Buell Forum, Quick Board: PII breach (archive through September 15, 2017)

Hootowl
Posted on Saturday, September 09, 2017 - 07:35 pm:

Go here to set up fraud warning on your credit report.

http://www.equifax.com/CreditReportAssistance/

This was a massive breach. It's extremely likely that the bad guys have your SSN, driver license number, credit card numbers, and everything else they need to open lines of credit in your name.

Macbuell
Posted on Sunday, September 10, 2017 - 01:40 am:

Screw monitoring. Just freeze your credit.

Hootowl
Posted on Sunday, September 10, 2017 - 06:56 am:

A freeze carries a cost, and can be inconvenient, but is worth considering. A fraud alert forces the company running the credit check to contact you at the number provided before they open an account in your name. Probably enough for most folks.

Ratbuell
Posted on Sunday, September 10, 2017 - 08:51 am:

so what happened, did someone get breached? or is this just a general warning?

Hughlysses
Posted on Sunday, September 10, 2017 - 08:55 am:

^

quote:

A data breach at credit bureau Equifax may have compromised up to 143 million people's personal information on Thursday.


Greg_e
Posted on Sunday, September 10, 2017 - 10:43 am:

Then Equifax damn well better put an automatic alert up for every single person they have data on, and do it for free!

Lynrd
Posted on Sunday, September 10, 2017 - 12:31 pm:

This thing is just beyond the pale. Equifax used *free* software, failed to secure it and got hit by a known vulnerability... yes, that happens. But asking users to use an Equifax website to feed in more information....erm, yeah, FU equifax and no thank you

The closest analogy I can think of is a night watchman who was careless with the master key and the property was burglarized, then asks if they can have the key again to go straighten up after. Would you give it to them, or would you tell them to pound sand and you'll see them in court?

I don't have to check if I'm affected...I know I am, so you can take that free year of credit monitoring, fold it until it is all corners, and cram it right where your body interfaces with your office chair.

Ratbuell
Posted on Sunday, September 10, 2017 - 04:00 pm:

Guess I'll have Finance pull my credit at work next time I'm in. Good news is my income sucks right now so my DTI is way off...I don't qualify for a damn thing on paper right now!!

Etennuly
Posted on Sunday, September 10, 2017 - 04:06 pm:

The only actual safety in the credit world has become screwed up credit. If you have money and don't use credit your score is high and all is at risk except for what is in the moonshine jar in the back yard. Everything is linked and cross linked. The bad guys are winning.

If your stuff is paid for and you have no intention to borrow money and you pay up front for your needs the safest thing is the dumbest thing..... skip out on a small credit card, get a judgment against you by not showing up in court and let it ride. Your credit score will be just low enough to skim under the thieves' protocols and when the judgment redlight flashes they will not bother with you.

Then if you need credit again go pay a settlement to fix the judgment and get a small credit card to pay payments on time for six months. Buy your car or house and bury yourself again.

Pwnzor
Posted on Sunday, September 10, 2017 - 08:20 pm:

I've had my credit frozen for about 5 years now.

It's really not inconvenient to me.

Froggy
Posted on Sunday, September 10, 2017 - 08:47 pm:

The way Equifax has been handling this is super shady, the "checking" website they setup was done really half assed and raised numerous red flags (including improper certificates), now I just saw this:

https://krebsonsecurity.com/2017/09/equifax-breach-response-turns-dumpster-fire/

Reepicheep
Posted on Monday, September 11, 2017 - 08:52 am:

Krebs reporting is as good as it gets. I've talked to him before, and my impression is that he is very fair and thorough in what he reports. He doesn't overreact, but doesn't under react either.

The fact that they used "free" software isn't the problem. Open Source software can be (and generally is) at least as secure as licensed commercial software. Often it is more secure.

But obviously this was a colossal screw up somewhere, and really surprising from Equifax (who I have also dealt with, and who certainly puts the security screws to their partners to try and ensure security extends through their supply chain). They aren't as crazy as Experian though.

And not to minimize the pain this will cause people, but remember these are criminals who are putting in a lot of work and energy to illegally steal information. So temper things a bit to make sure you aren't just blaming the victim.

Look at it this way... How responsible are you if somebody breaks into your house and steals your guns and then uses them to murder somebody? If your gun was left on the front seat of your car on a city street over the weekend? That's one thing. Did the thieves wait until you went on vacation and then show up at your house with excellent counterfeit local utility vans and spend two hours with gasoline powered cutting tools and jackhammers to cut open your safe or simply remove the concrete floor to which you bolted it and take your guns that way? That's another thing.

The Target breach where they lost CC numbers is a good example. Target made some mistakes, but not big ones, and was for the most part following all the security rules the credit card cabal mandates. They ultimately had information stolen because their commercial off the shelf credit card handling devices, the ones they bought and deployed specifically to reduce risk and meet the PCI rules, were vulnerable to a worm that stole the credit card number from RAM the moment it was scanned and while the device was changing it to a non reversible hash so it could be transmitted more safely. It was a crazy sophisticated attack.

Just like with your gun safe, you can forever in hindsight play "coulda shoulda woulda" games. But at the end of the day every defense just raises the cost of an attack, there isn't enough time and money on the planet to make anything completely safe.

Equifax certainly did make some missteps on the response, but having done it, this stuff is a lot harder than you would think. The phishing warning was an easy trap to fall into... it was a brand new registered site that had trademark stuff that phishers are likely to use. A lot of it out of their control. In this case, Experian was forced into a situation they would not normally be in with an "instant response" mode. Mistakes were made for sure, but they weren't "how could this happen" type mistakes, they were "I can totally see how they would have been burned by that and I am not going to go take steps so it doesn't happen to us too if we are in the same situation" type mistakes.

What to do? Who knows. So many identities have been breached so many ways I think it was already past time when everything has to fundamentally change. The reason is that all these identity verification schemes (and credit card payment schemes) rely on something that is supposed to be a secret (SSN or Credit card number) but which you have to share fairly widely as part of your normal life.

It was doomed from the start, it just can't work at scale without a large amount of fraud.

The way to fix it is with a private / public key pair. Basically, you have a secret you never share (your private key) and a signature you do share (your public key). There are scary complex math operations that then let somebody send you a challenge key of some kind, you take it and use your private key to prove you are you, and then you give them the result. They can use that result and the challenge they sent you, combined with your public key, and "prove" you have your secret key but without you ever having to give them (or anyone else) your secret. So long as everyone uses their own challenge string (which can be infinite), the response you used will never be useful again, and won't help an attacker.

There are still ways to attack this, but it removes a lot of risk.

This is basically how your HTTPS connection works when you use a "secure" website. This asymmetric public key mechanism I describe is used to transmit a very short lived "shared secret" just to make it perform better, but the root of the whole thing is that public / private key pair algorithm.
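An added illustration of the challenge/response idea in the post above (example code, not from the post or from any real product): a Schnorr-style identification protocol in Python, where the prover demonstrates knowledge of the private key without revealing it and a captured response is useless against any other challenge. The group is generated at runtime at a constructed 64-bit size that is far too small for real use, and all function names are invented for this example.

```python
# Added example (not from the post): Schnorr-style identification, pure Python.
# Toy 64-bit group generated at runtime; too small for real use, same algorithm.
import secrets

def is_probable_prime(n, rounds=16):
    """Miller-Rabin test; wrong with probability at most 4^-rounds."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_group(bits=64):
    """Safe prime p = 2q + 1 and g = 4, a generator of the order-q subgroup."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4

def keygen(p, q, g):
    """Private key x is never shared; public key y = g^x mod p is."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)

def prover_commit(p, q, g):
    """Fresh nonce k (never reused) and commitment r = g^k mod p."""
    k = secrets.randbelow(q - 1) + 1
    return k, pow(g, k, p)

def prover_respond(x, k, c, q):
    """s = k + c*x mod q: depends on x, but k hides x from whoever sees s."""
    return (k + c * x) % q

def verifier_check(p, g, y, r, c, s):
    """Accept iff g^s == r * y^c (mod p); holds only if the prover knew x."""
    return pow(g, s, p) == (r * pow(y, c, p)) % p

def identify(p, q, g, x, y):
    """One full run: commit, the verifier's own random challenge, response."""
    k, r = prover_commit(p, q, g)
    c = secrets.randbelow(q)              # verifier picks a fresh challenge
    s = prover_respond(x, k, c, q)
    return verifier_check(p, g, y, r, c, s), (r, c, s)

def replay_is_rejected(p, q, g, y, transcript):
    """A captured (r, s) is useless against any different challenge."""
    r, c_old, s = transcript
    c_new = (c_old + 1 + secrets.randbelow(q - 1)) % q   # any c != c_old
    return not verifier_check(p, g, y, r, c_new, s)
```

The verifier only ever sees y, r, c and s; because k is fresh each run, s reveals nothing usable about x, which is why the nonce must never be reused.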

Hootowl
Posted on Monday, September 11, 2017 - 10:24 am:

Target breach...It was a crazy sophisticated attack.

Yes. However, they were in the process of doing a POC on Fireeye. Fireeye was telling them that they were compromised, and they were ignoring it. Eventually they started removing the malware from the registers, but since they were ignoring Fireeye, they didn't find patient zero for a while, and it was putting the malware back on the registers every night. The registers do not have Internet access, but a machine that does have access also had access to the registers. So while they knew enough to put the registers in a DMZ, they didn't think too hard about what ports they opened and from where. Best practice is to only allow traffic out of the more secure network, and not into the network from a less secure network. Had they done that, their registers would not have been breached, and the machine that the bad guys used to carry out the attack internally would not have been able to retrieve the data and exfiltrate it.
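As an added example (not from the post, and not Target's actual configuration): a small first-match zone policy evaluator in Python with two constructed rule sets, one that leaves an inbound hole from the back-office zone into the register segment and one that follows the outbound-only principle the post describes, plus an audit that flags such holes. Zone names, ports and rules are all invented for this example.

```python
# Added example (not from the post): zone policy evaluation and an audit for
# "less trusted zone initiates into more trusted zone" holes.  Constructed data.
from typing import List, NamedTuple

TRUST = {'internet': 0, 'corp': 1, 'pos': 2}   # higher = more sensitive


class Flow(NamedTuple):
    src_zone: str
    dst_zone: str
    dst_port: int


class Rule(NamedTuple):
    src_zone: str   # '*' matches any zone
    dst_zone: str
    dst_port: int   # 0 matches any port
    action: str     # 'allow' or 'deny'

    def matches(self, f: Flow) -> bool:
        return (self.src_zone in ('*', f.src_zone)
                and self.dst_zone in ('*', f.dst_zone)
                and self.dst_port in (0, f.dst_port))


def evaluate(rules: List[Rule], f: Flow) -> str:
    """First matching rule decides a new connection; no match is a deny."""
    for r in rules:
        if r.matches(f):
            return r.action
    return 'deny'


def audit(rules: List[Rule]) -> List[Rule]:
    """Allow rules that let a less trusted zone initiate into a more trusted
    one.  Shadowing by earlier denies is ignored on purpose: the goal is to
    make every such hole visible for review."""
    def trust(zone: str) -> int:
        return min(TRUST.values()) if zone == '*' else TRUST[zone]
    return [r for r in rules
            if r.action == 'allow' and r.dst_zone != '*'
            and trust(r.src_zone) < trust(r.dst_zone)]


# Registers ('pos') sit in their own segment, but a management port was
# opened from the back-office zone into it (port number constructed).
AS_DEPLOYED = [
    Rule('pos', 'internet', 443, 'allow'),   # registers reach the processor
    Rule('corp', 'pos', 445, 'allow'),       # inbound from a less trusted zone
    Rule('corp', 'internet', 0, 'allow'),
]

# Only the more secure zone initiates outward; nothing initiates into it.
BEST_PRACTICE = [
    Rule('*', 'pos', 0, 'deny'),
    Rule('pos', 'internet', 443, 'allow'),
    Rule('corp', 'internet', 0, 'allow'),
]
```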

Reepicheep
Posted on Monday, September 11, 2017 - 01:58 pm:

That's true. And they should have had their contractor access portals multi factor authenticated, and patched them like they were internet facing. Because even though they were back office, they were Internet facing.

I didn't know they were actively removing recurring malware infections from the registers. With or without Fireeye, that should have been a triple red alert.

Macbuell
Posted on Monday, September 11, 2017 - 02:23 pm:

Just freeze your credit, people. It costs like $15 at each of the three credit monitoring companies and when your credit is frozen no one can open an account using your SS#. I've had mine frozen for years and it works. A couple of times I have forgotten about the freeze and tried to open an account or buy a house and they had to come back to me and ask me to remove the freeze. It is the most secure way to operate in this world.

The only negative is that if someone does have your information, you may not find out about it.

Hootowl
Posted on Monday, September 11, 2017 - 03:09 pm:

I'd sure like it if the not-so-secret-any-longer SSN were not used as an authenticator any longer. It's effectively a password. Thousands of people have, or have had, legitimate access to my SSN. Also...SSNs, by law, are ONLY to be used for social security administration. Why are they being used by credit card companies and banks as the secret code that lets them know it's really me?

Lynrd
Posted on Monday, September 11, 2017 - 05:43 pm:

That is why I changed my social security number to have upper and lower case letters and special characters. I feel much more secure now.

Hootowl
Posted on Monday, September 11, 2017 - 06:01 pm:

I changed mine to an androgynous symbol. It is now the social security number formerly known as mine.

Doesn't matter. Thousands of government drones have access to it. And your HR department. And your IT department. And, if you are military, anyone who can lay their grubby little fingers on your service record. And Equifax. The very idea that SSNs are somehow sacred or secret is laughable on its face. I wish the banking industry would understand that.

Lynrd
Posted on Monday, September 11, 2017 - 08:53 pm:

Well, since I just finished up a long credit repair cycle in the course of buying my building a couple years ago, I have super great credit and lots of reasons to figure that my info was not only captured, but would be considered prime goods.

I think Macbuell is right - and I am in process of freezing all accounts. It's $10 in CA, but Equifax just let it slide through, no charge. Damned white of them. Transunion is the worst of the bunch for me, other two are done. Listening to the hold music now...

Airbozo
Posted on Tuesday, September 12, 2017 - 02:47 pm:

I fondly refer to this company as Equi-f u c k e d.

The SO has been trying for 7 years to get them to fix a screw up that mixed her and her sister's credit info. To no avail.

The worst part about this breach? The information these turds got will allow them access to your credit for decades to come... All they have to do is sit back and wait for the dust to settle before taking your identity.

A credit freeze for life is the only option at this point.

Greg_e
Posted on Tuesday, September 12, 2017 - 04:48 pm:

Maybe we need the government to start issuing new S.S. numbers which may only slow the thieves down but might be a start.

Hootowl
Posted on Tuesday, September 12, 2017 - 06:08 pm:

They will use your SSN to file a fraudulent tax return also. Joy.

Reepicheep
Posted on Thursday, September 14, 2017 - 10:48 am:

Hootowl is right. SSN as a shared secret for identity verification was born broken, and in fact was legally defined as not allowable to be used for that purpose, and then almost immediately got used for that purpose by government and industry alike.

A shared secret simply isn't a secret. We need a revocable and replaceable private and public key pair implementation. That would have been impossible before, but with cheap technology these days, it is doable, and in fact your Chip'd credit card is already doing it... kinda...

I'm kinda hoping all the recent breaches finally get everyone to the point where they understand the current system has to be replaced. It will be a long, slow, expensive, and painful process. But it's inevitable.

Hootowl
Posted on Thursday, September 14, 2017 - 11:29 am:

Bill, we can't even agree that getting a state issued ID is something every citizen should be expected to achieve. Can you imagine the outrage at people being required to somehow obtain a key pair? (Yes, it would be stone simple and effectively free, but it would also eliminate a lot of crime, and we can't have that now, can we? Too many voters rely on criminal enterprise for their livelihood.)

Buellerxt
Posted on Thursday, September 14, 2017 - 08:33 pm:

How in the heck did this happen? Two Buellers I've had a good connection with, Hootowl, who was kind enough to help me get back on the road some years ago, and Reepicheep, who flew in and bought my Uly, are so darn knowledgeable and interesting to follow! Hey, Buellers in general, as compared to other forums I follow or have followed, are definitely a better group, but are those two pretty knowledgeable or what? And, I agree with them! : )

(Message edited by buellerxt on September 14, 2017)

Hootowl
Posted on Thursday, September 14, 2017 - 09:53 pm:

Bill...I've wrenched on your bike! We're like brothers now : )

Aesquire
Posted on Friday, September 15, 2017 - 01:49 am:

Reep, every time I get asked my SS number I tell them it's illegal to use as ID. Then they ask if I want to get paid or not.

No wonder I disrespect government.

Buellerxt
Posted on Friday, September 15, 2017 - 12:01 pm:

Medicare ID numbers are SS numbers!!! I was stunned. Here I'd been trying to keep it secret, not dealing with reality, I know, : ), and the government completely outed me when I turned 65! And yes, we've had fraudulent federal tax returns submitted under our names. Scary world. What to do?

Ratbuell
Posted on Friday, September 15, 2017 - 12:06 pm:

I've frozen my stuff (well...2 out of 3, Experian keeps giving me a "processing error - please try again later"). My DTI is out of whack right now so I don't qualify for anything anyway at the moment but I want to freeze it all in case someone tries a medical trick (especially given my history), or if someone tries to file for a refund under my name. I'm not going to open any new loans; when/if I do, I have my passwords locked in the fire safe for un-freezing. And with MD only getting $5/bureau to freeze/unfreeze...it'd be silly not to.

Teeps
Posted on Friday, September 15, 2017 - 02:44 pm:

Had the same problem with Experian, but the next day the freeze process completed.