Damn, we're fucked
https://arstechnica.com/information-technology/2017/09/why-the-equifax-breach-is-very-possibly-the-worst-leak-of-personal-info-ever/
Quote: Why the Equifax breach is very possibly the worst leak of personal info ever
by Dan Goodin - Sep 8, 2017 3:09pm JST
It's a sad reality in 2017 that a data breach affecting 143 million people is dwarfed by other recent hacks—for instance, the ones hitting Yahoo in 2013 and 2014, which exposed personal details for 1 billion and 500 million users respectively; another that revealed account details for 412 million accounts on sex and swinger community site AdultFriendFinder last year; and an eBay hack in 2014 that spilled sensitive data for 145 million users.
The breach Equifax reported Thursday, however, very possibly is the most severe of all for a simple reason: the breathtaking amount of highly sensitive data it handed over to criminals. By providing full names, Social Security numbers, birth dates, addresses, and, in some cases, driver license numbers, it provided most of the information banks, insurance companies, and other businesses use to confirm consumers are who they claim to be. The theft, by criminals who exploited a security flaw on the Equifax website, opens the troubling prospect that the data is now in the hands of hostile governments, criminal gangs, or both and will remain so indefinitely.
Hacks hitting Yahoo and other sites, in contrast, may have breached more accounts, but the severity of the personal data was generally more limited. And in most cases the damage could be contained by changing a password or getting a new credit card number.
What's more, the 143 million US people Equifax said were potentially affected accounts for roughly 44 percent of the population. When children and people without credit histories are removed, the proportion becomes even bigger. That means well more than half of all US residents who rely the most on bank loans and credit cards are now at a significantly higher risk of fraud and will remain so for years to come. Besides being used to take out loans in other people's names, the data could be abused by hostile governments to, say, tease out new information about people with security clearances, especially in light of the 2015 hack on the US Office of Personnel Management, which exposed highly sensitive data on 3.2 million federal employees, both current and retired.
Amateur response
Besides the severity and scope of the pilfered data, the Equifax breach also stands out for the way the company has handled the breach once it was discovered. For one thing, it took the Atlanta-based company more than five weeks to disclose the data loss. Even worse, according to Bloomberg News, three Equifax executives were permitted to sell more than $1.8 million worth of stock in the days following the July 29 discovery of the breach. While Equifax officials told the news service the employees hadn't been informed of the breach at the time of the sale, the transaction at a minimum gives the wrong appearance and suggests incident responders didn't move fast enough to contain damage in the days after a potentially catastrophic hack came into focus.
What's more, the website www.equifaxsecurity2017.com/, which Equifax created to notify people of the breach, is highly problematic for a variety of reasons. It runs on a stock installation of WordPress, a content management system that doesn't provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number. The TLS certificate doesn't perform proper revocation checks. Worse still, the domain name isn't registered to Equifax, and its format looks like precisely the kind of thing a criminal operation might use to steal people's details. It's no surprise that Cisco-owned OpenDNS was blocking access to the site and warning it was a suspected phishing threat.
Meanwhile, in the hours immediately following the breach disclosure, the main Equifax website was displaying debug codes, which, for security reasons, is something that should never happen on any production server, especially one that is a server or two away from so much sensitive data. A mistake this serious does little to instill confidence that company engineers have hardened the site against future devastating attacks.
It was bad enough that Equifax operated a website that criminals could exploit to leak so much sensitive data. That, combined with the sheer volume and sensitivity of the data spilled, was enough to make this among the worst data breaches ever. The haphazard response all but guarantees it.
This is why Ed buys silver.
Do any of the other links say that it was the worst leak of data ever?
What you posted is an article that this is "very possibly the worst leak of personal info ever". A material qualifier that unsurprisingly didn't make it into your thread title.
Quote from: alfred russel on September 08, 2017, 06:49:01 AM
Do any of the other links say that it was the worst leak of data ever?
What you posted is an article that this is "very possibly the worst leak of personal info ever". A material qualifier that unsurprisingly didn't make it into your thread title.
No need for journalistic wishy-washiness. I'm calling it like it is.
You don't have a right to credit debt anyway. You have a right to access to credit debt.
Quote: three Equifax executives were permitted to sell more than $1.8 million worth of stock in the days following the July 29 discovery of the breach.
DAT MAKES ME SMART
Don't know if it's the worst ever, but if the facts in that article are even close to being true, it's going to be a gold rush for plaintiffs' lawyers.
We simply do not spend enough resources on data security.
We don't spend a tenth what we should be - and there is no organization around it, no standards really, and no oversight.
Companies in general have little incentive to spend the kind of money that they ought to spend on data security.
This is a problem that requires government support. We should be spending, literally, billions a year on researching how to fundamentally secure data in a systematic way. But we don't - instead we have a hodgepodge of individual companies with a mess of competing data integrity standards, all sharing the same basic problem that no one company has the resources or incentives to fix.
The free market isn't going to solve this problem in a fashion we can live with, as breach after breach after breach after breach of private and public sector data stores have shown.
This is one of the most important issues of our time, and we are barely paying any kind of focused attention to it.
Quote from: alfred russel on September 08, 2017, 06:49:01 AM
Do any of the other links say that it was the worst leak of data ever?
What you posted is an article that this is "very possibly the worst leak of personal info ever". A material qualifier that unsurprisingly didn't make it into your thread title.
Every knowledgeable person I have heard or read on the topic agrees that it is the worst ever, by quite a large margin.
Do you have links to authoritative sources that say it was not the worst ever?
Quote from: Berkut on September 08, 2017, 08:09:17 AM
We simply do not spend enough resources on data security.
We don't spend a tenth what we should be - and there is no organization around it, no standards really, and no oversight.
Companies in general have little incentive to spend the kind of money that they ought to spend on data security.
This is a problem that requires government support. We should be spending, literally, billions a year on researching how to fundamentally secure data in a systematic way. But we don't - instead we have a hodgepodge of individual companies with a mess of competing data integrity standards, all sharing the same basic problem that no one company has the resources or incentives to fix.
The free market isn't going to solve this problem in a fashion we can live with, as breach after breach after breach after breach of private and public sector data stores have shown.
This is one of the most important issues of our time, and we are barely paying any kind of focused attention to it.
Agreed. It should be illegal for any organization to hold personally identifying information (SSNs, DOB, DL numbers, or the like) without meeting strict federally-mandated security precautions that make such data breaches very, very difficult. Equifax was hoarding personal information for its own profit, without the owners' permission (assuming that you actually own your own private data, which is, unfortunately, not legally clear), and apparently without even the incentive, other than bad press, to protect it.
I can see liability lawsuits coming, but I am not sure on what basis they will succeed. Can lawtalkers talk here about the obligations Equifax had, and to whom?
Attended a presentation yesterday at Federal Fantasyland on the safety and security of biological agents in high containment laboratories, how important it is for national security and public health to take security seriously when it comes to little laboratories with little vials filled with little bugs that are not found in nature. The presenter was an accomplished PhD in the field, the kind that gets on C-Span talking to Congress.
Brought the PowerPoint in on a flash drive from Best Buy and used someone's laptop to get it on the presentation browser. :bleeding: A complete and total violation of basic computer security policy, but nothing happens. Labs are a priority, but laptops aren't, and you see it every day. That's why the Chinese have everybody's fingerprints, clearance requests and tax returns.
Quote from: Berkut on September 08, 2017, 08:09:17 AM
We simply do not spend enough resources on data security.
We don't spend a tenth what we should be - and there is no organization around it, no standards really, and no oversight.
Companies in general have little incentive to spend the kind of money that they ought to spend on data security.
This is a problem that requires government support. We should be spending, literally, billions a year on researching how to fundamentally secure data in a systematic way. But we don't - instead we have a hodgepodge of individual companies with a mess of competing data integrity standards, all sharing the same basic problem that no one company has the resources or incentives to fix.
The free market isn't going to solve this problem in a fashion we can live with, as breach after breach after breach after breach of private and public sector data stores have shown.
This is one of the most important issues of our time, and we are barely paying any kind of focused attention to it.
Agreed.
The problem is that it is easy for a manager to point to low costs, and hard for a manager to justify higher costs because of spending on good data security even if available (and boast of a *lack* of breaches happening during his or her watch).
Quote from: grumbler on September 08, 2017, 08:23:58 AM
Agreed. It should be illegal for any organization to hold personally identifying information (SSNs, DOB, DL numbers, or the like) without meeting strict federally-mandated security precautions that make such data breaches very, very difficult. Equifax was hoarding personal information for its own profit, without the owners' permission (assuming that you actually own your own private data, which is, unfortunately, not legally clear), and apparently without even the incentive, other than bad press, to protect it.
Congress should look into passing an act about corporate and auditing accountability, responsibility, and transparency or something like that.
Quote from: Malthus on September 08, 2017, 08:35:13 AM
The problem is that it is easy for a manager to point to low costs, and hard for a manager to justify higher costs because of spending on good data security even if available (and boast of a *lack* of breaches happening during his or her watch).
That's where the carrot and stick of regulatory compliance kicks in. When preventive costs are considered optional, the option for Not Spending Money will always be chosen.
Quote from: Eddie Teach on September 08, 2017, 06:45:15 AM
This is why Ed buys silver.
And gold. I can buy off the Huns.
Quote from: grumbler on September 08, 2017, 08:17:51 AM
Every knowledgeable person I have heard or read on the topic agrees that it is the worst ever, by quite a large margin.
Do you have links to authoritative sources that say it was not the worst ever?
Dan Goodin didn't say it was the worst ever in the article Tim posted.
I'm not contending this was not the worst leak ever. I just think that if you are going to start a thread with the only comment, "Damn, we're fucked", the thread title should reflect what the article says. If Tim titles a thread "The Sky is Blue" (or more likely "The Skie is Blew"), and posts a link to an article about how water is wet, with just the comment, "Damn, we're fucked", I'll still complain about the thread title. The accuracy of the statement doesn't change the failure to a) reflect the contents of the article, or b) introduce the topic for discussion.
Not to go all Mono on us, but does this stuff really matter? I agree it is annoying if my name, address, and social security number are leaked, but does it really negatively impact me in a serious way?
Quote from: alfred russel on September 08, 2017, 09:26:00 AM
Not to go all Mono on us, but does this stuff really matter? I agree it is annoying if my name, address, and social security number are leaked, but does it really negatively impact me in a serious way?
(https://www.viralviralvideos.com/wp-content/uploads/2017/04/68138992-1.jpg)
Quote from: grumbler on September 08, 2017, 08:23:58 AM
I can see liability lawsuits coming, but I am not sure on what basis they will succeed. Can lawtalkers talk here about the obligations Equifax had, and to whom?
Cases usually get brought alleging state law violations, including consumer protection laws or business practices laws - some of which are quite broad - or state common law claims on theories like negligence, breach of contract, quasi-contract, or unjust enrichment.
The usual defense approach in these cases is to move to dismiss for lack of standing on the ground that there is insufficient evidence of injury. A 2013 Supreme Court case is often interpreted to suggest that some proof is needed of actual identity theft or economic loss - that can be difficult to show as the bad guys usually don't publicize their bad acts. In this case - however - given the depth and breadth of the info - social security, drivers license numbers, birth dates etc - there is a better chance of convincing a court of injury.
Quote from: alfred russel on September 08, 2017, 09:26:00 AM
Not to go all Mono on us, but does this stuff really matter? I agree it is annoying if my name, address, and social security number are leaked, but does it really negatively impact me in a serious way?
Yes.
So two days ago I got a call from my credit card company, asking me if I was really spending $2987.48 with some unknown internet company in Spain.
Of course I was not, so they denied the charge and cancelled my card.
But I am sure there is nothing really to worry about around internet security.
Quote from: alfred russel on September 08, 2017, 09:24:12 AM
Quote from: grumbler on September 08, 2017, 08:17:51 AM
Every knowledgeable person I have heard or read on the topic agrees that it is the worst ever, by quite a large margin.
Do you have links to authoritative sources that say it was not the worst ever?
Dan Goodin didn't say it was the worst ever in the article Tim posted.
Tim never claimed he did. Tim chose the thread title, and probably felt it was a reasonable conclusion that he was presenting.
The contents of the article make that a supportable position.
I have no idea what your objection is here. If you think it is NOT the worst ever, then fine - make that argument. But Tim, or anyone else, is perfectly free to choose his thread titles as they see fit. There is nothing in his title that is unreasonable.
Quote from: Berkut on September 08, 2017, 10:38:06 AM
So two days ago I got a call from my credit card company, asking me if I was really spending $2987.48 with some unknown internet company in Spain.
Of course I was not, so they denied the charge and cancelled my card.
But I am sure there is nothing really to worry about around internet security.
I've had similar things happen to me. Not once have I been stuck with the charges (and in your example the sale apparently didn't even go through, so neither the card company nor the vendor was harmed). So...who cares?
Quote from: Berkut on September 08, 2017, 10:44:47 AM
I have no idea what your objection is here.
I've stated my objection. Sorry you struggle to comprehend.
Quote from: alfred russel on September 08, 2017, 11:03:46 AM
Quote from: Berkut on September 08, 2017, 10:38:06 AM
So two days ago I got a call from my credit card company, asking me if I was really spending $2987.48 with some unknown internet company in Spain.
Of course I was not, so they denied the charge and cancelled my card.
But I am sure there is nothing really to worry about around internet security.
I've had similar things happen to me. Not once have I been stuck with the charges (and in your example the sale apparently didn't even go through, so neither the card company nor the vendor was harmed). So...who cares?
Do you really lack the imagination necessary to understand why it is concerning that they were able to even run the transaction at all?
Quote from: alfred russel on September 08, 2017, 11:06:35 AM
Quote from: Berkut on September 08, 2017, 10:44:47 AM
I have no idea what your objection is here.
I've stated my objection. Sorry you struggle to comprehend.
Comprehending your objection certainly is a struggle.
Quote from: alfred russel on September 08, 2017, 11:03:46 AM
I've had similar things happen to me. Not once have I been stuck with the charges (and in your example the sale apparently didn't even go through, so neither the card company nor the vendor was harmed). So...who cares?
But someone does get stuck with the charge - either the credit card company or the vendor. To the tune of billions per year.
Guess who ends up paying that cost?
Quote from: The Minsky Moment on September 08, 2017, 11:27:44 AM
But someone does get stuck with the charge - either the credit card company or the vendor. To the tune of billions per year.
Guess who ends up paying that cost?
In this specific case it seems as though the charge didn't go through.
But in any event, is the downside that if credit card companies start losing too much money to fraud I'll suffer when they reduce the number of airline miles I get with a dollar of spend? Or in a really doomsday scenario credit cards cease to be such a viable business model, and we go back to using cash?
Credit card fraud losses mean the issuers or networks have to charge higher transaction fees, which means higher prices.
Quote from: The Minsky Moment on September 08, 2017, 11:39:30 AM
Credit card fraud losses mean the issuers or networks have to charge higher transaction fees, which means higher prices.
If the transaction fees are too high, then vendors can always have two prices: one for cards and one for cash (I believe the post 2008 financial reforms mandated that this be possible, but even if they did not, it is a relatively easy fix - much easier than truly securing all data).
Quote from: Berkut on September 08, 2017, 11:12:55 AM
Quote from: alfred russel on September 08, 2017, 11:06:35 AM
Quote from: Berkut on September 08, 2017, 10:44:47 AM
I have no idea what your objection is here.
I've stated my objection. Sorry you struggle to comprehend.
Comprehending your objection certainly is a struggle.
For some. I venture that there are some wise people on the forum that understood what and why I was objecting.
Quote from: alfred russel on September 08, 2017, 11:41:46 AM
Quote from: The Minsky Moment on September 08, 2017, 11:39:30 AM
Credit card fraud losses mean the issuers or networks have to charge higher transaction fees, which means higher prices.
If the transaction fees are too high, then vendors can always have two prices: one for cards and one for cash (I believe the post 2008 financial reforms mandated that this be possible, but even if they did not, it is a relatively easy fix - much easier than truly securing all data).
There's a reason why most vendors don't do that - consumers don't like it.
But for the sake of argument, let's say the response to increasing fraud losses is that more and more vendors do it, and the spread between cash and credit keeps increasing. That means that the cost for the convenience value of credit goes way up. It also means that cash becomes a more prominent means of payment in the economy as a whole, which is not a desirable thing either.
Quote from: The Minsky Moment on September 08, 2017, 11:52:00 AM
There's a reason why most vendors don't do that - consumers don't like it.
But for the sake of argument, let's say the response to increasing fraud losses is that more and more vendors do it, and the spread between cash and credit keeps increasing. That means that the cost for the convenience value of credit goes way up. It also means that cash becomes a more prominent means of payment in the economy as a whole, which is not a desirable thing either.
#1: I pay for everything with a card, and never carry cash, because it is more convenient. I wouldn't like an increased charge for the credit option, but it wouldn't be the end of the world by any stretch.
#2: There is an alternative scenario where getting a credit card becomes a bit more burdensome. More is done than a quick online application to verify identity.
#3: If we shift toward a more cash economy, I tend to agree that would be a negative, but there are also current problems with consumer credit card debt. There would be benefits as well.
In summary, I agree with you that data privacy breaches are bad and can harm us all. But in the grand scheme of things, the negative effects don't seem so awful.
Quote from: alfred russel on September 08, 2017, 09:24:12 AM
Dan Goodin didn't say it was the worst ever in the article Tim posted.
I'm not contending this was not the worst leak ever. I just think that if you are going to start a thread with the only comment, "Damn, we're fucked", the thread title should reflect what the article says. If Tim titles a thread "The Sky is Blue" (or more likely "The Skie is Blew"), and posts a link to an article about how water is wet, with just the comment, "Damn, we're fucked", I'll still complain about the thread title. The accuracy of the statement doesn't change the failure to a) reflect the contents of the article, or b) introduce the topic for discussion.
I would agree with you if Tim was merely commenting on an article. If he points out a larger conclusion than is stated in one article of many to be true (rather than just probably true), though, the article certainly doesn't disprove his statement.
Frankly, you sound like you are just being pedantic for the sake of pedantry. There is plenty of evidence to support Tim's argument, and none (as you concede) readily available to dispute it.
Quote from: Berkut on September 08, 2017, 11:12:55 AM
Quote from: alfred russel on September 08, 2017, 11:06:35 AM
Quote from: Berkut on September 08, 2017, 10:44:47 AM
I have no idea what your objection is here.
I've stated my objection. Sorry you struggle to comprehend.
Comprehending your objection certainly is a struggle.
You are arguing with a Russian with at least one sock account.
a con artist doesn't see an issue with making cons easier? colour me shocked :D
Quote from: alfred russel on September 08, 2017, 11:42:57 AM
For some. I venture that there are some wise people on the forum that understood what and why I was objecting.
I don't think that anyone on this forum is from your planet, so maybe you should strive to communicate in our language and not assume that there is someone else here who speaks Stupid well enough to understand what and why you were objecting.
Quote from: alfred russel on September 08, 2017, 11:03:46 AM
Quote from: Berkut on September 08, 2017, 10:38:06 AM
So two days ago I got a call from my credit card company, asking me if I was really spending $2987.48 with some unknown internet company in Spain.
Of course I was not, so they denied the charge and cancelled my card.
But I am sure there is nothing really to worry about around internet security.
I've had similar things happen to me. Not once have I been stuck with the charges (and in your example the sale apparently didn't even go through, so neither the card company nor the vendor was harmed). So...who cares?
I use two specific credit cards to pay certain bills. Each time this has happened to me - and it's happened a couple of times - those bills didn't get paid on time because my cards have been cancelled and I haven't gotten the new ones yet to pay the bill. That adds up over time.
Additionally, when we ran the toffee shop, often the charge would go through initially, only to come back as a fraud charge after. The toffee would already be gone, which left us holding the bag. Plus, as we would have accounted for that sale in other ways, if it were a big order, it could leave us strapped in other ways.
Multiply all of that by 143,000,000.
A way to find if you are affected by the breach (maybe) (https://www.cnet.com/how-to/equifax-hack-find-out-if-you-were-one-of-143-million-hacked/)
It's a convoluted and unclear process. And I'm not sure I still trust Equifax with a website where I need to enter my social security number. But, it could be the only way for many of you to avoid potential nightmares later on.
Enrollment must be completed by November 21st, if you are affected.
Quote from: alfred russel on September 08, 2017, 11:42:57 AM
Quote from: Berkut on September 08, 2017, 11:12:55 AM
Quote from: alfred russel on September 08, 2017, 11:06:35 AM
Quote from: Berkut on September 08, 2017, 10:44:47 AM
I have no idea what your objection is here.
I've stated my objection. Sorry you struggle to comprehend.
Comprehending your objection certainly is a struggle.
For some. I venture that there are some wise people on the forum that understood what and why I was objecting.
What: Tim's existence
Why: that I don't get
Quote from: viper37 on September 08, 2017, 12:37:29 PM
A way to find if you are affected by the breach (maybe) (https://www.cnet.com/how-to/equifax-hack-find-out-if-you-were-one-of-143-million-hacked/)
It's a convoluted and unclear process. And I'm not sure I still trust Equifax with a website where I need to enter my social security number. But, it could be the only way for many of you to avoid potential nightmares later on.
Enrollment must be completed by November 21st, if you are affected.
Don't be so quick to do this...
https://www.washingtonpost.com/news/the-switch/wp/2017/09/08/what-to-know-before-you-check-equifaxs-data-breach-website/?utm_term=.661a7cff2899 (https://www.washingtonpost.com/news/the-switch/wp/2017/09/08/what-to-know-before-you-check-equifaxs-data-breach-website/?utm_term=.661a7cff2899)
Quote: Worried you may be affected by Equifax's massive data breach? The credit bureau has set up a site, equifaxsecurity2017.com, that allows you to check whether your personal information was exposed. But regulators are becoming concerned that the site could pose risks to consumers. As a result, you may want to think twice about using it. Here's why.
The website's terms of service potentially restrict your legal rights.
Sharp-eyed social media users have combed through the data breach site's fine print — and have found what they argue is a red flag. Buried in the terms of service is language that bars those who enroll in the Equifax checker program from participating in any class-action lawsuits that may arise from the incident. Here's the relevant passage of the terms of service:
AGREEMENT TO RESOLVE ALL DISPUTES BY BINDING INDIVIDUAL ARBITRATION. PLEASE READ THIS ENTIRE SECTION CAREFULLY BECAUSE IT AFFECTS YOUR LEGAL RIGHTS BY REQUIRING ARBITRATION OF DISPUTES (EXCEPT AS SET FORTH BELOW) AND A WAIVER OF THE ABILITY TO BRING OR PARTICIPATE IN A CLASS ACTION, CLASS ARBITRATION, OR OTHER REPRESENTATIVE ACTION. ARBITRATION PROVIDES A QUICK AND COST EFFECTIVE MECHANISM FOR RESOLVING DISPUTES, BUT YOU SHOULD BE AWARE THAT IT ALSO LIMITS YOUR RIGHTS TO DISCOVERY AND APPEAL.
This language is commonly known in the industry as an "arbitration clause." In theory, arbitration clauses are meant to streamline the amount of work that's dumped onto the court system. But the Consumer Financial Protection Bureau concluded in the summer that arbitration clauses do more harm to consumers than good — and the agency put in place a rule to ban them.
"In practice, companies use these clauses to bar groups of consumers from joining together to seek justice by vindicating their legal right," Richard Cordray, the CFPB's director, told reporters in July, according to my colleague Jonnelle Marte.
For consumers affected by Equifax's breach, this is a live issue; there is already at least one class-action suit brewing against Equifax.
If the government is moving to bar arbitration clauses, then why is one in there?
Despite the CFPB's move to ban arbitration clauses, the rule has not yet gone into effect, according to the agency. That won't happen until Sept. 18, the CFPB said. What's more, the rule doesn't work retroactively, meaning that the Equifax legalese would not be covered anyway. The ban only affects contracts made after March 19, 2018, six months after the rule takes effect.
The CFPB said Friday that Equifax's arbitration clause was "troubling" and that the agency is investigating the data breach and Equifax's response.
"Equifax could remove this clause so that consumers can receive this service without condition," the CFPB said in a statement.
The future of the ban is itself in doubt; just after the CFPB approved the rule, House lawmakers voted to repeal it. The motion to repeal must still be voted on by the Senate and signed by President Trump to become official, but if it does, then the CFPB's regulation could be nixed.
On Friday, New York Attorney General Eric Schneiderman took aim at Equifax's arbitration clause, tweeting that his staff has contacted the company urging it to remove that part of the fine print.
"This language is unacceptable and unenforceable," the state's top lawyer said in his tweet. Minutes later, Schneiderman's office announced a formal probe into the Equifax breach. In a release, the state attorney general's office said Schneiderman had sent a letter to Equifax asking for more information. Among the questions were whether any consumer information has found its way to the "black market," according to a person familiar with the investigation.
A spokesperson for Schneiderman declined to comment on whether officials were investigating the sale of company stock by Equifax executives prior to the discovery of the hack.
So should I register with the Equifax site, or not?
It's up to you, but you should know going into the process what you're signing up for.
Friday morning, after social media users began complaining about the arbitration clause, Equifax updated its terms of service to give consumers an escape hatch if they do not wish to be bound by its language.
Here's how the opt-out provision reads:
In order to exclude Yourself from the arbitration provision, You must notify Equifax in writing within 30 days of the date that You first accept this Agreement on the Site (for Products purchased from Equifax on the Site). ...
You must include Your name, address, and Equifax User ID, as well as a clear statement that You do not wish to resolve disputes with Equifax through arbitration.
This language helps address some of the concerns, but it requires consumers to remember to write to Equifax.
Meanwhile, there's something else that you should know if you do decide to use Equifax's website to check if you were affected.
The site demands even more information from you to prove your identity.
To make sure that the person checking the database is really you, Equifax's data breach site asks for your last name and the final six digits of your Social Security number. This is extremely unusual. While the site is legitimate, the fact that you must volunteer more of what would otherwise be private information may not inspire much confidence.
Is there anything else I can do?
You can still monitor your own credit by obtaining a copy of your credit report. Every year, you can request a free copy of your report from each of the three major credit reporting agencies. This means that you can effectively check your credit free every four months or so. You can also put a proactive freeze on your credit, which will prevent unauthorized use.
Quote from: The Minsky Moment on September 08, 2017, 10:06:29 AM
Quote from: grumbler on September 08, 2017, 08:23:58 AM
I can see liability lawsuits coming, but I am not sure on what basis they will succeed. Can lawtalkers talk here about the obligations Equifax had, and to whom?
Cases usually get brought alleging state law violations, including consumer protection laws or business practices laws - some of which are quite broad - or state common law claims on theories like negligence, breach of contract, quasi-contract, or unjust enrichment.
The usual defense approach in these cases is to move to dismiss for lack of standing on the ground that there is insufficient evidence of injury. A 2013 Supreme Court case is often interpreted to suggest that some proof is needed of actual identity theft or economic loss - that can be difficult to show as the bad guys usually don't publicize their bad acts. In this case - however - given the depth and breadth of the info - social security, drivers license numbers, birth dates etc - there is a better chance of convincing a court of injury.
In Canada, by way of comparison, there exists a statutory right to damages based on the federal
Personal Information Protection and Electronic Documents Act, if the breach was exacerbated by a failure to abide by statutory requirements. Though what kind of quantum you could get, I don't know. The statute expressly allows a court to award damages for "humiliation", so presumably you could get above and beyond mere proven economic losses.
Quote
Remedies
16 The Court may, in addition to any other remedies it may give,
(a) order an organization to correct its practices in order to comply with sections 5 to 10;
(b) order an organization to publish a notice of any action taken or proposed to be taken to correct its practices, whether or not ordered to correct them under paragraph (a); and
(c) award damages to the complainant, including damages for any humiliation that the complainant has suffered.
But of course they did
Quote
Three Equifax executives sold shares of the credit-reporting company worth nearly $2 million shortly after a massive data breach was discovered. The sales occurred before the company announced the breach to the public on Thursday.
http://money.cnn.com/2017/09/08/investing/equifax-stock-insider-sales-hack-data-breach/index.html
How come you guys get all those fraudulent charges on your cards? Don't you get sent an SMS with a one-time code to confirm online purchases? Don't you use a pin code for purchases on a store?
Quote from: Iormlund on September 08, 2017, 02:22:30 PM
How come you guys get all those fraudulent charges on your cards? Don't you get sent an SMS with a one-time code to confirm online purchases? Don't you use a pin code for purchases on a store?
No and no.
Quote from: Iormlund on September 08, 2017, 02:22:30 PM
How come you guys get all those fraudulent charges on your cards? Don't you get sent an SMS with a one-time code to confirm online purchases? Don't you use a pin code for purchases on a store?
When I can on the first one. Only when I am using my debit card on the second part.
Quote from: Iormlund on September 08, 2017, 02:22:30 PM
How come you guys get all those fraudulent charges on your cards? Don't you get sent an SMS with a one-time code to confirm online purchases? Don't you use a pin code for purchases on a store?
No and yes. Although if it's a small charge you can "tap" the card and there's a chip in the card that does magic with radio signals.
Man, why do horses even need fax machines?
Quote from: Razgovory on September 08, 2017, 03:47:35 PM
Man, why do horses even need fax machines?
How else will they tip off the bookies?
Quote from: merithyn on September 08, 2017, 12:18:09 PM
I use two specific credit cards to pay certain bills. Each time this has happened to me - and it's happened a couple of times - those bills didn't get paid on time because my cards have been cancelled and I haven't gotten the new ones yet to pay the bill. That adds up over time.
Okay, but you could still have paid by check. Also, half my bills are paid late because I forget, and nothing bad has ever happened.
Quote
Additionally, when we ran the toffee shop, often the charge would go through initially, only to come back as a fraud charge after. The toffee would already be gone, which left us holding the bag. Plus, as we would have accounted for that sale in other ways, if it were a big order, it could leave us strapped in other ways.
Multiply all of that by 143,000,000.
Okay--so toffee shops will stop accepting credit cards.
Quote from: Iormlund on September 08, 2017, 02:22:30 PM
How come you guys get all those fraudulent charges on your cards? Don't you get sent an SMS with a one-time code to confirm online purchases? Don't you use a pin code for purchases on a store?
Chip technology only mitigates card-present fraud. Internet fraud is still a problem.
And there are still many millions of mag stripe-only cards that have not been replaced by chip cards.
America is in the Third World when it comes to payment methods, no sane person disputes that.
Quote from: The Brain on September 08, 2017, 05:55:25 PM
America is in the Third World when it comes to payment methods, no sane person disputes that.
Drug dealers around the world are grateful for it.
I checked the Equifax checker. Both the wife and I might not be affected.
I will of course not believe that. Instead I will stockpile gold and guns.
My Equifax credit score went down 28 points last quarter. All because I had paid off my car loan.
Quote
Equifax Inc.
NYSE: EFX - Sep 8, 7:56 PM EDT
123.23 USD, down 19.49 (13.66%)
How's it feel, assholes. Fucking die.
Quote from: CountDeMoney on September 08, 2017, 07:54:47 PM
My Equifax credit score went down 28 points last quarter. All because I had paid off my car loan.
Quote
Equifax Inc.
NYSE: EFX - Sep 8, 7:56 PM EDT
123.23 USD, down 19.49 (13.66%)
How's it feel, assholes. Fucking die.
It's ok they cashed out a couple months ago before they told the public.
I hope I don't own that stock. BRB
Edit: NOPE
Quote from: 11B4V on September 08, 2017, 08:24:15 PM
It's ok they cashed out a couple months ago before they told the public.
But wait, there's more!
Quote
In addition, CNBC commentators discussed today that an investor purchased 2,600 September put options with a strike price of $135, which are now in the money after today's nearly $20 per share drop. According to the commentators, the $156,000 investment is now worth more than $4 million.
Quote from: Ed Anger on September 08, 2017, 07:48:34 PM
I checked the equifax checker. Both me and the wife might not be affected.
I will of course not believe that. Instead I will stockpile gold and guns.
It looks like the Equifax checker is pretty random, and doesn't really tell you anything.
Equifax Breach Response Turns Dumpster Fire (https://krebsonsecurity.com/2017/09/equifax-breach-response-turns-dumpster-fire/)
Quote
As noted in yesterday's breaking story on this breach, the Web site that Equifax advertised as the place where concerned Americans could go to find out whether they were impacted by this breach — equifaxsecurity2017.com — is completely broken at best, and little more than a stalling tactic or sham at worst.
In the early hours after the breach announcement, the site was being flagged by various browsers as a phishing threat. In some cases, people visiting the site were told they were not affected, only to find they received a different answer when they checked the site with the same information on their mobile phones.
Quote from: derspiess on September 08, 2017, 05:51:52 PM
Quote from: Iormlund on September 08, 2017, 02:22:30 PM
How come you guys get all those fraudulent charges on your cards? Don't you get sent an SMS with a one-time code to confirm online purchases? Don't you use a pin code for purchases on a store?
Chip technology only mitigates card-present fraud. Internet fraud is still a problem.
And there are still many millions of mag stripe-only cards that have not been replaced by chip cards.
You don't need special tech to mitigate Internet fraud. As I say, whenever you buy something worth above X you are redirected to your bank's page, where you have to input a one-time code you are sent to your mobile device via SMS.
It doesn't completely eliminate fraud, but they need to clone your phone number to do major harm.
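Iormlund's redirect-to-the-bank flow, written out as an added example (not code from the thread or from any real issuer): the bank-side service that issues the SMS code, binds it to the exact transaction, expires it, locks it after a few wrong guesses and refuses replay. The threshold, the five-minute window, the three-attempt limit, the field names and the sample purchase are all assumptions. It does not fix the weak link Iormlund points at, control of the phone number; what it does show is why the code should be tied to merchant and amount, so a phished or intercepted code cannot be pointed at a different purchase.

```python
"""Step-up check for a card-not-present purchase with an SMS one-time code."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

STEP_UP_THRESHOLD = 30.00   # assumed "X": anything above this needs a code
CODE_TTL_SECONDS = 300      # assumed: the code dies after five minutes
MAX_ATTEMPTS = 3            # assumed: three wrong guesses burn the challenge


@dataclass(frozen=True)
class Transaction:
    card_token: str   # issuer-side token standing in for the card number
    merchant: str
    amount: float
    phone: str        # number the issuer already has on file, not one the merchant supplies


@dataclass
class Challenge:
    txn: Transaction
    code_mac: bytes   # HMAC over (transaction, code); the code itself is never stored
    issued_at: float
    attempts: int = 0
    used: bool = False


class StepUpService:
    """The bank-side half of the redirect: issue a code, text it, verify it."""

    def __init__(self, server_key: bytes, clock=time.time, sms_sender=None):
        self._key = server_key
        self._clock = clock
        self._sms = sms_sender or (lambda phone, text: None)  # a real deployment calls an SMS gateway here
        self._challenges: dict[str, Challenge] = {}

    def _mac(self, txn: Transaction, code: str) -> bytes:
        # Binding merchant and amount into the MAC means a code phished for one
        # purchase is useless for any other purchase.
        msg = f"{txn.card_token}|{txn.merchant}|{txn.amount:.2f}|{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def needs_step_up(self, txn: Transaction) -> bool:
        return txn.amount > STEP_UP_THRESHOLD

    def issue(self, txn: Transaction) -> str:
        """Create a challenge for txn, text the code to the phone on file, return the challenge id."""
        code = f"{secrets.randbelow(10**6):06d}"
        challenge_id = secrets.token_urlsafe(16)
        self._challenges[challenge_id] = Challenge(txn, self._mac(txn, code), self._clock())
        self._sms(txn.phone, f"Code {code} for {txn.merchant} {txn.amount:.2f}. Not you? Call the bank.")
        return challenge_id

    def verify(self, challenge_id: str, txn: Transaction, code: str) -> bool:
        """True only for the right code, for the same transaction, within the window, and once."""
        ch = self._challenges.get(challenge_id)
        if ch is None or ch.used:
            return False
        if self._clock() - ch.issued_at > CODE_TTL_SECONDS:
            del self._challenges[challenge_id]
            return False
        if ch.attempts >= MAX_ATTEMPTS:
            return False
        ch.attempts += 1
        # Recompute over the transaction the merchant is presenting *now*, and compare in
        # constant time so the six digits cannot be recovered one at a time via timing.
        if hmac.compare_digest(ch.code_mac, self._mac(txn, code)):
            ch.used = True
            return True
        return False


if __name__ == "__main__":
    outbox: list[str] = []
    bank = StepUpService(secrets.token_bytes(32), sms_sender=lambda _phone, text: outbox.append(text))
    purchase = Transaction("tok-4f1c", "toffeeshop", 48.50, "+15555550100")  # constructed sample
    if bank.needs_step_up(purchase):
        cid = bank.issue(purchase)
        code = outbox[-1].split()[1]   # what the cardholder reads off their phone
        print("same purchase:", bank.verify(cid, purchase, code))   # True
        print("replay:", bank.verify(cid, purchase, code))          # False
```

The merchant never sees the code or the phone number; it only learns whether the bank said yes. Whoever controls the phone number still wins, which is Iormlund's point, but they win exactly one purchase at exactly one merchant for exactly one amount.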
More from the "Yeah, About That, Sorry But We'll Be OK" files...
Quote
Equifax Breach: Two Executives Step Down as Investigation Continues
By NICOLE PERLROTH and CADE METZ
UPDATED 10:47 AM
The Failing New York Times
SAN FRANCISCO — Equifax, the credit reporting agency, said Friday that its chief information officer and chief security officer were retiring "effective immediately." The announcement came one week after the company revealed that a cyberattack potentially compromised confidential information of 143 million Americans. On Friday, the company also provided further details about when it had discovered the breach and which part of its website had been targeted by hackers. But many details about the breach, who was behind it and the computer security defenses at Equifax are still unclear.
What We Know
• Hackers exploited a vulnerability in website software. They gained access to certain files containing names, Social Security numbers, birth dates, addresses and driver's license numbers. Equifax also said the thieves lifted credit card numbers for about 209,000 consumers. The company on Friday disclosed that around 400,000 British consumers may have also been affected.
• The breach was open from mid-May to July 29. That was when Equifax first detected it. The company said it had immediately worked to stop the intrusion, and the following week engaged Mandiant, an independent cybersecurity firm, to oversee an investigation into the scope and causes of the breach.
• Equifax is making personnel changes following the breach. On Friday, Equifax said its chief information officer, Susan Mauldin, and its chief security officer, David Webb, were retiring. The company said the changes were "effective immediately."
• The breach involved the company's web page for disputes. The company said the breach occurred in a public website application where consumers could dispute the accuracy of credit information collected by the company. The company said it noticed suspicious traffic to the application on July 29 and took the application offline the next day. It then patched the vulnerability in the application and put the application back online.
• The hack involved a known vulnerability in software used by Equifax. The New York Post first reported that hackers had exploited a vulnerability in Apache Struts, a kind of open-source software that companies like Equifax use to build websites.
On Thursday, Equifax confirmed that the breach involved a bug in Apache Struts, and identified the specific vulnerability. This security weakness was publicly identified in March and a patch to fix it had been available since then. :lol:
The rules for commercial use of open-source software can vary. Generally speaking, open-source software is built collaboratively by developers inside companies, academia and even hobbyists, and is available for free or at a low cost. Different types of Apache software are widely used all over the world.
What We Don't Know
• It is not clear why the company's security methods failed to stop the attack. Equifax said that it was aware of the vulnerability two months earlier and worked to patch the bug then. It is not clear why this patch was unsuccessful, and the company said that it may release additional information as its investigation into the incident continues.
Avivah Litan, a security analyst with the research firm Gartner, said that the bug alone was not to blame. "You have to have layered security controls," Ms. Litan said. "You have to assume that your prevention methods are going to fail."
• The perpetrators of the Equifax breach have not been identified. A group of hackers calling themselves the "PastHole Hacking Team" has claimed responsibility, and threatened to release the data if their ransom demand of 600 Bitcoin — roughly $2.5 million — was not met. In posts and communications with security researchers, members of the team claimed they were able to garner far more data than they expected when they targeted Equifax.
• That doesn't mean this group of hackers was really responsible. Intelligence officials and security analysts in private industry said that while it is far too early to say definitively who breached Equifax, the leading theory is that the company was hit by a nation-state or hackers operating on a nation-state's behalf. They point to the sheer scale of theft, which most likely would have required a heightened degree of sophistication to pull off without being detected.
Other security experts said it would be smart to consider motivation and intent. "Are cybercriminals going to try and sell circa 150 million records in dark web auctions? That's nearly half the population of the United States," said Thomas Boyden, president of GRA Quantum, a company that specialized in cyberattack incident response. "Are there standard cybercriminals out there with the purchasing power for that type of data?"
Still, the detailed personal and financial information collected by a company like Equifax can be resold on the so-called Deep Web. It is much more valuable than credit card numbers, because it has a longer life span and can be used to access all kinds of other information, like bank accounts, loan details and medical records.
• Have these hackers struck before? Mr. Boyden and others said that the breach had many parallels with previous breaches of personal information by nation-states and their contractors. Such government-affiliated hackers compile giant databases of stolen information to see if there is material that can be used for espionage or perhaps even blackmail. Using data-sifting technologies, they comb through massive collections of information to find useful material.
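The two Struts points in the article above (the bug was public in March with a patch available, and Equifax's own patch attempt was "unsuccessful") come down to one check: what version is actually running, not what the ticket says was applied. Added example, not Equifax's tooling or anything from the thread: it reads struts2-core versions out of a Maven pom and out of a listing of a deployed WEB-INF/lib and flags anything still inside a published affected range. The article does not name the bug; the ranges below are the ones the Apache S2-045 advisory gives for CVE-2017-5638, the March 2017 Struts bug the description matches, and the pom and jar listing are constructed samples.

```python
"""Find Struts 2 versions in a pom and in a deployed WEB-INF/lib and flag the vulnerable ones."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Affected ranges per branch as (first affected, first fixed), from the Apache
# S2-045 advisory for CVE-2017-5638 (March 2017). Not named on this page.
STRUTS_AFFECTED = [
    ((2, 3, 5), (2, 3, 32)),
    ((2, 5), (2, 5, 10, 1)),
]
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(version: str) -> tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); qualifiers such as '-SNAPSHOT' are dropped."""
    return tuple(int(p) for p in re.match(r"[\d.]+", version).group().split("."))


def is_vulnerable(version: str) -> bool:
    """True if version falls in a published affected range (tuple order makes 2.5 < 2.5.10 < 2.5.10.1)."""
    v = parse_version(version)
    return any(first <= v < fixed for first, fixed in STRUTS_AFFECTED)


def _local(tag: str) -> str:
    """Strip the Maven XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def struts_versions_in_pom(pom_xml: str) -> list[str]:
    """struts2-core versions declared in a pom, with ${property} references resolved."""
    root = ET.fromstring(pom_xml)
    props: dict[str, str] = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            props.update({_local(c.tag): (c.text or "").strip() for c in el})
    found = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        if fields.get("artifactId") == "struts2-core":
            ver = fields.get("version", "")
            ref = re.fullmatch(r"\$\{([^}]+)\}", ver)
            found.append(props.get(ref.group(1), ver) if ref else ver)
    return found


def struts_versions_in_lib(listing: str) -> list[str]:
    """struts2-core versions from a listing of jar paths (output of `find WEB-INF/lib`, say)."""
    return [m.group(1) for line in listing.splitlines() if (m := JAR_RE.search(line.strip()))]


def audit(pom_xml: str, lib_listing: str) -> dict[str, bool]:
    """Every struts2-core version seen, in source or deployed, mapped to 'still vulnerable?'."""
    versions = set(struts_versions_in_pom(pom_xml)) | set(struts_versions_in_lib(lib_listing))
    return {v: is_vulnerable(v) for v in sorted(versions, key=parse_version)}


# Constructed sample: the pom was bumped to the fixed release, but the jar
# actually sitting on the server never was.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><struts.version>2.3.32</struts.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.5</version>
    </dependency>
  </dependencies>
</project>"""

SAMPLE_LIB = """WEB-INF/lib/commons-lang3-3.5.jar
WEB-INF/lib/struts2-core-2.3.30.jar
WEB-INF/lib/xwork-core-2.3.30.jar"""

if __name__ == "__main__":
    for version, vulnerable in audit(SAMPLE_POM, SAMPLE_LIB).items():
        print(f"struts2-core {version}: {'VULNERABLE' if vulnerable else 'ok'}")
```

The sample is the failure mode the article describes: source says 2.3.32, the server says 2.3.30. Checking only the pom (or only the change ticket) reports the bug fixed; checking what is deployed does not.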
Quote from: CountDeMoney on September 16, 2017, 10:47:12 AM
• That doesn't mean this group of hackers was really responsible. Intelligence officials and security analysts in private industry said that while it is far too early to say definitively who breached Equifax, the leading theory is that the company was hit by a nation-state or hackers operating on a nation-state's behalf. They point to the sheer scale of theft, which most likely would have required a heightened degree of sophistication to pull off without being detected.
Other security experts said it would be smart to consider motivation and intent. "Are cybercriminals going to try and sell circa 150 million records in dark web auctions? That's nearly half the population of the United States," said Thomas Boyden, president of GRA Quantum, a company that specialized in cyberattack incident response. "Are there standard cybercriminals out there with the purchasing power for that type of data?"
:bleeding:
I am glad to see that we still haven't escaped pre-9/11 thinking, and levels of deduction, when it comes to intelligence analysis.
MY GOD ITS FULL OF DATA FIELDS
If my personal financial data ever gets compromised, I'm sure that whoever steals it, be it terrorists, white-collar criminals, a foreign government, or just hackers doing it simply to be assholes, will get a good laugh.
I guess I shouldn't be annoyed now that I never knew the correct answers to my personal history questions on Equifax when getting my free credit report.
Quote from: dps on September 16, 2017, 04:06:28 PM
If my personal financial data ever gets compromised, I'm sure that whoever steals it, be it terrorists, white-collar criminals, a foreign government, or just hackers doing it simply to be assholes, will get a good laugh.
Yeah, whoever gets my financial identity, I wish them better luck with it than I had. :lol:
Quote from: dps on September 16, 2017, 04:06:28 PM
If my personal financial data ever gets compromised, I'm sure that whoever steals it, be it terrorists, white-collar criminals, a foreign government, or just hackers doing it simply to be assholes, will get a good laugh.
They could use your identity to raise your credit card limit, go on a spending spree and leave you hanging for the bill before you even realize what has happened.
In case of simple fraud, it's easy to claim damages from your credit card company (though there's a hidden cost to it), but if they stole your identity, it could be a nightmare to prove you didn't do it.
Quote from: viper37 on September 18, 2017, 10:39:32 AM
They could use your identity to raise your credit card limit, go on a spending spree and leave you hanging for the bill before you even realize what has happened.
In case of simple fraud, it's easy to claim damages from your credit card company (though there's a hidden cost to it), but if they stole your identity, it could be a nightmare to prove you didn't do it.
Good on them if they can make that happen. I sure as hell haven't been able to. :lol: