The hack isn't just SSNs - it includes address history, date of birth, drivers license number - everything reasonably necessary to establish identity. Not sure why the focus is SSNs, any solution needs to be even higher. This is about companies stockpiling our personal information and us having little say in the matter.
In particular, I've observed reliance on address history, recently. I had a forced pension cash-out, from a place I last worked years ago, and that has since been sold to / merged (and perhaps remerged) into a different entity.
In short, the pension cash-out was handed over to a third party. And a primary factor that party used in establishing that I was indeed the beneficiary, when I called to discuss the details, was to ask me questions about my address history.
In fact, where did they get these details? From an outfit like Equifax, or from the same set of data brokers from whom Equifax acquired them.
The mitigations against such a breach are so obvious -- technical "lockdown" aside. Data rate/query limits. Ongoing auditing that targets anomalous data flows and data rates for mandated attention. Etc. Etc.
You don't have to have "perfect" technology. In fact, you should expect and plan for never having perfect technology.
It shouldn't have been too hard to pick up such a sweeping outflow of records; it should have become apparent that the request channel was (systematically, once you analyse and determine the specific system being used) working its way through the U.S. population.
As for Equifax, if I had my druthers, this would be a corporate death sentence. They've demonstrated a fundamental breach of trust and a fundamental incompetence.
Criminal investigators should squeeze them like hell, flipping smaller fish to fully determine the chain of command and responsibility that decided upon and implemented this catastrophic neglect.
As for the shareholders? Well, ultimately they bet on a company that has demonstrated itself a complete failure. They were happy to take the profits, including the greater profits made by not paying for proper systems and staffing. If their investment now evaporates -- well, I'm getting to the point of simply saying, "So be it."
A few shareholder "disasters", like this, and there will be a lot less pressure for laissez faire short-term profit maximizing, and a lot more for oversight -- internal and external -- and regulation that prevents them from being screwed by incompetently or corruptly negligent management.
Date of birth and address history (in addition to SSN of course) are often used by financial organizations to verify user identity online and on the phone.
Recently I called to report a lost credit card, for instance, and the operator read through a list of 10 addresses. I had to confirm which ones I'd lived at at some point in my life, in order to verify my identity.
I have had previous addresses also used as a identity check. Fortunately I knew the one that I have never lived at that is on my credit reports. Trying to fix the mistake was not worth the time to me. Hopefully that does not bite me in the ass someday. Maybe the credit bureaus could check your credit rating and, if it is high enough, let you correct your credit report without much hassle. :)
Wouldn't it have been simpler and more secure to ask you for the address? I can rattle off all the addresses I've stayed at in the last 15 years with ease.
I couldn't. I am a city dweller living in a climate where almost like clockwork a post-two year rent hike makes me decide to move. not only that, being on a grid system every address tends to be some 4 digit combination of numbers very similar. Was that 1124 or 1421 10 years ago? I'd have to sit and picture the cross streets to figure it all out.
When applying for credit, especially online, have you not been asked to verify some current loans from a list, or to pick out a past address from a list of addresses? I know I have. That data also enables credit.
And any central database of this information is vulnerable to a one time leak. One period of vulnerability and potentially this information is out there forever. Once that happens automated identity verification becomes much less reliable/convenient and there will potentially be a need for a more Turing-complete and/or hardware dependent process.
In 2008, the Federal Trade Commission created the Red Flags Rule, which required businesses and organizations to collect personally identifying information from their customers, even if not necessary for service. This put Social Security numbers into the hands of utility companies, telecom providers, doctors and countless other unreliable custodians.
This is the first I've heard of this, and it's a different characterization than what one finds on e.g. Wikipedia (excepting the last section of that page). Still, I believe TFA. It's remarkable how often the impetus to "do something" leads to precisely the wrong thing being done.
A couple of people who handled Red Flags compliance for medical practices have told me they're only required to do some kind of identity verification, which can be as simple as checking a driver's license. They store SSNs to make it easier to report and collect on delinquent accounts.
Yes we know. Often it has links to authoritative/reliable/substantive sources. I was particularly interested in seeing those for the last section [0] I referenced above, because it's the one that actually agrees with TFA, but at this time that section is effectively unsourced. So even though this idea about the red flags rule comports with my prejudice about how regulation typically works, I am currently unable to confirm it. Can you point to a meatier consideration of whether this rule purportedly intended to decrease identity theft actually had this particular effect of increasing identity theft? One thing that makes me suspicious of this idea is that I can clearly remember giving a false social security number to the phone company when I moved in 2004, which was before 2008 when TFA claims the rule started and 2011 when wikipedia claims the rule started.
