Note the new edit on the blog post: They silently corrected the sample data for Bill Gates, changing his state from WI to WA. Major red flag; if it was wrong in the original data just keep it that way and release a few more samples for verification.
Cool, this is good news as it means I might actually be able to find out my credit score.
I recently sent in an application to Equifax to get my credit score along with all the security documents, proof of address, passport, drivers license, registered mail etc. and they rejected my application because I didn't provide a hydro bill. Unfortunately, I live in an apartment and I don't pay hydro, so I sent in a copy of the lease agreement instead but that wasn't good enough :(
Same here.. I applied for a loan and they found that Equifax doesn't even have my report (although the other two do). After countless phone calls they agreed to start the investigation and then the hack happened. The whole concept of private credit bureaus (that to multiple ones whose data dont match up) is fucked up. I think the federal govt should step in an put a stop to this.
The federal government is the reason it is this way-- the FCRA "Fair credit reporting act" is what give this bureaus virtual immunity from liability for propagating false information and the like. This is a great example of where regulation is anti-consumer because the regulations that pretend to protect consumers provide very little protection for consumers and a great deal of protection for the CRAs.
Regardless if it's FAKO or FICO score that you are looking at, they are calculated on the same credit history in your credit report (as far as I know). So, even if the scores are calculated in different ways it's reasonable to expect a high VantageScore 3.0 score will also show as a high FICO score too, even if the numbers aren't exact.
Does anyone know the specific differences in how these two scores are calculated?
FICO is an acronym for Fair, Isaac, and Company. Their "FICO Score" is a piece of software that they make and sell. I'm sure the details are a little more complicated than I'm making it sound, but it's essentially software which is sold. Just like any software, there are different versions - and it's possible to get stuck on an old version if you don't pay for updates. There's FICO 98 (from 1998), FICO 04 (2004), FICO 8 (2008) and FICO 9 (2014). [1][2].
The FICO Software is a scoring engine which will produce an output based on the input you provide it. The three big credit bureaus collect data about you and feed it into the FICO Score software. Even if they all have the same version of the FICO software, because each bureau might have slightly different data on you, your score may be different from each one. Presumably, the FAKO companies also have the FICO Score software, but a much more limited set of data to feed into it - thus making the score less reliable to someone looking to issue you a loan (Big Bank).
At least, that is my understanding of how it works - admittedly, I may be mistaken and welcome corrections.
I've read in another thread here on HN that we also don't know the factors that go in. Someone listed off things like company title, marital status, # kids, car make/model kind of stuff. No idea if they were full of BS, but there's no requirement that the score is based solely on items in your credit report. We can probably (hopefully?) be sure that no race or race-correlated factors are included. (And same for other protected classes.)
You can also get it for free from (at least) American Express and Discover if you have a credit card from them. I'm sure there are other card issuers that give it to you for free as well.
And Mint (owned by quicken) so you don't even need to open a new account or ding your credit. They do, however, serve you ads based on your data -- mostly credit card offers.
CreditKarma does it for free, if you're in the US (no idea about outside the US). So does mint.com. So do many other credit card companies. I now have 6 or 7 credit scores, all curiously different (though within certain range of each other).
Because there are lots of different scoring algorithms. There are several different ones from FICO themselves (so there is no single one FICO score), and they have several competitors that have different algorithms. Even when using the same algorithm, you will have a different score for each credit report.
True but my experience they are all within the same range. If you get "good" score on one of them, you'd get the same on others. They may emphasize slightly different things but there's not that much difference. Also, nobody really checks that score with a point accuracy - there are ranges, but I'd be very surprised if the difference within range, say 750 to 765, means too much.
Yeah, they are usually are similar. The thing is, for many underwriters, if you ate even 1 point below their range on even one report, you will be rejected. Usually there are things most consumers can do to boost their score by a few points, though, reasonably quickly.
I actually kinda hope all the data is made public, as that would (at least hopefully) force people to stop treating knowledge of someone's SSN as valid proof of identity, and lead to a better situation overall.
