Ask Slashdot: What's a Practical Response To the Equifax Breach?
In response to the massive Equifax cybersecurity incident impacting approximately 143 million U.S. consumers -- making it possibly the worst leak of personal info ever -- Slashdot reader AdamStarks asks: What steps can the average Joe take to protect their identity? Accepting Equifax's help forfeits your right to sue; it's the same with applying for protection at TransUnion (not sure about Experian). Extra services at those companies also cost money, but that's putting even more of your data in their hands, and it's not clear whether the protection/help they provide is worth it (leaving aside not wanting to reward bad behavior).
CLASS ACTION!
The chance to fight this has long passed. You all asked for this. You all begged for it. Now, you've got it.
Then I say they forfeit their right to live. Off with their heads!
The average person is not an Equifax top exec that was able to cash out before the news got out.
Class-action will only transfer additional costs on to the consumers.
I vote to shut it down, have the FTC or somebody step in, and force a direct payout to the consumers, bypassing all the fucking lawyers.
Fucked you are.
Don't waste your time or money on their monitoring "services", which don't do much. Instead, freeze your credit with each of the agencies.
Krebs' "Dumpster Fire" post on the Equifax debacle is worth reading.
https://krebsonsecurity.com/20...
The security freeze prevents anyone, even you, from opening a credit account or getting a loan in your name, including yourself, until you lift the freeze.
You never know about an identity theft until after the fact and weird bills start coming in. Basically you agree to a PIN number. No new loans can take place in your name unless the applicant knows the number.
It's close to free but there may be a few $10 fees depending on where you do it: https://www.transunion.com/cre...
The credit reputation agencies don't offer it by default because their business model is to sell you fraud alert monitoring services. Logically, if there's a freeze, there's nothing for them to monitor. This is the cheapest and best solution.
Second, stop giving Equifax your money.
Third, class action suit.
PS: Krebs on Security has a great piece that's now a few years old but shows why credit freezes are good and the other crap sold by Equifax and their peers are more or less useless in comparison: TransUnion and Experian promote have little value: https://krebsonsecurity.com/20...
---- The above post was generated by the Turing Institute. Maybe.
...don't respond to the breach by forcing users to go to a phishy-sounding "equifaxsecurity2017.com" web site (I've actually had phishing e-mails directing me to go to "paypal2017.com" and such). Worse, don't direct them to a THIRD site that doesn't even have a valid certificate, causing Chrome, Firefox and other browsers to scream "Dangerous and Deceptive Site!!!!" with a big red warning screen.
Lastly, don't force them to join your crappy credit monitoring site in order to find out if they are part of the breach... and thereby forcing them to renounce their ability to sue you.
The clueless executives need to be fired, and probably anybody on their IT staff with "security" in their title or job requirements.
All of these problems are solved by the blockchain. It's time to start pushing for it.
Seriously, besides waiving the right to participate in a class action lawsuit, which might net you a fucking nickel in a decade, you are fucked, and what's the response, sign up for security?
cause security obviously works
how bout you actually watch and keep up with your shit, like you should be doing anyway ... I dunno about you, but I am not so filthy rich that I don't keep track of what I buy, and check on the card (yes card not cards) at least once a week to make sure everything is as it should be
That sad story could be used to ask for political change.
There are countries where knowing someone's SSN is not enough to get credit on his behalf; why could US residents not enjoy similar protection by law?
Would Equifax be hurt if many people wrote asking to be removed from Equifax records? I pay as I go, have no use of or need for credit, so I am tempted to ask Equifax to delete all records of me.
Time to end the three credit reporting cartels and while we are at it end FICO.
CREDIT FREEZE
What steps can the average Joe take to protect their identity? Accepting Equifax's help forfeits your right to sue; it's the same with applying for protection at TransUnion (not sure about Experian). Extra services at those companies also cost money, but that's putting even more of your data in their hands, and it's not clear whether the protection/help they provide is worth it (leaving aside not wanting to reward bad behavior).
Here is a good guide on freezing your credit: http://clark.com/personal-fina...
There is no reason for the vast majority of people to leave their credit open. Seriously, most people apply for new credit maybe once every few years, if that. Leaving your credit open is simply asking for trouble.
