Equifax Breach is Very Possibly the Worst Leak of Personal Info Ever (arstechnica.com)
The breach Equifax reported Thursday is very possibly the most severe of all for a simple reason: the breath-taking amount of highly sensitive data it handed over to criminals. Dan Goodin of ArsTechnica writes: By providing full names, Social Security numbers, birth dates, addresses, and, in some cases, driver license numbers, it provided most of the information banks, insurance companies, and other businesses use to confirm consumers are who they claim to be. The theft, by criminals who exploited a security flaw on the Equifax website, opens the troubling prospect that the data is now in the hands of hostile governments, criminal gangs, or both and will remain so indefinitely.
Hacks hitting Yahoo and other sites, by contrast, may have breached more accounts, but the severity of the personal data was generally more limited. And in most cases the damage could be contained by changing a password or getting a new credit card number. What's more, the 143 million US people Equifax said were potentially affected accounts for roughly 44 percent of the population. When children and people without credit histories are removed, the proportion becomes even bigger. That means well more than half of all US residents who rely the most on bank loans and credit cards are now at a significantly higher risk of fraud and will remain so for years to come. Besides being used to take out loans in other people's names, the data could be abused by hostile governments to, say, tease out new information about people with security clearances, especially in light of the 2015 hack on the US Office of Personnel Management, which exposed highly sensitive data on 3.2 million federal employees, both current and retired. Meanwhile, if you accept Equifax's paltry "help" you forfeit the right to sue the company, it has said. In its policy, Equifax also states that it won't be helping its customers fix hack-related problems.
UPDATE (9/9/17): Equifax has now announced that "the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident."
Bloomberg reported on Friday that a class action seeking to represent 143 million consumers has been filed, and it alleges the company didn't spend enough on protecting data. The class-action -- filed by the firm Olsen Daines PC along with Geragos & Geragos, a celebrity law firm known for blockbuster class actions -- will seek as much as $70 billion in damages nationally.
You're a moron.
No regulation would stop this.
Completely prevent it? No. But make the people who handle such data take it seriously? Absolutely.
Mandatory life in prison without the possibility of parole as well as the unconditional forfeiture of all assets (properties, money, stocks and options, etc.), public and private, for all who handle such data improperly, explicitly extending all the way up the chain of any company having access to the data and any company providing the software or hardware for the data, with no exception for assets handed to spouses, family members, trusts, foundations, etc., and the immediate dissolution of the companies at fault.
Annual (at least) audits for all institutions handling such data and a standing $10,000,000 bounty for anyone demonstrating a successful attack that leads to inappropriate access to protected data.
Now, who wants to run a credit bureau?
You want security against identity theft? Here it is: hardware identification. U2F devices--I hate them, rant in a minute--can identify a user without relinquishing a key. You want to know I'm who I say I am? Then I register with Equifax, I give them an identifying key, I authorize your credit check with my key. You can't hack that. It's unhackable, or else somebody has figured out how to break encryption that should not be breakable yet--in which case nothing is safe.
How do you initially verify someone is who they say they are to assign them a hardware device? Who holds the database of keys to know that public key X ties to individual X? Who generates the secret key? How is it loaded onto the device? What happens when someone steals your device? What happens when someone X-rays your device or dumps it in liquid nitrogen or otherwise takes a really close look to extract your key or Oprah's key or Bill Gates's key? What happens when the factory making the device is infiltrated and the device has a backdoor put in, or the device you or your bank or whoever receives is intercepted by the NSA first, under the cover of a national security letter or simply an MIB with a gun?
So fuck off with your "unhackable" claim.
I would not be above passing legislation specifying that a person's credit history cannot be impacted by non-challenge-response, user-presence-based authentication in line with modern standards. That is: you have to have something that can be handled entirely in the open and still not allow impersonation, such as RSA or Ed25519 challenge-response exchange with a secure hardware device. These devices cost all of $20 at the lowest end.
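As an added illustration of the challenge-response scheme this comment describes (example code written for this page, not from the thread or from any real credit bureau or token vendor): the verifier keeps only a public key, mints a fresh random challenge for each credit check, and the user's token signs the challenge with Ed25519. Everything that crosses the wire can be observed in the open, and a captured response is useless for a later check. The `Registry`/`Token` names and the `credit-check:...` context string are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Registry is the verifier (the CRA in the thread). It stores only public keys
// and remembers which challenges have already been consumed, so a recorded
// signature cannot be replayed.
type Registry struct {
	keys map[string]ed25519.PublicKey
	seen map[string]bool
}

func NewRegistry() *Registry {
	return &Registry{keys: map[string]ed25519.PublicKey{}, seen: map[string]bool{}}
}

// Register stores the public key a user submits at enrollment; no secret is kept.
func (r *Registry) Register(user string, pub ed25519.PublicKey) { r.keys[user] = pub }

// NewChallenge returns 32 fresh random bytes for exactly one authorization attempt.
func (r *Registry) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Authorize consumes the challenge (one attempt each) and verifies the signature
// over context||challenge, so a signature for one bank's check cannot be reused
// for another bank's check even with the same nonce.
func (r *Registry) Authorize(user, context string, challenge, sig []byte) bool {
	pub, ok := r.keys[user]
	if !ok || r.seen[string(challenge)] {
		return false
	}
	r.seen[string(challenge)] = true
	return ed25519.Verify(pub, append([]byte(context+"\n"), challenge...), sig)
}

// Token stands in for the hardware device: the private key is generated inside
// it and only signatures ever leave it.
type Token struct{ priv ed25519.PrivateKey }

func NewToken() (*Token, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Token{priv: priv}, pub
}

// Respond signs the context and challenge; the user presses the button here.
func (t *Token) Respond(context string, challenge []byte) []byte {
	return ed25519.Sign(t.priv, append([]byte(context+"\n"), challenge...))
}

func main() {
	reg := NewRegistry()
	tok, pub := NewToken()
	reg.Register("alice", pub)
	ch := reg.NewChallenge()
	sig := tok.Respond("credit-check:bank-1234", ch)
	fmt.Println(reg.Authorize("alice", "credit-check:bank-1234", ch, sig)) // true
	fmt.Println(reg.Authorize("alice", "credit-check:bank-1234", ch, sig)) // false: replay
}
```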
You keep relying on that "secure hardware token". There is no such thing. "Secure hardware tokens" are simply computers that run a deterministic algorithm based on a secret key and time. Extract the secret key and you win. Further, the devices that cost $20 are made in China. In fact, nearly all of them are. (And being made elsewhere wouldn't help much.) And you THINK RSA and other algorithms can't be broken. We've seen secure algorithms come and go as weaknesses are discovered, backdoors are discovered, computational power increases, etc.
Lost your key? Call your bank; all banks are required to file a Lost Key hold for anyone with a credit account with them, which freezes all your credit. You have to show up to a bank, present valid ID (e.g. a real Driver's ID), and then prove you still have your key or provide a new key to re-establish a trust relationship between you and the CRA. No verbal verification; you physically come here and show me your ID, or you're full of shit and have a print-out of stolen Social Security numbers at your desk.
Ah yes, easy denial of service. Hello, Shit Ass Bank? This is bluefoxlucid, I've lost my key. I have a new one, and I'm coming down next week to prove it. Until then, please freeze everything. Kthx. Other than that it's airtight. I mean, ID checks really stop teens from