I really hope that's the outcome here. I also think this should pave the way for real legal consequences for moronic data security. Individuals are banned from using computers when prosecuted, what about "no internet for companies who've proven they can't use it responsibly"
> real legal consequences for moronic data security
This could go really wrong if we let non-tech savvy regulators dictate tech stacks, specific hashing/encryption tools. Could work well, but just has a lot of potential to go very wrong.
Given that risk, as much as I don't want to live in an overly litigious society, letting the risk of lawsuits drive good security may be preferable to putting security in the hands of a few faceless government officials who themselves face no repercussions for getting the regs wrong.
"This could go really wrong if we let non-tech savvy regulators dictate tech stacks, specific hashing/encryption tools. Could work well, but just has a lot of potential to go very wrong."
Engineers, capitalism, private business have utterly, completely, fully and in totality failed.
This is not a little failure. Not a medium one. Not a large one.
This is a foundational, cataclysmic failure of the most epic proportion.
I think the time for voluntary private action has passed.
If developers, their managers, their stakeholders, and their shareholders took security and privacy remotely seriously, we would not be here.
We are here.
It is time to admit the full and complete failure of private software companies to protect data and privacy, and time for government to create a criminal schedule for management and developers who perpetuate criminal negligence.
I believe only 2 things will solve this:
1) Massive financial loss for shareholders -- they speak 1 language, US Dollars. If we say a US Citizens data is worth $100,000, then the fines would be large enough to literally destroy any firm who dared play loose with security. If there is no existential risk, there is zero motivation for compliancy. Only existential risk matters to shareholders. The rest is Cost of Doing Business.
2) Criminal liability for management and developers of products which violate security and privacy due to criminal negligence
Without this, you can all but guarantee that your full identity is kept in plain-text and has already been stolen.
I agree that we should work to determine if there was criminal negligence and prosecute to the highest degree possible, but I find it laughable that you talk about how engineers, capitalism, and private business have completely failed.
The DNC was hacked. The FBI and CIA have had their web sites hacked. The OPM had >22 million people's personal info stolen by Chinese hackers. The NSA itself has had major incidents where essentially cyber weapons were leaked. Those are just SOME of the ones we know about.
Let's stop pretending like government is any more capable, or even as capable, of protecting data than competent corporations. When was the last time Facebook or Google had massive data breach? It's not about 'the corporations maaan' it's about competency and the limited consequences of screwing up so bad.
Exactly this. I don't know where people get the idea that government would do this any better. I think the best regulators could do is make SSNs obsolete. A solution where knowing every possible private data point about a person is useless when attempting to steal someone's identity.
Indeed, I have had my personal data compromised more by government agencies than private (at least, as far as I've been officially/personally notified).
Problem is, on what basis is a person's "private data" worth $100,000, or will the exposure thereof cause damages of $100,000? The average person's entire net worth is only a fraction of that.
There is such a thing as punitive damages but in most civil cases a company or individual is not going to be held liable for more than actual damages.
What is "really wrong" in your definition? I would say this breach is about as "really wrong" as you can get.
The threat of lawsuits already existed before this hack. Look at the multi-million payout Target paid after their credit card breach (and they say it cost their company ~200mil). So that was STILL NOT ENOUGH to change Equifax's behavior.
Improved government oversight/regulation of this industry is more than overdue. This is a national security issue and we should not have our data (and the means of protecting it) held hostage by private companies.
Samy Kamkar too for writing the Samy MySpace worm.
From Wiki:
>Samy Kamkar, the author of the worm, was raided by the United States Secret Service and Electronic Crimes Task Force in 2006 for releasing the worm.[4] He entered a plea agreement on January 31, 2007 to a felony charge.[5] The action resulted in Kamkar being sentenced to three years probation with only one computer and no use of internet,[6] 90 days community service, and $15,000-$20,000 USD in restitution, as directly reported by Samy Kamkar himself on "Greatest Moments in Hacking History" by Vice Media's video website, Motherboard.
It can be a punishment for certain crimes- or as an extended punishment after jail. Things like stalking where a computer was a primary method, valid threats made on a computer, etc.
> Bouk, Dan. How Our Days Became Numbered: Risk and the Rise of the Statistical Individual (pp. 232-233). University of Chicago Press. Kindle Edition.
