Myequifax.com Bypasses Credit Freeze Pin (krebsonsecurity.com)
450 points by deanmoriarty 42 days ago | 192 comments



Equifax has the unique ability to collect the most private information available, even when they have never or will never interact with that person.

I think the entire credit system needs to be changed. If credit bureaus can't be responsible then citizens should get a choice in the matter. These companies have us by the balls and we have no recourse. It's a monopoly complete with price fixing and everything, except the price is privacy and you don't get any options.

It reminds me of an episode of Hotel Hell I saw where the front desk stored all guest credit card numbers, expiration date, and security code in a white lined notebook unlocked behind the counter. Gordon Ramsay walks up to an unstaffed counter, grabs the book, and walks off with it.

Now imagine that the hotel blatantly admits to not giving a shit about your credit card details, and you don't have the option of checking out and taking your business elsewhere.


I'm normally not a fan of congressional hearings where everyone is trying to grandstand, but this one was particularly good.

The congresswoman asked the Equifax CEO to provide his birthday and social security number publicly for the record. He of course refused and when asked why, he said because that is sensitive information.

All the while, Equifax attorneys are arguing in court that there is no harm in leaking private data like SSNs and thus they shouldn't be held liable for any damages.

https://www.fastcompany.com/90312551/watch-a-congresswoman-d...


That's all well and good, but what was the concrete result of the hearing? Nothing actually happened and Equifax continues merrily along doing what it's always done.


Congressional hearings are about informing law makers (and also for grandstanding). They are not intended to provide immediate results in the way a trial would. The results if any will be in the form of legislation at a later date.


Results can come a lot sooner and more incrementally than that. For example, there were congressional hearings very recently involving Michael Cohen and merely days later, document requests were issued as a result of the statements he made during the hearing.

So where are the inquiries? Where are the task forces? Where are the subpoenas? Where are the subcommittees? It's been over a year. Are you confident with "changes will come at a later date"? Seems to me like changes will happen never.

http://fortune.com/2018/09/07/equifax-data-breach-one-year-a...


Oh I'm not at all confident changes will come. If the hearings aren't convincing enough to members of congress then nothing at all will happen. It seems like that was the case with congress as it existed at the time of the hearings. Perhaps things are different now that we are post-election and the makeup is different.

My point is one shouldn't expect immediate effects from a congressional hearing. They are merely the start of a long process that can get derailed at many points along the way.


To a non-American, the promptness and lack of even thinking or hesitation with which Michael Cohen answered and the swift "results" it produced make it seem almost certain that the questions from AOC and others were pre-coordinated "set pieces" designed to provide some kind of "parallel construction" justification for the requests. I wouldn't put much store by these things.


Wow, that’s one hell of a conspiracy theory.


Equifax CEO did not commit crimes. Can’t say the same about Cohen and inquiries spawned off of his testimonies.


If I recall, they sold tons of stock before the leaks leaked.


That's all well and good, but what was the concrete result of the hearing?

Some politicians got an opportunity to issue strong statements that they can later leverage during reelection?


If only there were some kind of oversight by a government agency made to protect consumers from these types of things when the market based approach fails. This type of agency or bureau would be there to protect people when there was no legal recourse otherwise and establish rules so that corporate entities and businesses were beholden to someone. Meh, I'm sure the market will sort it out since you can just take your credit to another provider right?


You seem to be describing the CFPB?


I think he missed the sarcasm tag...


All that would be required for reform, I think, is a small revision to the FCRA. Remove their near-immunity from libel law and let our famous hunger for civil suits do the rest.


I've heard about artists being told to destroy their artwork for obscenity or copyright reasons, but how many companies have been court ordered to purge their databases in the US?


Here's a clip of the Hotel Hell episode featuring the credit card book: https://youtu.be/0dtZ7a8K1Ow?t=136


A real-life attack based on this kind of hole was discussed at https://www.reddit.com/r/personalfinance/comments/ay7aoy/ide... : someone says that an identity thief who knows all their knowledge-based question answers (because they have a copy of a credit report, no doubt) keeps somehow removing the freeze and committing more fraud.


Some KBA questions don't show up on your credit report, that being said, they can still be guessed with some certainty if you know the person.

Some examples either me or my husband have gotten:

-What month was [person] born? [person] was my mom and one option was "I don't know [person]." Luckily they didn't ask the date, because I don't know that, but I do know the month.

-Which of the following people are/were you associated with?, my ex-roommate as one of the answers. Makes sense to connect us if we had the same address at the same time.

-Which of the following people are/were you associated with?, my ex as one of the answers. This one baffled me because we never lived together and never had a bank account or loan together.

-Which town did/does [person] live in? Where [person] was my husband's brother. Of course, useless if everyone still lives in their hometown.

I've also been asked about the previous cars I've owned, which are from DMV and insurance databases, not credit reports.

The entire concept of KBA is flawed and pretty shitty all around.


I once had a nightmare set of one where I was setting things up over the phone and had to do KBAs, and asked me who held my Auto Loan. A. Who has my loan has changed since I got it originally. B. The options they gave were (Names changed) Wachovia, Ally Bank, Ally Bank Inc, Ally Bank of New York, where the original lender was Wachovia, and I know it got sold to Ally at some point.

I literally have no way to know which one of these they think is correct. At least 2 of them were correct at some point, depending on how up-to-date the data was, and the last three were indistinguishable, even when looking at my actual statements for my loan... So I failed out of my KBAs 4 straight times because they kept giving different variants of the same question, just with different sets of answers, until I could venn diagram out which one must be right because it was the only one that came up in all 4.


They really are piss poor, low-hanging-fruit level of effort. I once got a question asking which car I owned with four answers and I had owned two of the cars listed...

Then, of course, what if you get a question about your sister when she's toxic and you've cut her out of your life. Or even just naturally lost touch with her over the years.


I had something like this happen to me while getting a phone plan. I have great credit, and was working for a well known silicon valley tech company with great pay, but because I couldn't remember the exact month I started a job over 25 years ago, I could only get a prepay plan. It was almost amusing.


The TransUnion questions in particular seem to have a reputation online for being confusingly unanswerable. I've been presented with sets where not one of the available answers was correct, and I had no idea what they expected of me. Of course I "failed", twice in a row.


Here's a fun one for you!

When I was a kid I was briefly a ward of the court. During that time, I had an official address that was not where I actually lived, and somehow the credit bureaus got ahold of that information.

So whenever I need to answer the suite of questions for identity verification, if I get the "which of these places have you lived", there's a good chance I won't know the answer, because I was a kid and never actually lived there.

So when that happens, I guess at one of the addresses, inevitably get it wrong, fail my own identity verification process, and need to jump through a ton of hoops to either re-try the process and hope I don't get that question, or verify my identity another way.


Does that address show up when you request your credit report by mail?

It should be free (apart from postage).


>I've also been asked about the previous cars I've owned, which are from DMV and insurance databases, not credit reports.

I've had online car insurance instant-quote systems show me a list including both my current and previously owned cars with just a name and address, so that's encouraging that it's being used as a critical authentication measure.


> my ex as one of the answers. This one baffled me because we never lived together and never had a bank account or loan together

Yikes. Where did they get that from? I wonder if they also collected tons of info from Facebook like it seems everyone else has.


This was around... Oh... 8-9 years ago and I'm still trying to figure it out. It's honestly bothered me since then. I just really want to know how they connected us. I'm not mad they did, I just want to know how.

We never had an insurance policy together or anything else like that either.


It could have come from the other side. If they listed your address for something (because she didn't want to list their own, or for any number of reasons), they could possibly determine that you lived together from that. Or some database got mixed up and used some shipping address for something they ordered to your residence as a home address. Having them associate you with them isn't all that weird.

What's weird is that they get this information from random sources and use it for verification without verifying it's actually accurate first. That's just bonkers.


Did you list them as the beneficiary of any retirement accounts or insurance policies, or maybe as an emergency contact somewhere that reports to credit bureaus?


Emergency contact, that's possible...

Beneficiary, certainly not, I was in college, broke as fuck, and living on student loans, didn't have any sort of assets to speak of (besides a $900 car), no retirement accounts or insurance policies (besides the minimum liability insurance required by the state).


I've never taken out a loan of any kind, so 90% of the time the answer to all KBA questions is "none of the above".

That's aside from the fact that Equifax's site has never worked right for me anyway, and doesn't accept my information. Never been able to pull my report online from them. The other two major agencies work fine.


> the data being asked about in these KBA quizzes is culled from public records

Yesterday, when opening a savings account with a major US financial institution, one of the KBA questions asked for my Zodiac sign. The other two were about a mortgage and the year I was born (±1 year). I do not understand why any competent institution would find these secure and it appalls me that is all the information needed to open an account in my name.

Edit: Here is the screenshot https://i.imgur.com/Mr8gOOA.jpg


That looks like Ally Bank. --BUT, it isn't, per the reply below. It's Discover, though Ally asked me the same zodiac question in what looked like the same font.--

They won't open a joint savings account for my wife and me because my wife doesn't have a phone bill in her own name "for verification." (We've been on the same Southwestern Bell/Cingular/AT&T, recently T-Mobile, family plan for the past, oh, fifteen years, and it's under solely my name because of employer discounts.)

When I mentioned this to the rep, she told both of us--we were all on speakerphone--that my wife could send in a copy of her driver license. Except Washington doesn't require us to get new licenses when moving, and the address on both of our licenses is the same...and four years out of date.

I get the need for ID verification but funny how we never run into this problem when my wife wants to borrow money in her own name. No one has ever cared about her license or a phone bill when she's taken out credit cards.


Oh, and one more thing: This is the same bank that called me the other day to inquire about our application and--even though they called me--their representative got mad when I wouldn't give him the last four digits of both of our Social Security numbers and our dates of birth and Mother's Maiden Name / Security Answers from the application.

When I pointed out that a) he called me and b) this is, quite literally, exactly how scam calls trying to steal money go, he got upset at how I wouldn't "believe him." I told him that's exactly what a scammer would say and hung up.

My "private" information has been leaked to other governments and various malicious actors at least six times, just in 2018, so I'm a little more wary than I used to be and that pissed me off.


I had a similar issue with Chase calling me, as a follow up to fraudulent charges on my card. They were asking for basic identifying information, but I didn’t feel comfortable so I hung up.

I then called Chase and asked if it really was them that called, and they confirmed it was actually them. But then they also apologized and resumed the previous call from where I hung up.

It was just nice to not be judged for being cautious.


That's pretty atypical for Chase - whenever I get a call from them, it's always something like "Please call the number on the back of your credit card to solve this issue."


I've had Chase call me, text messages requesting that I call Chase, e-mail messages requesting that I call Chase, and both e-mail and text messages asking me to reply with a specific letter or number to verify a purchase.

I have multiple Chase accounts in multiple tiers (business, etc...), so my guess is what kind of contact you get depends on the nature of the account.


TBH it's not the bank's fault. Our government's stance on taxes, terrorism and drugs has caused this. Due to the need to verify citizenship, verify that you aren't a terrorist and verify that you are a drug lord laundering money, the banks are forced to jump through all of these hoops to give you an account.


I mean, I get that but why is it not a concern when I want to borrow money? Or, even more relevant, when my wife wants to borrow money? She has multiple credit cards with tens of thousands of dollars in borrowing power in her own name and has had and paid off two loans, all while not having a telephone bill in her own name or even being on the deeds to the properties we've lived in together.

I see it less as CYA and more as "we can make money off of you so the requirements are relaxed because we're making money"--that is, lending money that she'll presumably pay interest to borrow--versus "oh shit you want to put $1,000 in an account and our bank pay you better do the fifteenth degree."


> the need to verify citizenship, verify that you aren’t a terrorist and verify that you are a drug lord laundering money

One day these requirements are going to get out of hand. :D


Heh. I'm not saying they are or aren't out of control. My point is that when the government creates all of the requirements, and the onus is on the banks to verify it all, at risk of penalties from the government, then you get these kinds of stories. People see it as overkill. The banks see it as CYA.


I basically agree with you on the issue; I was just making a cheap joke about the supposed requirement for the bank to verify that you are [as opposed to aren't] a drug lord.


Washington state doesn’t require this?

It says it does here: https://www.dol.wa.gov/driverslicense/moving.html


It's Discover, not Ally.


Oh, they use the exact same font. Fair enough; I'll add a disclaimer at the top but Ally did the same thing to me (same zodiac question).


The bank itself is probably not doing the KBA; they're buying and integrating a KBA dialogue solution from one of the vendors. So might be the same software / font / question bank at work.


Correct about the software most likely, but Discover uses FF-Meta [0] and Ally uses Lato [1]. They are admittedly quite similar.

[0] https://fonts.adobe.com/fonts/ff-meta

[1] https://fonts.google.com/specimen/Lato


I think what rlucas is saying is that the reason the font might be the same is that the bank implemented the solution straight up; without any of the styling that would usually be applied. I've definitely seen this and worse before, so it's not exactly out of the realm of possibility.


Zodiac sign? Seriously? I don't know what mine is because that is not a belief system/religion I subscribe to so I had to Google it. Turns out my birthdate must be on the border because different sources have it as a different sign. They might as well ask what color my aura is.


Better than the SS Administration, who ask "Where were you when 9/11 happened" or "Where were you when JFK was assassinated"... Took a screenshot of these but can't find it now. My method is picking the common questions like "what street did you grow up on" and assigning it a random/not true answer, or another question such as "I don't know what my favorite street is".


These are so-called "security questions" for that account; the great-grandparent is talking about "knowledge-based authentication," which is a different thing entirely.

For "security questions" you choose your answers; in "knowledge-based authentication" the questions and answers are generated based on the information in your credit reports and other databases, such as insurance databases. You don't make up answers; they already know the answers.


> Static KBA, also referred to as "shared secrets" or "shared secret questions", is commonly used by banks, financial services companies and e-mail providers to prove the identity of the customer before allowing account access or, as a fall-back, if the user forgets their password.

Wikipedia refers to "security questions" as "Static KBA".


Speaking of the SS Administration, I ran into an annoyance with them when trying to get a replacement SS card. They would not accept any ID for which the name did not exactly match the name in the records.

So, for example, if you always went by "Ron Weasley", having your driver's license , your utility bills, your apartment lease, your animagus registration, and so on all under that name, but your name in their records was "Ronald Weasley", you would be out of luck.


I often use "None Of Your Business Street." Works every time.


Lie about which is your sign. If the bad guy knows your birthday, they will guess the wrong sign.


This is one of those questionnaires that is generated based on your credit report and other items related to your identity. So it's extrapolated from your birthdate and probably makes it ever-so-mildly more difficult for robots to get it right than it would be if it just asked for your birthdate.


And now you have to keep all of your lies straight.


Absolutely; use a password manager. This is the least bad way to go for these types of "security questions": give a plausible, but wrong, answer.

Correct is too easy to guess.

Obviously wrong will be recognised by the customer service representative, who is a kind person, and will help you out by just disabling the question (anecdotes galore for this, to the point we can call it data).

Lie, in a believable way. Put the answer in a password manager. Open your password manager up before calling any CS rep. Be a star in the security theatre. :)


Password managers solve the storage part of making security questions secure, but there's still the question of generating sufficiently random answers in the correct format.

I look forward to password managers including generators for your birth date, family tree, childhood friends, favorite color and maybe also social security number, name and address if those aren't actually required for anything. Then you can have a value for your mother's maiden name that isn't incredibly common, but nonetheless looks like an actual person's name.
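The two comments above (lie plausibly and keep the lie in a password manager; generate answers in the right format with real entropy) describe a technique without showing one. The following is an added example, not code from any commenter or from a password manager vendor. It draws each "security question" answer with a CSPRNG from a pool shaped like the real thing (a surname, a city, a street, a date) and reports the guessing entropy of that pool. The word lists are constructed and deliberately tiny; a real generator would use large public lists (census surnames, place names), which is an assumption of this example, not something the thread states.

```python
import math
import re
import secrets
from datetime import date, timedelta

# Constructed sample pools (assumption: real use would draw from large
# public lists so answers look ordinary; these only show the mechanism).
SURNAMES = ["Alvarez", "Bennett", "Chandra", "Dubois", "Eriksen", "Fonseca",
            "Gallagher", "Hoffmann", "Ibrahim", "Jensen", "Kowalski", "Lindqvist",
            "Moreau", "Nakamura", "Okafor", "Petrov"]
CITIES = ["Tacoma", "Boise", "Duluth", "Lubbock", "Peoria", "Savannah",
          "Spokane", "Toledo"]
STREET_SUFFIXES = ["St", "Ave", "Rd", "Dr", "Ln", "Ct", "Blvd", "Way"]
DATE_START, DATE_END = date(1930, 1, 1), date(2000, 12, 31)


def fake_name():
    """A plausible but random surname (e.g. for 'mother's maiden name')."""
    return secrets.choice(SURNAMES)


def fake_city():
    """A plausible but random city (e.g. for 'city you were born in')."""
    return secrets.choice(CITIES)


def fake_street():
    """House number plus surname-derived street name, e.g. '4821 Moreau Ln'."""
    number = secrets.randbelow(9999) + 1
    return f"{number} {secrets.choice(SURNAMES)} {secrets.choice(STREET_SUFFIXES)}"


def looks_like_street(answer):
    """Format check a site would accept: number, word, suffix."""
    return re.fullmatch(r"\d{1,4} [A-Za-z]+ [A-Za-z]+", answer) is not None


def fake_date(start=DATE_START, end=DATE_END):
    """A uniformly random calendar date in [start, end], inclusive."""
    return start + timedelta(days=secrets.randbelow((end - start).days + 1))


def entropy_bits(choices):
    """Guessing entropy in bits for a uniform draw from `choices` outcomes."""
    return math.log2(choices)


# Each question type maps to a generator and the size of its outcome space,
# so the caller can see how much an attacker gains from a plausible lie.
QUESTION_TYPES = {
    "name":   (fake_name, len(SURNAMES)),
    "city":   (fake_city, len(CITIES)),
    "street": (fake_street, 9999 * len(SURNAMES) * len(STREET_SUFFIXES)),
    "date":   (lambda: fake_date().isoformat(),
               (DATE_END - DATE_START).days + 1),
}


def generate_answers(questions):
    """questions: list of (prompt, type). Returns {prompt: (answer, bits)},
    ready to paste into a password manager's notes field."""
    out = {}
    for prompt, qtype in questions:
        gen, space = QUESTION_TYPES[qtype]
        out[prompt] = (str(gen()), round(entropy_bits(space), 1))
    return out


if __name__ == "__main__":
    sample = [("Mother's maiden name", "name"),
              ("City you were born in", "city"),
              ("Street you grew up on", "street"),
              ("Date of your first flight", "date")]
    for prompt, (answer, bits) in generate_answers(sample).items():
        print(f"{prompt!r}: {answer}  ({bits} bits)")
```

The entropy column is the point: with these toy pools a surname answer is worth only 4 bits, about the same as a real maiden name an attacker can look up, while the street answer is worth about 20 bits only because the house number is random. Scale the pools up (tens of thousands of surnames, a full place-name list) before treating any of these as a secret, and keep the mapping of prompt to answer in the password manager, since the same plausible lie must be told consistently to every rep.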


I save my security questions in a password manager and just generate it. Though I've thought about instead giving answers that would serve as a message to customer service rep to actually validate it in cases of someone trying to impersonate me.

Q: Where were you on New Year's Eve in 1999? A: demand-exact-answer-over-phone


They aren't asking you questions they don't know. They will ask you questions about the color of your car or streets you lived on, and they know the answers.


Someday someone will write a password manager equivalent for keeping track of one's lies.


They already know the answer from your credit report and other databases... If you answer incorrectly then you get denied opening a bank account online and you'd have to jump through extra hoops, either going to a branch or mailing documents.


Sounds... not right. What is the date?


I just now Googled Scorpio (found a sign that isn't "mine", as an example) and saw dates that varied by up to 19 days on the tail end of the Scorpio range.

Depending on the sources I scanned on the first two pages of results, the cutoff is somewhere between November 2 and November 21.


Well what is it?


No one thinks this is actually secure, it's security theater.

The thing is, the cost of identity theft of consumers to credit reporting companies is less than the cost to actually adopt secure methods to judge one's credit.


You're exactly right. It's the same reason we're required to sign checks and then the bank promptly ignores the signatures. It's cheaper to handle the fraud than check the signatures, but it makes us feel good to do it anyway.


I wish - a few years ago I was trying to pay for rent with a cheque and it bounced. I ended up sending another cheque, having that one get rejected, go into the bank and give them a new signature sample, and then have the next cheque be rejected as well due to the signature.

Apparently my bank checks cheques.


Yes, Indian banks also check signatures on anything submitted to them.

I once had to deposit cash in my own account but in a different city in India. It was free if I deposited it, but there were fees for any third party. The cashier told me my signature didn't match what's on file and thus I either needed to re-sign or pay the fees.

Here in the US I have seen policies in stores saying "we accept checks, but we will one-time use the account & routing number on the check to pull the amount." I am so confused that by merely giving someone a cheque they are able to "pull" money from just two numbers, and can do it for any amount & any number of times.


> I am so confused if by merely giving someone a cheque they are able to “pull” money from just two numbers, and can do it for any amount & any number of times.

That is exactly how checks work. It's optimized for happy-path, with a big mess of a process to handle fraud. The cash equivalent would be to carry a bucket with all your money and when you pay, you present your bucket so that the shop can pull out the amount you and them agreed on.


"Optimized for happy-path" is true, but it also reveals something pretty neat about the American financial / business climate.

"Default trust" actually works in our economy. And because of that, friction can be low and things Just Work.

Default trust / happy-path optimization in turn works because of the backstop of a strong legal system, fairly clear precedent, and reasonably well defined property rights. Think: UCC across states; standardized Delaware Chancery precedent; etc.

One reason I'm not a cryptocurrency or smart contracts believer is that the robust exception-handling backstop we have in the US is a mostly-invisible but super-valuable resource.


You can expand that to other systems. For example you can walk onto a city bus in many cities without proof of payment. It is assumed the vast majority of people will have paid by tapping their transit card somewhere, or purchasing and activating some mobile-based e-ticket. Same with many commuter trains. The result is faster more streamlined service for everybody.

I find the cryptocurrency "space" fascinating for reasons like this. Because cryptocurrency gets rid of so many of society's long-evolved backstops, it is a perfect demonstration of why our society is structured the way it is and shows exactly what happens when we remove many of its features (eg: removing "trust" is very expensive).


I was initially taken aback by Moscow's gates for the subway but in retrospect they make sense and fit that model. They are (were?) gates that default to open, and stay open if you insert the token/pass. Otherwise they slam shut right in front of you. During rush hour, it's brilliantly simple as the gates just stay open as people pass through. (As a tourist, it was more "interesting" to get the occasional misfire and have it slam right in front of my legs, but that's a different story.)


> "Default trust" actually works in our economy. And because of that, friction can be low and things Just Work.

Does it though? I think there's a reason we've stopped accepting cheques - cheques were the best "easy" way to transfer relatively large sums of money at once; now that we're past that and have more secure credit and debit cards, cheques are becoming banned. I don't think it was optimized for "happy path" per se, but just for convenience, and it was the only technology we could manage at the time.


>> "Default trust" actually works in our economy. And because of that, friction can be low and things Just Work.

> Does it though? I think there's a reason we've stopped accepting cheques

That's a very specific issue but this is a pretty general fact. With respect to checks, people still write and accept checks, we just have more convenient payment methods. Also checks are still the easy way to transfer large sums of money at many banks. More generally though, just look at how much can be done with a signature under penalty of perjury, and how relatively rarely these are forged. The trust-based system really works decently well in the US.


I just realized something -- the cryptocurrency-maximalist and antivaxx movement are born of a similar phenomenon.

Humans are great at rallying and pushing and making change when they identify something as wrong in their direct lives. We work as hard as possible, and develop solutions (vaccines, a strong legal backstop). Then, all is well, and the problems we solved are no longer part of our lives because the system works.

Years later a vocal minority becomes very suspicious (they're inflating away my wealth!, autism!) and tries to overhaul the system. Then they learn why we do things the way we do (scams/manipulation/etc, measles) the hard way.


...and it all only exists because people believe there's no alternative.


Well yes, but in India it does not work like this. If I give you a cheque for X amount, you cannot use those numbers mentioned on cheque leaf for any more txns. You can get only that X amount with only that cheque leaf.


The "one-time use the account and routing number on the check to pull money" is utilizing the data from the check to perform an ACH pull. There's a specific process called an EFT [1] where merchants can perform an ACH transaction in lieu of a received paper check.

[1] https://www.occ.gov/topics/consumer-protection/depository-se...


Canada? Or Commonwealth? Judging from how you spell "cheque". Signatures still mean something in some countries, just not the US.


Canada. I've never heard of anyone but myself experiencing this issue though.


> Apparently my bank checks cheques

One of mine, too; though only sporadically, it seems.

Now those people at the Board of Elections are hard-core about signatures. I've been hassled twice when trying to vote because my signature on their pad didn't match what is in their records.

I have a "good" signature, and one that looks like a doctor writing a prescription. I have no idea which one they're looking for.


I never understood the deal with signatures. Most signatures can be faked if analyzed by an amateur (every business). Sure there are experts who will spot fakes but how many of them are employed where signatures are verified?

I can tell you that I’ve faked a signature in harmless situations a number of times and nobody was the wiser.


I once forgot to sign a check completely, like totally blank signature line. It was cashed just fine.


I wonder if you could argue that that wasn't a valid cheque to the bank then. But then you'd be saying you were claiming fraud against yourself, so somehow you'd still end up the one in trouble.


Probably not. The Clinton-era law that relaxed check verification rules so that we could deposit checks remotely online moved a lot of the burden onto the consumer instead of the bank. That was one of the reasons it was opposed so loudly by consumer groups.


For one payroll, I completely forgot to sign a set of checks for 40 employees. Not one employee came back and said their check did not clear. Scary world we live in.


> the bank promptly ignores the signatures

You're technically supposed to sign and endorse the back of every check you electronically deposit; I have never done this since my bank offered mobile deposit and have never had a check rejected. It honestly just makes me sad.


They’re upgrading this to require you to write “mobile deposit for XYZ bank” as well, so that you can’t double-deposit without getting caught early on.


I mean, whats the point of signing the back of a check? Most businesses don't sign the backs of their checks. They use a stamp that has their business name printed in some ordinary font. At that point you might as well let the mobile app superimpose its own signature or have the ATM apply its own stamp.


My bank upgraded their branch ATMs to accept multiple checks at the same time for deposits. What surprised me was the displayed instructions said one did not need to sign the backs.


I guess the signatures are there in case someone complains? They can just pull the check and see if the signature is legit. But checking every signature is simply too much work.


It's my understanding (from hearsay) that they use software to look at signatures, and use that data as a fraud signal, among other data.


I know some banks actually do check them. Last year, my wife paid a contractor with a check from Ally, and the check bounced because the signatures were not close enough.


When I opened my mortgage they required us to share via email everything in plain text. We did not have a choice of lender. I told my wife that these people were going to be hacked. Within 3 months we got a letter saying all of our information had been exposed. Oh whale, nothing that wasn't already out there from the numerous other breaches that I had zero control over.


United Airlines asked me to fill in a bunch of crazy password questions a few weeks ago.

Things like "What's your favorite flavor of ice cream?" Well, I dunno. It depends on my mood.

Or "What is your favorite vacation destination?" Another bad question because my favorite today may not be my favorite when I get back from the next place.

Unfortunately they were all mandatory — there wasn't an option to pick only the sane ones; all ten had to be answered.

Most of them felt more like marketing trying to build a profile on me rather than IT trying to keep my data secure.


These are KBA questions, which are generated by a third party based on information on your credit report. For the types of questions you describe, I just use my password manager to generate random strings for each of those answers and make a note of what question each string matches with. To make sure the strings are not rejected for special characters I use passwords a la https://xkcd.com/936/


> For the types of questions you describe, I just use my password manager to generate random strings for each of those answers and make a note of what question each string matches with.

Can't do that with United.

The answers are drop-downs.

https://krebsonsecurity.com/2016/08/united-airlines-sets-min...


I wonder if anyone has gone through the password lists to see if "correct horse battery staple" shows up, and if so, how many times.


According to haveibeenpwned.com, they've seen "correcthorsebatterystaple" 114 times


I have a hard time believing that a KBA database would have GP's favorite flavor of ice cream.


That is incredible. There are only twelve signs. I mean why not just ask your birth month? And even then, incredibly easy to guess or to find out. I honestly want to know who came up with that security gateway and question them on how they thought that was secure.


Yea. I recently had two run-ins with this exact same KBA system. One for a bank and one for a health insurance type thing. Both asked a question of which hospital was closest to me. How is it "Knowledge" when I had to Google Map 4 different hospitals to figure out where they even were? One of two variations also listed two 'different' hospitals that were less than 2 blocks apart, leaving the 'closest' question up to a flip of the coin.


I used to work at a fintech and have seen KBA providers ask questions that provide zero security like "what county was your 1 Main Street, Santa Monica, CA address located in"


I wonder if these questions were less about identity validation and more about stopping bots from opening accounts? Either way, it's not the ideal solution, but one is a little better than the other. The chance of a bot guessing all three right is pretty slim, but at least if a real person did research and made educated guesses then it would slow them down considerably.


This is not a problem - it's a feature!

Whenever I'm confronted with surveillance-based "identification" and I'm unable to just choose a better option like receiving a letter in the mail, I make sure to only answer questions that can be directly deduced from the basic information I've already entered, or otherwise researched online (like the ones about what street is in what city). When confronted with questions about past addresses and whatnot, I make sure to answer "don't know" lest I confirm something they actually aren't so sure of.

I haven't had any problems as a result of doing this. I wouldn't be surprised if there is some "confidence" score based on how much the surveillance databases have actually recorded about you, and even if they aren't super confident will still supply a pass result to keep the client from losing customers.


They're not competent. That is the problem.


I remember being asked the name of a street I lived near once. I still don't know the right answer, but I think it was some official or unofficial name of I-80 or the 101 that no one calls it any more (e.g. Lincoln Highway).

I would rather be asked my Zodiac sign, although that is definitely weird.

You shouldn't have to spend time doing research on different versions of road names to prove my identity. That's absurd. I can imagine some dystopian future where I'm strapped to a chair and my kidnapper is demanding I answer to obscure names of highways as my only reprieve from torture.


I was also asked about my Zodiac sign. I was shocked. A credit reporting company using that is just appalling.


This is probably the way the business found to ask the same question as a date of birth while requiring an extra step from the user, which then:

* Decreases the number of bots able to get into your account

* Make it harder for a foreign agent with limited knowledge of English to do the same.

No, I did not write that question for you to answer.


IIRC there was a post here awhile ago about how you could refresh the pages and the options would change. Except, of course, the correct answer. Maybe someone else remembers and has the link.
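The weakness described in that post (distractors re-drawn on every refresh while the correct answer stays put) can be shown in a few lines. What follows is an added example written for this thread, not the post that was linked or any real KBA provider's code: the question bank, the five-option layout and the "session" are all constructed for the demo. The attacker reloads the prompt and intersects the option sets; the hardened variant pins the distractor draw to the session so a reload reveals nothing.

```python
import random

# Constructed question bank, not a real KBA provider's: (question, correct answer, distractor pool)
QUESTION_BANK = [
    ("Which of these streets have you lived on?", "Oak St",
     ["Elm St", "Pine St", "Maple Ave", "Cedar Ln", "Birch Rd", "Walnut Dr", "Ash Ct"]),
    ("Which county was your previous address in?", "Marin",
     ["Sonoma", "Napa", "Solano", "Alameda", "Contra Costa", "San Mateo", "Santa Cruz"]),
]
CHOICES_PER_QUESTION = 5


def render_prompt(question_index, rng):
    """One page render of the leaky design: the correct answer is always present and the
    four distractors are drawn fresh from the pool with whatever rng is passed in."""
    _, answer, pool = QUESTION_BANK[question_index]
    options = rng.sample(pool, CHOICES_PER_QUESTION - 1) + [answer]
    rng.shuffle(options)
    return options


def render_prompt_pinned(question_index, session_id):
    """Hardened variant: the distractor draw is derived from the session, so a refresh
    re-renders the same five options and reveals nothing new."""
    session_rng = random.Random(f"{session_id}:{question_index}")
    return render_prompt(question_index, session_rng)


def intersection_attack(render, refreshes):
    """Attacker side: reload the prompt repeatedly and keep only the options that appear
    every time. Returns the surviving candidate set."""
    surviving = None
    for _ in range(refreshes):
        options = set(render())
        surviving = options if surviving is None else surviving & options
    return surviving


def demo(refreshes=40):
    """Run the attack against both designs on question 0; returns (leaky, pinned) survivors."""
    rng = random.Random(2024)  # seeded only so the demo is reproducible
    leaky = intersection_attack(lambda: render_prompt(0, rng), refreshes)
    pinned = intersection_attack(lambda: render_prompt_pinned(0, "session-7f3a"), refreshes)
    return leaky, pinned
```

With a pool of seven distractors and four shown per render, any given wrong option survives one refresh with probability 4/7, so after 40 refreshes the leaky design is left with just the correct answer, while the pinned design still shows the same five every time. The fix is cheap: derive the distractor selection from something stable per session (or cache the rendered prompt) rather than re-sampling on each request.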


It has nothing to do with security, only plausible deniability.


If it’s not multiple choice, you can answer with random digits and keep your answers in a password manager.


Not only is it multiple choice, but there are only five choices.


I've literally noticed this myself last month when I went to temporarily lift my freeze to apply for a new credit card. I never got asked for the PIN, which I diligently save and securely store. I remember I was explicitly asked for it just a year ago (last time I had to do the same to open another card). I felt like an idiot.


They don't want to make it hard to use your credit report. The worse job they do with security theater the more money they make, and the easier it is for you to obtain credit products. If they actually applied any reasonable security, the friction of getting new credit would reduce new customer acquisition.

For my view, that's ideal: people should put real, explicit thought into obtaining new credit or debt products. It's too easy right now, especially with products like Credit Karma trivializing getting new credit cards.


> They don't want to make it hard to use your credit report. The worse job they do with security theater the more money they make, and the easier it is for you to obtain credit products.

This is why we need to legislate these companies now, and re-incentivize them to do the right thing.


Can we just shut down equifax already?


What we ought to do—to tie into the "let's break up Google" story also being discussed right now—is make collecting and hoarding data about people incredibly risky. A leak of any size should be a "your company is finished" event. Much collection should simply be outlawed or at least placed under strict user control, GDPR-style.

It'd make the CRAs, various other financial institutions (credit card companies, banks), and the tech giants all stop doing a bunch of the most harmful crap they're getting up to. Or else actually pay what it takes to keep everything really secure, while ditching any data they don't absolutely have to have to operate.


It's the centralization, not the aggregation, that's the problem. If entities, even if under the umbrella of a single corporation, were organized based on datasets to aggregate this info, the risk and punishment could be commensurate.


There's some value in having a credit reporting system though. You don't want to make it too easy for someone to edit their credit history to make it look like they're more reliable about paying back their debts. (A good system might not look too much like our current system though.)


I will never unfreeze Equifax, regardless of what I do with the other credit agencies. I can't prevent them from collecting my information but I can prevent them from profiting off it.


Why can't they profit from the troves of info they have about you, and will continue to collect about you, if your 'account' is 'frozen'?


You're mistaken, they still profit by selling your data. It's just banks can't retrieve your credit report to open a new account when it's locked.


[flagged]


Ok and...? Seems like a valid line of conversation to me.


I agree, but this is not a helpful point from which to start a conversation. It's lazy and below the standards many expect from HN.

A better way to start this conversation (imo) would be to make reference to the many mistakes Equifax has made over the years and ask what is preventing Equifax from facing real consequences, such as being shut down?

It's the effort that people place into having genuine conversations that keeps me coming back here and not just hanging around Twitter and Reddit. If someone wants to be lazy and still get online validation, there are communities for that and if you want to have a real conversation here, but don't have the time/energy to start it properly then all you have to do is wait a few minutes and someone who does, will.


So you want someone to write three paragraphs for what can be said in six words? I prefer the brevity.


No. I want no throwaway easily consumable venting.

Either take the time to contribute meaningfully or don't comment at all.

Anything else is pollution.


Yes, I'd like to see someone demonstrate that they put some thought into the idea of what happens when, say, credit reporting agencies are eliminated or curtailed. What would be the negative repercussions, etc.

In contrast to a low-effort farting of "break 'em up!" for karma. That doesn't bring anything new to the conversation.


It seems like you're arguing against a pithy call to shut down credit reporting agencies in general, when the comment at issue was specifically directed at the credit reporting agency that has the worst public track record for security and privacy. It's like if you had asked "but how will the economy function without accountants?" in response to the dismantling of Arthur Andersen, or asked how online banking could survive without Symantec SSL/TLS certificates.

The consequences of shutting down just Equifax are relatively mundane: lenders and other customers of Equifax take their business elsewhere, and Equifax's competitors have some motivation to be a bit better lest they suffer the same fate. The industry as a whole would get along just fine. The less realistic and more extreme hypothetical that you want to debate is irrelevant here.


It seems like you're arguing...

My argument was in my last sentence, in response to the defense of pithy comments that millions already beat to death six months ago. I'm arguing neither for nor against the shutdown of Equifax.


Except it doesn't address the problem at all. What happens when another negligent credit bureau pops up to replace it?


We shut them down, too.


We should really work on making personal data transactions illegal. I can’t think of a single company that I would be happy to hear that they sold my data to a third party. These companies provide no additional benefits.

Equifax is the worst. You can call them and ask to buy lists of names, addresses and phone numbers of people matching certain financial criteria. Facebook would look dull in comparison if people knew the extent of the Equifax abuse of privacy.


> Equifax is the worst. You can call them and ask to buy lists of names, addresses and phone numbers of people matching certain financial criteria. Facebook would look dull in comparison if people knew the extent of the Equifax abuse of privacy.

Don't be silly. The long arm of Equifax has a finite length. We know where they get their data from and you have to at least pretend to "consent" to provide it to them by initiating a financial transaction. The Breach aside, there are federal laws (FCRA, etc.) governing willful dissemination of the data they have on you, and the scope of the data they collect is entirely financial.

None of this applies to Facebook/Google. There is no "consent" or opting-in to their lifestyle intelligence pool. You start building a dossier a few seconds after venturing onto the internet for the first time.

Your name ending up on a list of middle-to-upper-class sales leads is not a crime against humanity. There are many other ways to get the same data, starting with public records.


Your arguments seem to work both ways, for example: There is no "consent" with Equifax, they start building a dossier a few seconds after you venture into the open market. You at least have to pretend to "consent" to Google by initiating an HTTP transaction with a Google-associated property. And there are many other ways to get the same data (again, like public records)


> These companies provide no additional benefits.

They provide safety for lenders, which allows those lenders to offer you cheaper prices. Is that worth it? Not sure personally, but I don't think it's fair to say that they are totally without benefit.


Safety for lenders... by allowing fraud to be cheaper than lending to real people?

I'm afraid I don't understand your logic.


I didn't say that Equifax was the ideal realization of what a credit bureau is supposed to be.


They'll probably be less negligent if they're forced to see Equifax's head mounted on a pike. Metaphorically speaking.


Exactly the line of conversation I'd love to see :)


> SSN and DOB data is widely available for sale in the cybercrime underground on almost all U.S. citizens. This has been the reality for years, and was so well before Equifax announced its big 2017 breach.

Again, I find that this only reinforces the fact that SSNs are not a useful identification system because there's nothing secure about them. Can someone explain where attackers obtain SSN/DOB data with such a widespread success rate?


The US government should replace SSNs. SSNs were never meant to be used this way.

Any good replacement should start with a set of APIs specifically targeting financial institutions/credit. Give the consumer a random, easily rotatable, numeric key (e.g. "14830-29928-8921-29"). The key + API can return a unique ID, but a unique ID cannot return its corresponding key (i.e. single directional flow).

The unique ID never changes for a given individual. If the consumer's key is lost, stolen, or breached the key can be re-issued and old one expired.

Make it illegal to store the numeric key itself in a database for long periods. Only the resultant Unique ID can be held. You'd never request from the consumer the Unique ID itself (otherwise it itself would become the new SSN); only their key for API verification.

Why is this a secure system? The information companies would store (Unique ID) is not the same information they need to process new credit requests (Key).

Meaning the piece of information that identity thieves need to steal is short lived, and the long lived info cannot convert back to the short lived.
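The key-to-ID scheme in the post above, modelled in code. This is an added example, not something the poster wrote: the registry API, the 5-5-4-2 digit key format, storing only a SHA-256 fingerprint of the current key, and the `Lender` class are all assumptions made for the demo. It shows the three properties the post relies on: a key resolves to a stable UID, rotating the key revokes the old one, and presenting the UID (or a stale key) to the API is an error.

```python
import hashlib
import secrets


class InvalidKey(Exception):
    """Presented value is not a currently valid key (unknown, rotated out, or actually a UID)."""


def _fingerprint(key):
    # Assumption for the demo: the registry never stores the key, only a SHA-256 fingerprint of it.
    return hashlib.sha256(key.encode()).hexdigest()


def _new_key():
    # Printable, rotatable key in the 5-5-4-2 digit-group style the post sketches.
    groups = (5, 5, 4, 2)
    return "-".join(str(secrets.randbelow(10 ** n)).zfill(n) for n in groups)


class IdentityRegistry:
    """The central API: key in, stable unique ID out; never the reverse."""

    def __init__(self):
        self._fp_to_uid = {}  # fingerprint(current key) -> unique ID
        self._uid_to_fp = {}  # unique ID -> fingerprint(current key), so rotation can revoke it

    def enroll(self):
        """Create a person. Returns (unique_id, first_key); the unique ID never changes."""
        uid = "UID-" + secrets.token_hex(8)
        return uid, self.rotate(uid)

    def rotate(self, uid):
        """Issue a fresh key for uid and revoke the previous one (lost card, breach, ID renewal)."""
        old_fp = self._uid_to_fp.pop(uid, None)
        if old_fp is not None:
            del self._fp_to_uid[old_fp]
        key = _new_key()
        fp = _fingerprint(key)
        self._fp_to_uid[fp] = uid
        self._uid_to_fp[uid] = fp
        return key

    def resolve(self, presented):
        """Key -> UID. Anything else, including a leaked UID, is rejected."""
        uid = self._fp_to_uid.get(_fingerprint(presented))
        if uid is None:
            raise InvalidKey("not a currently valid key")
        return uid

    def accepts(self, presented):
        """Convenience: does the API currently treat `presented` as a valid key?"""
        try:
            self.resolve(presented)
        except InvalidKey:
            return False
        return True


class Lender:
    """A financial institution. It keeps only the UID; the key is dropped after the API call."""

    def __init__(self, registry):
        self._registry = registry
        self.accounts = []  # UIDs only, which is everything the lender is allowed to retain

    def open_account(self, presented_key):
        uid = self._registry.resolve(presented_key)
        self.accounts.append(uid)
        return uid
```

Note what the toy does not solve, which is the objection raised further down the thread: the lender still sees the key in the clear for the duration of the call, so "don't store it" remains a legal requirement rather than a cryptographic guarantee.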


There was a good Planet Money episode on how it got to be this way. [1] The SSN maybe originally was not meant to be used this way, but starting around 1943, government agencies were required to use it when possible. [2] That's less than a decade after the first SSN's were issued.

1. https://www.npr.org/sections/money/2018/03/14/593620579/epis...

2. https://www.ssa.gov/foia/html/EO9397.htm


Aren't you basically just describing a more complex, weaker form of RSA SecurID hard tokens or Authenticator-app soft tokens? With a centralized API for validating a generated key vs identification details?

EDIT: Thinking about this more, it seems like a much harder problem than this quipped solution gives credit for. The agency wishing to validate a generated key would need to have enough identifying information to isolate a single row in the centralized database to validate the token. Because we don't want every token assigned to John Smith to validate every John Smith. So now this centralized database needs to have something that's unique to every single row... Or, in other words, the same problem as SSNs have to start with.


No, and the fact you think it is anything like SecurID means I did a poor job explaining it.

It replaces cardboard cards with a SSN on them, with a cardboard card with a longer randomly generated key on it. There's no electronics involved from the consumer's perspective at all.

The key is provided on your e.g. loan application. The financial institution sends that key to the government via API, and receives back a Unique ID assigned to you as an individual that never changes. The financial institution should then dispose of the key you provided them.

The Unique ID is essentially used like an SSN; but the major differences are:

- The consumer never provides it directly

- The consumer's version of it (key) can be rotated freely

- If the Unique ID itself leaks it has no value, since the API Cycle (i.e. Key -> Unique ID) is part of the system that financial institutions would use, supplying the Unique ID would just throw an error (since it isn't a valid key).

So it's completely different from SecurID, and is more akin to SSNs with most of the core issues resolved. Issuing cardboard cards with numbers on them isn't inherently complex, and is what we're already doing.

The most challenging part is getting financial institutions to implement the API calls and update application forms. You'd also have to remain vigilant that they aren't storing the Keys themselves longer than absolutely necessary.


I'm with you, except for the part where we trust the middle man to please-pretty-please-pinky-swear delete the key. That, to me, makes it weaker than a token approach. With the token approach, the intermediate value has such a short useful lifetime that it's practically not a secret. The real secret -- the value required to duplicate the token -- remains with only the client and the centralized store.


I think that is mitigated by allowing the key to be rotated freely. The shortcomings over the token based approach are outweighed by being more practical to implement. If the issuing of a new key was an annual process, or even tied to something like drivers license/state id renewal, it would still be worlds better than what we have today.


If rotation is the secret sauce, then the best strategy is to rotate after every use. In which case, why not just build that into the system:

1. Client holds key.

2. Client exchanges key with central agency for token. Token expires after a short time period, making long-term storage and leaks useless.

3. Client gives token to company.

4. Company validates token with central agency.

And now we've reinvented OpenID. And SecurID is nothing but a piece of hardware that can perform (2) in a decentralized manner. We could maybe modify (4) to potentially be more useful for this specific use-case:

4. Company exchanges client identity token with central agency for a validation token that can be stored long-term. Validation token signifies that an identity token was received and exchanged, for legal purposes.

What I don't know is how to protect this validation token from becoming valuable beyond the above use-case. If it's proof of something, then it becomes valuable for that proof... So it would would have to be scope-limited in ways that make it useless for proving anything other than that exact exchange. Off the top of my head, obvious scope limitations are: client, company, and timestamp.
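The four-step exchange above, plus the scope-limited validation token the last paragraph asks for, as an added example rather than anything the poster or an OpenID provider shipped. Assumptions made for the demo: both tokens are HMAC-SHA256-sealed JSON (a real deployment would use a proper signed-token format), the identity token carries a `typ`, an audience (`aud`), an expiry and a single-use nonce, the receipt carries only `uid`, `company` and `verified_at`, and the clock is injected so expiry can be exercised deterministically.

```python
import hashlib
import hmac
import json
import secrets


class TokenError(Exception):
    pass


class Clock:
    """Injectable clock (assumption for the demo) so expiry is testable."""
    def __init__(self, t=1_000_000):
        self.t = t

    def now(self):
        return self.t


class CentralAuthority:
    def __init__(self, clock):
        self._clock = clock
        self._signing_key = secrets.token_bytes(32)  # authority-only sealing key
        self._client_secrets = {}                    # uid -> long-lived secret, shared with the client only
        self._spent_nonces = set()                   # identity tokens are single use

    def enroll(self, uid):
        """Step 1: the client receives the one secret that never goes to a company."""
        secret = secrets.token_hex(16)
        self._client_secrets[uid] = secret
        return secret

    def issue_identity_token(self, uid, client_secret, company, ttl=300):
        """Step 2: client trades its secret for a short-lived token bound to one company."""
        expected = self._client_secrets.get(uid, "")
        if not hmac.compare_digest(expected, client_secret):
            raise TokenError("client authentication failed")
        return self._seal({"typ": "identity", "uid": uid, "aud": company,
                           "exp": self._clock.now() + ttl, "nonce": secrets.token_hex(8)})

    def exchange_for_receipt(self, identity_token, company):
        """Step 4: company trades the identity token for a receipt it may keep long term."""
        p = self._open(identity_token)
        if p.get("typ") != "identity":
            raise TokenError("not an identity token (a receipt cannot be re-exchanged)")
        if p["aud"] != company:
            raise TokenError("token was issued for a different company")
        if p["exp"] <= self._clock.now():
            raise TokenError("token expired")
        if p["nonce"] in self._spent_nonces:
            raise TokenError("token already used")
        self._spent_nonces.add(p["nonce"])
        # Scope limited to client, company and time: proves this exchange and nothing else.
        return self._seal({"typ": "receipt", "uid": p["uid"], "company": company,
                           "verified_at": self._clock.now()})

    def check_receipt(self, receipt):
        """Later audit (e.g. in court): confirm the receipt is genuine and return its scope."""
        p = self._open(receipt)
        if p.get("typ") != "receipt":
            raise TokenError("not a receipt")
        return p

    def _seal(self, payload):
        body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
        mac = hmac.new(self._signing_key, body.encode(), hashlib.sha256).hexdigest()
        return body + "." + mac

    def _open(self, token):
        body, _, mac = token.rpartition(".")
        good = hmac.new(self._signing_key, body.encode(), hashlib.sha256).hexdigest()
        if not body or not hmac.compare_digest(good, mac):
            raise TokenError("bad signature")
        return json.loads(body)


def _fails(fn):
    try:
        fn()
    except TokenError:
        return True
    return False


def scenario():
    """Walk the happy path and each failure mode; returns a dict of outcomes."""
    clock = Clock()
    authority = CentralAuthority(clock)
    secret = authority.enroll("UID-42")
    token = authority.issue_identity_token("UID-42", secret, "Acme Bank")   # step 2
    receipt = authority.exchange_for_receipt(token, "Acme Bank")            # steps 3 and 4
    out = {"receipt_uid": authority.check_receipt(receipt)["uid"]}
    out["replay_rejected"] = _fails(lambda: authority.exchange_for_receipt(token, "Acme Bank"))
    tok2 = authority.issue_identity_token("UID-42", secret, "Acme Bank")
    out["wrong_company_rejected"] = _fails(lambda: authority.exchange_for_receipt(tok2, "Other Corp"))
    clock.t += 301
    out["expired_rejected"] = _fails(lambda: authority.exchange_for_receipt(tok2, "Acme Bank"))
    out["receipt_not_exchangeable"] = _fails(lambda: authority.exchange_for_receipt(receipt, "Acme Bank"))
    out["tampered_rejected"] = _fails(lambda: authority.check_receipt(receipt.replace("UID-42", "UID-43")))
    return out
```

The point of the `typ` field and the narrow receipt payload is exactly the concern in the last paragraph: a stolen receipt proves that one exchange happened between that client and that company at that time, and the authority refuses to accept it as an identity token, so hoarding receipts buys an attacker nothing.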


I agree that the client should generate a token and provide that to the company.

Bonus points: have tokens issued in XXX-XX-XXXX format so that existing systems don’t have to change anything- it’s still a SSN of sorts, just one time use.


> please-pretty-please-pinky-swear delete the key.

In the first post I said quite the opposite:

> Make it illegal to store the numeric key itself in a database for long periods.

Using actual electronic tokens is impractical due to the costs. Even assuming just $1/each we're talking conservatively almost half a billion dollars (inc. shipping), and the upkeep would be similarly high.

The proposal above 1:1 replaces the system we have and are already paying for while solving most of the major weaknesses.

Multiple smartcard-like systems have failed spectacularly in other countries, a SecurID-like token would suffer from many of the same issues.


In the end, you're really stuck between two places. Either you have something static, in which case it's got all the negatives of a static secret. Or, you have something dynamic, in which case you have to manage the infrastructure.

The only thing that makes SSNs bad static secrets is that you should basically assume yours has been leaked at this point. Like others have said in this thread, they're not bad identifiers, but they're a terrible choice for confirming identity.

Your system is just another static piece of data to keep secret. Which is where SSNs started when this crazy train kicked off. And no, "rotation" is not the secret sauce, because SSNs can already be rotated under certain circumstances.

I also don't understand how the "unique ID" doesn't have value. OK, you can't confirm an identity with it on the centralized system. But as far as I can tell, it basically serves as proof that you did confirm the identity. There's no way to distinguish between "obtained unique ID via the key and thereby proved identity" and "obtained unique ID via any other method and thereby did not prove identity".


> Either you have something static, in which case it's got all the negatives of a static secret. Or, you have something dynamic, in which case you have to manage the infrastructure.

I just described a system that is neither fully static nor fully dynamic. It has a static part (Unique ID) and a semi-dynamic part (numerical key) that can rotate as needed.

> Your system is just another static piece of data to keep secret.

Keys can be rotated as needed. For example with driver's license renewals. The Unique ID is static but it isn't security sensitive.

> I also don't understand how the "unique ID" doesn't have value.

Because having it doesn't give you the ability to open a bank account, take out a loan, or receive a benefit. It is used by the financial institutions to tie actions to an identity, nothing more.

The actual validation of identity occurs with the key and API, the Unique ID is simply the result.

> There's no way to distinguish between "obtained unique ID via the key and thereby proved identity" and "obtained unique ID via any other method and thereby did not prove identity".

The action of retrieving the Unique ID is more important for verifying identity than the actual Unique ID itself. You could steal a Unique ID but that isn't useful, and there wouldn't be another way of obtaining one.


Please see my response here:

https://news.ycombinator.com/item?id=19341688

If the secret sauce is key rotation, then the best strategy is to rotate for every use. Building that strategy into the system basically results in OpenID. Take OpenID and allow the client to generate tokens offline, and that's SecurID.

And I still see value in the unique IDs, because they serve as a type of proof that key exchange has taken place. How does the bank go to court and demonstrate that the individual has validated their identity? The best way is to retain the key. Oh, but we're supposing that's illegal. So instead they'll show the unique ID and say, well then how did I get this unique ID?

I don't think you're applying enough hacker mentality to this. If we're going to approach this problem, let's approach it with the full capabilities that modern cryptography gives us. There's no reason to share a secret with the company and extend trust to them; we already know how to securely share a secret between two endpoints (client and central authority) through untrusted middle men (company).


Please see my response here:

https://news.ycombinator.com/item?id=19341434

How are you paying for giving out half a billion SecurID-like tokens?

I'm talking about a code that can be printed on your driver's license, you're talking about a piece of electronics that has to be shipped to every person in the US, the logical differences are stark.


So every OpenID provider has issued millions of dollars in tokens? No, of course not. All the tokens allow is offline generation of secrets. But if you don't need offline generation, then you don't need expensive tokens. I specifically call this out in my linked response; I don't know why you're still stuck on it.

Also, soft tokens are a thing and are basically free to generate. I've got several loaded on my phone right now, and have the code backed up in my password vault.

Also also, printing secret codes on drivers licenses seems like an amazingly bad idea... Every bar bouncer I interact with sees that thing!


> All the tokens allow is offline generation of secrets.

Which negates the whole benefit of having short lived secrets, which was the whole crux of why you were suggesting it.

> Also, soft tokens are a thing and are basically free to generate.

So now instead of buying every citizen in the US a token we're buying every citizen a smartphone or legally requiring them to have one? Seems problematic.

> Also also, printing secret codes on drivers licenses seems like an amazingly bad idea...

Then print them on a separate sheet of cardboard. Still a massive order of magnitude cheaper than what you're suggesting which could range from $0.5-20B+ depending on implementation.

I'm suggesting a more flexible SSN that solves the major issues we are already facing. You're suggesting a token based system without actual tokens, smartphone apps without actual smartphones, and printed lists of codes.


I'm suggesting a system where you prove that you know a secret by exchanging a token. You're proposing a system where you prove you know a secret by telling everyone who asks you for it and hope they forget it later. (And somehow think that this is a workable long-term system that resolves the problems of the values we have now which work exactly the same way...)

There's nothing about the former system that requires the things you are stuck on. (And I honestly think you're just being stubborn for some reason, because I'm pretty sure you understand the idea I'm conveying.) You could do it over the phone using a touch-tone system. You could do it through a website. You could do it with an app. You could do it with a hard or soft token. You could do it with a smartcard. The only requirement is that you are capable of telling your secret to the central authority in exchange for a token, in a way that it is very difficult for others to observe. Or, alternatively, to have come to an agreement about how to generate such tokens offline.

But the important part is that in the system I'm talking about, you get a secret value from a central authority. And then you don't tell anyone that secret except that same central authority. Everyone else sees temporary values that are useless if saved -- no pinky promises and laws required.


> And I honestly think you're just being stubborn for some reason, because I'm pretty sure you understand the idea I'm conveying.

Indeed I do, it is logistically absurd. I'm talking about replacing one piece of cardboard with a different, more secure, piece of cardboard that resolves actual problems we have today. You're talking about smartphones, tokens, calling in, and a million other complex workarounds all in the name of hypothetical security.

I'd love to see you try to explain your system to an elderly or disabled person. I can explain mine: "Instead of giving them your SSN card, give them this card instead." Done. One sentence. That's literally all they have to know.

Plus your scheme has a huge hole. The second you moved away from physical tokens (which you now seem to acknowledge is unaffordable) to smartphones and now regular phones, you need a way to authenticate who you are. Which means you'll be giving people credentials, which can then be lost, stolen, or requested from vendors creating exactly the same issues we started with.

In other words you've managed to create an expensive logistical nightmare that the general public will hate all in the name of hypothetical security benefits that won't even work in practice. Neat.


> Indeed I do, it is logistically absurd. I'm talking about replacing one piece of cardboard with a different, more secure, piece of cardboard that resolves actual problems we have today. You're talking about smartphones, tokens, calling in, and a million other complex workarounds all in the name of hypothetical security.

And you're talking about zero improvement in security stance. You could literally implement your idea by just making it illegal to store SSNs, because that's the only salient point where you've improved over current state.

> I'd love to see you try to explain your system to an elderly or disabled person. I can explain mine: "Instead of giving them your SSN card, give them this card instead." Done. One sentence. That's literally all they have to know.

Print card with secret. Give them card. Card has phone number on it. Call the number. It asks for what's on the card. You enter it. You get another number. Give that to the person asking.

Also print on the card to not give the card or the number on it to anyone.

> Plus your scheme has a huge hole. The second you moved away from physical tokens (which you now seem to acknowledge is unaffordable) to smartphones and now regular phones, you need a way to authenticate who you are. Which means you'll be giving people credentials, which can then be lost, stolen, or requested from vendors creating exactly the same issues we started with.

Physical tokens are a "something you have". So is a piece of cardboard. If there's no need to authenticate a hardware token, there's also no need to authenticate a number on a piece of cardboard. And there's no reduction in security stance by doing so.

Also, I make no acknowledgement of the in-/affordability of tokens. Rather, I assert that you can simultaneously support multi-modal methods of exchanging a secret for a token.

> In other words you've managed to create an expensive logistical nightmare that the general public will hate all in the name of hypothetical security benefits that won't even work in practice. Neat.

Really? My proposal is literally the same mechanism by which OpenID and web tokens work... And I'm done because I don't know how to work with someone whose idea of a good security posture is give away secrets to people who ask for them.


> And you're talking about zero improvement in security stance.

Rotatable consumer keys. Mitigating the danger of vendor hacks/leaks. Both are the main problems with SSNs today.

> You could literally implement your idea by just making it illegal to store SSNs, because that's the only salient point where you've improved over current state.

SSNs cannot be rotated. SSNs have already leaked. Stealing an SSN allows you to open accounts/credit/etc neither of which my proposal allows.

I'm wondering if you've even read my proposal. Either you haven't or you're pretending you haven't, in either case it seems bad faith.

> It asks for what's on the card. Also print on the card to not give the card or the number on it to anyone.

So this card of yours is identical to existing SSNs. SSN cards even contain that exact text. You need to go back to the drawing board (or just read my proposal and think about it a little).

> Physical tokens are a "something you have".

So now we're back to spending billions on physical tokens? How are you funding it?

> My proposal is literally the same mechanism by which OpenID and web tokens work...

OpenID won't scale to half a billion people, it isn't affordable or practical. Something you've already conceded, that's why you're talking about calling a phone number using your SSN-v2 secret.

> And I'm done because I don't know how to work with someone who's idea of a good security posture is give away secrets to people who ask for them.

We're on the tenth post and you still haven't even read my proposal, that isn't something in it, and you'd know that if you had taken the time to read it.

You really aren't discussing in good faith here.


> You really aren't discussing in good faith here.

This statement seems to be about the only thing we agree on. You keep shifting your goalposts or simply repeating "but rotation!" when I've already addressed exactly that.


So if everybody knows your SSN/DOB, I'd say that makes a very good identity system in the sense that we can all unambiguously refer to the same person. It's just not any use as a means of authenticating that you are the person who has that identity.


> So if everybody knows your SSN/DOB, I'd say that makes a very good identity system in the sense that we can all unambiguously refer to the same person.

If that was all it (SSN) was used for, a "unique-id", it would work ok for that usage.

The problem is that far too many companies also make use of SSN as a "secret only you know" to authenticate that you are in fact the individual identified by the SSN. I.e., your "login name" is identical to your "password". It is this misuse that leads to the problems around SSNs.


It could be worse. At the pharmacy, they ask you for your date of birth whenever you go pick up a prescription. That's how they verify that you can pick it up. You can send a spouse or family member or friend or personal assistant to pick up your prescriptions, too: you just tell them your date of birth and the pharmacy will just give them your prescription drugs, no questions asked. And if they have your insurance on file, they'll run it through, too.

OK, fine, whatever, except this is the same even for controlled substances. Which is quite weird considering all the other regulations around controlled substances. One time I had to get rid of some excess oxycodone after a surgery, I ended up having to go into a little booth at the sheriff's department where they had a drop box and a sheriff's deputy sitting at a desk behind a window watching me. But all my wife needed to pick it up in the first place was my name and DOB.


I do agree with you, even though SSN/DOB can be used to identify a person, it should not be used to identify a unique person [1]. As you said, Identity should not be confused with proof of identity. Hopefully it will get better with time.

[1] - https://www.pcworld.com/article/3004654/a-tale-of-two-women-...


SSN on its own is sufficient for verifying identity. SSN coupled with a phone verification step is more secure for authenticating than DOB.


> SSN on its own is sufficient for verifying identity.

No. It's sufficient for identifying someone, but not at all sufficient (not even close) for verifying someone is who they say they are.


It's the difference between a user ID (be it a small integer or a long string) and actually authenticating to perform actions AS said user.

SSN as a user identifier - to uniquely describe an entity

Actual PKI including a secure public/private key with a signature from a trusted agent (like a government ID authority), and maybe also web-of-trust signatures? THAT is what is required to securely sign things.
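The identifier-versus-authenticator split described in the last few comments, as an added example that is not part of the thread: the SSN is only a lookup key into a registry, and authentication is a challenge-response that proves possession of a key the relying party never sees in transit. The registry contents are constructed sample data, the store names (REGISTRY, VERIFIER_KEYS, PENDING) are hypothetical, and HMAC over a fresh nonce stands in for the signature step because the Python standard library has no asymmetric crypto; with a real key pair the verifier would hold only the public half.

```python
import hashlib
import hmac
import secrets

# Constructed sample identity registry (not real data): the SSN is the lookup
# key, i.e. a user identifier. Nothing in the record is secret.
REGISTRY = {
    "123-45-6789": {"name": "Jane Doe", "dob": "1980-01-02"},
}

# Verifier-side keys, filled by enroll(). Hypothetical store name.
VERIFIER_KEYS = {}
# Outstanding challenges, at most one nonce per identifier.
PENDING = {}


def identify(ssn):
    """Identification only: which person does this identifier refer to?"""
    return REGISTRY.get(ssn)


def broken_authenticate(ssn, dob):
    """The misuse the thread complains about: 'authenticate' with data that
    anyone holding a breach dump also knows. Login name == password."""
    rec = REGISTRY.get(ssn)
    return rec is not None and rec["dob"] == dob


def enroll(ssn):
    """Issue a per-person authenticator key and keep the verifier's copy.
    HMAC (shared key) stands in for a signing key pair here; with a real
    key pair the verifier would store only the public key, so a breach of
    VERIFIER_KEYS would not let the attacker impersonate anyone."""
    key = secrets.token_bytes(32)
    VERIFIER_KEYS[ssn] = key
    return key


def issue_challenge(ssn):
    """Fresh nonce per attempt so a captured response cannot be replayed."""
    nonce = secrets.token_bytes(16)
    PENDING[ssn] = nonce
    return nonce


def respond(device_key, nonce):
    """Holder side: prove possession of the key without transmitting it."""
    return hmac.new(device_key, nonce, hashlib.sha256).digest()


def verify(ssn, nonce, tag):
    """Verifier side: the nonce must be the one we issued and still pending,
    and the tag must match under the enrolled key. The pending nonce is
    consumed whether or not the tag matches, so each challenge is single-use."""
    expected_nonce = PENDING.pop(ssn, None)
    key = VERIFIER_KEYS.get(ssn)
    if key is None or expected_nonce is None or expected_nonce != nonce:
        return False
    return hmac.compare_digest(respond(key, nonce), tag)
```

Note what a breach of REGISTRY gives an attacker: everything needed to pass broken_authenticate() and nothing that helps against verify(), which is the property the thread is asking for.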


Accurint is a big one. The people selling SSN lookups have big DB collections, but the primary source tends to be realtime access to DBs like these.

I'd imagine it's trivial to pretend to be a cop and just purchase access to this stuff, not that it's going to be hard to hack most police departments either.


Having looked at getting Accurint and Clear back in 2013, I can tell you the process is not trivial but not comforting either.

On the non-trivial side: I was doing a startup where we sublet from a law firm. We had an on-site audit by someone who came in and we were cautioned that we had to have an independently locking door on our office. We also had to give a reasonably thorough explanation of what we wanted to do with the data and certify, as well as convince the auditor, that we would be using it for GLBA (anti-fraud in financial transactions) purposes.

We actually failed one of the audits the first time because some paperwork wasn't in place (I think we had changed the Delaware company name and not re-filed something, like our local jurisdiction foreign corporate registration, in the new name).

On the not comforting side: the sales reps for these products have full access and will let you do lookups and surf through on whatever. 100% unmasked details on any numbers you want. DMV, aircraft, SSN, judgments, etc., all linked and at the ready.

Also, GLBA is a giant Sherman-tank sized loophole that means that essentially anybody can fully legally use these databases as long as there's some cognizable financial transaction that you're protecting from fraud (even proactively / research wise).

See https://risk.nexis.com/AMLSolutions/help/GLBA_Permissible_Us...

So no, you can't just "pretend to be a cop" but if you actually go to the trouble of being some sort of fraud-prevention business, you can just go wild.


ID-Theft as a service with the source being stolen and otherwise illegitimately obtained data

https://krebsonsecurity.com/2013/10/experian-sold-consumer-d...

>An identity theft service that sold Social Security and drivers license numbers — as well as bank account and credit card data on millions of Americans — purchased much of its data from Experian, one of the three major credit bureaus, according to a lengthy investigation by KrebsOnSecurity.

>An individual who read a story about the operators of a similar ID theft service online having broken into the networks of LexisNexis and other major data brokers wrote to say that he’d gone back and reviewed my previous stories on this topic, and that he’d identified the source of the data being resold by Superget.info. The reader said the abbreviations matched data sets produced by Columbus, Ohio-based USInfoSearch.com.

>Contacted about the reader’s claim, U.S. Info Search CEO Marc Martin said the data sold by the ID theft service was not obtained directly through his company, but rather via Court Ventures, a third-party company with which US Info Search had previously struck an information sharing agreement. Martin said that several years ago US Info Search and CourtVentures each agreed to grant the other company complete access to its stores of information on US consumers.

>Founded in 2001, Court Ventures described itself as a firm that “aggregates, repackages and distributes public record data, obtained from over 1,400 state and county sources.” Cached, historic copies of courtventures.com are available through archive.org.

>In March 2012, Court Ventures was purchased by Costa Mesa, Calif.-based Experian, one of the three major consumer credit bureaus. According to Martin, the proprietors of Superget.info had gained access to Experian’s databases by posing as a U.S.-based private investigator. In reality, Martin said, the individuals apparently responsible for running Superget.info were based in Vietnam.


SSNs are used widely enough that they can leak from anywhere. For example, my wife made an appointment with the eye doctor the other day and they needed to look up her vision care insurance. Since she's on my insurance, that means they needed my SSN. I asked my HR department what's up with that and where I can just get a plan number for the vision plan instead of having them look it up by SSN, and they said, "oh yeah, your plan number is just the last four digits of your SSN."

So, yeah. I bet you could obtain tons of SSNs from fucking Lenscrafters if you wanted to.


College and University databases.


If you require the PIN to lift a credit freeze, some people will lose their PIN and never be able to lift the credit freeze.

So there must be a workaround that relies on verifying identity, based on non-random information (e.g. no PINs, no passwords).

They've made it too easy, but until we can request that a credit agency blacklist an SSN and forget all associated information, this will keep happening.


> “We deployed an experience that embraces both security standards (using a multi-factor and layered approach to verify the consumer’s identity) and reflects specific consumer feedback on managing security freezes and fraud alerts online without the use of a PIN,” she continued. “The account set-up process, which involves the creation of a username and password, relies on both user inputs and other factors to securely establish, verify, and authenticate that the consumer’s identity is connected to the consumer every time.”

She tosses around the word security, but really what she is saying is that Equifax decided to make the experience as simple as possible because having people create accounts with them without the need for boosting CSR headcount is more important than securing those accounts.


I just made upper management aware at Equifax. Let's see how long this takes until they require the FUCKING PIN number to unfreeze your credit on their website. What a joke.


Thanks for posting this, please reply back and let us know their reaction. It might be popcorn worthy, or it might be 'meh' - either way, it is of interest to me and I suspect HN.


We’ll see.

>Equifax spokesperson Nancy Bistritz-Balkan said not requiring a PIN for people with existing freezes was by design.

>“With myEquifax, we created an online experience that enables consumers to securely and conveniently manage security freezes and fraud alerts,” Bistritz-Balkan said.


I lost my PIN since I moved twice after freezing my credit and apparently didn't store it in my computer. I was able to temporarily lift my security freeze without it, and I found it convenient but a bit unsettling. Glad I'm not the only one.


My guess is the pin is largely pointless anyway. This new system was put in place because a large number of people forget or lose their pin. This would require a support ticket every time. The new system is intended to reduce support costs.


Serious question: what’s to stop a startup or 2 or 3 from creating an alternative credit check system that’s not as horrendous as the current one, thus displacing the current overlords?


Only the difficulty of convincing financial companies to report to and pull info from your system.


Is there anything a regular individual can do to help get this company shut down?


Secure for thee, but not for me!


password policy for my.equifax.com is ... not best practice. at least they allow up to 20 characters. must include one special character from a set of ... FIVE. and those are the only allowed special characters.


Whenever they limit the number of characters to something small, it makes me wonder if they are storing the password in their database rather than some hash of the password.

I complained about this to my old bank (Wells Fargo) and they told me not to worry about it because I'm protected from fraud.


It generally means they're not handling it in a secure way. Worst case scenario is that if the checks you see client side aren't also server side someone might be able to inject things that run as... whatever the server side processes are.

Usually anyplace that has a limit less than 512 characters (often 1024, but some string buffers are small) or on the characters you can use, at all, isn't doing it right.


It generally means that yes. But sometimes it also has to do with CSR calls. eg, by not allowing spaces in passwords, you eliminate an entire class of PEBKAC errors.

I don't for a second believe that's why my.equifax.com is doing it. It's certainly not why there's a 20 character limit. (I personally use 64 char passwords wherever such long ones are allowed.)
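What password storage looks like when the length and character restrictions discussed above are unnecessary, as an added example that is not code from the thread or from Equifax: a salted PBKDF2-HMAC-SHA256 hash in a self-describing string, accepting spaces and non-ASCII, with only a generous byte cap as a denial-of-service guard. The cap (1024 bytes), the iteration count and the storage format are this example's own choices, not anything the page documents.

```python
import hashlib
import hmac
import secrets

MAX_PASSWORD_BYTES = 1024   # DoS guard on hashing work only, not a policy limit
ITERATIONS = 600_000        # PBKDF2-HMAC-SHA256 work factor (example value)
DIGEST_LEN = 32


def check_length(password):
    """Accept any characters, including spaces and non-ASCII. The only bound
    is on UTF-8 byte length, set far above anything a person or a password
    manager would produce."""
    return 1 <= len(password.encode("utf-8")) <= MAX_PASSWORD_BYTES


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex'. The stored value
    has the same size whether the password is 8 or 800 characters, which is
    why a hashed store has no reason for a 20-character cap."""
    if not check_length(password):
        raise ValueError("password length out of range")
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, DIGEST_LEN
    )
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute under the stored salt and iteration count; compare in
    constant time. Malformed records and over-long inputs fail closed."""
    try:
        alg, iters, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iters = int(iters)
    except ValueError:
        return False
    if alg != "pbkdf2_sha256" or not check_length(password):
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iters, len(expected)
    )
    return hmac.compare_digest(candidate, expected)
```

A site that really needs a short maximum or a restricted character set is telling you the password reaches something downstream unhashed (a fixed-width column, a legacy mainframe field, a CSR screen); the hash above is indifferent to both.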


When can we all agree that nothing connected to the internet is secure. Ever.

?

