk like they do for credit cards, consumers carry $100 of the risk and the risk to their credit rating.


Change the way checks are issued/redeemed. Right now the customer is on the hook for 7 years because a check isn't cleared until it goes back to the bank that issued the check. The customer thinks by seeing the money in the account the check was good and can clear a sale. The reality is the bank can take that money back if it is later determined to be false/fake.


> customer is on the hook for 7 years

7 years? Are you sure it's not something like 7 days?


It takes 7 years for a bankruptcy to clear your credit record in the USA.


Not just bankruptcy. Banks and businesses contract with check verification companies such as ChexSystems. I had a friend who bounced a check and it took him a few weeks to reimburse the bank. By then the bank closed his account and reported him to Chex, who put a 5 year hold on his ability to get another checking account through any bank that used Chex verification (> 90%), essentially blackballed.


That may be so, but the GP was talking about the time it takes checks to clear. IIRC, uncashed checks aren't even valid after 180 days, let alone 7 years.


Ten, I think. Ten years. Or should I dispute that with the credit-reporting agencies?


Negative credit information falls off after 7 years from date of first delinquency.

Always dispute negative credit items; more likely than not, it won't be verified and is usually removed. Otherwise, wait 7 years and then dispute again.


Paper checks are going away. Some of the online banks don't even support them. ACH allows only 60 days to claw back the money (disputes) and with the same day clearing requirement we can get rid of 2-day holds.


What are they being replaced with? Yeah, as a young renter I went years without using a check. When buying a home last year I had various inspectors during the process. After buying, I've had electricians, plumbers, contractors, locksmiths, and other consultants. I think one gave me a bill and accepted credit card. The rest preferred checks (to be fair, I didn't seek other forms).

I've tried all sorts of p2p methods over the years. All of the banks are too confusing, obscure, or too limited (i.e. only within their bank). Paypal and credit cards charge a not-insignificant fee. Venmo or Square Cash work fine if your group of friends accept them--but more than half the time, they don't for me.

I often do ACH transfers between my own accounts, but the first time I set it up I cringe a little bit and cross my fingers. It sucks waiting the 2 or 3 days to see something. I can't see small businesses accepting ACH as payment because they want something in hand. If we had the setup I've heard about in Britain or Europe, I can see checks going away, but with as much churn as I've seen in this space in the 20 years since Paypal, nothing seems to stick.


> I've had electricians, plumbers, contractors, locksmiths, and other consultants. I think one gave me a bill and accepted credit card. The rest preferred checks

Try cash? I use cash for almost all transactions like that and have never been turned down :-)


Cash is nice, but the main point of banks is that I don't have to carry a bunch around. I honestly didn't even use an ATM or carry cash for years. I started carrying cash only when my job reimbursed me for parking (and they only accepted cash). It's also nice for bookkeeping. I can write the account number or purpose on the check itself.


For some, it might be walmart. Previously, on hn https://news.ycombinator.com/item?id=8361329


Exactly.

Eve lies to Bob, and tells Bob she's Alice. Bob asks Claire, who says "Yes, that's Alice." Bob gives Eve money, and Eve runs off.

This should not be Alice's fault, responsibility to solve, or problem to deal with. It is, because Bob is much, much more politically powerful than he ought to be.


>It is Experian, Transunion and Equifax, by holding this fraudulent loan against Alice, who are victimizing Alice.

I think you're confused. It's BigBank that's falsely placing a debt burden on Alice. The credit reporting agencies are only reporting what they are told. Imagine if Alice doesn't care about her own credit worthiness. Let's say she has no debt, and no intention of acquiring debt. What happens if the criminal tricks BigBank? They say, "Alice, you owe us this money." Alice tells BigBank, "No, prove it or pound sand."

What happens then? BigBank goes to the court and tries to get a judgment against Alice for the money owed. If Alice isn't aware of the proceeding, the judge will grant BigBank's request, and now Alice will owe BigBank the money stolen by the criminal.

BigBank's poor authentication and the judicial branch are the ones doing the real harm to Alice. If anything, the credit reporting agencies are providing value to Alice by warning her before BigBank goes after her in a secret proceeding and makes the debt hers.


What actually happens:

1. Alice does have debt, and does intend to acquire debt in the future, like most people. The presence of this fraudulent debt in her credit report makes credit more expensive and hard to get.

2. Before filing suit and going to court, BigBank makes persistent but usually polite attempts to collect. But when she says "that wasn't me" they don't believe her, because lots of deadbeats say that sort of thing too.

3. Perhaps BigBank sells the debt to a collection agency, which is far more aggressive and (willfully?) ignorant of laws regulating how and when they can contact Alice. Perhaps they call Alice's employer, threaten to garnish her wages (even if they legally can't), or lie about Alice's ability to contest the debt.

4. If Alice is determined enough to keep fighting and go to court, she has still sunk significant time and money into fighting this. It's unlikely she'll be compensated fairly for that.

I agree the credit reporting agency is in some ways helping Alice, and would add that these agencies probably do reduce the rate of fraud overall. But they also have a responsibility to do a good job minimizing errors. We can't expect them to never make a mistake, but they should have some skin in the game when their inaccuracies hurt a credit applicant.


Step 3 is the insidious part. If Alice files a paper with the reporting agencies, they're required to remove the false report. But the collection agency will just as persistently file an equal but opposite paper to reinstate. The reporting agency is legally caught in the middle of he said, she said. And if asked for proof? The collection agency says BigBank told them Alice owed it, and sold them that debt. So now the originator of the loan has harmed the collection agency as well as Alice.

Don't kill the messenger. The credit reporting agencies are doing what they are obligated to do in that business. There need to be penalties for BigBank beyond the money BigBank lost in the scam perpetrated by the criminal.

Blaming the credit reporting agencies for bad credit reports is intellectually lazy. Blaming them for garbage computer security is much more appropriate in this story. A more interesting discussion here would be about the technical details of the hack.


If the credit reporting agencies wish no responsibility then for all practical purposes they are a database table, nothing more. In that case they must offer their services along the same lines as AWS or Google Cloud. That is, the guarantee is only on infrastructure uptime and availability and not on the quality of information. Note that even in this case, a level of liability regarding security is on them.

If you wish to provide a service with a level of guarantee, responsibility and liability comes along with it.


It isn't BigBank warning her.. it is the collection agencies, but that's just semantics.


That's exactly the point. BigBank isn't going to warn anyone. It's just going to seek judgement, or sell the debt to shady collectors and write off the difference.

https://www.nytimes.com/interactive/2014/08/15/magazine/bad-...

Think about the credit reporting agencies as a rather sloppy "master list" of who owes who money. It seems what is needed are stiff penalties for banks and collection agencies who falsely claim they are owed money. Until then, you can't live in peace. Someone is going to claim you owe them money if you have any money yourself.



The credit agencies report what has been told to them by BigBank. Once the fraud is detected BigBank should update them that Alice does not in fact have a $10,000 loan with them and it would then be removed from Alice's report. If the loan has been determined to be fraudulent and it has not been removed from her credit report, BigBank is victimizing her, not the credit agencies.


> then be removed from Alice's report.

That's a long process (5+ years sometimes).


If the creditor that reported an account to a credit agency then sends a request to have the account removed it happens right away.


There's a nice comedy sketch on this point by Mitchell & Webb: https://m.youtube.com/watch?v=CS9ptA3Ya9E


Clearly, both the bank and the individual are victims of the crime.

Generally speaking, the impact to the customer is usually greater, as bank business models aren't dependent on every loan being repaid. Consumers stand to lose money directly and lose the opportunity to access capital.

The credit agency or anyone else who has a breach is usually a negligent third party.


They are victims of very different things though.

The bank is a victim of fraud.

The individual is a victim of impersonation by the borrower, and slander by the bank and credit agencies.


The individual isn't in any way a victim of the crime. A bank used some information presented to them to conclude that they were dealing with Alice when that information was objectively not sufficient to justify that conclusion. That has absolutely nothing to do with Alice. Alice is victimized in the next step by the bank when the bank claims that it somehow is Alice's responsibility that they took someone else for Alice.


Not sure how the individual is victimised by the fraudster here. If the bank had a 100% success rate at detecting fraud with no false positives and no false negatives, then the individual wouldn't need to know and likely would never find out about the impersonation attempt.

The individual is victimised by the bank and the credit reporting agencies by their spread of misinformation.


In some countries when you sign for a loan or a card you get your picture snapped. But then this measure would stick banks with the loans and not the consumer.


"Mitchell & Webb Sound - Identity Theft"

https://www.youtube.com/watch?v=CS9ptA3Ya9E


This may damage Alice's reputation temporarily; however, once the bank determines that it has been defrauded, it should mark the loan information as inaccurate.

I believe the Fair Credit Reporting Act allows Alice to remove inaccurate information from the report?


Agree with your point on Experian absolving itself, but there are many scenarios in which Alice is also the victim of the thief. With enough info about someone, you can steal digital assets too.


This argument is akin to splitting hairs. The fraudster who applied for the loan against BigBank was at fault. The BigBank accepted the Fraud and reported it to the credit agency. The Credit Bureau reports/includes the data provided by BigBank; it's what they do.

If there is a dispute between what BigBank says and what Alice says, it's not necessarily so easy to resolve, and that's the position the Credit Bureau has to deal with.

To absolve the fraudster of the primary fault is ridiculous. That said, this is the problem with difficulties in identity verification, we all want privacy and security at the same time. While they are not mutually exclusive, having both is much more complicated than one or the other.


If it was on the BigBank to always prove that their identity was indeed stolen, it would quickly become unmanageable. People would commit fraud in the opposite direction, by getting a huge loan from some bank and claiming that their identity is stolen. I'm sure it would be easier than stealing someone's identity to do it, and it would obviously involve some necessary actions to avoid being caught, but this would drive loan rates through the roof for the average citizen to make up for all the fraud occurring. I agree with you ideologically, but in practicality I do not believe it would work.


This would obviously drive the BigBank to collect some better evidence that the person applying for the loan is who they say they are, which is exactly the incentives we want here.


In that case banks would just have to verify who they were giving money to before they start handing out loans. That doesn't sound particularly unmanageable to me.


I wish I could remember details, but a cofounder or single digit employee of an acquisition Equifax made elected to forgo their earn out, because they were opposed to working in any capacity for Equifax. I think that they were somehow bullied into revealing their reasoning, to escape penalties in contract (which in any event were unlawful in the UK; I heard this from an employment attorney friend who has super reported cases, i.e. those which established new law). They were immediately snapped up by a startup in VA. Equifax managed to suppress their credit file completely, preventing them from even renting an apartment for at least a year, and I believe it was a year before they had been even recognised by a US reporting agency and could open and operate a checking account. This was picked up by The Register, which was then still Mike Magee's baby, so honourable 1., 2.. I can't find a link from my phone, but even if you never believe me the actual events happened, I bet you had a thought that you would not be surprised if it happened more often.

1. (added to qualify that adjective "honourable", which I apply to individuals, not companies, and individuals who risk sacrifice without burdening others. My career is in advertising and I am truly impressed when publishers are able to maintain standards that are able to raise their costs of sales. A large publisher may not lose an account, but the sale often consumes expensive energy, even only to explain why policies exist. I work far from such high sensitivity issues, as does the company I started around the time of this recollection.)

2. Last I spoke to Mike, he was telling me how he simply was never issued his shares in "ElReg", and he was long enough into The Inquirer to think that Limitations applied. But Limitations 80 runs from the time of discovery of tort, not the event of tort. Before the chance arose to catch up and establish facts, Mike had passed away. RIP a great man and two great journalistic servants to the IT community. I did not establish the facts that were alleged, therefore my statement is hearsay, but protected by the statutory defence of genuine belief, and I always had faith in my source.

Edit: italics removed from footnote, "earn out" replaced typo "earnings", and "great man" replaced "good man". Mike was exceptional and altruistic to a fault.


very well said!!


BigBank is the only one in your scenario that actually has a monetary loss, since they lent out the money and most likely will never get it back. In identity theft, the company has the financial loss. The FBI won't investigate unless it's over 250k in losses as well.


You certainly can quantify the monetary losses to Alice too. When her credit rating is shit and she buys a car or home, the banks are expert at placing those rates and can tell you exactly how much more she pays. What is more difficult is calculating the loss of what she doesn't even do due to bad credit, like she might not be able to rent the same apartment, she might not even try to buy a car.

She may not have to pay that bank loan back but that doesn't clear her credit up immediately.


Fraud isn't limited to credit. My dad had someone open a savings account in his name and transfer a significant amount of money via ACH. He only found out because he got a welcome or from the bank!

The police investigator told him that the particular fraud that he was a victim to was impacting >500 people and >$5M


Pretty twisted world where provable financial loss is the only or main measure.


> It is Experian, Transunion and Equifax, by holding this fraudulent loan against Alice, who are victimizing Alice.

Credit Reporting agencies report the data passed to them by companies such as banks. In your scenario BigBank thinks it's given a loan to Alice, and when they don't get repaid, report that to the CRAs. Alice is a victim of the thief because her identity was appropriated to secure the funds. BigBank is a victim of the thief because they were defrauded. The CRA is a victim because they were just reporting the information that was provided to them in good faith by their customer BigBank. So saying that the CRAs are "victimizing" Alice is completely false.

Alice bears the burden and risk of clearing her name, just as a victim of car theft bears the burdens of reporting the crime, getting another vehicle, dealing with any outstanding loans, etc. These burdens are inflicted by the thief, not the bank or CRA.

> perpetuated by the credit reporting agencies as a way to absolve themselves of responsibility, [...] and to avoid realistic identity-verification which might slow or complicate the practice of issuing large amounts of debt to the general public.

This completely misunderstands the role of a CRA. The CRA doesn't have to verify identity, it's up to the credit grantor to ensure they are dealing with the person they think they are.


Your comparison is bullshit. I have control over how I secure my car from being stolen. It's complete nonsense to equate that to me being responsible for a bank's failure to protect themselves against fraud where I have no power whatsoever to influence how the bank secures itself against fraudulent loan applications.


Your statement is nonsense. Regardless of your efforts, the best you can ever hope for is to minimize the chance of your car being stolen. You can never prevent it completely. If your car is stolen in spite of your best efforts, are you at fault? Do you still have to deal with the consequences as a victim of that theft?


When someone takes out a loan in someone else's name, the only theft that truly occurs is the imposter stealing money from the bank it duped.


Which thus makes it equivalent to a scenario where you have no power to influence things whatsoever?


Which makes your statement (that you have sufficient control to prevent the possibility of theft of your property) completely invalid. You can do everything right, and through no fault of your own have things go wrong.


> Which makes your statement (that you have sufficient control to prevent the possibility of theft of your property) completely invalid.

Luckily, I didn't say that.


> I have control over how I secure my car from being stolen.

Really? Those were your exact words, in the context of claiming that your ability to secure your car made the comparison to identity theft invalid.


Yes, really. Having control over how I secure my car does not in any way imply that I can guarantee success. However, as a matter of fact, you can essentially get arbitrarily close to that, it's just a matter of your effort. Which is in contrast to banks being defrauded and blaming me for it, where I can not do anything about how the bank protects itself against the fraud.

The problem is that the power to do anything about the problem and the blame is not aligned, which leads to a situation that is equivalent to the bank leaving the key in the ignition of the unlocked car, not allowing you to change anything about that setup, and then expecting you to foot the bill when the car inevitably does get stolen.


Do you really not understand the difference between having control over something and being able to guarantee it?


I strongly encourage anyone in the US to put a full credit security freeze on all three credit agencies. When a credit freeze is in place, you still have access to all of your existing loan accounts and whatnot (e.g. credit cards), but lenders cannot access your credit to open new accounts unless you want them to.

It's not difficult nor expensive to do, and the freeze lasts until you decide to revoke it. Whenever you need to allow access to your credit (credit check for rent, taking out a loan, etc), you can temporarily lift your credit freeze for a small fee. The fees associated with this are going to be much cheaper than any of the professional "identity protection" services that exist out there, and the freeze is significantly more effective at protecting you.

When a company leaks your social security number and personal details, which almost certainly will happen at some point if it hasn't already, then opening fraudulent accounts in your name isn't the only risk you face, but it's an obvious and dangerous possibility that can ruin you financially or make you spend a considerable amount of time and energy fixing the situation.

For every person in the US with kids, I also strongly suggest that you freeze their credit as well. There's no good reason for your 13 year old to take out a loan, but identity thieves don't care about how old their victim is.


At this stage, if you have to pay the company that leaks your own data to prevent it from harming you, it starts to sound like protection racket.


It is a protection racket that shifts the risks and costs from the financial system to consumers.


Same with chip and pin here in the UK


At least you get the pin as well. We just have chip, and it does ~nothing.


I have heard of no cases where liability has been shifted in that way.


There is strong evidence for it here: http://www.cl.cam.ac.uk/~sjm217/papers/oakland14chipandskim....

And regardless of whether you claim the evidence is inconclusive, it is simply not acceptable to dismiss a known vulnerability in something important by saying "I don't know of any case where it has been exploited yet."


That's explicitly not what I said.

I know that flaws have and will continue to be discovered in those authentication systems, and also that a theoretical shift in liability occurs. Any bugs will need to be fixed, and that's important. But you can't ignore the situation in practice – liability is not being shifted, and all UK banks and credit card providers are pretty happy to refund fraudulent transactions regardless.


It is good to hear that UK banks are apparently no longer shifting liability, but this case, and others, show that banks were shifting liability until it was irrefutably demonstrated that the system was not as secure as they claimed. 'Liability shift' is not a term invented by conspiracy theorists: banks were explicit about this being a primary goal of EMV, so it does not require a leap of faith to accept that it happened. Sadly, neither is a leap of faith required in accepting that the banks' first response to evidence of weaknesses was to deny their exploitability.

Does your statement about UK banks no longer shifting liability apply in cases of fraud against merchants?


They only refund credit card transactions if suspected as fraudulent. Debit card transactions are held and investigated. I've had a card ripped and lost £500 permanently because the bank decided I had made the transaction. I had to small claims them to get it back. I have seen at least three other people lose against the bank.


Exactly. All it does as far as I can see is flag the transaction as card holder present. The PIN is easy to steal as well evidenced by the number of fake reader heads and cameras found attached to ATMs as well.


I recently did this and highly recommend IdentityTheft.gov for assistance. It has tons of great resources/guidance for dealing with identity theft and other credit issues.

https://www.identitytheft.gov/


Direct link to phone numbers for security freeze: https://www.consumer.ftc.gov/articles/0497-credit-freeze-faq...


This will make a great addition to the /r/personalfinance wiki! Thanks for posting it!


Happy to help! I was really surprised how well the site works. A bit more about my experience here in case it could also be useful (though the post is admittedly a bit scatter brained): https://chrxs.net/articles/2017/03/23/responding-to-identity...



I can't agree with this more. I was the victim of identity theft many years ago. In my case the data leaked from an employee at my company's payroll dept! There was nothing I could have done to prevent it. Anyway I did this many years ago and have not worried about it since. There is some small hassle because people run credit checks for weird reasons that have nothing to do with trying to get a loan or line of credit. For instance when I got promoted to a certain level at my last company they ran one, and while they didn't run them when I got hired, I think later they started doing them as part of "background checks" for all new hires. The other hassle is sometimes the credit agencies change the way you "unfreeze" and I've had some problems with that, or the people running the check don't actually know which of the three credit agencies they are using. However for the once every four or five years hassle it is definitely worth the peace of mind for me. In many cases you can "temporarily" revoke it for a week or 10 days.


I'd phrase this more as, "I was impersonated by someone, and a third-party compounded the problem by lying about it to others. Now, to avoid that problem, I pay protection money to that third-party and waste my time jumping through their hoops."

I do the same thing, BTW, because the alternative is worse. But it is a protection racket offered by the very people causing the problem.


I think that pretty much is exactly how I felt about it at the time. One thing I haven't seen mentioned is the fact that this "remedy" was actually a requirement imposed (at least in California) on the credit agencies by the government, and it wasn't always that way. So for several years instead of this, I would have to actually go check (all three) credit agencies getting my "free" report (since I was an identity theft victim). Of course I still had to ask for it, they didn't just send it to me. So yes it was the least bad alternative. If a large enough number of people actually signed up for this it would actually destroy the credit agencies' business model, because instead of working by default, they would be broken often enough that people would do other, more reliable solutions. I think that may already be happening in some cases. For instance when my son moved into his first apartment, I had to put my name on the lease. I told them my credit was locked and they said they don't use the credit agencies, they had some other check they did. So yeah, no love for credit reporting agencies from me..


So if an identity thief has enough of my information to potentially open a new line of credit, wouldn't they also have enough information to reverse the freeze?

In other words, is a freeze enough to stop new accounts from being created?


You get a unique long pin code when you freeze the account. You need that to unfreeze it. There is some "recovery" procedure, I think you need a notary or something


And that unique long pin definitely isn't stored in plaintext in the next column over in their database, right?


At least it's only in one database, and not all of them, like SSNs are...


At this point it's about doing that one thing the other 1 million won't. It might be surmountable but do you figure the adversary is going to have the incentive to surmount it?


"don't worry, your 12 digit pin is securely encrypted with md5"

/s


md5? They use triple ROT13.
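
The exchange above (plaintext column, md5, triple ROT13) is joking about how a freeze PIN might be stored, so here is an added example that is not from any commenter or from any bureau's code: it stores a constructed 6-digit PIN three ways and shows what a leaked table gives an attacker under each. The PIN value, the iteration counts and the pepper are all made up for the demonstration. The point a practitioner should take from it: a numeric PIN has a keyspace of only 10**len(pin), so a salted slow hash (PBKDF2 here) raises the cost per guess but cannot make exhaustive search infeasible on its own; keying the result with a secret held outside the database is what removes the offline oracle.

```python
import hashlib
import hmac
import os
import time

# Constructed for this example: a 6-digit PIN keeps the brute force below a
# couple of seconds. The attacker's work is 10**len(pin) guesses whatever the
# length; a 12-digit PIN only moves the exponent.
SAMPLE_PIN = "123456"


def store_md5(pin):
    """The '/s' scheme: unsalted, fast hash. For a numeric PIN this is
    indistinguishable from plaintext once the table leaks."""
    return hashlib.md5(pin.encode()).hexdigest()


def brute_force_md5(digest, length):
    """Offline attack on a leaked md5 column: enumerate every PIN of `length`
    digits and compare. Returns the PIN, or None if nothing matched."""
    for n in range(10 ** length):
        candidate = f"{n:0{length}d}"
        if hashlib.md5(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


def store_pbkdf2(pin, iterations=100_000, salt=None):
    """Salted slow hash. The salt defeats precomputed tables and the iteration
    count raises the cost of each guess, but the keyspace is still tiny."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def verify_pbkdf2(pin, record):
    dk = hashlib.pbkdf2_hmac("sha256", pin.encode(),
                             record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])


def seconds_to_exhaust(length, iterations):
    """Estimate single-threaded wall-clock seconds to try every PIN of `length`
    digits against one PBKDF2 record on this machine: time one guess, scale
    by the keyspace. Shows why iterations alone buy time, not safety."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"000000", b"x" * 16, iterations)
    per_guess = time.perf_counter() - start
    return per_guess * (10 ** length)


def store_peppered(pin, pepper, iterations=100_000, salt=None):
    """Salted slow hash, then an HMAC under `pepper`, a key that is never
    written to the same database (HSM, KMS, or at least a separate service).
    A dump of this table gives no oracle: without the pepper no guess can be
    checked, so the 10**len(pin) search cannot even start offline."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)
    tag = hmac.new(pepper, dk, hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "tag": tag}


def verify_peppered(pin, record, pepper):
    dk = hashlib.pbkdf2_hmac("sha256", pin.encode(),
                             record["salt"], record["iterations"])
    tag = hmac.new(pepper, dk, hashlib.sha256).digest()
    return hmac.compare_digest(tag, record["tag"])


if __name__ == "__main__":
    # Leaked md5 column: the PIN falls out in well under a second.
    recovered = brute_force_md5(store_md5(SAMPLE_PIN), len(SAMPLE_PIN))
    print("md5 column, recovered PIN:", recovered)

    # Leaked PBKDF2 column: still only a question of time.
    est = seconds_to_exhaust(len(SAMPLE_PIN), 100_000)
    print(f"pbkdf2 column, exhaustive search on this box: ~{est:.0f} s "
          f"(x10 per extra digit, /N per N cores)")

    # Leaked peppered column: the true PIN is unverifiable without the pepper.
    pepper = b"made-up pepper, lives outside the database"
    rec = store_peppered(SAMPLE_PIN, pepper)
    print("peppered column, true PIN verifies without pepper:",
          verify_peppered(SAMPLE_PIN, rec, b"attacker's guess at pepper"))
```

Rate-limiting the online unfreeze endpoint is the other half of the defence; the pepper protects only against the offline case that a database leak creates, which is the case the thread is worried about.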


Sounds like such a freeze should be the default state.


That doesn't sound very profitable.


Anyone know if there's a way to get your free credit report if you can't answer the questions for the free one?

The computer says no, and the phone number just sends a letter that says no. I tried to buy one from my bank, but as far as I can tell they only sell subscriptions...


You could see if Credit Karma works. I think it is mostly a free interface to Trans Union though.


Funny enough, it also provides your Equifax report.


Each of the credit reporting agencies has a process for requesting your credit report by snail mail. The form is hidden away on the various websites, but it has generally worked for me when the online form didn't work (it turns out another person's delinquent loans and CCs were in the report that they were using to test that it was me).

Not as free, since you need to buy envelopes / print the forms / photocopy your ID / get stamps / wait X weeks, but as free as it gets when the online system doesn't work.


http://annualcreditreport.com/ is the "official" site for this, per the FTC [0].

There's info on that page on how to proceed to get yours via snail mail (along with a link to the form).

[0]: https://www.consumer.ftc.gov/articles/0155-free-credit-repor...


There is! https://www.annualcreditreport.com/ I use it every year along with being a regular credit karma user.


credit karma


Why not just shift the presumption of liability (absent verification) to the financial institution instead of the consumer? Loan issuers can hire skilled professionals to do credit verification, so why should consumers bear the risk for their lack of due diligence?


"just"

Consumers would love this. Financial institutions would not. Guess who wins this battle?


> Consumers would love this. Financial institutions would not. Guess who wins this battle?

And everyone thought SOPA and PIPA were done deals, that is until the great internet SOPA/PIPA blackout day that resulted in so many calls to congress that the congress critters backed down.

If enough voters could be motivated appropriately to contact their congress critters requesting jail time for the Equifax executive staff that clearly did not stress security sufficiently, there would be some change that would occur.

Remember, money (donors) only help the congress critters to pay for the costs of the election. They still have to get those voters to actually vote for them. So there's still a way to influence their viewpoint. It just takes _way_ more than a few handfuls of voters calling/writing to reach the point where they actually pay attention anymore.


For sure, and that's precisely the problem.


Wow. Equifax's Credit Freeze line is just dead. Must be getting slammed right now.


Their signup process for the credit freeze involves entering your SSN which is not obscured at all. It's increasingly obvious how this could have happened -_-


Care to elaborate?


Shit-tier security practices


Also just tried to pull a credit report for Equifax via annualcreditreport.com and received a message that a condition exists at this time not allowing my report to be pulled and instead gave me mailing instructions.


I did this about 8 years ago, and have only needed to temporarily unfreeze it 3 times. Besides the big 3, I also froze reporting from Innovis.

The only unforeseen hangup from frozen credit reporting I've run into is with car rentals. With a few exceptions, most car rental companies (at least in the US) run your credit. Everything else was pretty predictable.


Do they refuse you rental?

Here in the UK they verify address via utility bills, cross-check with drivers license (verified by gov agency, DVLA). They maybe only take card payments too, no cash?

I'd expect that to be enough, given they force you to take out expensive insurance, that must cover them, surely. What's the credit report going to get them at that point?

(It may be even stricter now, don't know.)


I just changed to one of the rental companies that doesn't require pulling credit.


> Besides the big 3, I also froze reporting from Innovis.

Why Innovis? Who typically uses their reports?


Same people that pull from the other 3. It's not as commonly used, though its usage is trending upwards from what I understand.


Can you call and it get it unfrozen immediately if it needs to be run?


To unfreeze it entirely it looks like it can take no longer than 3 days. Unfreezing it for specific parties it sounds like is less money and perhaps takes less time but that will depend on the company.

Source: https://www.consumer.ftc.gov/articles/0497-credit-freeze-faq...


Law limits it to no more than three days. My experience has been that it mostly takes place within 12-24 hours.


I did this about 2 years ago with all 3 of the major agencies and in addition to the benefits described in post and comments, my junk mail volume dropped considerably. I don't know if it's always the case but this did not cost me any money.


This is actually a major inconvenience. You won't be able to apply for credit cards or get a loan to buy a car if you have a credit freeze. You have to unfreeze and re-freeze each time you apply for a credit card, and this costs about $30.


It depends on your situation. I've done this for the last 3 years, and have only had to lift the freeze 2 times, both times actually for job offers (it's pretty routine for companies to run background checks on new hires, which includes a credit history check). It does cost ~$30, but can be done online, and takes little time. You can also reduce the cost by asking whoever wants to legitimately check on your credit history, which reporting agency they will be checking with. Then you only need to lift the freeze for that agency, and for that entity asking for a report.

If there isn't some handshake/ack mechanism like this, I'm not sure how you cut back on fraudulent activity. I can see the case for making the credit agencies eat this cost and provide these services for free. That would probably require an act of congress...

Edit: You could also ask a potential employer to eat the cost of unfreezing to check your credit history, or ask them not to do the check at all (especially if it's not really relevant to your job). Either request seems reasonable to me, although I haven't tried that, I'm betting at least most employers would pay for the unfreeze.


It's definitely not routine for employers to do credit history checks except in certain narrow roles (and even illegal in many states). You absolutely should not unfreeze it for an employer unless they can provide justification for needing credit information.


How often do you apply for credit?

It is, in any case, far less of an inconvenience than not paying the protection racket, having someone impersonate you, and having the credit oligopoly lie about you because of it, leaving you to somehow clean up their mess.


Some folks churn, so they apply for credit several times a month. It's not a very small niche community either.


It is a small niche relative to the credit-using public at large, and there's no reason to accommodate them at the expense of everyone else.


No one asked anyone to accommodate anyone.


How often do you apply for credit? In the last 5 years I’ve done it zero times...


I have one credit card that I got in my twenties, and have never taken a loan. I'm wondering too what these people are doing.


What stops the would-be identity thief from removing the freeze before opening a fraudulent account?


A credit freeze gives you a PIN that they'll ask for before the freeze can be lifted.


Does a credit freeze stop you from accessing your free credit scores (e.g. CreditKarma, Mint etc.)?


No it won't prevent you from accessing your free credit scores.


You've sold me, now tell me how to do it


You have to place the freeze on each of the three credit agencies individually. In most states it's $10 each, but it can vary state to state.

https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo...

https://www.transunion.com/credit-freeze/place-credit-freeze

https://www.experian.com/freeze/center.html


I think you are missing something. Here's what's needed to initiate your TransUnion freeze:

To set up a security freeze with TransUnion, please visit our online form. You should be prepared with the following types of information:

1. Your full name, including middle initial and suffix, such as Jr., Sr., II, III
2. Social Security Number
3. Date of birth
4. Current address
5. All addresses where you have lived during the past two years
6. Email address
7. A copy of a government-issued identification card, such as a driver's license or state ID card, etc.
8. A copy of a utility bill, bank or insurance statement, etc.

So, if I hack TU, all I need to do is get the data of the people who asked for a credit freeze.

The problem is these companies, who none of us ever chose or nominated to collect our data, are careless with our PII. And until some accountability is added into the system, this will continue.

I want to see Equifax's CEO, CTO, CSO and anyone who ever saw a report saying "we need to invest more in security" and ignored it, to pay. Preferably with their jobs.


> I want to see Equifax's CEO, CTO, CSO and anyone who ever saw a report saying "we need to invest more in security" and ignored it, to pay. Preferably with their jobs.

Nope. Ain't gonna happen. Financial crime pays, big time! No one goes to jail. They usually have an investigation followed by a hearing in Congress (if it is "BIG" enough), then come back and pay a fine. Media will report the fine as "MILLIONS OF $" but the fine hardly makes a dent in the bank / financial institution's coffers.

W.r.t. this particular situation, here's a story that just broke.

Three Equifax Managers Sold Stock Before Cyber Hack Was Revealed (bloomberg.com) => https://news.ycombinator.com/item?id=15196309

It's called INSIDER TRADING.


If they did that because of this, the SEC will likely nail them for it.


Of the three letter agencies, the IRS and the SEC are particularly ruthless. They can only enforce what Congress will allow, unfortunately, so that leads to bigger fish not being fried up.


Equifax can handle its internal management and operations however it wants.

Externally, though, I want Equifax to have to pay a fine for every individual whose information was compromised. Identity theft can easily cause five figures worth of damage, so $10k per individual would be fair. Maybe as a warning shot we could lower this to... $1k? $100?

That's the only way to properly align incentives so companies will proactively defend against attacks like this.


This thing called "Identity Theft" does cause damage, but it's important to remember that if fraudsters trick a bank into thinking they are you, it is the bank's fault for failing to properly verify it was actually you. Doing so would cost them more money and it is much easier to do cursory checks instead.

No doubt fraudsters impersonating you is a hassle and you must spend some time and money dealing with it if you are targeted, but do not lose sight of why it happens and who is ultimately responsible.


But you still pay the fees from the banks failings, so it really does hurt everyone even when the bank eats it.


It hurts everyone foolish enough to still do business with the bank after they jack up their fees to pay for it. Or in jurisdictions where a small number of banks are given a monopoly, or competition is otherwise discouraged, it hurts everyone.


Yes and no.

If a "Too Big to Fail Bank" fails, we all pay. If a credit union in Utah messes up, their customers pay. Let banks compete on operational excellence.


I expect managers to go to jail, in addition to a financial kneecap that forces other companies to vigilantly pressure their management for security.

Well, maybe not expect. This is America... I expect infuriating golden parachutes. But I certainly hope for criminal charges and jail time.


$1k, $100, that's far too low in my opinion even for a warning shot.

As someone who has had their info leaked by two universities before, both of whom subsequently paid for multiple years of credit/fraud protection, the sheer pain and stress of having random credit cards frozen and need to be replaced is worth far more than that dollar amount of my time. This is potentially messing with people's livelihoods with long term lasting effects.

If monetary sums are given out, then I hope a fair amount is given out instead of a warning shot. Those tiny figures won't help at all and effectively send the message that companies are more important than the people they serve.


$100 per each individual would be 14 billion dollars... Which would definitely put Equifax out of business.


Perfect. If they're in the business of selling access to sensitive information and cannot keep said sensitive information safe, they should not be allowed to continue to leak that sensitive information.


$1k would mean a $146 billion fine in this case. Hardly a "tiny figure".


I would not doubt a class action lawsuit results from this, and I'd be very surprised if Elizabeth Warren didn't pursue congressional action against them (although not officers of the company unfortunately).


And then I'll get six months of free credit monitoring from Equifax? Oh boy!!1!

More seriously, this is a breach big enough that Equifax should honestly no longer exist as a company. So call it $100/incident, and I'm happy. Other agencies would still exist, and, although they're just as terrible, it might get them to kick their asses into high gear to fix their security.


Maybe, the suggested demise of Equifax, the extreme perpetrator of neglect in this particular case, should lose the ability to print money, much like Symantec and other SSL cert issuers (identity certifiers) for their recklessness; perhaps that doesn't go far enough.

Maybe the whole commercial enterprise of credit reporting (and identity verification) needs to be dramatically reworked in a more modern, sane design, with different governance and oversight.


The NYT story states that they are already offering this to affected consumers: https://www.equifaxsecurity2017.com/potential-impact/ .


I went there and used the site and guess what? It doesn't work. It just said 'Thank You!' and gave me an enrollment date. It gave me no info as to if I was one of the people affected.


The number of affected people was 143MM, which I think is numerical shorthand for "everyone we've ever known about."


Likewise, WTF. I thought you were joking but nope, it returns this text:

-----

Thank You

Your enrollment date for TrustedID Premier is: 09/13/2017

Please be sure to mark your calendar as you will not receive additional reminders. On or after your enrollment date, please return to faq.trustedidpremier.com and click the link to continue through the enrollment process.

For more information visit the FAQ page.


That means you are affected. If you enter a non-existent name and SSN, it will say that you are not affected.


Even better, they ask for your last name and the last six digits of your SSN to even check your potential impact. The problem is that the first three digits of your SSN are derived from your state of birth, so the last six give up basically the entire thing. http://www.ssofficelocation.com/social-security-number-prefi...

This whole system is so fucked.


The content of the landing page (since it appears broken, here's the content from Reader View):

Equifax Announces Cybersecurity Incident Involving Consumer Information

[Equifax CEO statement] https://youtu.be/bh1gzJFVFLc

No Evidence of Unauthorized Access to Core Consumer or Commercial Credit Reporting Databases

Company to Offer Free Identity Theft Protection and Credit File Monitoring to All U.S. Consumers

September 7, 2017 — Equifax Inc. (NYSE: EFX) today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.

The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps. The company has found no evidence that personal information of consumers in any other country has been impacted.

Read More


Did that https work for you? For me it redirects to plain http and then OpenDNS blocks it as a phishing site. Why are they using such a scammy looking domain, anyway? Why not just host it on their main site?

Edit: I'm abroad and just tried through a VPN and it worked. Don't know why I tried without it ...


Domain name was registered on August 22nd 2017...


[flagged]


Please don't post like this here.

https://news.ycombinator.com/newsguidelines.html


> I want to see Equifax's CEO, CTO, CSO and anyone who ever saw a report saying "we need to invest more in security" and ignored it, to pay.

The issue here is likely related to business units that were acquisitions, with the breached product in question having been developed pre-acquisition by a code farm staffed by interns in some developing nation. I spent a few years trying to unfuck some of those messes and moved on.

It's more a problem with their reckless growth over the last decade than anything. (ed) Due diligence is obviously lacking, but I can personally attest that nobody in senior leadership there willfully ignores matters of security once it becomes known.


We don't know if this has anything to do with any acquisitions - this is a conjecture, at best.

At any rate - I don't care. I never gave Equifax permission to collect my personal data. I certainly never gave them permission to store it in a way that it can easily be hacked. If you buy a 3rd party company, "unfuck" and harden their software BEFORE you let the data flow in.

Allowing data to slip out is negligent. If you're in the army, or the intelligence community, you get punished for this. It's about time the private sector felt some sort of accountability.


This so much. The stream of corporations passing the buck into a black hole of irresponsibility needs to end now. If people aren't held responsible, they will continue to make these failings without pause. I hope everyone is writing their legislators and congresspeople right now. They listen more than even my disillusioned self thought. They just might have bigger incentives to act otherwise. But if they don't know, they can't even choose to be corrupt or not, they are ignorant by proxy. Communicate to your leaders, and remember their response when you vote.


The only real solution here is that we need consumer privacy laws similar to Germany's-- not more scrutiny of those who participate in the PII trade.

There is no reason beneficial to consumers to be collecting intelligence of this nature.


The best way to punish them is for us all to organize and create a Proposition that bans them from being a credit bureau, etc. If this passes in California, it will destroy them as a company.


The problem here is that they've expanded their core business to be so pervasive, they're no longer reporting on just your credit history-- they've also moved into the employment history, salary history, etc. space. So you kill their financial tentacle, they'll still be collecting intelligence for other purposes.


Not really conjecture:

> The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.

Since core business was unaffected (nobody hacked the mainframe), I guarantee you some crappy product they acquired got compromised.

And like it or not, you do give them permission to collect your personal data every time you authorize a creditor, utility or employer to run a credit check. Never sign up for utilities, loans, credit cards or get a job and then you'd have a case for privacy.


It could also be related to how they sell things. Given how commonly they redistribute this data I wouldn't be surprised if it turned out to be something like a customer portal where they can say it wasn't core because the attacker couldn't have altered data, etc.


Oh, good, it wasn't their _core_ business. What a bullshit copout - you acquire a company, you own it, warts and all. Who's worse, the crappy company or the company that acquires it and continues to operate it without fixing it?


You probably did if you have any sort of bank account or loan or job application or rent. It's pervasive in contracts/agreements that they report to partners and credit agencies.


I find it difficult to reconcile your second and third paragraphs.

I guess choosing not to prioritize security (vs profit or whatever) when making acquisitions is different than just ignoring it entirely.


If that were the case, then who approved the acquisition? Who did due diligence on it?

Suddenly letting a bunch of untrusted, poorly audited code run on your infrastructure is itself a massive security breach. And even that doesn't explain how data was extracted for two months with no one noticing.


>Preferably with their jobs

That's not nearly enough, considering the reach and impact this could potentially have. These people need to be getting life prison sentences before security is finally taken seriously enough by executives.


It's high time we had an equivalent law to Sarbanes-Oxley for security.

S-O made sure that when a C-level type guy signs a report, he knows his ass is on the line in case an illegal transaction just occurs under his nose. If your company deals with PII, I want that data to be treated as important, if not more important, than the company's funds. If you lose it, and you had any say in security (or lack thereof), you should do time.


> So, if I hack TU, all I need to do is get the data of the people who asked for a credit freeze.

Sure, but TU already has all the above information anyways.


> So, if I hack TU, all I need to do is get the data of the people who asked for a credit freeze.

To what end? As has been pointed out they have all that info anyway so it's not like you're making the situation worse.

But more importantly, if your credit is frozen who cares? What are they going to do with your SSN? Get a loan? Get a CC? Buy a house?

That's the point of a freeze, it makes your PII less valuable.

The actual concern is about the PIN. Because surely they could go through the trouble of PIN recovery to unfreeze your credit and then make use of it. But considering the numbers game, its not worth their trouble vs all the unfrozen accounts.


> I want to see Equifax's CEO, CTO, CSO and anyone who ever saw a report saying "we need to invest more in security" and ignored it, to pay. Preferably with their jobs.

No. With jail. And go bankrupt.


Now there are news that they sold their shares last week.


/me sighs

The Equifax site appears broken in at least some browsers. Transunion wants me to sign up for an online account, and Experian charges a $10 fee in my state to place a freeze.

All three want to collect my name, DOB, SSN, etc. _again_ in order to sign up.

This is complete and utter BS. Credit reporting agencies are one of the greatest/worst rackets in the modern financial system.


"You could be at GRAVE RISK because we accidentally leaked your personal information. Please give us all of your personal information so that we can tell you if you were affected."

It's almost funny, in a way. What, so I can become affected if I'm not already?


I don't understand this. Equifax claims they just leaked my SSN, driver's license, and other pertinent data to everybody. How would they possibly confirm that I am the one lifting the 'freeze'?


When you get your account frozen they provide a PIN to unlock.


And what happens if I call to unfreeze but have lost the PIN? Can I never get a loan again for the rest of my life? Or is there some way around the PIN - perhaps only requiring the already leaked information?


>>And what happens if I call to unfreeze but have lost the PIN? Can I never get a loan again for the rest of my life?

Exactly. There's no shot this "PIN" is like a one-way encryption passphrase. There is definitely a way around it.


You call them up... but this will probably no longer work b/c of the data breach. Otherwise you snail mail them a letter with a govt ID and they send you a new PIN.


Thanks for this info! Saved me a lot of time hunting these links down myself.


Unfortunately it appears freezing credit reporting is impossible in Canada, presumably because there are no laws forcing these companies to allow it here: https://money.stackexchange.com/a/54677


Calling a phone number is easier than signing up by web

https://www.transunion.com/fraud-victim-resource/important-contacts


Question for you: My card comes with Identity theft protection [1]. Do you think that's a good alternative to freezing credit completely?

[1] https://www.discover.com/credit-cards/member-benefits/securi...


It sounds like this would alert you to potential fraud, but not prevent it from happening. You'd still have the headache of undoing the damage, although that may be easier if you find out sooner.

If you freeze your credit, it basically prevents anyone from opening any new credit under your name. The reason for this is that any lender (car, mortgage, credit card, etc...) first would want to see your credit history, to determine how credit worthy you are. If they can't do that, they will not lend.

I'm waiting for the headline one day soon that hackers were able to unfreeze people's profiles and commit fraud under these accounts anyway. It's just another database entry somewhere, which says "freeze". All these systems are vulnerable and can be penetrated.


That's a bad idea I think. You are giving your card company proxy rights, and more data about yourself than they should have.


Dilemma: spend $30 on credit freezes or put $30 into bitcoins?


"Three Equifax Inc. senior executives sold shares worth almost $1.8 million in the days after the company discovered a security breach that may have compromised information on about 143 million U.S. consumers."

https://www.bloomberg.com/news/articles/2017-09-07/three-equ...

Edit: Also discussed here https://news.ycombinator.com/item?id=15196309


So, that should definitely get them busted for insider trading, no?


It depends...

Regulatory filings show that three days later, Chief Financial Officer John Gamble sold shares worth $946,374 and Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099. Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2. None of the filings lists the transactions as being part of 10b5-1 scheduled trading plans.

The three “sold a small percentage of their Equifax shares,” Ines Gutzmer, a spokeswoman for the Atlanta-based company, said in an emailed statement. They “had no knowledge that an intrusion had occurred at the time.”

The timing is extremely suspicious. But - if they can prove they didn't know, they're in the clear. Of course a breach like this quickly goes to the board, and it's hard to imagine that the CFO and President of US Information Solutions wouldn't know.


> The timing is extremely suspicious. But - if they can prove they didn't know, they're in the clear.

Burden of proof for criminal cases is the other way around. They will likely spend lots on legal fees just trying to prove they didn't know about the hack at the time they decided to sell. They will likely end up settling out of court (guilty or not) because that's how the US legal system works.

Also important -- July 29 is when Equifax claims they noticed the issue.


What actually happens is that they get interviewed repeatedly. If they get caught in a lie (like Martha Stewart), they face criminal penalties for perjury. If they keep their story straight, they are acquitted.


I'm sure the SEC will get a copy of all emails, meeting schedules and chats of that time. If there was any phone call, meeting or email between one of these guys and someone with knowledge of the matter, it will be very hard for them to argue that they didn't know. Even if they weren't told details, they could've seen that the others were obviously dealing with something very serious.


under this justice department?


Oh wow. Will that be investigated? This isn't a world I know much about, but surely that's gonna be a problem?


> approximately 143 million U.S. consumers.

This was only a matter of time. We can rotate credit card numbers, but sadly not a SSN. I wish I could rotate my US social security number when significant exposure happens (this would be the 4th or 5th time in 24 months my data has been exposed).

Assuming legislation passed that allowed you to cancel an exposed SSN and get a new one, what would it take for that to happen? Surely it's not just the one agency (SSA) that would need to make the change, but multiple agencies would need to coordinate the change?

(And of course, I would be personally responsible for informing my banks, brokerages, loan agencies, etc of my new SSN)

Does anyone have insight into how this could work?


I think the true error in process is that a SSN is considered to be a secret, unique ID, and many (many!) institutions allow you to use it as a proof of identity.

It's short, guessable, would fail all of their own password requirements, and yet somehow it gets a free pass. I just consider my SSN to be public, and move about my digital life with that assumption. I don't go plastering it on walls, but if I encounter a business or process that uses my SSN instead of proper two-factor authentication (...a large number of credit-based companies and financial institutions, sadly) my trust in them simply plummets, the same as it would for the login I use on less secure forum sites.


Exactly. In the UK we have a National Insurance number, but it's stated over and over again that:

This is not proof of identity.

Anywhere it is referenced it is repeated that it should not be used as proof of identity and not given to anyone as such.

SSNs should be treated the same way, but that would require a culture change. Perhaps having 150m of them 'leaked' will bring about that change. Such a change could also be brought about through legislation making it not legal to ask for SSN as proof of ID (i.e. can only ask for SSN when required for the purposes it is intended for), but legislating such things is likely even further from your culture.


The problem is that you need a replacement, something that can actually be used as a solid proof of identity.

The countries that don't have comparable identity theft problems have done so mostly by using a ubiquitous government issued ID that's hard to forge and hard to obtain by someone claiming to be you. In the USA there seems to be a strong opposition and a legal barrier for the government to make such an ID.

Not much else can be done - a simple test of a decent identity system is to ask if my spouse, mother or brother would be able to impersonate me - it's clear that nothing that relies on "something you know" can ever be sufficient, it must be "something you are", possibly together with "something you have", i.e., biometrics or a trusted photo ID.


Can you expand on the systems that are "hard to obtain by someone claiming to be you" and biometrics? In my readings, I've found that biometrics is not unique across a large population, it changes over one's life span (which means you wouldn't know when it has changed enough to update the system that stores it), changes with one's profession (like physical labor) and health, and that the error rates across a huge population even for iris scans are quite high.

For reference, India has a unique ID called Aadhaar that collects ten fingerprints and two iris scans to deduplicate across 1.3 billion people. It uses flawed technology (relying on a fingerprint for authentication or in very rare cases, an iris scan), insecure devices, and generally has a high failure rate due to poor infrastructure. Combined with poor technology, the privacy and security policies and measures are inadequate too. There has been plenty of personal information leaked in the last few years because of the government's obstinate stand that this ID be linked to everything - phone numbers, tax ID, bank accounts, and many more.

I don't think there is any solution, including biometrics, that will work to uniquely and unambiguously identify individuals across large populations. I also see more dangers for the populace with such schemes because submitted biometrics, once compromised, cannot be revoked or reissued (this is how the Aadhaar system works - it stores the biometrics as-is).


Biometrics alone aren't sufficient, but they're a reliable way to prevent identity theft if you have a secure record linking the identity to the biometrics - there will be people with similar faces and maybe fingerprint matches, but fraudsters aren't going to easily find a thief that happens to look similar to you, match your fingerprints, and forge a document just to get a small loan or some electronics on your credit. The point is that biometrics can't be treated as "something you know", and the system should be designed in a way that these biometrics getting compromised isn't a big problem; I mean, my EU ID card has a chip with my fingerprints on it, but getting a copy of my fingerprints won't really risk "my identity", all they're good for is to prevent someone else using my documents if they steal it even if their face looks similar.

Getting such a secure record, though, generally requires a decent level of gov't infrastructure throughout all areas, and can't be built up quickly. Size alone isn't an issue - if it works for half a billion people in EU, then it'd work for a billion people elsewhere, but the infrastructure needs to be there.

I.e., you need a population where all or nearly all births have been properly tracked and reliably registered for a long time, so you can't build it faster than decades if it wasn't the case; you need a general low corruption environment where mass issuing of fake IDs by corrupt officials won't happen (a limited number of fakes by organized crime might be inevitable, but they won't disrupt the system); you need an effective policing system where everyone, including the most poor, would report stolen wallets and documents to be revoked; you need effective infrastructure where it's trivial for everyone giving credit or goods "on lease" to verify online the validity of some documents.

I'm not sure how it is in India, and I assume that some of these might be a problem, but for the USA (as in the original article) all these things are in place and such an ID would work if it was implemented.


SSN is a fine ID, but it cannot be used as authorization. I think that a government issued photo ID, such as a passport, is probably the current best bet if you require the other party to save a photocopy of it. Perhaps in this digital age you could have a system where you need to sign in with 2 factor authentication to verify any claims to authorize you.

Biometrics are a very poor ID. With current technology we can fake fingerprints and irises, the two most commonly used biometrics. They also have the issue that you cannot change them, so if you do get compromised and flag it, then you cannot use that option yourself.


All the objections to creating national ID seem like ridiculous anachronisms given every other privacy-compromising measure that's been shoved down our throats.


> Exactly. In the UK we have a National Insurance number, but it's stated over and over again that: This is not proof of identity.

Here in the US, our Social Security Act said exactly the same thing.

Guess what. It got used as a proof of identity.


Social Security cards used to say they weren't to be used as identification. They took that off because everyone ignored it and did what they wanted to anyway.


> This is not proof of identity.

What is it then?

I've seen it used as a quasi-password by car hire companies to access driving license history.


Do you see that thing above your post? "noja"? That's your identity. Your SSN on Hacker News.

What proves that it is you to Hacker News is what you type into the password field when you log in.


My username isn't a semi-secret number that I have to guard.


>What is it then?

It is the username you are issued by the government. It is solely used to identify you.


> It is solely used to identify you.

Not exactly. It's used to map your Social Security account to other records they have about you. It's not, by itself, identification.


In practice it is not solely used for that.


They can use it as a key to the database without treating it as proof of identity.

(I don't know that they do, it's just that the one doesn't necessarily follow from the other)


You're right, it was never meant to be a unique identifier; we need a national identification card. Here is a link to a video about it:

https://youtu.be/Erp8IAUouus


Strange that this is being downvoted. The video is very relevant.

I get that many Americans are suspicious about our government, but the fact is that much of our credit / jobworthiness in the US is tied up in the Social Security card. I would rather it be something more useful, such as the Estonian National ID card -- which has smart features like digital contract signing.


Americans don't like National ID cards because we remember the Third Reich and the USSR.


Germany has rather more intimate knowledge of both of those, and they have national ID cards without sliding into authoritarianism...


I think it's more that Americans don't like national ID cards because they're paranoid about the Mark of the Beast and mistrust Federal power on principle.


I'm not sure I would proclaim that unironically in a discussion of a giant American company accidentally losing track of a database containing detailed personal information about ~1/2 the country.

I mean sure, it's not in your pocket. But are you going to move house in response to this breach?


The point is that your social is a fairly predictable number if you can figure out someone's birthday and hometown. I realize this wouldn't help in the case of Equifax but it would help in other instances. It would also allow us to have voter ID laws that didn't constitute a poll tax, but that's a totally unrelated issue.


You don't need one central register with intimate data of citizens. You can keep registers local to avoid widespread data breaches. It's still possible to verify the authenticity (e.g. for police) by requesting from the local register (electronically) but no one has access to all data at once.

At the same time, the system can be designed to only store the data necessary. I don't think it's necessary to store more information than for SSID.


As opposed to who?? Are you implying that the European countries successfully implementing these systems do not?

Also, if I recall correctly, the UN had to actually remind the US about the actual dangers of the Third Reich only a few weeks ago.


It's pretty much the flaw in not having a national ID scheme - everyone reaches for the next closest approximation, with no funding for security systems or refreshes to address flaws.

Because this is an issue the government should address seriously.


Even with a national ID scheme, I don't know of any country who has implemented a way to validate that the holder of the ID document is the person the ID document corresponds to without the person being present so that their biometric data can be validated.


You can use many ID cards online with the chip in the card. This means you need to have access to the physical card and the PIN. Much safer than just having a number and it will be hard to steal 50 million physical ID cards.

Many banks use video chats to open accounts where you have to present the card via video. This can be even safer as you need the physical card and someone who looks like the person on the ID card. Since calls are recorded, I can imagine fraudsters are hesitant to use this process.


US government has been addressing this but states (which tend to issue the identity documents used widely) pushed back. Here in Montana I will shortly have to use my passport to get through airport security for this reason.


National ID has nothing to do with this. National Password is the problem here.


My hope is that with this breach, someone will finally be able to hit Congress over the head with a smart stick and make them realize this.


Good luck. The people responsible for this will likely go on to work in the government.


I believe you CAN change your SSN https://faq.ssa.gov/link/portal/34011/34019/article/3789/can... . Especially if you have "cultural objections to certain numbers".


You can, but in very specific cases. The "cultural objections" bit requires documentation from a legitimate religious organization - you can't just say 123-45-6789 is the mark of Satan.


> you can't just say 123-45-6789 is the mark of Satan

Obviously you can't say it out loud, because you might evoke the wrath of the Old Ones.

Additionally, you can just engrave the surface of your ID card with the correct symbols in charcoal, a salted circle (actual salt, not the cryptographic kind), maybe some blood, and you should really be fine for most practical purposes.

I mean, this is not the Middle Ages any more. You can just Google this stuff.


> legitimate religious organization

I've seen variations on this for exemption from educational requirements, ID requirements, medical requirements, and the like.

It's always struck me as odd that one _can't_ give as a reason "I have rationally concluded, based on the evidence I present here, that I will take X course of action."

But one _can_ say "I have been advised to take X course of action by a group of people who pinky-promise that they are authorised representatives of a sky fairy who suggested X to a hallucinating man several thousand years ago."


It sounds like the SSN is not fit for purpose.

If the gov is going to issue a 'secret number', why not a 2FA device?


The SSN was never intended as a national ID.

It was originally created alongside the Social Security Administration, to track what individuals put in and what they take out. People only received one upon becoming employed.

Over time, the IRS realized that it could be used as a national ID, and adopted it for that purpose. They encouraged people to obtain one from a young age (even for their newborn children), and it was used to replace the original 'honor system' of 'How many children do you have?' tax discounts; now they'd need to register their child with a SSN.

Companies eventually began piggybacking on the number as a national identifier (due to our lack of one), and voila. We're left with an awfully insecure identification system that shouldn't be an identification system for much in the first place.

For anyone interested in more: https://www.youtube.com/watch?v=Erp8IAUouus, and the sources below the video.


The honor system didn't work. When they put in the SSN requirement, the number of children reported on tax returns dropped by 10% (from 77 million to 70 million): http://articles.latimes.com/1989-12-11/local/me-33_1_exempti...


Why do we need to number people anyway? People are very consistent with spelling their own names. This combined with a birth date and/or a birth city should be enough to uniquely identify anyone.

Think about passwords. A SSN is only nine digits, 0-9. JohnHarrySmith19900101NewYork is far more secure. And doesn't dehumanize the recipient.


This is definitely not reliable in large cities, and it would have privacy concerns not to mention failing to handle people who don't follow the same naming conventions you do or who don't have day-level precision on their birth date.

See http://www.kalzumeus.com/2010/06/17/falsehoods-programmers-b... and especially http://latanyasweeney.org/work/identifiability.html

Numbers have the nice advantage of not assuming structure, character set, etc. and allow changes for edge cases such as someone escaping an abusive spouse — see the full list of reasons at https://faq.ssa.gov/link/portal/34011/34019/article/3789/can...


There are 8 billion people on Earth. You are a number sometimes. It's okay for {your passport, your driver's license, your social security card, your credit card, your bank accounts, etc} to treat your account as a number.

The SSN just acts as a (largely) unique identifier. In the US, it also serves as proof that someone is eligible to work in the country. It's also the primary key for the account which collects my Social Security earnings over my career.

You are asking the wrong question. Neither of the keys you identify, whether it be "123-45-6789" or "JohnHarrySmith19900101NewYork", is "secure". Perhaps the latter has more entropy, but it's not the equivalent of your password when you log into a website -- it's the equivalent of your username. When you fill out a federal form like your tax form, anyone who sees the form sees your Social Security number.

If we were talking about making Social Security secure, your Social Security card would be plastic/metal and have a chip in it, similar to an EMV chip. It would have a private key which can be used to sign digital contracts and can be used to generate login tokens. It's effectively a private key that generates different public keys for each interaction/transaction you need to perform with it. Right now, Social Security is entirely about "what you know" with an easy to fabricate "what you have" and has no "who you are" factors.
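The comment above (like the earlier one about chip-and-PIN ID cards used online) describes a card whose private key signs a challenge while the identifier stays public. As an added example, not code from any commenter or from Equifax, here is that contrast in Python: an "SSN style" check that anyone holding a copy of the records passes, beside a card-style check in which the registry holds only identifier and public key. The group parameters, identifier and lender names are constructed for illustration; the 127-bit toy group is readable but not secure, and a real card would use an established curve and a vetted library.

```python
import hashlib
import secrets
from typing import Dict, Tuple

# Constructed toy group: Z_p^* with the Mersenne prime p = 2^127 - 1.
# Large enough to read as real arithmetic, far too small to be secure.
P = (1 << 127) - 1
G = 3            # fixed base element
N = P - 1        # g^N == 1 (mod P), so exponents are reduced modulo N


def _challenge(r: int, identifier: str, relying_party: str, nonce: bytes) -> int:
    """Hash the commitment, the public identifier, the relying party's name
    and its fresh nonce into an exponent. Binding the relying party means a
    response produced for one lender cannot be replayed to another."""
    h = hashlib.sha256()
    for part in (r.to_bytes(16, "big"), identifier.encode(),
                 relying_party.encode(), nonce):
        h.update(len(part).to_bytes(4, "big") + part)   # length-prefixed
    return int.from_bytes(h.digest(), "big") % N


class IdentityCard:
    """The holder's chip: the private key is generated here and never leaves."""

    def __init__(self, identifier: str):
        self.identifier = identifier                  # public, like an SSN
        self._x = secrets.randbelow(N - 2) + 1        # private key in [1, N-2]
        self.public_key = pow(G, self._x, P)          # safe to put in a registry

    def respond(self, relying_party: str, nonce: bytes) -> Tuple[int, int]:
        """Schnorr-style signature over the relying party's challenge."""
        k = secrets.randbelow(N - 2) + 1
        r = pow(G, k, P)
        e = _challenge(r, self.identifier, relying_party, nonce)
        return r, (k + e * self._x) % N


class Registry:
    """What a bureau or lender would hold: identifier -> public key only.
    A leaked copy of this table does not let anyone pass verify()."""

    def __init__(self) -> None:
        self.keys: Dict[str, int] = {}

    def enroll(self, card: IdentityCard) -> None:
        self.keys[card.identifier] = card.public_key

    def verify(self, identifier: str, relying_party: str, nonce: bytes,
               response: Tuple[int, int]) -> bool:
        y = self.keys.get(identifier)
        if y is None:
            return False
        r, s = response
        if not (1 < r < P and 0 <= s < N):
            return False
        e = _challenge(r, identifier, relying_party, nonce)
        # g^s == r * y^e holds exactly when s was built with the private key
        return pow(G, s, P) == (r * pow(y, e, P)) % P


def ssn_style_check(records: Dict[str, str], name: str, number: str) -> bool:
    """Today's practice: the identifier is also the secret, so anyone holding
    a copy of the records passes."""
    return records.get(name) == number


def run_scenarios() -> Dict[str, bool]:
    """Compare the two models; the attacker has a full copy of the stored
    data (numbers, or identifiers plus public keys) but not the card."""
    alice = IdentityCard("123-45-6789")               # constructed identifier
    registry = Registry()
    registry.enroll(alice)
    leaked_numbers = {"Alice": "123-45-6789"}         # attacker's copy
    leaked_pubkeys = dict(registry.keys)              # attacker's copy

    nonce = secrets.token_bytes(16)                   # BigBank's challenge
    genuine = alice.respond("BigBank", nonce)
    # With only identifier and public key, an impersonator can only guess.
    forged = (secrets.randbelow(P - 3) + 2, secrets.randbelow(N))
    return {
        "ssn_owner_passes": ssn_style_check(leaked_numbers, "Alice", "123-45-6789"),
        "ssn_leak_holder_passes": ssn_style_check(
            leaked_numbers, "Alice", leaked_numbers["Alice"]),
        "card_owner_passes": registry.verify(
            alice.identifier, "BigBank", nonce, genuine),
        "card_leak_holder_fails": not registry.verify(
            alice.identifier, "BigBank", nonce, forged),
        "replay_to_other_lender_fails": not registry.verify(
            alice.identifier, "OtherLender", nonce, genuine),
        "replay_with_new_nonce_fails": not registry.verify(
            alice.identifier, "BigBank", secrets.token_bytes(16), genuine),
        "leaked_pubkey_is_public": leaked_pubkeys[alice.identifier] == alice.public_key,
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {ok}")
```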


> People are very consistent with spelling their own names.

Is this true of all people?

> This combined with a birth date and/or a birth city should be enough to uniquely identify anyone.

For common names and large cities, probably not.

> JohnHarrySmith19900101NewYork is far more secure.

No, it's not; SSNs aren't passwords, and shouldn't need to be “secure” in that sense, but names aren't secret and birth dates and locations are easily discoverable (and the combination of all three is frequently publicly announced!), so this would be less secure.


> Is this true of all people?

Not even remotely. My name has a space and an accent, it's always different. My wife's name is spelled differently on each of her birth certificate, driver's license, and social security card. And we have 'traditional' names.


> For common names and large cities, probably not.

Would be interesting to see statistics for that. It wouldn't be New York in this case, but for example Brooklyn or Queens. Even for the most popular name combinations, the number of people with the same name born on one day in one administrative area will be extremely low. Especially if you require middle names to be included.


Or you can just use a number. Because unlike names, you can assume one thing about individuals in a population and that is that they are countable.

You still just need 33 bits of information to identify any human on the planet, anyway.

(post-singularity, evolved into an ever-merging amorphous network of consciousnesses, we can use multidimensional fractal subsets of R^n, but we'll cross that bridge when we get there)


In Germany, this is how identification works to some degree. You have an ID card number but this changes with every card. There is a permanent tax number but this isn't used for anything but tax purposes.

In the end, identification can be done by name, birth date and place of birth. You'll find these requirements on many official forms. This is fairly unique and ties to birth certificates which can be obtained with this information. Even if all databases were erased, this data could restore registers (as birth certificates have a paper copy).


Not only was SSN not intended to be a national id, it was explicitly not supposed to be a national id.

In the era when SSN was established, Nazi Germany and its emphasis on "papers, please" was on the public's mind. SSN was intended to be used solely for tax purposes, not as a form of national identity. There were legal constraints on when government agencies can even ask for SSN, limited to legitimate tax purposes. Sadly, these protections have been whittled down over time:

https://www.bloomberg.com/view/articles/2016-09-15/this-loop...

> Federal law is supposed to protect the privacy of your Social Security number from government inquiries -- but apparently that doesn’t extend to a check on whether you’ve paid back taxes and child support. In a decision with worrying implications for those who oppose a single national identification number, a divided federal appeals court has rejected a lawyer’s refusal to submit his Social Security number along with his renewal of Maryland bar membership.

> The state says it needs Social Security numbers to make sure lawyers’ child support and taxes are up to date. The court’s majority said that was enough to fit the Social Security number under the federal law that allows states to use your number for tax purposes. That definition is so loose that it enables states to ask for your Social Security number pretty much whenever they want -- even when their records have been hacked.

Really, the government should make it possible for citizens to create an arbitrary number of different tax ids (SSNs), as many as they want. One for every firm they do business with, one for every employer, and so on.



Public-key crypto has been around since the late 1970s. Smart cards have been around since the 1990s. Two decades is nowhere near enough time for these sorts of changes to go through, you have to wait for all the past generation's lawmakers to retire/die and be replaced. Getting financial institutions to adopt new things that don't directly make them money is even harder.


The SSN is not issued by government as a secret number, but a necessarily-shared number between you, government agencies, employers, financial institutions, and many other parties.

The error is that many of the parties with which it must be shared treat it (for authentication purposes) as if it were a shared secret between that party and you (though they often don't do so for security purposes—and, as they often must share it with certain third parties, sometimes cannot do so) even though it is known to be a widely-shared non-secret.


The real problem is that SSNs are used double-duty as an identifier and authentication mechanism.

This has been predictably bad for security.



SSNs were expressly intended not to be used as identification or authentication. Thing is, there was no alternative that people were guaranteed to have. I get it on principle, we don't like government giving us tracking numbers. It just seems totally impractical not to have this though.


I really wish they would issue something like this. Or put a smartcard in my driver's license (I'm sure there are privacy implications to this though).


Even the level of standardization proposed for Real ID was met with enormous push back.

The long term solution is to figure out how to make financial companies feel the pain of fraudulent accounts. Like maybe when they open an account without doing a sufficient level of verification they should have to pay the victim of the fraud $5000 (in addition to covering any damages they cause).


Plus stronger regulation of how data is stored. Personal information is valuable - banks have security requirements, why not institutions like this?


If only someone could invent a way to verify their identity without sharing their secret key...

But in all seriousness, we need to find ways to make real identity authentication user friendly, a la Yubikey, and then drive companies to replace this insane SSN-based system.


So half the US population? Ugh.


It's about 2/3rds of 'working' Americans.


Requiring better proof of identity would create friction to consumer credit transactions.


Yes it would, and that (the extra friction) is exactly what should be done to fix the identity theft problem. It's far too easy to get credit in your name, so easy that it can be done by others.

But the change won't happen by itself unless a shift of liability away from the users makes it so that every company doing anything on credit sees that it obviously makes business sense for them to implement the extra friction (and suffer from it) because otherwise they are paying out money to fraudsters instead of trying to collect that from the impersonated people.


Sorry, what I meant was: that's not happening because the status quo is better for the people who make the rules. :)


Well, good. People buy too much junk anyway - having to jump through a hoop or two to do it would make people think - do I really need this?


Oddly, on their website equifax.com, they offer a solution to see if your identity is stolen by using a website created today called equifaxsecurity2017.com, which then offers the solution to 'enroll', which sends you to a website created a week ago called trustedidpremier.com. At which point you are to enter your identity information.

Um.


By enrolling in the free "Identity Theft Protection" you waive your right to "PARTICIPATE IN A CLASS ACTION, CLASS ARBITRATION, OR OTHER REPRESENTATIVE ACTION" https://trustedidpremier.com/static/terms

It is a scam to get people to sign away their rights to sue the bastards.


IANAL, but I'm not sure that you are correct. The agreement refers to claims "arising from or relating to the subject matter of this Agreement or the Products", and the title of the agreement is "TrustedID Premier Terms of Use".

Doesn't that mean you're waiving your right to sue TrustedID, Inc. in a class action for grievances related to the TrustedID monitoring product, not your right to sue Equifax for the data breach?


Can anyone with a legal background or have connections to news outlets validate this? I read through the terms and this really does seem to be the case. However, I am certainly not in a position to decide this. It would alleviate my concerns if a trusted source could publicly report on how the impacted (pretty much everyone in the US) should respond to leak.


Aha, that explains why the site works so hard to gather your info and then suddenly loses interest in doing anything much else!

Shit I hope I don't miss out on like $3.37 of class-action BOUNTY!


Shit. I already submitted and should've read the fine print. I need to un-enroll.


If you look at the site ToS you can send an opt-out to arbitration by mail to them within 30 days, at least for the Equifax general ToS.


And trustedidpremier.com was registered a week ago. https://whois.domaintools.com/trustedidpremier.com


TrustedID is an identity protection company that's been around for a while (many companies use them as the contracted company to do credit monitoring after a breach). TrustedID is actually owned by Equifax (who were just hacked.. irony), and so my guess is that "TrustedID Premier" is a newly created offering from Equifax/TrustedID to deal specifically with this major breach.


Well, yes, this was in response to this incident. While they're just making a public statement now, we know from their own press release that the breach occurred in May.

Regardless, it's certainly prudent to be wary of these sites since they're pretty indistinguishable from phishing sites.


According to them it occurred through July. That means it probably took them a month to figure out exactly what happened and how to disclose it.


Why must the consumer enroll in this? Why is it not automatic? They already pull all the strings with regard to keeping the consumer from taking out and keeping track of legitimate loans. Why must we go out of our way to prevent them from certifying and tracking illegitimate ones?


Most likely because Equifax is not providing the service and the actual provider will need to engage with each customer directly, despite the service being free.


I've now been enrolled in one or more "identity monitoring" services going back at least five years offered in recompense for various breaches.... at some point it becomes ridiculous.


Same. Starting with the PlayStation hack a few years ago. If it makes you feel any better, I get notified by that service every time I do anything that accesses my credit at all, usually within minutes, so, I guess it works as designed.


I also noted that it asked for the last 6 digits of your social. Could be they need more digits to avoid duplicates, but I've never heard anyone ask for 6 digits. Usually it's just the 4.

Honestly, they should have used a subdomain off of Equifax.com.


The bad thing about that is the first 3 digits are the location digits, so someone that has the last 6 digits can easily guess your full SSN if they know where you were born (or where you lived when you got your SSN).

https://en.wikipedia.org/wiki/List_of_Social_Security_Area_N...


This only works for social security numbers issued before June 25, 2011. See https://www.ssa.gov/employer/randomization.html

Of course, this is cold comfort for adults today whose SSNs were issued around the time of their birth.


So, everyone above the age of 16 that wasn't a naturalized citizen/resident? I feel like most of them would have credit scores.


And not only do I have to give them personal information to check, I have to use google's sign-reading I'm-not-a-robot captcha - feeding a little of my intellectual capability to their self-driving car companies.

They keep taking...


Unverified cert too -_-


The plain domain yields a 404. Cert for me seems to be signed by Amazon.

https://trustedidpremier.com/


What I mean to say is it's not validated.* They should have hosted this on a domain associated with the company and validated the cert with the business.


Not sure if anyone else suggested this, but people should file complaints to the CFPB about this:

https://www.consumerfinance.gov/

Not just about the hack, but the fact that their "check to see if you were affected by our shit" sites include a ToS that waives your right to participate in a class-action lawsuit.

https://trustedidpremier.com/static/privacy-policy


ToS link:

https://trustedidpremier.com/static/terms

To my reading, the arbitration clause may only apply to people who take the step of signing up for the credit monitoring they offer. But, of course, they are urging everyone to sign up....


This. And it doesn't even tell you if you have been affected.


Time for criminal penalties for the management team.

A breach like this will affect thousands of people monetarily and suck time from them they could have used elsewhere. If you've ever dealt with something like this, you know the hours it takes to rectify the damage.

The only way corporations will learn to appreciate data security is when management teams suffer criminal penalties.


We don't know how the security breach happened. Should Equifax be criminally liable for using software which contains a remote-exploitable buffer overflow vulnerability? Or for the actions of a corrupt employee who stole some data and sold it on the black market?

It's possible that Equifax did something really negligent and if so maybe there should be a class-action lawsuit against the company. But it's also possible they did all the things they should have done and still failed because security is really hard and maybe the attacker got lucky.


Isn't the traditional capitalistic argument that the people on top are the ones taking all the risk, which is why they should be making all of that money in the first place?

Note that I'm not making that argument, but trying to understand how this situation differs.


You take a lot of the risk but not all. If this was due to weaknesses in their IT then managers should be liable. But it's possible that they had one of the most secure systems in finance and still someone found a way in via undisclosed exploits. In that case there's nothing a manager could've done.

But since the core database wasn't hacked, it seems likely that someone had a database dump on a development machine which was outside the scope..


I don't think it's fair to be throwing any individuals under the bus like that. There's obviously been several failures at multiple levels but the company as a whole will have to face the consequences, not just a few managers it decides to use as scapegoats.


Well, except for this:

"Three Equifax Inc. senior executives sold shares worth almost $1.8 million in the days after the company discovered a security breach that may have compromised information on about 143 million U.S. consumers."

https://www.bloomberg.com/news/articles/2017-09-07/three-equ...


Hah, that's actually excellent news for those hoping for criminal consequences. It might be hard to put anybody in jail for their security negligence, but to me it looks like those three have served themselves up on a platter for an insider trading conviction.


> I don't think it's fair to be throwing any individuals under the bus like that. There's obviously been several failures at multiple levels but the company as a whole will have to face the consequences, not just a few managers it decides to use as scapegoats.

Why not?


How about a lot of managers, then?


Lovely. I just had to give Equifax a bunch of my own info after having my identity stolen[0]. When dealing with this, I was amazed at how technically inept all three agencies seem to be. Not to mention the extent to which they use SSN and other PII to "verify" during phone calls, and try to sell their credit monitoring services to you. This sort of thing should be provided for free by these companies if they are going to be managing such valuable data.

[0] https://chrxs.net/articles/2017/03/23/responding-to-identity...


By enrolling in the free "Identity Theft Protection" you waive your right to "PARTICIPATE IN A CLASS ACTION, CLASS ARBITRATION, OR OTHER REPRESENTATIVE ACTION" https://trustedidpremier.com/static/terms

What a scam!


How can they prove it was me who waived that right if the data used to identify me was breached by them and potentially publicly available? The snake is eating its own tail here...


Great point.

In my case, after entering the information on the "Potential Impact" page, it immediately informed me I was enrolled without actually informing me whether or not I was impacted! It basically looks like Equifax used their massive fuckup to generate business for a service they own that by its nature incentivizes them to have poor security to encourage people to stay subscribed!

Given the number of incidents that have at this point affected nearly every person in at least the US, what value does the data held by the big 3 have? Almost anyone can claim that any information held by Equifax now was the result of fraud.

And how does Equifax prove that data wasn't modified in their systems by an intruder?


If by that you mean one waives the right to sue Equifax over the data breach, that’s not what it says by my reading.

“Except as otherwise expressly provided in this Agreement, all claims, disputes, or controversies raised by either You or TrustedID, Inc. arising from or relating to the subject matter of this Agreement or the Products (“Claim” or “Claims”) shall be finally settled by arbitration”

But IANAL.


Hm, I tried using their tool to see if I've been impacted:

https://www.equifaxsecurity2017.com/potential-impact/

Which says it would tell me if I'm likely impacted, but instead it just gives a date where I can enroll in some free product, but no info on whether I'm likely compromised.

Anyone have a workaround? This is important to anyone that wants to identify if they've been "pwned."


I got the same page, but then I tried putting in a fake name and got:

> Thank You

> Based on the information provided, we believe that your personal information was not impacted by this incident.

So if you just get the enrollment date, I think that means you’re affected.


From the r/personalfinance thread, the site kicks back 3 different JSON status messages:

  "message-deferred": "Thank You -- Your enrollment date for TrustedID Premier is: xxxxxx Please be sure to mark your calendar as you will not receive additional reminders. On or after your enrollment date, please return to faq.trustedidpremier.com and click the link to continue through the enrollment process."

  "message-success": "Thank You -- Based on the information provided, we believe that your personal information may have been impacted by this incident. Click the button below to continue your enrollment in TrustedID Premier."

  "message-not-impacted": "Thank You -- Based on the information provided, we believe that your personal information was not impacted by this incident. Click the button below to continue your enrollment in TrustedID Premier"


So... later date means they don't know yet? Or you have been impacted and you're only eligible to enroll later?


I really don't know. If we take it at face value, I think it means they're unsure and will hopefully know more later (whatever date it kicks back). At least, that's what I hope, because I gave in and punched in my information and I received the deferred message.


You can proceed with the enrollment anyway, even if you receive that message, with any set of six digits and any set of characters for the last name and receive a message indicating that you're enrolled.

I watched the video of the CEO describing what Equifax was doing in response to the incident and he does not specifically name "equifaxsecurity2017.com" or "trustedidpremier.com" as the sites they've set up, only that they've set up a special website.


To that end: if you're an HN user with the last name "HHHHHH" and with a Social Security number ending in 000000, don't worry about enrolling. I very helpfully took care of it for you!


I don't think so:

"Regardless of whether your information may have been impacted, we will provide you the option to enroll in TrustedID Premier. You will receive an enrollment date."


This site seems shady as hell. As does trustedidpartner.com, which it refers you to and which has no homepage. Seems like a phishing scam.


It is linked from the banner up top of https://www.equifax.com/personal/

"Equifax Cybersecurity Incident: To learn more about the cybersecurity incident, including whether your personal information was potentially impacted, or to sign up for complimentary identity theft protection and credit file monitoring, click here"

and that "click here" goes to http://www.equifaxsecurity2017.com/

So it'd seem legit, if rather silly to have its own domain.


I did the same - they are offering free identity theft protection to all US Consumers starting on some kind of rolling enrollment date beginning 2017-09-14.


A website registered a month ago with a simple DV certificate. Either the gentlemen at Equifax are grossly incompetent, or this is a phishing website.


"Customers"? I'm not an Equifax customer - that is, I've never given them my name or any information, and I've certainly never paid them for a service. Yet it wouldn't surprise me to learn I'm on their list. Why call me a "customer"? I'm the product you sell to banks.


The linked article only mentions business customers (i.e. banks). And refers to us as consumers, which seems correct enough.


> Equifax discovered the unauthorized access on July 29

Well over a month later and they're just now getting around to telling people about a security breach that could affect almost half of all Americans...

How is this ok/legal?


Discovering a breach is only a fraction of what has to happen before customers/public should be notified of said breach. It's not very helpful to anyone if you put out a press release that just says "we discovered a breach but have no idea who, if anyone, was affected, we have no idea what was stolen, and we have no idea who did it." There have to be investigations that happen prior to any of that being known/released. Investigations to find this type of stuff out usually take months, and typically involve the FBI or other agencies, which sometimes will actually ask you to keep news of the breach quiet if it might help them track down the perpetrators. You also want time to fix the issue before you go tell the entire world that there's a hole in your security.

I work in cybersec and I would actually say that under 1.5 months from discovery of unauthorized access to releasing this press release (and already having the equifaxsecurity2017 website up and running) is astonishingly fast work.


That seems reasonable, up to a point, but it also looks potentially self-serving and open to abuse (especially given the news about stock sales by insiders.) If a company in a position with this level of risk cannot staunch the leak within hours, it should be required to curtail its activities to the extent necessary to stop further leakage, until it has the proximate cause of the problem under control.

Nor should the instigation of credit monitoring be delayed until the investigation is complete. To pick a contemporary analogy, it would be like not informing the public of an approaching hurricane until its precise point of landfall has been determined.


Building off your analogy, you don't order mandatory evacuations every time you see a tropical depression form out in the Atlantic. It's only when the tropical depression actually turns into a hurricane and is on a collision course that you warn the public.

Data breaches are the same. If you put out a press release every time your infosec team discovered an attack, you'd be putting out releases every single day, multiple times a day, even though most of those breaches would turn out to be inconsequential after investigation. The public would become totally desensitized to them. That's why the investigation has to be done to determine if there actually is something to notify the public about.

Now, there's surely a point in the investigation where you "know" that the public needs to be notified, but you aren't completely done with the investigation yet. It would probably be in the public interest to notify then rather than waiting, but I think companies are scared to do this because many companies in the past have been lambasted by the public for doing just that. Apparently people don't like it when you release a statement saying "we had a major breach and some customers are affected but we don't know who yet", so it seems that companies are opting to get all the facts before saying anything.


You seem to be saying that, of the two analogies, mine is closer to actual practice.


The law gives them time to try to fix the problem before telling every hacker in the world about it.


In this context, there are two sorts of black-hat hackers: those who already know of the exploit, and those who do not. If it takes over a month to shut out the latter, then there is another problem.


Sadly, they use https://www.equifaxsecurity2017.com/ as their special domain for this case, which smells 9001% like phishing. I wonder if anybody at Equifax raised some concerns over that.


The whole concept of these credit agencies infuriates me. I didn't sign up for it. You have a dossier on me that I have no part of. If you F it up, you'd better bend over backwards to make sure it doesn't affect me.


This simply isn't true. The only way these agencies get your SSN associated with your personal info is by your agreement with a bank or similar organization to do so. It always happens with your express approval, even if you are not savvy enough to pay attention to what you're approving.


"You could avoid being in Experian's database by becoming an off-grid hermit in Montana" isn't really a great response here.

Bank accounts, cars, housing, etc. are necessities, and consumers have no power to negotiate in a lot of cases. Good luck getting your bank or landlord to let you opt-out of credit reporting.


Fear not. You can check to see if you were affected by visiting their site and giving them more personal data:

https://www.equifaxsecurity2017.com

/s

Maybe it doesn't matter much, since they've likely already got it. But, it feels a bit too soon.

An interesting side-note: That domain was registered about two weeks ago on 8/22/2017. Whois reveals not a single pointer to Equifax (e.g. equifax.com email address, etc.). It shows only DNStination Inc., and so is effectively private.

When you click the "Enroll" link, then "Begin Enrollment" button, it takes you to https://trustedidpremier.com, which was registered on 8/28/2017, using a different registrar (Amazon, with Whois Privacy). There's not even a reference to Equifax in the domain itself.

As of today, someone registered equifaxsecurity2018.com with a private (this time, Domains By Proxy) registration. Given the timing and the fact that this is a different registrar from the original, it's a good bet that's not Equifax. Or is it? Who knows?

And SSL-wise, these don't even appear to be using extended validation certs (FWIW). At least one is an Amazon cert, free to anyone who hosts on AWS.

They are virtually training people to be phished and creating another potential disaster with all of these additional domains, private registrations, etc.


This comment should be nearer the top.

Also, equifaxsecurity2017.com appears to be a stock Wordpress site. Equifax is a bunch of fucking amateurs. Their security culture is broken.


>Their security culture is broken.

That sums it up perfectly. This is not a mistake here or there, but a fundamental lack of appreciation for even the most basic principles of online security. It's like no one there is even thinking about the consequences of their choices.

Elsewhere on this thread, I commented on their reliance on an outside security firm to post-mortem this incident. That is ridiculous. They don't seem to understand that they are in the security business as much as anything else. They can't outsource this stuff. Their internal teams should be unparalleled.

You're right. It's absolutely cultural.


They got hacked years ago. I know this for sure because I'd used a unique email address to sign up on their website: equifax@<my name>.com

No one else had that email address. Guess what, I started getting phishing emails to that exact address.

Tried letting them know, but it went nowhere.


They've been hacked 3 times before. Like Yahoo waiting years to tell anyone, this is just scummy. I hope they make a law sending people to jail over this.


This administration won't be doing shit about companies like this. We need to fix the political system if there's to be any hope of justice for these types of crimes.


Doing some junky googling, estimates for how many Americans have a credit card sit in the ~160-180 million range.

In other words, when they say "143 million US customers" they really mean "the vast majority of Americans with a credit card".

Astounding.


About half of the country.


Given the average US household size of 2.53 [0], this affects far more than half the country.

[0] https://www.census.gov/data/tables/2016/demo/families/cps-20...


Oh nice. A company that does nothing but collect personal information. I’m already in their identity protection program, so I'm a little nonplussed at this.


Are you extremely surprised at this, or not at all? Just from context, I can't quite decide which it is.


I'm not at all surprised, but I am disappointed (to say the least).


Is anyone being punished for all of the massive security breaches which appear to be happening on a nearly daily basis?


I'm not a lawyer, and I don't know if what they've done violated the FCRA (Fair Credit Reporting Act). That said, doing a bit of research, if they've violated the FCRA knowingly, they're liable for actual damages, plus no more than $1,000 per incident, but also no less than $100 per incident. If it's just inadvertent negligence, then they're only liable for actual damages.

So, assuming each person whose info was compromised is a separate incident, willfully negligent violation could result in up to a company-shattering $143B fine, but no less than $14.3B on the low end. I imagine that even the lower figure would be hard for them to absorb as well.

I have to imagine that class action lawyers all over the country are licking their lips, if there's an opening via FCRA. I'm not sure what the FCRA says about PII data security practices, though - it might just be having processes in place and the like.


This is a great point. Without heavy fines and penalties, it seems many companies are happy to be lax on security and just quietly become another "victim" company. They just need their breach to be smaller than Yahoo's (which is easy for most companies).


It's like the financial crisis. Crass incompetence isn't a criminal offense.


Well, they try to find and convict the hackers, of course. Or did you mean the companies like Equifax, or Target, or Home Depot that are the victims of the break-ins?


I mean the companies like Equifax. Is there nothing illegal about being careless enough to leak this much important information to hackers? I personally think they should be held accountable.


Putting aside the whole "punishing the victim" argument, the problem is that it's excruciatingly hard to draw a line between "being careless" and "you did everything right but it still wasn't enough", and thus it's really hard to punish someone for cybersecurity mistakes. I work in cybersec consulting, and it's certainly true that a large number of companies are simply not investing enough money/time/effort into cybersecurity protections, and are thus doing a disservice to their customers.

However, there are also plenty of companies that spend hundreds of millions of dollars, with massive cybersec departments devoted to protecting from breaches like this, doing pretty much everything they possibly can right, and they will still be hacked. Cybersecurity is incredibly difficult, incredibly expensive, and takes a really long time. And even if you get 99.999999% of your company completely impervious to attackers, it only takes that 0.0000001% of exposure to sink your ship. Cybersec is also constantly evolving, so it's nearly impossible to keep up with the latest attack vectors, etc.

Take the Target breach, for example: Target has a massive effort focused on cybersecurity. They actually have a cybersec research lab that some law enforcement agencies go to for help with cybersec issues. But the attack that hit them took them totally by surprise simply because it was a type of attack that hadn't really been considered, and thus was very very low on the radar (if there at all) when it came to protecting against it.

Now, companies in the US actually are held accountable (to an extent). Data breaches that result in HIPAA violations, for example, usually result in massive fines for companies. Violations of PCI-DSS will land you in hot water with the major payment card companies. Some states also have cybersec regulations that result in fines if you're found to be in violation of them during an audit. The problem, again, is that cybersec is constantly evolving and these regulations are years behind. The HIPAA cybersec requirements are actually pretty laughable, partly because of all the reasons listed above.


>and thus it's really hard to punish someone for cybersecurity mistakes

No. If you take it upon yourself to hold this information, you are accepting the responsibility for its disclosure. If you are not willing to accept penalty for this happening despite your best efforts, you should not be doing it.


So, what should we do? Should we just fire/jail everyone who has ever worked for a company that was breached? You realize that would be literally everyone, in pretty much every company ever, right? There's a saying in the cybersec world: "there are two types of companies: those who know they've been hacked, and those who don't realize it yet".

Cybersecurity is a field where there's already not enough good talent. And even the very best talent is still going to not be good enough from time to time.

It is simply completely naive and unrealistic to expect a company to be 100% hack-proof, and if you start punishing people for that, then you're just not going to have anyone taking the job at all, and you're going to have even less security.


Oh come on. Anyone here who is a developer has at least some experience with raising a security concern to business or management and having it shot down as not important enough to worry about. We all know companies still aren't taking cybersecurity seriously enough, and it's because the consequences for a breach aren't severe enough.


Accountable for what? That they're a target for hackers, who managed to break into their network? How is that careless? There's no such thing as perfect security.


This case seems a little different in that it's pretty difficult to not have your personal information in their system.

You roll in to Target or Home Depot, you decide to pay with a check, card or cash. You decide to give them your information or not. You decide if you want to go back after they mismanage your information. Can you opt out of Equifax's business and still get credit or loans? Can you even opt out at all?


You're assuming mismanagement...but there's simply no way to guarantee perfect computer security.


In some of these cases, the victims have been negligent with the data entrusted to them by consumers, who are themselves victims.


They may have meant the actual victims, in this case 146,000,00 Americans.


Why do you think Equifax (or Home Depot, or Target) is any less of a victim here?


I leave my home with a house sitter. The house sitter throws a kegger, and his guests cause six figures worth of property damage, including stealing the house sitter's laptop.

Who are all the criminal parties here?


So you're saying that companies that get hacked are "asking for it", or are complicit in the criminal activity? That's an incredibly broad stretch.


Yes, because they're too lazy or it cuts into their profits too much to implement correct security.


How does it take 16 days to go from buying this domain to getting to public disclosure?

https://www.equifaxsecurity2017.com/

  whois: ...
  Domain Name: equifaxsecurity2017.com
  Registry Domain ID: 2156034374_DOMAIN_COM-VRSN
  Registrar WHOIS Server: whois.markmonitor.com
  Registrar URL: http://www.markmonitor.com
  Updated Date: 2017-08-25T08:08:31-0700
  Creation Date: 2017-08-22T15:07:28-0700
  ...


From the article: "No Evidence of Unauthorized Access to Core Consumer or Commercial Credit Reporting Databases." Later on they say "The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers."

I am having a difficult time reconciling those two sentences.


Exactly, they're being shady as fuck. They're trying to confuse people into thinking that their information wasn't stolen but it was, just those particular databases weren't affected.


The Credit Reporting Databases likely have information on loans, accounts, history of delinquent debt, etc.


Really makes you wonder what dataset this is, if it is apparently not consumer credit reports. And where did they get so much data on so many Americans?


I'd imagine the vulnerability allowed the "people" table to be accessed, but not the full list of credit report items for those people.

As for how they got the info, if you have a bank account, a landlord, a student loan, etc., Equifax knows who you are. Virtually any organization that extends credit or collects unpaid debts is going to be reporting that to the three agencies.


Good analysis over at Krebs on Security:

https://krebsonsecurity.com/2017/09/breach-at-equifax-may-im...


> Credit reporting agencies are one of the greatest/worst rackets in the modern financial system

Can someone notify me when the class action has been initiated?


If you want to win big, initiate it. Members of the class are likely to get something stupid like free credit monitoring from Equifax.


I don't care about the payout. Honestly, the lawyers can keep it all, so long as they score a $50,000,000,000+ payout.

Oh, and the ability to force them to delete 100% of the information they have on me and never be allowed to store another bit.


Sounds pretty likely. Sadly, I already have free credit monitoring from Equifax due to a previous identity theft incident. It's free for me, but paid for by another company that got hacked.


They are already offering exactly that. https://www.equifaxsecurity2017.com/


I'll bet $5 that signing up for their monitoring service comes with a class-action waiver sweetener.


> I'll bet $5 that signing up for their monitoring service comes with a class-action waiver

It does indeed.

https://trustedidpremier.com/static/terms


Please highlight the part where it specifically says one waives the right to sue Equifax over the data breach. Because the agreement is specific about what it covers.


How would one initiate this? Contact a lawyer?


Me too please.


Oh, hey, isn't that the corporation that is paid shit-tons of money by my potential landlords, employers, lenders, and for that matter anybody willing to pony up the cash, to determine if I can be trusted?

Kind of funny, isn't it?


>Equifax said that, it had hired a cybersecurity firm to conduct a review to determine the scale of the invasion.

I think most people are unaware of the depth of data Equifax has on them, beyond simple credit scores (e.g. health information).

Which makes the above quote from the article even more unconscionable. There should be no need for an outside firm to figure out what happened. They should have in-house expertise that is unmatched (although third-party audits ahead of time would be wise).


If it's online, it will be hacked and exposed. The new reality! Let's just try to limit what info we give to companies, knowing it will be leaked soon or later.


In the case of Equifax, customer data was given to them by creditors. Customers had no say.


How can we hold Equifax accountable for this? They literally have one job, and have failed so miserably at this one job that about half of the US population has been exposed, regardless of their personal opsec.

Is this grounds for a class-action lawsuit?


Perhaps it is time for our companies and institutions to move away from social security numbers, credit cards, driver licenses and such stuff to having people authenticate using apps on their devices (or in person with biometrics).

iPhones now have the Secure Enclave, Androids have the Secure Element. You can store private keys there.

Authentication is done by apps signing challenges. This can be done in many ways, including OAuth, QR codes to authorize new devices, etc.

Identity can be done by posting signed identity claims across websites, and adding/repudiating public keys in a personal scuttlebutt-type blockchain.

You can then easily sign into site X and prove your identity on sites Y and Z, without any sites necessarily tracking you between them.

Here is my semi-humble proposal for a decentralized, secure auth protocol that works with everything out there:

https://github.com/Qbix/auth

If you have experience writing tech specifications, please reply, I need someone to write the normative section of that protocol properly.


The problem with the SSN is it is an identifier and a secret. It's a username and password in one, you can't change it and you need it for any substantial financial transaction.

Ideally, we'd have both a public username and a private password that we could change for our financial identification. This would eliminate most of the problems with these big data breaches. The backup for resetting a forgotten password would be to show up in person and do some sort of biometric scan. Biometrics have to be done in person at a government office though, since they aren't secret and cannot be changed. There shouldn't be an over-the-wire API for biometric identification because then you've got the SSN problem all over again: a combined username and password that's even more public than an SSN and that can't be changed.


These fuckers should literally be put out of business. They have one job, and they fail at it time and time again. They can't be trusted with our data. They need to be shut down. Does anyone know how to start a ballot measure in California to create a Proposition to stop using Equifax in California?


> Equifax has established a dedicated website, www.equifaxsecurity2017.com, to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection.

Really? "We lost your info. Sign up for our credit monitoring service!"


"We lost 100 million plus social security numbers, give us your social security number so we can keep you safe"


I note that equifaxsecurity2018.com is already registered, but equifaxsecurity2019.com is available.


Not anymore.


Yep. All three do this and it drives me nuts. This instance is especially terrible given that Equifax is the breached service.


What's terrible is companies using SSNs at all.


4 executives sold $1.8 million worth of shares 4 days ago, not on a pre-scheduled basis, likely after they realized the breach.

We need regulatory framework on cybersecurity and failure to adhere to it must result in mandatory jail time


Honest question from a European: how would this work if I moved to the US? Would I simply not get a loan because I don't have a credit score? Do I apply at private companies and give them all my loan history?

Here in my country the government (or some agency) keeps track of what loans you have, and when a new company wants to issue you a loan you access the API with information like "2 years, €50 each month" and then the program responds with 'approved' or 'not approved'.

Giving all of these private companies all this data seems counter to American values of independence etc...


Most European countries have credit agencies, just that they have different names. When moving country, you usually have to build up a new credit reputation. Even when you move within Europe. A clean history will mean that you can get some credit cards but bigger loans will often require a few years of history with at least a current account.


From https://trustedidpremier.com/static/terms

"By consenting to submit Your Claims to arbitration, You will be forfeiting Your right to bring or participate in any class action (whether as a named plaintiff or a class member) or to share in any class action awards, including class claims where a class has not yet been certified, even if the facts and circumstances upon which the Claims are based already occurred or existed."

Sign for their TrustedID Premier and lose your rights.


Ok everyone: Someone here has enough free time to do this, and then buy an island with the proceeds.

Set up a web page that will automatically opt out of the settlement and file a small claims court suit against them seeking $1K in damages. $1K is lower than actual damage done (in wasted time) for most people. It is also lower than the cost of defending against the suit in court.

~143 million people were impacted, so that's ~ $143B in liability. Their market cap is $17B. Problem solved.

Even better, most victims never consented to doing business with them, so there cannot be any binding arbitration issues to get in the way.


> Exploited a US website application vulnerability
>
> The information accessed primarily includes names, Social Security numbers... credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed

Was all this data available and accessible through the same application? I wonder how likely it was something incredibly trivial, like SQL injection, or whether they were truly targeted and infiltrated


This is why I'm not secretive about my SSN. My neighbor, roommate or a random passerby isn't the attack vector, it is the trusted institution.

I'm not going to post it here, but I wouldn't even mind saying it over the phone while standing in line somewhere. It's just not the real attack vector.

The result here shows that whispering it and writing it down on Post-it notes for a bank teller have zero bearing on your identity security.


This is very simple: the cost of this "incident" for Equifax is zero. As a smart business decision they are not investing (enough) in security and code quality because they don't need to.

Now if they knew that there is a $1000 fine for each stolen identity, then the equation would shift and it would be a much better business decision to invest in protecting user data.


"Residents in the U.K. and Canada were also impacted." Yet Equifax is only providing lookup or TrustedID protection for Americans.


This entire thing is a joke and will continue to be a joke until we get laws that hold executives personally criminally responsible for breaches. Together with automatic forfeiture of personal assets. As long as there's no personal motivation from people who make hundreds of millions of dollars by sitting on a top of the pyramid nothing is going to change.


> The company has found no evidence of unauthorized activity on Equifax's core consumer or commercial credit reporting databases.

> The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers.

So what are they saying? Was all this information accessed or not accessed?


If it wasn't accessed, they would have been very clear about that. They're just mentioning "core consumer or commercial credit reporting databases", whatever those are, to dilute the horrifying message and confuse everyone.


The fact that they're using their press release, which lets people know how irresponsible they've been, to try and trick people into waiving their right to join a class action lawsuit against them is just the worst[0]. Sure, it may not hold up in court, but it's tricky and slimy and gross.

Credit Karma sent me an email this morning with the subject line "Your New Score" and I almost spit coffee all over my workstation. In fact my score only went down a point on Trans-Union, but it still was pretty scary to see in my inbox.

[0]: https://techcrunch.com/2017/09/07/equifax-data-breach-help-s...


Has equifax.ca also been affected? Does anyone have any intel on that? Now I'm worried.


"Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps. The company has found no evidence that personal information of consumers in any other country has been impacted."

Fairly ambiguous and I trust that sentence about as far as I can throw it. I too am interested in the answer to this, both personally and as an employee of a company that uses their services.


>The company said that it discovered the intrusion on July 29

Why is this posted now?


Also if you sign up for our monitoring service you waive the right to a class action suit.


> Equifax is a global information solutions company that uses trusted unique data, innovative analytics, technology and industry expertise to power organizations and individuals around the world by transforming knowledge into insights that help make more informed business and personal decisions.

When they have no clue what they are conveying about themselves to the people, these kinds of clueless incidents do happen.


Everything you create online will get hacked. It will eventually just be accessible in a nice queryable format in the future. Your texts with your ex, your credit reports, your taxes, your shopping habits, will all just be public one day. I understand people have a violent reaction to this -- but it is really becoming true. Mask who you are, hide what you do, send things that self destruct.


I have once gone so far as to write a preliminary claim for defamation and libel, and put the brief to clerks for barristers to indicate interest and availability.

My issue was swiftly resolved, but I felt the cold chill as replies came revised to note that overnight instructions for a separate matter were being notified to reflect the possible conflicts of interest the association rules require disclosed.

Barristers' chambers can be used by opponent litigants, but with leave from the Master of Court, if not the Justice or Judge. I am thankful for my memory fading, and I actively discourage mistaking me for an authority. But I am not unwelcoming to inquiry from any request for anecdotal vignettes of IP and Companies Court cases, should there be need and understanding of my limitations. Laddie, LJ, was the solitary Lord Justice to ever resign the Queen's Bench. He was protesting the woeful incapacity of the Higher Courts to try specialised and particularly IP cases.

It was Laddie who handed down the scintillating condemnation of Manchester United soccer club for suing fans who knitted scarves in club colors.

Closer to home for many, Laddie is the one loss lamented by Patry, who wrote both testaments and the dead sea scrolls on US copyright and became an instrumental counsel to the growing young Google. Be unaware of these two names at your peril, in a litigious world of degenerate law for inventors and artists, and all who de novo create.

Edit, "bible" was a redundant word; separated paragraphs for clarity.


I expect this won't be the only bad news that is released today and tomorrow given the impending death and destruction coming this weekend.


Question: Is there any way to get a notification whenever a credit account of any sort has been opened in my name, WITHOUT freezing my credit or otherwise crippling/slowing/altering any process that exists? I just want a letter or email notification, not any other changes to anything. Ideally a free way, but paid if a free way doesn't exist...


So, can anyone tell me, why are there three credit agencies? Why not one, or thirty? Could I start a credit agency, just by judging that certain people are level 9000 reliable, and others are just level 100 reliable? I swear it's not slander, everyone I refer to is reliable, it's just that some of them have demonstrated exceptional reliability.


One would probably mean antitrust action or nationalization.

There are more than three - https://en.wikipedia.org/wiki/Innovis for example - but the big three are the ones with market power. Anyone can start one - but it's tough getting banks and landlords to use you, especially in the beginning when you've got no data. Massive barriers to entry.


Points to the wise: always keep your credit FROZEN. All three of the big credit firms make it simple to do and it has been easy to unlock when I wanted to do so. If I know I am going to want to use my credit for a new account, I identify which one the bank/merchant/etc will use and unlock it for 48 hours.


There should be a way to freeze all 3 (and/or all significant) from a single web site, and it should be free. It's mind blowing to me that this isn't codified into law yet.

Actually, if someone did this (well) as a service I would probably even pay a small amount of money for it. Startup idea?


I find the section about the arse-covering website amusing in the way they cannot help but give it a stupid marketing speak name, and phrase it like it's some fantastic product they are providing rather than a desperate response to an existential threat!


> The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.

Oh good, sounds like Equifax's valuable data is safe, it's just that of their unwilling 'customers' that leaked.


> Oh good, sounds like Equifax's valuable data is safe, it's just that of their unwilling 'customers' that leaked.

Don't worry, for $9.99 a month they'll help you clean the mess they made. I am being sarcastic, but I wouldn't be surprised at their audacity.


"Another potential complication for the company is that public filings show that three senior executives, including chief financial officer John Gamble, sold shares worth almost $1.8m in the days after the attack was detected."

quote from FT.com


They discovered this on July 29, the CFO and two other senior executives sold shares 3 days later. They are just now reporting it (when most of the news coverage is focused on the hurricanes). What are the odds they get their day in court?


Too big to punish?


Like the old saying... you owe the bank 10 thousand dollars? Your problem. You owe them 10 billion? Their problem.



It makes me wonder how they set up their security infrastructure. Were the hackers able to freely access their HSMs? Do they not monitor access? Would be nice if some form of RCA is made public.


>I apologize to consumers and our business customers for the concern and frustration this causes

What a cop out. "Concern and frustration" are not the problem here. Identity theft is.


I am dumbfounded that they are not waiving credit freeze fees.


People should be asking just how Equifax ended up with any of your private information. Do you authorize anyone to share this sensitive information with them?


> Do you authorize anyone to share this sensitive information with them?

Almost certainly. Any time you've taken a loan, opened a bank account, rented a car, etc. you've likely agreed to it in the fine print.

Whether you had any choice in the matter is a far more important question.


So in order to see if my sensitive data was stolen from an Equifax database, I have to enter my sensitive information into an Equifax database.


"Your data wasn't taken! Don't worry, it'll now be lost in the next hack, so you can have your free credit monitoring then."


Did anyone understand what equifax is from their description in the article? I had to google it despite the "about equifax" paragraph.


143 million sounds like pretty much all of their data


As long as there are practically no penalties this will keep happening. Forty-four percent of Americans are affected in this.


Did they have to release the incident now by law, or did they choose the week so that the Irma weekend can blow over this?


One thing seems to be conspicuously absent from the press releases; is there any inkling of who might have done it?


One possible solution is to use the concept of the public and private keys we use for digital signing/encryption.

You can use my public key/public SSN to make inquiries about me and check my credit history. But to open an account or take out a loan etc, you also need my private key, private SSN, which is not stored once the account modification is done.

IMHO, this is never going to happen, but it seems like it could be a solution to these problems?
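The challenge-signing proposal earlier in the thread (keys in a Secure Enclave / Secure Element, apps signing challenges, proving identity to sites Y and Z without cross-site tracking), the "identifier and secret in one" complaint about SSNs, and the public/private SSN idea above all reduce to the same primitive: the verifier stores only a public key, and the holder proves possession of a private key that never leaves the device. The Go program below is an added illustration, not code from the original thread or from the Qbix/auth proposal. It uses Ed25519 from Go's standard library; the relying-party names ("bigbank.example", "landlord.example"), the user id "alice", and the action strings are assumptions for the demo. It shows why a leaked table of public identifiers is harmless, why a signature cannot be replayed, and why a challenge signed for one site cannot be relayed to another.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Device holds the private key, which never leaves it (the analogue of a key
// kept in a Secure Enclave / Secure Element).
type Device struct{ priv ed25519.PrivateKey }

// RelyingParty (a bank, a landlord's screening service) stores only public
// keys and the challenges it has issued but not yet consumed.
type RelyingParty struct {
	Name       string
	pubKeys    map[string]ed25519.PublicKey // user id -> public key
	challenges map[string]bool              // outstanding challenge -> true
}

func NewDevice() (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv}, pub, nil
}

func NewRelyingParty(name string) *RelyingParty {
	return &RelyingParty{Name: name, pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string]bool{}}
}

// Register stores the public identifier (the "public SSN"). Nothing here is
// secret: a breach of this table gives an attacker nothing they can sign with.
func (rp *RelyingParty) Register(userID string, pub ed25519.PublicKey) {
	rp.pubKeys[userID] = append(ed25519.PublicKey(nil), pub...)
}

// Challenge issues a fresh random nonce bound to this relying party, the user
// and the action, so a signature is single-use and site-specific.
func (rp *RelyingParty) Challenge(userID, action string) (string, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	c := fmt.Sprintf("%s|%s|%s|%s", rp.Name, userID, action, hex.EncodeToString(nonce))
	rp.challenges[c] = true
	return c, nil
}

// Sign is the only operation the device exposes; the private key is never exported.
func (d *Device) Sign(challenge string) []byte { return ed25519.Sign(d.priv, []byte(challenge)) }

// Verify consumes the challenge and checks the signature against the stored
// public key. An unknown or already-used challenge is rejected before any
// cryptography runs.
func (rp *RelyingParty) Verify(userID, challenge string, sig []byte) error {
	if !rp.challenges[challenge] {
		return errors.New("unknown, expired or already-used challenge")
	}
	delete(rp.challenges, challenge) // single use: a replay fails here
	pub, ok := rp.pubKeys[userID]
	if !ok {
		return errors.New("unknown user")
	}
	if !ed25519.Verify(pub, []byte(challenge), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Demo walks the flow and reports whether each security property held.
func Demo() (legit, replayRejected, relayRejected, forgeryRejected bool, err error) {
	dev, pub, err := NewDevice()
	if err != nil {
		return
	}
	bank := NewRelyingParty("bigbank.example")     // assumed name
	landlord := NewRelyingParty("landlord.example") // assumed name
	bank.Register("alice", pub)
	landlord.Register("alice", pub)

	// 1. Legitimate: Alice's device signs the bank's challenge to open an account.
	c, err := bank.Challenge("alice", "open-account")
	if err != nil {
		return
	}
	sig := dev.Sign(c)
	legit = bank.Verify("alice", c, sig) == nil

	// 2. Replay: presenting the same signature again is rejected.
	replayRejected = bank.Verify("alice", c, sig) != nil

	// 3. Relay: a signature over the bank's challenge is useless at the landlord.
	relayRejected = landlord.Verify("alice", c, sig) != nil

	// 4. Forgery: an attacker holding only the public key table cannot sign.
	c2, err := bank.Challenge("alice", "take-loan")
	if err != nil {
		return
	}
	attacker, _, err := NewDevice()
	if err != nil {
		return
	}
	forgeryRejected = bank.Verify("alice", c2, attacker.Sign(c2)) != nil
	return
}

func main() {
	fmt.Println(Demo())
}
```

The challenge string carries the relying party's own name, so even a verifier that did accept challenges it had not issued would be checking a message that names the wrong site; the outstanding-challenge table is what makes each signature single-use.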


Nice for Equifax that this happened before GDPR is enforced and they would have been fined 4 per cent of turnover.


Wonder how much this would cost if it was European citizen data under the GDPR...


This is where sovereign identity solutions on Blockchain show the way forward. For example check out Civic and Pillar. Non-disclosure: no commercial interest in them. We should own our own data and that must mean decentralised. All centralised data gets hacked - all.


> All centralised data gets hacked - all.

What, and no one ever lost their Bitcoins via a key breach?

Owning our own data has very, very significant security implications. The average human isn't technically prepared to be their own infosec department.


This is horrendously bad.


Can some form of biometrics prevent such incidents going forward?


No. Link says it was a vulnerability in their website, so adding biometrics would've probably just meant your biometrics would've been leaked alongside your SSN.


Most are falsifiable and they are hard to do over the Internet (and are easier to fake over the Internet). Also you can't change the info if there is a breach.


Biometrics are more useful as an enhancing measure to verify identity but not for gaining access. Once compromised, it's forever.

One can even fake DNA if you have enough time, money and expertise...


Only until someone lifts your fingerprints or the like. And those are also difficult to change.


not if the digital ID with biometrics was on a public ledger and only you had the key....


Is there a way to check if your information was exposed?


How did it take them over a month to report this?


How do you know if this affects you?


That's what I came here for too. They have a site (go to Equifax for a notification banner) but providing the information they want just tells me to check back later. From the text I would assume I wasn't impacted, despite the fact that it seems almost everyone who used the site would have been.

Edit: Seems that if you have a date you're impacted. https://www.reddit.com/r/personalfinance/comments/6yq36a/equ...


Have a date?

Thanks for the info, will check it out. I suppose one saving grace for me is my credit is destroyed.

edit: that's funny: "I know we just lost your SSN, but could you type it in again?" Also curious if asking for the last six makes the search faster, probably.

site to check impact: https://trustedidpremier.com/eligibility/eligibility.html

Edit: that link (trusted) doesn't even say Equifax in it, pulled it from Reddit, would be funny if it was a phishing site

Edit: this one looks more legit

https://www.equifaxsecurity2017.com/potential-impact/

Still not the main domain


Seems to be linked from the main Equifax site: https://www.equifax.com/personal/ (see banner at top)


As far as I've understood, if you're an American with a credit card.


If you live/lived in the USA, and have ever had credit here, this affects you.


Any info on how they were hacked?


DO NOT enter your information into their "have you been affected website".

If you enter your information, you agree not to sue them.


Is it enough to freeze credit?


The Spice will not flow.