> In the case of Lange’s unemployed lumber worker, we find a man who might have opted for a tattoo because it could identify him in the case of an accident. After all, he did dangerous work. Or, as he paid money into the Social Security system, he may have wanted to ensure he’d one day be able to redeem his annuity, that he would not forget his number. Neither explanation, however, encompasses his evident pride in his number, his willingness to show off for Lange (who undoubtedly encouraged him, maybe posed him).
> Was he proud to have been, as the New York Times had put it, a “holder” of a Social Security number? Possessing such a number meant a promise of future income, protection for himself, and— after the just-completed 1939 amendments that included expanded support for families— protection for his wife and future children against his old age or death. 76 Maybe he felt pride in the New Deal, in a government committed to him and his family, and advertised that pride on his bicep. Or perhaps, his tattoo displayed a workingman’s pride in his gender and class identities. Possessing such a number signaled his status as an industrial worker. Such status mattered in a bean-picking camp where most pickers had been excluded from eligibility for Social Security. Possessing an account set this unemployed lumber worker apart, probably even from his bean-picking wife.
You missing the point. A single person exposing their SSN right now will suffer, but if everyone's SSN is accepted the companies would have to acknowledge that SSN is no longer secret (in fact it never was intended to be secret).
This whole mess could be trivially fixed by credit bureaus introducing a PIN for every person and require it for opening a new credit line (issue is whether they could keep it safe, but at least it would resolve this problem).
They even already have such mechanism in place, which is done through freezing the file. The problem is that for some crazy reason we are charged when we are trying to protect ourselves.
The number itself doesn't tell you much. The score of someone who was constantly indebted can be high as long as they always paid on time. Higher than for someone who earns >$100k per year and never needed to take on debt. Obviously very low scores tell you that something's likely wrong (if the data is correct), but medium to high scores without the credit report don't say much about a person.
This seems a bit like replying to a suggestion that the world would be a better place without nuclear weapons by telling the other person to unilaterally disarm.
Maybe the hack occurred on an api reporting server? The examples look like logs of api requests to something that generates PDF versions of credit reports, like an API a bank might use to access credit reports.
When you get your report it goes through a process of "generating" the report which you then download as a PDF. This could be logs from that generation service.
If the hackers got unrestricted access they may have found the API's logs and just copied them along with the PDFs?
If I were the real hacker, I would prove it by leaking information that wasn't already public.
If I were someone pretending to be the real hacker, I would show a screenshot of SSNs that I could find with Google (e.g. Kim Kardashian, Donald Trump, and Bill Gates).
Maybe. If I were the real hacker wanting to prove it, I'd maybe leak a few celebrities without previously leaked SSNs. I think at least one of them would unintentionally verify it for the public by getting upset and ranting on Twitter. If that didn't work, I'd try something else.
Disclaimer: I'm no expert on security. I just like applying my things-I-might-do technique.
Doesn't necessarily work. In my late teens I got confused about what my SSN actually was, and entered it wrong when opening a bank account / credit card. Worked fine.
I realized my mistake a few years later and went through quite the endeavor to fix it.
If I were trying to prove I had the data, I would pick a very rich but private street, say in Bevery Hills or Jackson Hole, and release all data from all people who lived there.
You miss the point. It's not about protecting yourself from credit fraud. It's about every one of your snooty neighbors knowing your financial situation. And you knowing theirs.
I wonder as well. I think we all forget how important credit reports are in giving banks comfort to lend (not that this is the only way to do it, but it seems that this is the current way). If people can default on a uncollateralized loan with no ramifications, no bank would lend and the credit engine would shut down.
If you think about it from the bank's perspective though, why would they lend you any money if you were likely to default and they would have to sue you to get money back. That would mean that the cost of your loan would go up for them and therefore, your borrowing rate goes up tremendously.
Humans don't have an innate right to borrow money. It's a service provided by financial institutions for a fee. I don't think credit reports are the best solution (far from it) but they definitely improve your ability to borrow money, at least if you have a good one. :)
>Humans don't have an innate right to borrow money. It's a service provided by financial institutions for a fee.