As they say, an ounce of prevention is worth a pound of cure (or their SI equivalents if you don't like conventional weights and measures).
... is to never have been in that dataset in the first place.
Yeah, this is a problem. We could have seen it coming and arguably governments should have and fixed it for everyone before it could become a problem. But we didn't, so we get to learn the hard way.
Basically everyone with a bank account or water bill is affected. This is an industry altering breach. There is no reason to believe you have any ability to do anything about it.
I am not being defeatist, this will cause necessary change in the entire industry.
Lifelock is the best identity theft protection available. Signing up for identity theft protection from Lifelock is the single best thing you can do. You wouldn't pay a dental monitor to tell you if you have a cavity. No, you pay a dentist to diagnose and fix it. Lifelock will help you determine if your personal information is available on the dark web, detect if you've been a victim of identity theft, and then work at their own expense to undo any damage caused by the identity theft.
Heavy fines from the FCC for such breaches no matter the cause, and/or impose standard operating procedures based on best practices.
Twinstiq, game news
A good response would be for laws that make companies that collect data financially responsible for misuse of that data. Either internal misuse or misuse through the information being leaked or stolen.
Then the companies would have a decision to make: either collect the data and take effort to secure it, or don't collect the data.
There's absolutely no excuse that credit freezing / thawing should cost anything. Some states allow for fees while others don't.
Interesting how some things are under federal law and yet often those that can hurt consumers aren't. For example, many credit card issuers get around state usury laws by incorporating in South Dakota and doing business across state lines. For example, in Pennsylvania, a person can't charge more than 18% annual interest (may be lower). Yet, a credit card company that operates from abroad, despite conducting business in Pennsylvania, can. Charging interest rates as high as they want; 20% is common with some credit cards upwards of 36%.
Rambling on, but one can find numerous examples of legalized corruption. As for what the people can do, writing letters, etc. to politicians representing their area and contacting the attorney general of their state may help influence legislation, though often little match against big money interests, who often write the laws.
If one wants more immediate compensation, they could max out their credit cards, not pay, and then work out a settlement for 25% - 50% or so off. One's credit scores will tank for awhile, but is a little way to get back at the system. More immediate than waiting for any class-action settlement that could take a decade or more to work its way through the courts and likely only pay out in coupons and maybe double-digit cash that might be enough to buy a value meal.
The government should issue everyone a new Social Security Number. And when they do so, they should add a digit so that we don't run out anytime soon (or start using a mix of letters and numbers). This is a great time to think about what a good replacement would be. For example, there could be a short form of the number that is sufficient for tax reporting, with four random additional digits that are used when applying for credit. If there is ever evidence of fraud, you would receive a new random four digits. (This would be a bit like having a credit freeze for everyone.) I'm sure other people will come up with new and interesting ideas.
Of course, this means changing all the financial software that has the SSN format hard-coded. I'm fine with that. It would be a bit like Y2K all over again for developers.
And make Equifax pay for the expense of issuing the new numbers (which probably means forcing it into bankruptcy, doing a new IPO, with the government receiving all the proceeds from the stock sale).
It isn't that hard you should be already using it. If you aren't anticipating a REFI on your car/house/boat/helicopter/hovercraft/whatever.. you can ask the bank(s) that has/have your credit cards to freeze your credit. Once frozen you are safe from anybody opening a new line of credit. If for some reason you *do* need to open another line of credit you can unfreeze it again.
Peace.
FYI AFAIK this is only in the U.S.A.
for decades has never been punished, the big three credit reporting agencies will continue to knowingly publish bad information. They're not held accountable for their bad information. This is minor in comparison to how they've screwed us in the past.
The only practical solution is to have a dedicated Equifax representative dispatched to each affected party, at their own cost. The representative is obligated to make every effort to personally find and contact the person whose data was lost then provide them with:
- Full protection / reimbursement from any future fraud
- 1 complete, heartfelt apology
- 1 earnest fellatio on the affected party, delegated family member, housepet, or neighbour's housepet
Nuke them from orbit. It's the only way to be sure.
The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
The SSN, passport number, or, for all practical intents and purposes any government issued number is NOT a secret. There are ways to get those numbers, be it through breaches like this one, or other means.