Consumers don't use the credit reporting database, we have very little access to it besides restricted annual or paid for reports. The real users are the B2C companies like retail banks, cell phone companies, apartments, background checkers, etc. These B2Cs use the db in both read and write modes with little verification. The main incentive of the reporting agencies is to make it very easy for B2Cs to read and write to their db. Any strong encryption scheme would have to take into account the needs of the B2C's. Nothing is going to happen unless congress demands it because their is no market incentive to secure it. The data is already known to be frequently inaccurate but businesses don't care, they'd rather have a bunch of false positives than one deadbeat customer.
The Republic of Estonia uses such a system to identify members of its e-Residency program, even with no physical presence. Each e-resident has a public numerical key that serves as a unique identifier, and a corresponding private key that is never revealed.
So an example to emulate then!
Except: Estonia suffered an embarrassing blow to its much-vaunted ID cards that underpin everything from electronic voting to online banking [...] a security risk that affects almost 750,000 ID cards and that would enable a hacker to steal a person’s identity.
The article only says they found a "security risk". I wonder what that is, and how it would allow identity theft if they are actually using public/private keys. Did Estonia secretly backdoor their encryption?
Is there a link to this that's not behind a paywall. Very interested in understanding the flaws of such a system, as a 2 key system seems like the most viable and secure way to establish identity.
It's something that people don't talk about much, but just the allowed existence of credit agencies violates human/civil rights.
These companies earn revenue by selling access to a database of all humans, which ranks each of us as to how valuable/risky we are to profit off of.
Many companies are starting to make hiring decisions based on this data, and obviously whether or not you are worthy of a loan has been much of the purpose of a credit rating (and these loans are necessary for nearly everyone in the US, unless you're exceptionally wealthy).
Disputing an unfair or illegal mark against your credit is an absurd process with very little recourse.
This is far worse than what the NSA has done, in my opinion, and it continues without much criticism.
Obviously this giant hack of Equifax is a very serious issue. But why should these credit companies be allowed to keep this kind of data about us anyway?
In just the UN's universal declarations of human rights:
Article 23, section 1 and 2, and possibly 3: as to being judged by employers based on a credit score.
Article 25, section 1: It is not possible to afford housing without a loan, and most of the variables of a loan (and even more importantly: whether you are able to secure a loan in the first place) are entirely determined by a credit score. Note that ~75-90% of Americans are unable to purchase a home without a loan: https://en.wikipedia.org/wiki/Wealth_in_the_United_States#St...
More from Article 25, section 1: Many of the other rights given in this document (like food, clothing, medical care) are also not achievable without smaller loans (like credit cards, also unattainable without a decent credit rating or a significant amount of accrued wealth).
I'm sure there's plenty more, this is just what I've seen at first glance. But I want to thank you for making me aware of this amazing UN document. It's kind of amazing the number of economic rights this document secures for all humans.
Here's article 23, which is not relevant to credit scoring:
> Article 23.
> (1) Everyone has the right to work, to free choice of employment, to just and favourable conditions of work and to protection against unemployment.
> (2) Everyone, without any discrimination, has the right to equal pay for equal work.
> (3) Everyone who works has the right to just and favourable remuneration ensuring for himself and his family an existence worthy of human dignity, and supplemented, if necessary, by other means of social protection.
> (4) Everyone has the right to form and to join trade unions for the protection of his interests.
here's article 25, which is not relevant to credit scoring:
> (1) Everyone has the right to a standard of living adequate for the health and well-being of himself and of his family, including food, clothing, housing and medical care and necessary social services, and the right to security in the event of unemployment, sickness, disability, widowhood, old age or other lack of livelihood in circumstances beyond his control.
> (2) Motherhood and childhood are entitled to special care and assistance. All children, whether born in or out of wedlock, shall enjoy the same social protection.
Exactly. Depending on apartment, it may be possible to pay 1 to 2 months rent up front if you don't have a decent credit rating. But most Americans do not have this kind of money.
> Depending on apartment, it may be possible to pay 1 to 2 months rent up front if you don't have a decent credit rating.
Right, but often not because landlords aren't just concerned about rent but recovering damages in excess of any deposit. (And both advance rent and damage deposit requirements are often regulated, as well.)
So since anyone who has access to the breached info can impersonate nearly anyone in the country...
1) Are we about to see the end of "Name, DoB, last four" as an authentication? (Damn well should if anybody can be me now)
2) Are the credit reporting agencies discredited as a business model? The other two are likely either hacked already or about to be, and given this standard of reporting we wouldn't know till months from now anyway.
Can't trust em, don't use em, don't trust anybody that does.
#1 seems almost certain if the spilled data really is as extensive as it seems. The government would be all but forced to go to some other mechanism (or at worst just open up a new space of numbers and give everyone a 12-digit "SSN+"). It's possible that the "possibly affecting 144M customers" bit is spun though and that only a tiny fraction of that ever left the datacenter.