This would be fine, except those financial institutions get THEIR money from the fed discount window. If their service was entirely private, that would be one thing but having the government involved changes the concept of "rights", especially when the fed loans out money with the express reason that the banks will loan it out in turn.
Maybe a bit, but banks get a majority of their money from deposits. That's their business. Take deposits (pay low interest) and loan it out (higher interest) with some credit risk. The Fed window is a last reserve to protect them from a run on the bank. They could do their business without the Fed window but with a conservative loan-to-deposit ratio. The government doesn't want that because when a bank goes under, banks stop lending which shuts down the economy.
Courts don't report when you are habitually 30+ days late on your loan payments but still pay them off. Courts also don't report how much debt you have. It would also not have any positive information about you, like how many loans you've taken out but paid back successfully and on time.
From what I hear it will just be uncomfortable for customers. Banks will have to make sure that you're really who you are. Where you could open an account with SSN before you'll now need more proof that it's you. Meaning you'll have to supply more documents and more "security questions".
That could lead people to not open an account but probably won't deter people from taking out a loan. But will be a big annoyance for customers.
This looks like B.S. to me.
- Who would store date of birth as a string?
- If we are stringifying dob why is address still seperated?
- Why are the credit report reasource Ids in the thousands not 1M +?
- Why is the file size null but the file is listed with it's mimeType?
I know equifuckingsucks at security but this is a setup that would actually just be difficult to interact with from a data stand point
"If we are stringifying dob why is address still seperated?"
Enterprise.
"Why are the credit report reasource Ids in the thousands not 1M +?"
Enterprise.
"Why is the file size null but the file is listed with it's mimeType?"
Enterprise.
Be grateful you are in a position to be horrified. I'm currently fighting my way through a system that is not currently "Enterprise" yet, but was certainly headed full bore in that direction.
Anyone who has to work with the clowns in the credit reporting biz knows that this data is probably sitting on some COBOL-backed shimmed-out VAX talking to drum memory storage.
I consulted on a large healthcare data project with similar problems. Even "primary" keys were strings. Most tables had no indexes. (The developers routinely argued that they needed new servers with more RAM because they couldn't run multiple database queries at the same time. They already had 64 GB RAM.)
Yes! It had a lot of index-less tables. The you put an index on something and everyone treats you like a magician after you convince them the additional write is worth it.
Most days I worry I'm an imposter, but when I hear that there are groups of people running databases with no idea that indexes are a thing, I think maybe I should ask for a raise.
Some new interface so that they can claim they're "Fintech" to others while the core still runs on a mainframe. At least that's how banks manage to create nice apps while using a core system from the 70s.
Note: The value of BTC dropped more than 10% in the past 8 hours, so the value of the ransom just became much more affordable than before, although it's still higher than the middle of May when Equifax claims the breach began.
Just an aside, "ransom" is probably not the right word, since I presume they are not taking money to destroy or not release the data. They're selling the data to anyone, and probably will be happy to sell the same data many times over.
I was going to say "Nobody would know how to do this" but in reality, it's probably a bit more like "Not enough people would know how to do this" and if they're taking increments of 0.2BTC, they're hoping or expecting to get some real volume.
Making it just hard enough that anyone with a Coinbase account and a credit card can't just do it without actually running a full node of their own, would probably be bad for business.
This seems odd to say, but if they included a price for just a simple name+birth date query, there is probably a decent price point people would actually pay just to know if they are on there. Like if they have even just half of the names querying for their own identities for like $30 a pop, that'd be more than what they are asking for for the whole bulk.
Bitcoin and Etherium are used too much for money laundering. They need to be regulated. There is also so much energy used to mine the coins. More than many countries. We need to really think about what we get out of building a money a laundering technology primarily used on the dark net.
It's not the pile of debt that increases the score. It's the history of repaying that debt per its agreed terms that does.
While I'm not a fan of the credit bureau system, I understand the reasoning behind it. It's an efficient way for creditors to get access to the needed information. Lacking that, to allow the bank to evaluate your creditworthiness among other things you'd likely have to provide a list of references of past creditors and then your new potential creditor would have to validate those references individually: verify you had credit with them, verify you adhered to the payment terms, etc.