The SSN is not a Secret. It is just a number issued by the government to identify you more easily to the Social Security.
Again, the SSN is not a secret. Nurses, Doctors, Clerks see the number as a matter of routine...
Your passport number is not a secret. Clerks, security guards and border patrol agents, both in your country and abroad see it on a regular basis.
Driver license numbers are not a secret.....
ID Numbers (for countries which issue ID Cards) are not a secret....
You get the drift....
Maybe, just maybe, the Governments and companies will stop treating these numbers (be it the SSN in the USoA, the Cedula or DNI, or what have you) as a "Secret", and recognize that these are just ID numbers, not secrets, and we move towards a real secret when needed, in the form of, perhaps PIN+SmartCard, or some other mechanism.
I know, it is a loooooong shot, but dreaming is free....
*** Good luck to everyone and have a happy day!
Federal law makes security freezes free retroactively from the beginning of time. Agencies refund any fees already collected, and collect no more. All credit is immediately frozen and must be unfrozen (for free) by the individual, temporarily only.
My plan:
1) Freeze all three agencies ($30 bucks)
2) Bill Equifax for $30
3) When they fail to pay the bill, file in small claims court for fees plus $30
4) When they fail to appear, you have a judgement.
5) Sell the debt to a collection agency
Let me delete my data... can't keep it safe, you can't keep it at all.
Once they lose 30% of their data they might start being a little more careful about their cash stream. I lied, I will let them keep one bit of data:
USER DELETED DATA DUE TO 9/7/whatever breach and make it non-derogatory in the FICO scores.
When I applied for a house loan, my credit report had 17 negative items on it that weren't mine. Several were from doctors, a hospital, a dentist, and for unpaid property taxes. I haven't been to a doctor since the army forced me to over thirty years ago. I don't own property so the unpaid property taxes were bogus. Wells Fargo denied my house loan, and I lost the property I had put a deposit on. I talked to a lawyer, and he laughed when I asked if I had a case against Experian. Apparently you can't hold them accountable for publishing bad information.
The best defense to the Equifax breach, as it is to all the other data breaches, is to:
1. NEVER EVER click on a link in an email. Type in the web address yourself.
2. Check your credit card statements religiously.
3. Keep your antivirus and anti-malware software up to date.
Really, aside from the fact that it's Equifax being penetrated, what's the big deal? I get free credit monitoring because my wireless provider T-Mobile was hacked. I get free credit monitoring from somebody else because the U.S. Office of Personnel Management got hacked, revealing EVERY detail of EVERY security clearance applied for in the last 20 years. I got free credit monitoring from somebody else because a credit card provider got hacked.
Get paranoid about security. Already paranoid? Are you paranoid ENOUGH? Then let it go and live your life.
And public lynching.
In my dream world I would have Congress make a law to have the credit reporting agencies, financial institutions, or any business holding certain types of information by default to place a freeze on exporting/sharing that information.
Something like this:
For example, if a company collects social security numbers or driver's license numbers, then that company must by law place a freeze by default on all accounts and ANY information in that file can only be revealed by the owner of the SSN giving specific permission.
No contract to do business will be allowed that makes data sharing a condition.
The data-sharing permission can only be asked for after a period of some time, say, 90 days, and the default will be to not grant permission.
If a business needs to pull a credit report in order to grant me credit, write an insurance policy, or whatever, then the reporting agency will have to find some way to allow me to do a one-time grant of access.
My military serial number is my SSN. (It shouldn't be, and didn't USED to be, and it's illegal, but it's the government and who's going to prosecute them?) For years, in order to write a check at the Base Exchange, we were REQUIRED to have our serial numbers - our SSNs - printed or written on the check.
For all those companies that want to use the last 4 of your SSN as a security code - you can demand that they assign you a different number.
My roommate works at Equifax, but even she couldn't help me clean up my credit well enough to get a house loan. She wants me out of here. I have more than sixty bad items since I have a common name. None of them are mine since I have never paid a bill late.
It is ridiculous that credit agencies aren't held responsible for publishing bad information.
