Equifax Breach

Gee, only about the 10th time somebody broke into a database with my info. The topper was the Chinese Government breaking into OPM and stealing my entire life history in my Security Clearance file.

This! They got mine too.

Of course, the conspiracy theory side of me wonders if the folks that are really doing the hacking are the people in the credit protection industry. Let's face it, every time one of these hacks becomes public, they get a **** ton of business.
 
FCRA law dictates that you may receive a free credit report once a year from each of the 3 reporting agencies. I stagger mine and pull one every 4 months from each agency. Companies that charge for their reports are ripping people off.:mad:

I'm talking about the freeze charges, not the credit reports. For New York residents, a first security freeze is always free. Subsequent freezes, lifts, or thaws can cost $5.00 each. But all freezes, lifts, and thaws are free if someone has filed an identity theft report with any law enforcement agency or with the FTC. New York also requires that requests for lifts made by phone or Internet be processed within 15 minutes.

One thing to be aware of is that if a lender's pull is blocked due to a freeze, the application has to be voided and a new one started. Even if you lift the freeze, all subsequent pulls connected to an application that's already hit a freeze will also be blocked.

Rich
 
Now there is an article saying that if you sign up for the Equifax Trust ID that is "complimentary", then in the terms of use agreement, if you agree, you cannot sue them. Gotcha: sign up and then there is nothing you can do to us.

Several class action suits are already in the works. Let's guess: the settlement will be complimentary Trust ID for you, and the lawyers get millions.

They have "clarified" that the prohibition applies only to the TrustID service, not the breach itself.

https://www.washingtonpost.com/news...efore-you-check-equifaxs-data-breach-website/

NYS Attorney General Eric Schneiderman is taking credit, which may actually be true in this case. He's a tough SOB when he wants to be. I know that when Equifax was giving me the runaround and I called the AG's office, they were on them like stink on ****.

Rich
 
There is a system called PCI certification from the banks for credit card handling which has STRICT rules on how data has to be protected. i.e. the datacenters have to have security cameras and strict access controls.

PCI is a complete joke. The banks and their partners are completely exempt from it, and it is NOT codified in law.

That said, things that are codified in law aren't any better.

I've done a large scale PCI certification. It was an exercise in checking off boxes by some expensive PCI examiner who had ZERO clue about actually securing anything whatsoever. I wouldn't trust PCI to keep a pencil secure.

Proof? We had at least one visit from the FBI investigating a significant credit card data breach while we were 100% PCI compliant. It happened. They charged the person who did it. We changed some software to make it harder to do what he did.

PCI is just a money-making Ponzi scheme the financial industry came up with for the "security" department and a whole lot of contractors. I've noticed a few of these companies are already going under as they lose customers who aren't mandated to follow PCI. Some forms of PCI a company can completely disregard if they simply agree to pay higher than normal credit card transaction fees. The card issuers DO NOT CARE.

They don't even enforce those threats quickly if a company is making them transaction money. I know of one place that put off their PCI cert for three years by simply claiming they didn't have time/resources to do it. Credit card transaction company was fine with that.

This is like paying "protection" money to the mob.

Cartel describes the big three credit reporting agencies more accurately than Mob, but yep.

Said I'm not impacted. Not sure whether to believe them or not at this point.

You have zero reason to do so. Ever. They don't work for you. Keep that in mind. Equifax wants personal data of people to sign them up for a service to protect their data, data they've already shown they're not responsible enough to be handling in the first place.

Sounds like a brilliant plan. Now they have a "business relationship" with you and can spam you monthly to buy their untrustworthy and useless products.

I'm affected and froze my reports at all three agencies today. For $10 per. Bastards.

Fees to freeze credit should be illegal.

The "monitoring" service is useless. It will tell you what you should already know from watching your own account statements and turning on spending alerts with your financial institutions directly, plus pulling your free annual credit reports.

Monitoring provides zero protection from damages. None.

Why anyone would enter into a business agreement (even "FREE!") with these ass-hats, I have no idea.
 
I have the monitoring service through USAA. Never a bad report. My information has been hacked so many times it's ridiculous. Company servicing military retired TriCare, hacked. Government OSI hacked, yes I am a govt contractor. And that's just two of at least 4 in the last 10 yrs. Opened two new credit accounts in the last 6 months, home remodeling. Instant credit, no issues. Barely a blip from the monitoring service.
 
I have the monitoring service through USAA. Never a bad report. My information has been hacked so many times it's ridiculous. Company servicing military retired TriCare, hacked. Government OSI hacked, yes I am a govt contractor. And that's just two of at least 4 in the last 10 yrs. Opened two new credit accounts in the last 6 months, home remodeling. Instant credit, no issues. Barely a blip from the monitoring service.

I'm surprised to hear that. Practically everything I do credit-wise generates an alert on mine. I think I had to configure some of the alerts, though. I basically want to be alerted every time something changes, and I am. Whether it's worth the money or not is a matter of opinion; but the service does do what it claims to do, in my experience.

Rich
 
PCI is a complete joke. The banks and their partners are completely exempt from it, and it is NOT codified in law.

That said, things that are codified in law aren't any better.

I've done a large scale PCI certification. It was an exercise in checking off boxes by some expensive PCI examiner who had ZERO clue about actually securing anything whatsoever. I wouldn't trust PCI to keep a pencil secure.

Proof? We had at least one visit from the FBI investigating a significant credit card data breach while we were 100% PCI compliant. It happened. They charged the person who did it. We changed some software to make it harder to do what he did.

PCI is just a money-making Ponzi scheme the financial industry came up with for the "security" department and a whole lot of contractors. I've noticed a few of these companies are already going under as they lose customers who aren't mandated to follow PCI. Some forms of PCI a company can completely disregard if they simply agree to pay higher than normal credit card transaction fees. The card issuers DO NOT CARE.

They don't even enforce those threats quickly if a company is making them transaction money. I know of one place that put off their PCI cert for three years by simply claiming they didn't have time/resources to do it. Credit card transaction company was fine with that.



Cartel describes the big three credit reporting agencies more accurately than Mob, but yep.



You have zero reason to do so. Ever. They don't work for you. Keep that in mind. Equifax wants personal data of people to sign them up for a service to protect their data, data they've already shown they're not responsible enough to be handling in the first place.

Sounds like a brilliant plan. Now they have a "business relationship" with you and can spam you monthly to buy their untrustworthy and useless products.



Fees to freeze credit should be illegal.

The "monitoring" service is useless. It will tell you what you should already know from watching your own account statements and turning on spending alerts with your financial institutions directly, plus pulling your free annual credit reports.

Monitoring provides zero protection from damages. None.

Why anyone would enter into a business agreement (even "FREE!") with these ass-hats, I have no idea.

Yeah, I have no intention of signing up for their service. I kind of wish they'd just go away. I did click through to find out if I was affected, but all I got was a screen telling me to check back on the 13th and finish the enrollment.

I do know from the Experian service that there have been pulls against Equifax, so I'm just going to assume that I was affected. I suspect that the only thing they check in determining whether or not an individual was affected is whether they have any data on them, anyway. If they know who you are, you were affected.

Rich
 
I'm surprised to hear that. Practically everything I do credit-wise generates an alert on mine. I think I had to configure some of the alerts, though. I basically want to be alerted every time something changes, and I am. Whether it's worth the money or not is a matter of opinion; but the service does do what it claims to do, in my experience.

Rich

I do this via the tools at the account holders. I always chuckle when I'm paying for something and the phone dings with a spending update before I've even left the cash register.

What else would I use a pocket computer (smart phone) for? Posting on PoA? ;)

Setting up alerts is easy. Most people don't bother and then are surprised when an almost completely insecure (as a whole) electronic transaction system "surprises" them with illegal activities they didn't notice.

That plus a written budget makes it pretty easy to tell when something just went through that was fraudulent. My wife and I usually text each other about the same time when something does make it past the card issuer's fraud detection systems.

"Don't care but did you just spend $100?"
"Nope, was going to ask you the same thing."
"Alright, I'll call..."

Of course we haven't talked about the other form of scammer yet. The places like LifeLock and their ilk...

Loved that the CEO who always plastered his SSN on their advertising claiming he was safe because he used the service, had more than ten major incidents of identity theft (not to mention having his butt fired by the BoD and criminal charges) to his name... before that house of cards came tumbling down.

And people still hand them money...
 
I do this via the tools at the account holders. I always chuckle when I'm paying for something and the phone dings with a spending update before I've even left the cash register.

What else would I use a pocket computer (smart phone) for? Posting on PoA? ;)

Setting up alerts is easy. Most people don't bother and then are surprised when an almost completely insecure (as a whole) electronic transaction system "surprises" them with illegal activities they didn't notice.

That plus a written budget makes it pretty easy to tell when something just went through that was fraudulent. My wife and I usually text each other about the same time when something does make it past the card issuer's fraud detection systems.

"Don't care but did you just spend $100?"
"Nope, was going to ask you the same thing."
"Alright, I'll call..."

Of course we haven't talked about the other form of scammer yet. The places like LifeLock and their ilk...

Loved that the CEO who always plastered his SSN on their advertising claiming he was safe because he used the service, had more than ten major incidents of identity theft (not to mention having his butt fired by the BoD and criminal charges) to his name... before that house of cards came tumbling down.

And people still hand them money...

I think we're talking about two different things. I have the purchase alerts set up, too, at the lowest amounts the issuers allow. If that's $1.00, then that's what I set it at.

What the monitoring service does is alert me if someone pulls a credit report or if something else happens that involves a credit bureau. I just now checked, and the Experian / USAA service has alerted me 19 times in the past three months. About half of the alerts were FICO score changes that went up or down, sometimes as little as one point. But the rest of the alerts were inquiries, new accounts, closed accounts, merged accounts, increased credit lines, and so forth. Those are the things I want to know about.

As an aside, another thing most people don't know is that practically any financial institution will allow you to set up a security word without which they won't discuss your account over the phone. I doubt that information finds its way to CRAs, so I'm glad I set that up on all my accounts before the Equifax breach.

Rich
 
I suspect that the only thing they check in determining whether or not an individual was affected is whether they have any data on them, anyway. If they know who you are, you were affected.

Rich

Yeah. The assumption that only a portion of their data is breached when they obviously have hideous data hygiene habits, and a culture that doesn't care at all, which is what such a large breach really shows... means there's LOTS of other holes in their systems. Probably a number of them they don't even know about.

Why would they care? They have a virtual monopoly. It's not like they're going anywhere after this due to any real competition.

Switch to TRW? The dumbest IT manager I have EVER met in two decades in the biz, came from there. Ten years at TRW prior to when I ran into her. She refused to let people patch production public systems for known root exploits being seen and reported as actively being used, in the wild. Said it had to wait for two weeks to go through a committee. Complete idiot.

And TransUnion? Right. LOL.
 
What the monitoring service does is alert me if someone pulls a credit report or if something else happens that involves a credit bureau. I just now checked, and the Experian / USAA service has alerted me 19 times in the past three months. About half of the alerts were FICO score changes that went up or down, sometimes as little as one point. But the rest of the alerts were inquiries, new accounts, closed accounts, merged accounts, increased credit lines, and so forth. Those are the things I want to know about.

I knew. I just don't find much value in that side of it. If someone takes out loans in your name, it's extremely easy to get that tossed.

FCRA gives them 30 days to fix it or you sic the lawyer on them. That's one piece of legislation surrounding all of this that actually works for the most part.

Well that and not using credit. It's pretty easy to point to accounts that have had zero balances for years and say, "Hmm... I think I see a pattern here..." if one gets all the way opened and has a fraudulent balance. :)

You can tell banks and credit unions are finally getting paranoid about their liability for fraud these days. Last time I wanted to change something on an account, they had a thumbprint reader and made me use it in the branch.

Downside: I bet they have as crappy security on the database that holds the thumbprint as they have on the same one that holds the SSN and images of my signature.

They're far too stupid to separate these things and encrypt them with a key that only *I* hold, not them. But that's how it SHOULD be done.
 
This! They got mine too.

Of course, the conspiracy theory side of me wonders if the folks that are really doing the hacking are the people in the credit protection industry. Let's face it, every time one of these hacks becomes public, they get a **** ton of business.

Never attribute to malice what can adequately be explained by an entire industry of coders who have zero interest in security or the inconveniences that come with writing code with security in mind.

Let alone the execs who think business processes are run by the computers and not mandated by humans with brains long before the first line of code is written.

Or worse, scared to mandate common sense security requirements because it might bother some Prima Donna CIO who'd ask for a bigger budget -- instead of just pointing out that a filing cabinet and a locked room is more secure than the multi-million dollar systems their department runs.

If you don't keep the SSNs and the names in the same data store, and the two may only EVER meet after being unencrypted by a system that knows exactly who requested they be put together and logs it securely in yet another location... and the unencryption may not be accomplished by anyone without the customer present and something only the customer knows...

Secure systems are really pretty easy if your company culture refuses to keep the connective information between sensitive data and non-sensitive data in the control of the customer.

The very last thing the banking systems programmers want is secure systems. Way too inconvenient for them. That's why they make a big deal out of garbage like PCI.

It gives the illusion they're doing something about it all to the customers so the customers don't start demanding the businesses lock up their data and hand the CUSTOMER the only key.

And then of course there's the problem of even the bank's own employees just claiming they talked to a customer and creating millions of fake investment accounts for commissions... cough, Wells Fargo, cough... who should have never been bailed out... anyone notice the news they quietly let out last week that they found an additional 1.5 MILLION fake accounts they didn't find in the initial investigation when the press spotlight was on them? Corrupt to the core. Not a single Board member has been held to task for any of their horrid oversight of the business. Beyond horrid. Criminal.
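The split-store design the post above sketches (names in one store, SSNs in another, the two joined only under a key the customer supplies, with every join logged somewhere else) can be shown concretely. The following is an added example written for this thread, not code from any bank, Equifax, or the poster. It uses only the Python standard library, so the HMAC-SHA256 counter-mode stream cipher and encrypt-then-MAC tag stand in for an authenticated cipher such as AES-GCM, which is what a production system would use; the customer secret, store names, and sample record are constructed placeholders.

```python
"""Split-store PII design: names and SSNs never share a data store, and the SSN
is encrypted under a key derived from a secret only the customer holds.
Standard-library only; the HMAC-CTR keystream below is illustrative and stands
in for AES-GCM in a real deployment."""
import hashlib
import hmac
import os
import secrets
from datetime import datetime, timezone

PBKDF2_ITERATIONS = 200_000  # slow derivation; tune upward for real use

# Two separate stores plus a separate audit log (constructed, in-memory stand-ins
# for what would be three independently secured systems).
NAME_STORE: dict[str, dict] = {}   # token -> {"name": ..., "kdf_salt": ...}
SSN_STORE: dict[str, dict] = {}    # token -> {"nonce": ..., "ct": ..., "tag": ...}
AUDIT_LOG: list[dict] = []         # every join attempt, successful or not


def _derive_keys(customer_secret: str, salt: bytes) -> tuple[bytes, bytes]:
    """Derive an encryption key and a MAC key from the customer's secret.
    The institution stores only the salt, never the secret or the derived keys."""
    material = hashlib.pbkdf2_hmac("sha256", customer_secret.encode(), salt,
                                   PBKDF2_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream (illustration only)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def enroll(name: str, ssn: str, customer_secret: str) -> str:
    """Put the name in one store and the encrypted SSN in another, linked only by a random token."""
    token = secrets.token_hex(16)
    salt = os.urandom(16)
    enc_key, mac_key = _derive_keys(customer_secret, salt)
    nonce = os.urandom(16)
    pt = ssn.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    NAME_STORE[token] = {"name": name, "kdf_salt": salt}
    SSN_STORE[token] = {"nonce": nonce, "ct": ct, "tag": tag}
    return token


def reveal(token: str, customer_secret: str, requester: str, reason: str) -> tuple[str, str]:
    """Join name and SSN for one request. Requires the customer's secret and records
    who asked and why in the audit log before anything is returned."""
    entry = {"at": datetime.now(timezone.utc).isoformat(), "token": token,
             "requester": requester, "reason": reason, "ok": False}
    AUDIT_LOG.append(entry)
    ident, blob = NAME_STORE[token], SSN_STORE[token]
    enc_key, mac_key = _derive_keys(customer_secret, ident["kdf_salt"])
    expected = hmac.new(mac_key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        # Wrong secret: the attempt stays in the log with ok=False and nothing is decrypted.
        raise PermissionError("customer secret does not unlock this record")
    ssn = bytes(a ^ b for a, b in zip(blob["ct"], _keystream(enc_key, blob["nonce"], len(blob["ct"]))))
    entry["ok"] = True
    return ident["name"], ssn.decode()


if __name__ == "__main__":
    # Constructed sample record; "000-00-0000" is an obviously invalid placeholder SSN.
    tok = enroll("Jane Example", "000-00-0000", "correct horse battery")
    print(reveal(tok, "correct horse battery", "loan-officer-17", "mortgage application (constructed)"))
    try:
        reveal(tok, "wrong secret", "helpdesk-03", "account lookup (constructed)")
    except PermissionError as err:
        print("denied:", err)
    print(AUDIT_LOG)
```

Neither store on its own yields a usable (name, SSN) pair, the token linking them is random rather than derived from the customer's data, and a reveal attempt with the wrong secret is refused and still logged, which is the property the post is asking for.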
 
I knew. I just don't find much value in that side of it. If someone takes out loans in your name, it's extremely easy to get that tossed.

FCRA gives them 30 days to fix it or you sic the lawyer on them. That's one piece of legislation surrounding all of this that actually works for the most part.

Well that and not using credit. It's pretty easy to point to accounts that have had zero balances for years and say, "Hmm... I think I see a pattern here..." if one gets all the way opened and has a fraudulent balance. :)

You can tell banks and credit unions are finally getting paranoid about their liability for fraud these days. Last time I wanted to change something on an account, they had a thumbprint reader and made me use it in the branch.

Downside: I bet they have as crappy security on the database that holds the thumbprint as they have on the same one that holds the SSN and images of my signature.

They're far too stupid to separate these things and encrypt them with a key that only *I* hold, not them. But that's how it SHOULD be done.

I've actually been impressed by a few companies whose security caught fraud or potential fraud. Whether it was just luck or good practices, I can't say.

A few years ago, I went to California for a trip that was supposed to take a week. I charged the airfare to my PayPal business debit card. While I was there, I had to extend the trip by four days, and either there was no fee or I charged it to a different card.

A day or two after I was supposed to be home, I withdrew $400.00 from an ATM in San Diego. It gave me the money, but my phone immediately started ringing. It was PayPal asking if I'd just made the withdrawal. As far as they knew, I should have been back in New York, so the withdrawal triggered a flag. It was kind of creepy. But I was also impressed at the speed with which they caught it.

On another occasion, my credit union called me at about 5:00 a.m. to ask if I was attempting to buy jewelry from a company in Thailand on my business card. I wasn't. They cancelled all of my cards and told me they'd have new ones waiting for me at the branch. My business cards are registered with the CU for international online purchases, but somehow that particular purchase was suspicious enough that it triggered their system, was declined, and triggered a phone call.

Barclay's also called me once when an international charge went through for some very small amount (about a dollar and change). It was legitimate in that case, but they said it was a common practice for overseas scammers to run a very small charge to determine if a card was active.

This breach marks, I believe, the 12th time my PII has been compromised. I stopped counting a while ago. But other than for postage and other incidentals to clean up the mess and try to limit my exposure, I've never actually lost any money. Most fraudulent attempts have been blocked, and I was promptly reimbursed for those that went through. So in the big scheme of things, I guess I'm pretty lucky. I know people whose lives were destroyed by this sort of thing.

Rich
 
This breach marks, I believe, the 12th time my PII has been compromised. I stopped counting a while ago. But other than for postage and other incidentals to clean up the mess and try to limit my exposure, I've never actually lost any money. Most fraudulent attempts have been blocked, and I was promptly reimbursed for those that went through. So in the big scheme of things, I guess I'm pretty lucky. I know people whose lives were destroyed by this sort of thing.

I think the "life destruction" stage is essentially over for this stuff. It happened early on because everyone blamed the victims and had their collective heads in the sand.

At this point, normalcy has returned and you're never liable for fraud, just as it has always been. The card companies know their systems are chock full of huge holes and pretend they're doing something about it, but they rely on people thinking a plastic swipe is really a whole lot easier than just carrying cash.

The CEO of MasterCard has said flat-out that he wants a cashless world and will do everything he can to make that happen. They're even offering bribes in the form of Point of Sale gear to small businesses who will sign a contract with MC that they will NOT accept cash at their business. It's a bait and switch, of course. They'll buy $10K worth of PoS equipment and make it back with increased transaction rates later. There's no such thing as a free lunch. Even at a "plastic only" restaurant.

The card companies HAVE to keep up the charade that their systems are secure to meet their "all plastic rainbow unicorn fart utopia" world conquest goals.

The code and the systems are not good. Been having a laugh with a local merchant who knows I do IT stuff telling me about his two weeks of hell after his PoS system auto-updated a version of code and now it won't process any debit card transactions at all, because it never asks for the PIN. Everything has to be processed as credit. Thankfully for him, most debit cards are dual mode and it all comes from the same account no matter which way it was processed.

It's a very well known brand name on the cash register. He upgraded to it to handle chipped cards.

The business also has a fast food kitchen for pizza, calzones, fried foods, and other snacks attached to it. He about went ballistic when the new PCI rules said he couldn't hook a thermal tape printer in the kitchen that prints ONLY food orders for the cooks to the new PoS system via WIFI because that would be "insecure" -- so an Ethernet drop had to be run from one side of the building to the other to plug the pizza order printer into the system. LOL.

Someone might hack the wifi point to point device network and find out I like pepperoni thin crust pizza.

And while that's all nice and secure, the banks exempt companies like Equifax. Thank goodness the pizza printer is secure and the code doesn't even know how to ask for a PIN anymore with that whole "chip and PIN" security stuff. Hahahaha. Wouldn't want that to work properly or anything.

Guess what they did for a while when the pizza printer couldn't be used? Write the pizza order with a pen and walk it 35' across the building. Amazing how well that worked.
 
Of course, it's all moot talking about software security and processes when the hardware is not audited... and is implicitly trusted...


If the systems are literally rotten to the core........

;)
 
I'm beginning to think Equifax doesn't really exist and is just a huge scam run by ex timeshare salesmen.

Cheers
 
My wife's ID was stolen a while back. Have no idea how it happened, but first clue was when credit card that she never applied for arrived.

We had to pay $10 each to the credit bureaus to have a freeze put on her credit file. Then another $10 each to have it unfrozen if needed in the future. That's complete nonsense. It should cost these turkeys nothing to freeze the credit. In some states it's free, but not the one where I live, unless you submit the request with a law enforcement report. In my wife's case, she didn't get one, because what would that accomplish except more bureaucratic paperwork? We just paid the $30 hush money to the credit mob and went on our way.

At least the IRS fraud prevention process was easier, and ironically felt less slimy.

I didn't even know about ChexSystems, and apparently neither did any of the banks which hold our accounts and sent us identity theft "advice" after we notified them of the fraud.

If you have minor children, you have to watch out for their information, too. Even more hush money out of my wallet.


JKG

ChexSystems is a pretty low-key outfit. Not all banks use them, but about 80 percent do. Some run a check at the time an account is opened, but others only check when the depositor actually orders checks. Apparently, opening up a checking account, but ordering checks from a company other than the one the financial institution uses, is one way that people who have been tagged by ChexSystems attempt to beat the system.

On the other hand, there are banks that target-market "second-chance checking accounts" to customers who have been tagged by ChexSystems for overdrafts (or less often, drawing against a closed account, which is considered more heinous than a simple overdraft). Use your favorite search engine to search on "banks that don't use chexsystems" or "second chance checking accounts." Marketing checking account services to people with ChexSystems histories has become a cottage industry.

There are two other companies that provide this data to banks: TeleCheck and EWS (Early-Warning Systems). Neither offers the ability to freeze one's file (at least not the last time I checked). They do allow incorrect entries to be disputed, however.

I was vaguely aware that ChexSystems existed, but it was the Deputy Sheriff who took my identity theft report who advised me to put a freeze in effect with them. She said that fraudulent checking accounts are a bigger problem than most people think.

She also made a few other suggestions that I wouldn't have thought about, such as photocopying vehicle registrations and carrying the photocopies in the vehicle rather than the original documents. The originals have a "point" value at DMV to establish identity if someone loses their wallet and needs a replacement license. Photocopies do not. She's also the one who told me about the "security words" that practically any financial institution will add to an account on request as an additional verification step during phone calls. The more common data such as mother's maiden name and last four digits of the SSN will likely be known to an identity thief. The security word, not so much.

It's a minefield out there.

Rich
 
Did the check yesterday at the Experian website. Said I was probably affected.

Around midnight my bank sent me an email asking if I made these charges at "local" areas for $1.00. I was coming back from Corpus Christi so I wasn't in the area.

Wonderful. Just wonderful. On the phone with Chase now.
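Two of the issuer-side checks described in this thread, the out-of-itinerary withdrawal PayPal caught and the dollar-and-change "is this card live" probe that Barclays described and that the post above just ran into, are simple enough to express as detection rules. The following is an added example, not the code of any issuer or poster; the transaction records, travel window, merchants and regions are constructed sample data, and the dollar threshold is an assumption.

```python
"""Two card-fraud heuristics from the thread, run over constructed transactions:
(1) a micro-charge from a merchant the cardholder has never paid before, and
(2) a charge whose region matches neither home nor a declared trip on that date.
Added example; all data below is constructed."""
from dataclasses import dataclass
from datetime import date, datetime


@dataclass(frozen=True)
class Txn:
    when: datetime
    amount: float
    merchant: str
    region: str      # coarse location of the merchant or ATM


@dataclass(frozen=True)
class Trip:
    region: str
    start: date
    end: date


MICRO_CHARGE_LIMIT = 2.00  # assumption: "about a dollar and change" probe charges

# Constructed cardholder profile and history.
HOME_REGION = "New York, US"
TRIPS = [Trip(region="California, US", start=date(2017, 9, 1), end=date(2017, 9, 8))]
HISTORY = [
    Txn(datetime(2017, 8, 20, 18, 5), 62.10, "Grocery Co", "New York, US"),
    Txn(datetime(2017, 8, 27, 9, 40), 38.00, "Fuel Stop", "New York, US"),
]
# Constructed new activity to screen.
NEW_TXNS = [
    Txn(datetime(2017, 9, 5, 12, 30), 45.00, "Airport Cafe", "California, US"),    # during the trip
    Txn(datetime(2017, 9, 10, 15, 0), 400.00, "ATM withdrawal", "California, US"), # trip should be over
    Txn(datetime(2017, 9, 12, 3, 15), 1.27, "Unknown Merchant Ltd", "Thailand"),   # probe charge abroad
    Txn(datetime(2017, 9, 12, 17, 45), 60.00, "Grocery Co", "New York, US"),       # routine
]


def review(home_region, trips, history, new_txns, micro_limit=MICRO_CHARGE_LIMIT):
    """Apply both rules to each new transaction; return (txn, reason) pairs in order."""
    known_merchants = {t.merchant for t in history}
    alerts = []
    for t in new_txns:
        # Rule 1: tiny charge from a merchant never seen on this card before.
        if t.amount <= micro_limit and t.merchant not in known_merchants:
            alerts.append((t, "micro-charge from unfamiliar merchant"))
        # Rule 2: region is neither home nor a declared trip covering that day.
        day = t.when.date()
        allowed = {home_region} | {tr.region for tr in trips if tr.start <= day <= tr.end}
        if t.region not in allowed:
            alerts.append((t, f"charge in {t.region} outside declared travel"))
    return alerts


if __name__ == "__main__":
    for txn, reason in review(HOME_REGION, TRIPS, HISTORY, NEW_TXNS):
        print(f"{txn.when:%Y-%m-%d %H:%M}  {txn.amount:>7.2f}  {txn.merchant:<22} {reason}")
```

The airport purchase inside the declared trip and the usual grocery charge at home pass silently; the withdrawal two days after the trip was meant to end and the 1.27 charge from an unknown merchant abroad are the ones an issuer would want to phone about. A real system would add velocity and merchant-category signals, but the two rules above are the ones the anecdotes in this thread actually describe.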
 
I think the fact we allow this credit system to go on as-is, where a simple 9-digit number and some relatively public information about you are the keys to taking out loans/credit cards/etc., is ridiculous.

I have wondered about how to create a better system. The one thought I had was: what if, to sign up for these things, you had to show up somewhere in person, and the company needed to have a short video clearly showing you agreeing to the terms/contract/whatever, and if they want to claim a debt against you they need to present said video?

Of course with the growing capabilities in video editing that may not be rock solid for too much longer either...
 
A friend of mine who's in a position to know about such things told me a little while ago that it seems the TrustID monitoring site set up by Equifax has also been breached already, but he doesn't know to what extent.

This article alleges that Equifax is returning "may have been affected" results for imaginary names using random strings of six integers as the last six digits of the SSN.

Rich
 
I think the fact we allow this credit system to go on as-is, where a simple 9-digit number and some relatively public information about you are the keys to taking out loans/credit cards/etc., is ridiculous.

I have wondered about how to create a better system. The one thought I had was: what if, to sign up for these things, you had to show up somewhere in person, and the company needed to have a short video clearly showing you agreeing to the terms/contract/whatever, and if they want to claim a debt against you they need to present said video?

Of course with the growing capabilities in video editing that may not be rock solid for too much longer either...

It seems to me that a salted and hashed string derived from an algorithm into which responses to questions about a person to which the answers will never change would be a better way to go. Only the hashed result would be saved, not the questions themselves nor the answers.

Rich
 
It seems to me that a salted and hashed string derived from an algorithm into which responses to questions about a person to which the answers will never change would be a better way to go. Only the hashed result would be saved, not the questions themselves nor the answers.

Rich

Doesn't that boil down to just having a couple of really long passwords, though? I mean, still better than 9 digits and easily guessable personal details.

What I'm thinking of with a video is more of an after-the-fact kind of security. Basically company XYZ sends a debt collector after you saying you took out a loan and must pay immediately, so you can counter saying "No, this wasn't me. Provide a video of me taking out the loan or drop the claim." Burden of proving who took out a loan or other financial instrument should be completely on the lender, and if they can't, they have to drop the loan and any claims against your credit.
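Rich's proposal above (hash the answers to a fixed set of never-changing questions with a per-person salt and keep only the digest) and the reply's objection that this is really just a long password can both be seen in a small verifier. This is an added example written for the thread, not the poster's code or any bureau's; the question identifiers, iteration count and sample answers are constructed placeholders. It goes slightly beyond the proposal by normalizing answers before hashing, since "Springfield " and "springfield" must verify the same fact.

```python
"""Stable-answer verifier: normalize the answers to a fixed set of questions,
run them through a salted slow KDF, and keep only the salt and the digest.
Added example; the question ids and answers below are constructed."""
import hashlib
import hmac
import os
import unicodedata

# Fixed system-wide question set. Neither the questions nor the answers are stored per person.
QUESTION_IDS = ("q_birth_city", "q_first_school", "q_mother_birth_year")  # constructed
ITERATIONS = 300_000  # PBKDF2 work factor; assumption, tune for the deployment


def normalize(answer: str) -> str:
    """Fold case, strip accents and collapse whitespace so the same fact always hashes the same way."""
    folded = unicodedata.normalize("NFKD", answer).encode("ascii", "ignore").decode()
    return " ".join(folded.casefold().split())


def _digest(answers: dict, salt: bytes) -> bytes:
    """Canonical order plus an unambiguous separator, so answer sets cannot collide by concatenation."""
    material = "\x1f".join(normalize(answers.get(q, "")) for q in QUESTION_IDS).encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS)


def enroll(answers: dict) -> dict:
    """Return the only record kept on file: a random per-person salt and the digest."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": _digest(answers, salt)}


def verify(record: dict, answers: dict) -> bool:
    """Recompute the digest from the presented answers and compare in constant time."""
    return hmac.compare_digest(record["digest"], _digest(answers, record["salt"]))


if __name__ == "__main__":
    # Constructed sample answers.
    rec = enroll({"q_birth_city": "Springfield", "q_first_school": "Lincoln Elementary",
                  "q_mother_birth_year": "1950"})
    print(sorted(rec))  # ['digest', 'salt']: no questions, no answers on file
    print(verify(rec, {"q_birth_city": " springfield ", "q_first_school": "LINCOLN  elementary",
                       "q_mother_birth_year": "1950"}))   # True
    print(verify(rec, {"q_birth_city": "Springfield", "q_first_school": "Lincoln Elementary",
                       "q_mother_birth_year": "1951"}))   # False
```

The reply's point holds: what this protects is exactly a password built from personal facts. The per-person salt stops one precomputed table from covering everyone and the slow KDF raises the per-guess cost, but neither adds entropy. If the facts behind the questions are obtainable from a breach like this one, the guess space stays small, so the scheme is an improvement on a bare 9-digit number rather than a replacement for a real second factor.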
 
What I'm thinking of with a video is more of an after-the-fact kind of security.

My data center requires a thumb print, eye scan, and a password code before I can access my servers. I'm sure something similar could be implemented for loan docs or anything of importance that requires a verified ID.
 
My data center requires a thumb print, eye scan, and a password code before I can access my servers. I'm sure something similar could be implemented for loan docs or anything of importance that requires a verified ID.

I'm all for adding security; almost anything would be better than what we have. However, I think something that those of us in the IT world seem to have a blind spot for is the human factor in all this. People need to be able to use it, and the more security measures you put in, the more legitimate users there will be who can't get access to what they need. There will be a call center, they will have something along the lines of the typical security questions, and that will be the weak point. Most "breaches" or "hacking" are not done by breaking heavy-duty encryption or passwords; they call up a human somewhere and trick/lie their way through to get "their" password reset... that, or tricking someone behind the firewall into clicking a link and installing their trojan.

Also given the nature of how this works it's pretty much going to have to be coordinated between various agencies in the US government, the credit reporting agencies, and oh yes... every financial institution. By the time they implement it someone will have it cracked, I'd bet money on it.

Again, none of that means we shouldn't try but I'm advocating a better level of identity protection for individuals. If some creditor is coming after you for a loan you didn't take out you should get an easy out not a legal battle. Burden of proof has to be on the lender.
 
I'm talking about the freeze charges, not the credit reports. For New York residents, a first security freeze is always free. Subsequent freezes, lifts, or thaws can cost $5.00 each. But all freezes, lifts, and thaws are free if someone has filed an identity theft report with any law enforcement agency or with the FTC. New York also requires that requests for lifts made by phone or Internet be processed within 15 minutes.

One thing to be aware of is that if a lender's pull is blocked due to a freeze, the application has to be voided and a new one started. Even if you lift the freeze, all subsequent pulls connected to an application that's already hit a freeze will also be blocked.

Rich
I just got done doing it. It looks like you can "unfreeze" a particular lender so you won't have to unfreeze them every time they need an update. That was on at least one of them, pretty sure it was two and maybe the third can do it too.
 
I just got done doing it. It looks like you can "unfreeze" a particular lender so you won't have to unfreeze them every time they need an update. That was on at least one of them, pretty sure it was two and maybe the third can do it too.

There's no need to unfreeze a lender once you have an account with them. They can pull reports as often as they want once they grant you credit. The same goes for sites like Credit Karma. Once you grant them access, they can keep pulling reports until you revoke consent. The three major credit bureaus can also pull from each other despite freezes if you subscribe to any of their 3-bureau monitoring services. My Equifax and Trans-Union were already frozen when I enrolled in Experian's service, and Experian is able to do the pulls just fine.

Specifically unfreezing a single lender before applying for credit may or may not work. Most banks and credit unions have separate departments for different kinds of loans, and they're considered separate lenders for CRA purposes. If you unfreeze the wrong one at the right institution, the pull will be blocked, and the application will have to be voided out and a new one started. All subsequent pulls related to an application that has been blocked once will be rejected, even if you've unfrozen in the interim.

Rich
 
The "breach" affected 1/2 of the US population. Considering 1/2 the population are minors, pre-credit, guess who got "hacked"
 
Most "breaches" or "hacking" are not done by breaking heavy duty encryption or passwords, they call up a human somewhere and trick/lie their way through to get "their" password reset.... that or tricking someone behind the firewall into clicking a link and installing their trojan.
Yep... if I was the nefarious type, I'd be a multi-millionaire just because of those very facts you stated. It's like shooting fish in a barrel with some of the security protocols many of the larger companies have implemented. ;)
 
The Equifax site did not tell me whether I was affected when I checked their website. It just told me that I should check back Sept. 13. For what? A "free" credit watch that they will then charge for, after 12 mos? And they had the gall to add, in a scolding tone, that I must not forget this date as I would receive no reminder.

What a pointless experience. I am certainly no safer after checking that site.

I'm just wondering whether there's any point in going back to their site on my appointment date of Sept 13.
 
Yep... if I was the nefarious type, I'd be a multi-millionaire just because of those very facts you stated. It's like shooting fish in a barrel with some of the security protocols many of the larger companies have implemented. ;)

Even when there are protocols it doesn't take much to convince someone to step outside of procedure.

Also, this is a great read on the subject. This guy got almost everything he had hacked with social engineering techniques.
https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/
 
Even when there are protocols it doesn't take much to convince someone to step outside of procedure.
That's what I'm saying. A company can have the strictest protocols in force, but it all boils down to human to human interaction and playing on other people's emotions. Most people have a tendency to want to help out their fellow man/woman... rules be damned. Con artists play on those vulnerabilities. I got conned a few years back by the old "gas can" trick. Dude carries around an empty gas can and goes around a busy store parking lot telling people he's on his way to pick up his paycheck but ran out of gas. Naturally a person wants to help out somebody who is down on his luck, so I flip him a Lincoln and head into the store. Next day I see him pulling the same trick at another store parking lot. :mad2:
 
I'm surprised to hear that. Practically everything I do credit-wise generates an alert on mine. I think I had to configure some of the alerts, though. I basically want to be alerted every time something changes, and I am. Whether it's worth the money or not is a matter of opinion; but the service does do what it claims to do, in my experience.

Rich
True, I think you do have to configure some alerts. I don't think I have done that. I do pull my free reports every other month and find nothing I do not expect to find.
 
My data center requires a thumb print, eye scan, and a password code before I can access my servers. I'm sure something similar could be implemented for loan docs or anything of importance that requires a verified ID.

Sounds like a co-lo. All of them have one glaring security flaw that's easy for anyone to exploit.
 
Doesn't that boil down to just having a couple really long passwords though? I mean still better than 9-digits and easily guessable personal details.

Not really. The hash wouldn't even be known by the user. All they'd have to do would be enter the information they selected the first time they opened an account, which would be information that would never change.

Which begs the question... Since the SSN is the key to so much identity theft, why in the name of all things holy would a CRA store it in plaintext, anyway? To facilitate debt collection?

Rich
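
The scheme Rich sketches above, as an added example that is not from the thread or from any credit bureau's code: only a per-record salt and a slow salted hash of the answers are stored, never the questions' answers themselves, and a later attempt is checked against that record. Question names, sample answers and the `enroll`/`verify` functions are hypothetical. It also shows the point raised earlier in the thread: the record is only as strong as the combined guessability of the answers, so a nine-digit SSN hashed this way would still be brute-forced offline in short order, which is why a high iteration count and answers with real entropy both matter.

```python
"""
Salted, slow hash of immutable personal answers (hypothetical example).
Nothing here is taken from any CRA's actual implementation.
"""
import hashlib
import hmac
import os
import unicodedata

# PBKDF2-HMAC-SHA256 work factor. Higher is slower for both the verifier and
# an attacker who has stolen the records; tune to your hardware budget.
ITERATIONS = 200_000


def normalize(answer: str) -> str:
    """Fold case, Unicode form and whitespace so 'Smith ' and 'smith' agree."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def derive(answers, salt: bytes, iterations: int) -> bytes:
    """Combine the answers in a fixed order and stretch them with the salt."""
    # 0x1f (unit separator) cannot survive normalize(), so it is a safe joiner.
    material = "\x1f".join(normalize(a) for a in answers).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations)


def enroll(answers):
    """Create the stored record: salt + hash + work factor, no plaintext."""
    salt = os.urandom(16)  # fresh per record, so equal answers hash differently
    return {
        "salt": salt.hex(),
        "hash": derive(answers, salt, ITERATIONS).hex(),
        "iterations": ITERATIONS,
    }


def verify(record, answers) -> bool:
    """Recompute from the supplied answers and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = derive(answers, salt, record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    # Constructed sample answers to two immutable questions.
    rec = enroll(["Smith", "Springfield Elementary"])
    print(rec)  # salt and hash only; the answers are nowhere in the record
    print(verify(rec, ["smith", "springfield  elementary"]))  # True
    print(verify(rec, ["smith", "shelbyville elementary"]))   # False
```

The user never sees or needs the hash, as the post says; they only re-enter the answers. The normalization step is what keeps that workable for a call-center scenario, since legitimate users will not type the answer byte-for-byte the same way twice, but it also slightly shrinks the guessing space, so choose questions whose answers are genuinely unguessable from public records.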
 
Which begs the question... Since the SSN is the key to so much identity theft, why in the name of all things holy would a CRA store it in plaintext, anyway? To facilitate debt collection?

Cartel culture. Who's going to be able to fire them if they mess up? Anyone here calling up their banks and demanding they never use Equifax again? LOL.

Plus...

Debt is an addiction. Debt FAST is an even harder addiction. Addicts need their dealer.
 
Not sure what to think of it, but the Chief Security Officer for Equifax has pulled down that she was a Music major off of her LinkedIn account.

A screenshot from another source.

Why?

Nobody minds if you're a Music major with a Masters in it, if you also have the significant background and certifications to have made a job change to Security.

Something tells me Equifax is not happy about something that's going to come up in her professional educational background.

And where the hell was the Board on this one?

"Professional" with no job title listed at HP, Sun Trust Banks, and FirstData?

Something smells really fishy here.

I've been in telecom and IT since the early 90s and was even once a music major for a semester along with being an aviation major, and no way I'd be hired as the Chief Security anything at the third largest credit rating cartel company.

Her IT resume started at 2002 at HP. 2002 as you may recall, was the worst year for IT since HP was founded in a garage.

Nobody was hiring in 2002.

Something ain't right here.

That or massive financial firms are really hurting for applicants to run their Security departments.

(Not buying that last one. That's sarcasm, kids.)
 
Barely-interesting article in the New York Times from Saturday:

https://www.nytimes.com/2017/09/08/...gencys-breach-means-regulation-is-needed.html

And Newser's take on that article:

http://www.newser.com/story/248415/equifax-shouldnt-get-away-scot-free-after-breach-it-will.html

The premise of the first article is that unlike the case with retail businesses and other companies that have been breached, stockpiling consumers' information is the core of Equifax's business, and therefore they should not be allowed to continue in that business if they are unable to safeguard that information. I think most ordinary consumers would agree with that.

Most experts say that any significant penalties against Equifax are unlikely, however. Indeed, Equifax is trying to parlay the breach into profit by funneling consumers into its lucrative credit-monitoring service, so the breach may wind up being a boon for the company; and so far, FedGov in all its branches has been pretty silent about the matter. The timing of the information and preoccupation with more pressing matters like hurricanes and such may be part of the reason; but it's hard not to speculate that most of Congress being whores to the banking industry is also one of the factors muffling their response.

I'm not too sure that Equifax won't be hit hard by this, however, for three reasons.

Firstly, this breach also impacts Senators and Members of Congress. They may not give a rat's ass about what happens to the rest of us, but when something affects them personally, they take notice. Even those members who have most submissively whored themselves to the banking industry (like New York's illustrious Chuck Schumer) may take offense when their own PII winds up on the street.

Secondly, some state Attorneys General are getting into the game. Chances are that at least a few of them haven't sold themselves out to the banks and their associated cottage industries such as credit reporting.

Thirdly, I suspect that there will be enough consumers calling their banks and demanding that they no longer share their information with Equifax that a lot of banks and other financial institutions will take the path of least resistance and switch to another CRA. It's easy enough for them to do and doesn't make much of a difference in the end. All the CRAs peddle the same information; so switching from Equifax to one of the others -- especially when accompanied by feigned outrage on the bank's part -- can make a bank look like it's standing up for its customers against the moment's big, bad wolf.

Of course, there's no guarantee that Experian and TransUnion won't also be breached. It doesn't surprise me that Equifax was the first based on the general ****tiness of their Web site (especially a few months ago, which we now know to be when the breach was active) and the manifest incompetence I encountered in my own interactions with them. Experian and TransUnion were more helpful, and their agents more pleasant to deal with and seemingly more competent; but that doesn't mean that their essential security practices are any better.

Rich
 