For better or for worse today instead of an on-demand complete graph we've got a centralized cache. This serves the needs of the financial players better (read: cheaper) while putting the PII of consumers at more risk.
The point is that the credit score system is utterly dominated by past credit (and its repayment), even though other factors (like current wealth and income) are far more important in practice - and this leads to paradoxical and absurd situations where someone can be filthy rich, but have low credit score because they have zero credit history, never having taken a loan.
Many other countries don't have such a system, and creditors use your past and projected income as a basis for making decisions.
> other factors (like current wealth and income) are far more important in practice - and this leads to paradoxical and absurd situations
From the perspective of the finance industry, these "absurd situations" are so far below the level of noise that they are effectively theoretical. If you want to discuss "in practice": in practice the users of the US credit system have no "current wealth" worth speaking of (look up the median net worth of US households), and their ability to maintain their existing debt is the defining feature of their financial status.
Again, there are many countries - including First World European countries - that don't have the credit score system, or only have reports on non-payments (usually govt-run). They seem to be doing just fine.
Lenders in the US are just trying to maximize their risk-adjusted profit - there's no conspiracy here. If income alone was just as good as income + debt servicing history for making the statistical decisions required to maximize credit industry profits (decisions like whether or not to lend, at what rate, at what ratio to income/assets, etc), do you think the lenders would pay the overhead of the additional useless tracking? Are you suggesting that Equifax & Co. are pulling a fast one on the US lenders and their armies of actuaries and after all these years the lenders haven't noticed the uselessness of the product?
Not at all. My point, rather, is that the credit industry can still function pretty damn well without having access to aggregated credit history and scores, and so banning the practice altogether, or severely limiting the amount of data so collected, in the interests of public good (privacy protections etc), should be considered a viable option on the table.
Not only that. Celebrities that got money quickly often end up with debt or very little money. Having access indirectly via family members is no guarantee. For a bank, such a client can be very risky, much riskier than someone with a regular income.
I wouldn't be that surprised that she would miss lots of consecutive payments. Not because she didn't have the money, but because she doesn't care. 3 late payments in a row on a mortgage, credit card, etc, drags down your score a lot.
Or perhaps she had little credit history. I could see a scenario where most of her stuff is financed through an LLC vs her personal credit. If your business is solely "being popular", almost everything is a business expense :)
The concept of credit scores has a reason to exist, it's just our implementation is broke a million times over. There's nothing wrong with a business loaning you money having the knowledge aforehand that you don't pay your obligations on time.
If by "under the thumb of" you mean "using less than 30% of available credit and carrying some kind of balance". There's no need to apply melodrama to a simple matter of statistics to answer the question of whether someone can use credit responsibly.
A credit score is a signal to potential _new_ creditors about how likely you are to be able to pay back _new_ debts. A factor in credit FairISAAC is the proportion of your outstanding revolving credit you are currently using (more being worse, above about 30%). It could be a sign that your income is unable to pay down your debt (becoming a runaway debt problem).
All to say that just because you've been able to convince creditors to loan you $53 million doesn't necessarily mean your credit is good.
EDIT: see philipodonnell's reply to this post for an alternative explanation. I may have jumped the gun.
As far as I know credit scores are not part of credit reports as they do not show up when you request your credit report. If they were storing "credit score" as part of your credit report but withholding that information when you request a copy that would seem to violate the Fair Credit Reporting Act.
It wouldn't really make sense to store a credit score with the report anyways, it would only make sense to generate it on the fly only when a lender requests it. I'm assuming that different creditors report credit information on different days so it would be changing every time a creditor submitted information on that person which would be multiple times a month for someone with multiple accounts. And if the credit score algorithm was updated they would have to recalculate the "credit score" field on the entire database! This wouldn't really make sense from a technical perspective.
Furthermore, there's not just one "credit score," there's different algorithms for coming up with a credit score. One creditor may request FICO 8 and another one may request VantageScore 3.0 on the same day. Then another comes by and wants FICO 5. So even if they saving a credit score in the database I wouldn't think that they would have a field labeled as a generic "credit score" without any qualifier. It would be "FICO 8 score" or whatever algorithm was used to generate the score.