Cybersecurity and massive data breaches like this one are the responsibility of the NSA, not peons. The NSA wants things the way they are. The NSA wants us to have faith in them. So just do it. Pray to the NSA. The NSA has already cut off all of our arms and legs in a metaphorical sense when it comes to tactically defending ourselves cybersecurity-wise. Everything as a peon you might consider doing is a joke outshadowed by an assessment (that no peon has the intelligence information to make) of how much your fate rests in the NSA's hands.
In a decent society, we would all have been running our own home email servers like Hillary Clinton a decade ago, cryptocurrency would have flourished a decade ago, massive cryptocurrency heists would have happened a decade ago, and all of our personal FOSS top to bottom infrastructure would kick the living shit out of the crap we have available today. This is the NSA's baby. Ignore the crying. Or pray. Whatever.
My report shows almost a dozen closed checking accounts with Wells Fargo. Obviously that isn't correct since they would have never allowed one person to open that many accounts. I got denied a home loan because of that.
No, you can't sue them, because they are required by federal law to periodically provide you the information they have on you when you request it. They then must follow more federal law to determine the veracity of any entry you dispute.
Unfortunately, it's your own fault that you were denied, ESPECIALLY because almost everyone knows you follow that procedure before buying a home even if you're not such a stickler you do it every year.
fingerprints too. The names of our first grade teachers and favorite pets as well. It's all a bad joke. Just pray to the NSA.
I lost a deposit on a condo since Bank of America wouldn't honor my preapproved loan because of bogus info on my credit report. That condo has since gone up $300k in value since then. I'm pissed I can't hold the credit agencies liable for the loss they caused.
Facebook is the next target.
Make huge donations to the NRA and the Trump 2020 campaigns. Only they have proven to be on the side of the American people.
Tar and feathering? Heads on pikes? Run out of town by an angry mob? I'm open to ideas. Funny how much less shit went down in those days.
I was denied a home loan because of incorrect information on my credit report. It sucks that the law doesn't allow us to fight back.
And how exactly does a freeze help, if the next credit bureau hack obtains all those freeze PINs?
SSNs you can use in bulk. But even knowing a freeze PIN you still have to pay real money - either to unlock it temporarily, or for good. That makes it less likely attackers would make use of it.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Identity Theft is a fiction created in order to keep you as a subservient slave. There is no such thing. Your identity cannot be stolen!
Someone may "impersonate" you and that may cause someone else to attempt to commit extortion against you.
You need do nothing except be ready to respond in an appropriate manner to anyone who makes extortionist claims against you.
I was denied a home loan because of incorrect information on my credit report. It sucks that the law doesn't allow us to fight back.
You suffered a measurable loss. Too bad the law protects credit reporting agencies. We should be able to sue for that.
Accepting Equifax's help forfeits your right to sue;
Nope. New York's attorney general demanded they clarify the wording on this.
Stop reporting 143 million "customers" or "consumers" info was stolen. We are not their customers or consumers. We are their product and the victims.
Roll the dice. It's better than paying Danegeld to these guys to freeze your credit. Also, they want you to waive your right to class action. Hell no. I don't care if I don't get money from a CA. If CA lawyers can actually drive that PoS into BK, they deserve every cent they're paid. After that, we need to picket the appropriate government agencies; but fat chance of that actually working.
So roll the bones. It's the only practical "solution" even though it's not a real solution. In the event that ID theft actually robs you of a significant amount, do your best to hang it on these guys, not your own fault. Sue them independently for that, not as a member of a CA; but hurry because there will be a long line.
In an ideal world, the guys who sold their stock get perp walked and the company is shut down; but once again... fat chance. Come on, Trump, here's your chance to be Reaganesque. Remember back then? Guys actually got perp walked. It hasn't happened in way too long a time.
The fraudster just calls up and says they forgot the PIN. The credit agency then asks him/her information which only you should know to confirm identity, then lifts the freeze or resets the PIN. Still, it is (or was) the best way to protect your credit. Unfortunately, the information they use to confirm your identity is probably what's been stolen in this hack. So whoever stole it can lift any freeze you put on your credit.
When the class action suit is settled you may have to prove you used them, not them hunting you down.
I have the results from Equifax I got from annualcreditreport.com as PDFs.