With #2, nothing is going to change. The credit agencies business isn't identifying people (as we are discussing, they outsource that to the government), it's tracking credit activity. And that works extraordinarily well from the perspective of its customers (the banks). If Equifax dies, Experian and TransUnion will just see more business. If they all die, the banks will find some way to do this for themselves.
I don't know about that. The OPM hack was even worse in terms of data released. Seriously, it included actual images of peoples fingerprints ffs. Along with all biographical information of the people submitted to receive a security clearance background check. I think it may have hit fewer people, but I expect the result will be the same: 18 months of free credit monitoring and after that we pretend that somehow your SSN and all other details must no longer be a threat to you being out in the wild. Sure, in 30 years when someone digs it up and ruins your life with it, why make that OPM agency liable for it? I'm sure they hired top-notch security guys, paid them handsomely, and structured things such that not even the president of the USA could contravene their practices, right? Right?
Oh, a computer was involved. So hire the cheapest person you can find who can half make it work, let even the low level managers do whatever they want, and when it gets hacked blame somebody else. It's computers. NOBODY knows how they work!
The Equifax dump (again, if it's really as described) is literally 10x larger than OPM. It's true that the OPM data was "worse" by abstract ideas of personal privacy, but not that the breach is worse from the perspective of "will drive government action".
Again, if there are really 144M valid SSN/name/address tuples out there in the wild, then very soon banks will simply no longer be able to authenticate applications for new accounts. They'll be swamped with fraud (remember that by US law, credit card fraud is their liability, not the consumer's), and demand action by the government to fix it.
The pervasive want of private corporations to stockpile our private information is a huge concern as well. There's hardly any reason they should store anything beyond name and contact info.
Before the digital age, a stash of nine-digit numbers could be kept reasonably secure in a locked filing cabinet behind closed doors. So long as consumers volunteered the numbers judiciously, most people could make it through life without ever suffering a theft of identity.
Old guy here. The reason I know my SSN by heart is that it was my student ID number in college and had to be given at the beginning of each semester to get my course list, later for grades, etc.
I had a credit union account from the 80's and as of the 90's my SSN was printed on each monthly statement.
Both were before the "digital age" and neither could be considered "in a locked filing cabinet" nor under my control.
You don't even have to be that old to remember this time.
I went to a well-known university and they used SSNs as student ID number until roughly 2001-2002. The first half of my university career, my SSN wound up on every Scantron sheet, exam blue book, and term paper I handed in. It was printed on the front of my ID, and even after they recalled old IDs and replaced them with non-SSN cards, the magstripe track data still had your SSN on it because some old dining hall POS system or something like that hadn't been converted.
It was like fish in a barrel for fraudsters, just root around in the trash after finals week and grab people's term papers. I had quite a few friends who discovered that during the time they were attending college, someone had opened a cell phone (or a credit card, in one person's case) in their name.
This was before the days of the free annual credit report law. So these folks never pulled their own files, and only discovered the fraud years after graduation, when they went to apply for a car or home loan and got denied.
And both were probably illegal at the time. When Social Security was created, people were concerned about it becoming a de-facto national ID system, and it was illegal to use SSNs as an ID for anything other than taxes and Social Security Biz.
Medical insurance companies commonly broke the law but skirted it by saying it was "optional", and of course not telling anyone about the option. At least several times when I applied for insurance, I filled in "Assign ID" and had to correct the first level agent who insisted that I needed to provide and SSN. Patiently insisting that they needed to escalate the call, the first higher-level agents who knew would immediately accept it.
This sort of sloppyness confusing an IDentifier with an authentication has now gotten us into a world of trouble.
Heh, it actually changed while I was in college. As a CS student, one of the required courses was a 'Computers and Society' course which was basically sort of like a 'where ethics meets technology' course, talking about the social impact of code and computing. The kind of thing many people today seem to have need to attend. But anyhow, during it we mentioned 'hey, why are our student IDs, used everywhere, our SSNs? Isn't that unsafe?' and we actually ended up getting it changed.
Didn't stop some professors from continuing to use them. I had one prof who would use the last 4 digits (oh, only the last 4, those aren't the most important ones or anything) as a way to post psuedoanonymous grades after tests.
I've done a lot to try and build my credit and protect my identity by restricting the information I give out. Now I can do nothing to protect it now besides hope someone doesn't target me.
Anyone have ideas on how to ensure an identity is not stolen?
> Also known as a security freeze, this tool lets you restrict access to your credit report, which in turn makes it more difficult for identity thieves to open new accounts in your name. That’s because most creditors need to see your credit report before they approve a new account. If they can’t see your file, they may not extend the credit.
I've never done this, but it sounds effective - although if you want to open another line of credit, you'll have to temporarily suspend the freeze.
It's not really effective. It can help, but a surprisingly large number of businesses will actually never actually run your credit. They will just keep your information on file and then when the scammer doesn't pay the loan, they start reporting the delinquency to the credit reporting agencies. And in that case, the freeze doesn't apply.