There's also other problems, I don't have my Equifax report in front of me right now but credit bureaus store alternative/former names which aren't included here. Like for me my reported names are FirstName LastName; FirstName MiddleInital LastName; and FirstName MiddleName LastName. All because different creditors reported my name slightly differently. If you change your name (like Kim Kardashian did - she's Kim Kardashian West now) it would report both your former name(s) and current name(s). I don't see any indication that this sort of information is included.
Therefore I very seriously doubt the authenticity.
(From a technical perspective "pdf" is not a MIME type, the MIME type of PDF files is "application/pdf")
You're assuming this is a database dump. It looks more like logs from the service that creates PDF versions of reports for download. That would have a more simplistic data structure that might look like this.
If it's a service request log, why service would have field requestId and then set it to null? Of course, you can expect anything from people that have admin/admin security on their employee portal, but looks weird. Also, street data have no field for apartment number - does nobody live in multi-tenant buildings? Of course, there may be optional field for this, but given how many null fields there are, it doesn't look like this API does optional fields. In summary, API response format could be anything, as I said, especially from people who do admin/admin, but on the fact of it it looks questionable.
Also, why credit reports for Donald Trump and Kim Kardashian were created at the same second and then modified at the same second? Probability of this happening as a result of natural client activity - i.e. just watching the logs of the active service - is zero. If the attackers had access to this service and initiated the requests, then why not show the resulting PDFs, that they supposedly also must have had access to if they had access to the API?
Also, quick search shows that SSNs of Trump, Kardashian and Gates has been published before. Which means this sample contains only the information that is in the public sources already, or is meaningless (like IDs). Thus, at least the JSON dump thing proves exactly nothing. Of course, if they published a previously unpublished SSN, we'd have hard time verifying it too, so not sure what could be a good proof here...
Very good point. I admit, I looked at the JSON pretty quick assuming it was a database dump export (obviously the database isn't a JSON file) and thought "this doesn't make sense" and didn't think about it much more.
I can't speak for the other points you raise, but I note that it says "Credit Score" rather than "FICO score" - all of the credit reporting agencies (and some third parties) have their own "Credit Score" product that they sell or otherwise provide - it's almost a scam in itself, in that they strongly suggest they are selling you a FICO score but instead give you their own internally-generated, presumably royalty-free number.
Since there's no cost associated with this, they may well generate one for everyone and store it with their data.
Yep! The difference between the two was a particular source of frustration for me.
Back when I was relatively new on the (full time) job market, I pulled my reports from annualcreditreport.com and it would tell me that my "credit score" is 720-740, and no negative marks.
However, I also had never taken out a loan before. So whenever I tried to do use that pristine credit (e.g. for a mortgage, credit card, or apartment), I had "no credit history" which appeared to the credit as toxic and subprime.
(Relatedly, when I got my first part time job and tried to buy a PS console with a check, Best Buy said it violated their "risk parameters" and wouldn't take it, though Walmart would.)
Agreed with this. I had no credit except a credit card until I was 30 and bought my first new car. All my other cars were family cars or bought from relatives. I worked during school so no loans either.
I'm curious to see what happens when I buy my first house. There was a huge chance I wouldn't have even needed the car loan but life happens.
Each agency has their own credit score.
In addition they will compute a Fair Isaac score on demand because FICO charges a royalty to compute the FICO. The royalty is the reason they dont giveva FICO with the free annual report.
>And if the credit score algorithm was updated they would have to recalculate the "credit score" field on the entire database! This wouldn't really make sense from a technical perspective.
This obviously depends on your real-time requirements on providing a credit score. If you need to be able to return any credit score in X milliseconds, and you need to be able to do this at certain throughput, and have load that's not distributed across the day, then you might choose to pre-compute data.
There are techniques you could use to ensure you minimise re-computes and you could also pre-compute values into the future and re-calculate them when new/unexpected data came in.
It might not make sense to do this in a general-case, but placing retrieval performance constraints on a system can lead to non-obvious pre-calculation/computation solutions.
Yeah, at best, that tool from Equifax is unreliable. People have put in fake users and SSN and still it's told them they were affected. At worst, it's just another way to get customers to sign up for a new service.
It's asking for the last 6 digits of SSN and name. Considering that is 1 million unique numbers, out of 146 million potentially compromised accounts, you could probably put any number in there and be reasonably sure of getting a hit.
This is a very good point and may explain this phenomenon. However, I'm not 100% sure that those numbers are equally distributed. Still, it may well account for the fact that random numbers still resulted in a hit. Good point.
This really pisses me off. It's only a matter of time before some random person opens up a cellphone, utlity, or bank account... or worse. Completely messed up.
Everyone American should be scared shitless at this incompetence. It's going to cost everyone thousands of dollars over their lives for credit fraud protection. Just another expense to add.
Not saying it would be great in the short term, but I wonder how it would play out if the entire database was made widely available. It seems like it would be a lot harder to enforce a debt if the borrower was originally identified based on "secrets" that were well known to be public at the time. Maybe then they would come up with a better authentication scheme than "what color was your first car?"
It would be an awful lot like the end of Fight Club. Destroy credit records, or reduce them to meaningless, either way the economy would collapse.
People can complain all they want about credit, but the reality is that it exists as a financial service because loaning things with interest is probably older than agriculture in human society. We've just gotten very good at risk assessment, and this going public would ruin our ability to assess risk for years.
Honestly, the credit industry ought to be the ones raging against Equifax's fuck up. If only all the other credit bureaus weren't on eggshells hoping they're not next.
So far, I have had three phones signed up in my name (essentially stolen from the suppliers), can't easily get a mortgage because I own my own company, somehow making me riskier than people who earn half my income, and in the past had my credit card limit extended to £10,000 without asking when I was almost broke.
To me that doesn't sound like they're good at assessing risk at all, they're just blindly following extremely simple algos instead of knowing their customers.
The records wouldn't be rendered meaningless any way, the fundamental of a credit report is how much debt you already have and if you ever miss payments or have judgements against you. Then a lender compares that to your income.
Maybe then enough people at the same time would pressure state and federal legislators to regulation suspicious data brokers and creditors (and/or address insufficient/broken authentication in new credit accounts).
The Target breach was the thing that finally catalyzed the move from magstripe ccs to EMV ccs. I think we are currently on the precipice of the point when we need to move towards a second factor of authentication ("something you have" or "something you are" in addition to the lots of "something you know" that the current credit bureau system uses).
What would happen if the DB was widely available and many many people just randomly and inexplicably opened as many ranom accounts as possible - it would cause chaos in the economy.
What would an accurate "what if" scenario like this look like?
That's the first five minutes. Then the market for new consumer credit would seize up, banking share prices would flip out, and talking heads on cable would have something new to hyperventilate over.
Overall, many thousands of folks would have their home plans/vacation/card-flipping/whatever plans screwed up, some thousands would have a more severe financial problem, the banks would muddle through, "we'd" rebuild the financial-surveillance system over again, and it would probably be less stupid in some ways at the cost of being more uniformly intrusive.
The thing is, up until now, there was a false sense of security that if someone didn't have your SSN, they couldn't open up financial accounts as you. And there was little being done to protect people whose SSNs are already disclosed in some way.
With such a large percentage of our social security numbers being potentially outright public, financial institutions need to stop assuming that an account holder is legitimate because they provide an SSN. And it is in their best interests to do so, since they end up on the hook in most cases for fraudulent accounts (after putting you through an awful process to prove it isn't yours).
For example, rather than letting someone sign up for an account with the SSN as a verification of identity, new credit accounts could potentially be considered probationary (or just outright not created) until a one-time code is mailed to the credit holder's established home address (based on their existing credits and payment history) as confirmation that the real person with that SSN authorizes that transaction. While such a step would not be completely impossible to defeat, it would mitigate attackers on the other side of the globe opening fraudulent accounts.
Agreed. If you used medical services in any significant way before 2010, your SS and birthdate was all over the place in insurance and medical records.
> It's going to cost everyone thousands of dollars over their lives for credit fraud protection.
In my mind, the Just thing to do would be for Equifax to offer ongoing fraud protection to all of their customers affected by this leak. (Gosh, that might be expensive!)