There is only one solution and that is identity theft insurance.
All other solutions that purport to protect your credit are futile. Although I think some are now offering insurance as part of their guarantee.
I use Zander identity theft insurance. If my identity is ever stolen, they are supposed to take over all the hassles of getting me right. As well as up to a million dollars in damages including legal fees if necessary.
I have heard good things from customers who had their identity stolen. But I can't personally vouch for how well their recovery services work since I havent experienced a theft yet.
SWIM used to have access to Equivax data from home. In the early 90s, you could log into Equifax, type in a strangers address, and get their credit history, social, bills, and prior addresses among other things. Access was through tymnet using an <account_id>+<password>. That is it. The account_id was a ~16 digit number. The password was a 1 alpha + 1 alphanumeric. In those days it was security through obscurity, so I presume. Get an account number and after 936, you are in. Given this recent breach has nothing to do with how Equivfax/CBI was run years ago, it does make me cringe a bit.
In the 80's it was even worse. A credit bureau was available on telenet (a simple dial up service that allowed terminal connections to services) and there was no password, just an account number. You could query any social security number and see joint account information by simply adding /ty-jp or something similar. This being the 80's, you'd see the needed credentials taped to monitors.
Well of course it didn't have to be this bad. But when criminal negligence for corporations remains unpunished in an industry for 40+ years, you're not going to have corporations that dedicate the time, let alone the money, to do things right.
It is, and is related to some of the discussion in the main Equifax hack threads.
The idea is that this information shouldn't be so sensitive because it isn't really secret in the first place. It also cannot be changed, so it doesn't really meet any reasonable criteria for authenticating information.
To quote the relevant top-level comment I had in mind:
>mikeash 2 hours ago [-]
>If we're lucky, this will be the best leak of personal info ever.
The primacy of the SSN in American society is idiotic. It's a "secret" that you have to hand out to dozens of different organizations. I've long thought that we should phase this out by committing to publish all SSNs (and the associated info, obviously, so it's not just a list of most 9-digit numbers...) which would force all these companies to stop treating it as confidential.
The system is dumb and works poorly, but worked will enough that there was no impetus to fix it. Some people got affected by breaches, and it sucked for them, but it was always a small enough group that most people didn't care.
Now that a majority of people's "secret" info is no longer confidential, maybe they'll realize they can't rely on it anymore.
OK, the odds of this actually coming to pass are not great. But I can hope.
I recently encountered an advertisement advising people to keep their Medicare card number secret.
So if the SSN stops being considered as a combination identifier/authenticator, other government agencies stand eager and ready to plunge headlong into the same mistake.
The way around it is to pass a law that requires government agents and agencies to consider identifiers to be public, and authenticators to be secret, and that nothing can ever be both. The government could require itself to publish indexes of names to SSNs and SSNs to names, such that no stretch of anyone's imagination would ever generate a presumption that knowing the number proves you are the person to whom it is assigned.
The ridiculous assumptions made in the credit and credit reporting industry that are held out to be reasonable should never be allowed to hold up in court.
Is the problem really government agencies or the many companies which tried to cut costs by misusing an identifier as an authentication secret? The law you propose seems like it would have no effect whatsoever unless it applied to the private companies which created and perpetuate this problem.
If SSN didn't exist then some equivalent (perhaps driver's license number and state? that would be convenient for non-drivers!) would be used, because the problem is actually at a different level. The way the laws governing banks and the credit industry are structured, it's possible to be on the hook for debt without a reliable proof of having agreed to that debt. If the laws changed to require that proof (e.g. creditors must have a video of the debtor stating "I am Alice Smith my birthday is July 1 1970 I live at 123 Main St in Springfield and I agree to pay $100 on or before January 1" or something similarly difficult to fake at scale), nobody would care about SSNs anymore. Of course that would introduce friction to the process, but with consumer debt at its current levels maybe that would be a good thing?
The point is that SSNs are perfectly good for what they were designed for. The problem arose when companies decided to treat a username as a password but weren't forced to absorb the cost of their negligence.
The point is these private companies are loathe to do anything that makes fraud harder or takes liability off the victims so yes, making laws is not only helpful it's the only thing that will ever work.
Canada does unfortunately. It's called a Social Insurance Number (SIN) or Numéro d'assurance sociale (NAS) but other than the name, it is mostly the same. And Canada is on the list of the countries suffering from the breach. This should be interesting.
Indeed. I wanted to see if I was on the list, but the site they set up to check looked pretty sketchy.
They've clearly demonstrated I shouldn't trust them with my SIN (not that I ever willingly did in the first place!) so why should I enter it again? Into a different domain, no less?!
Using much more nebulous and unreliable forms of PII as identifiers, in my experience, which leads to situations where you could query someone's report if you know their name and street address.