Your roommate is part of the problem. They have never been held accountable for knowingly publishing bad information.
Someone can get a credit card in my name if they have a few pieces of information. What the fuck? You want to 'deal with' data breaches? Make the data worthless. Bring back HUMAN INTERACTION. To get a credit card issued in my name, make me go to a real bank and meet with a real human and show some real ID. Pretty fucking simple.
Federal law protects them.
... and nuke the entire site from orbit
complain about it to your CO and JAG and to your congresscritters.
Void their business licenses, burn down the buildings, execute the executives
The real data breach is that they're allowed to aggregate my info and that businesses I deal with send my info to them
PROJECT MAYHEM
Burn the company to the ground, tar-and-feather all the executives, secure-erase all their data. Nobody deserves the kind of power they have, and obviously can't control.
"Your loan application has been approved"
WARNING: Smartphones have side effects--most of them undocumented.
Neither a borrower nor a lender be.
Fraudsters can assemble so much data, call the bank, ask for password reset and hijack an existing account. Before you can call back and fix the issue the money would be gone.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
The free market will not fix this situation because the people they collect the data on are unwilling customers for the credit reporting agencies. We have no choice to opt out let alone easily manage our data, and those who buy the credit scores (i.e. credit lenders) are not affected when there is a breach.
Usually, I'm not a fan of regulation, but this might warrant such. Trying to get better congressional visibility with a new petition:
https://www.change.org/p/rob-b...
tora
I put all my credit on credit freezes years ago. After numerous changes to Terms of Service which I did not have to agree to (because web site ..), the freezes were removed. The new terms allowed companies to charge me $10 or $15 for freezes with relatively short expiration dates.
New legislation should forbid companies from charging for security freezes or thaws if less than 3 each in a one year period.
New legislation should prohibit credit bureaus from including any arbitration or limits to sue for security breaches in their Terms of Service.
New legislation should mandate that companies include databases of consumer information as liabilities, not assets.
New legislation should require credit bureaus to have proof that all credit inquiries originated with a consumer request for credit, not indirect business opportunities (such as buying lists of consumers with x income, living in certain areas).
New legislation should require credit bureaus to notify consumers whenever someone tries to access your credit file for any reason.
New legislation should mandate that credit bureaus not pay any bonus and limit all compensation to any member of its board of directors to no more than $100,000/year in any year in which a breach is discovered. That will force the boards to sit around and talk security until they get it done.
Make it one piece of legislation called "The stop f'ing the consumer with credit dossiers we can market excessively law".
Not that I'd advocate this but...now would probably be the absolute perfect time for people to find someone who can perform 'identity theft' on themselves, and max out their credit cards and other avenues of seeking loans, using the data released from this breach - and then stuff the banks with the cost of this.
The magic formula is L = 1,260 / W.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
>> Accepting Equifax's help forfeits your right to sue
I can't believe that this is true. It may say that in the agreement but I seriously doubt that it's actually legal.
Anyone who loses that kind of data needs to go out of business... they are nothing but a NSA / FBI front any damn way
This question is key to resolving this and other issues with personal data hoarders.
If personal data is owned by the person, then maybe it is copyrightable.
If you own the copyright on your personal data, then you could conceivably issue a DMCA "Takedown Notice" to all the credit reporting agencies.
This would wipe your credit file (which has distinct disadvantages as you would no longer have a credit record). If you avoid financing things, then maybe this would work out just fine.
If a company in this business, and of this prominence fails so utterly and dramatically in this one task, there is absolutely no reason that company should be in business.
It is the classic case of "You had one job to do.."
As consumers the only sane approach is to utterly and completely boycott them.
Tell your bank and other financial institutions:
"If you continue to use Equifax, I am taking my business elsewhere"
They need to provide, via a reputable third party, lifetime Identity theft protection for everyone whose data was exposed.
I'd also hit them for a nice fine of say 10k to 25k paid out to each person whose data was exposed.
If Equifax was holding toxic waste, and they failed to keep it secure and some of it leaked into the environment, what would our response be?
If they can't responsibly hold information secure, then take that information away from them.
Force them to delete all data which was "breached" so they can't lose it again.
If they're unsure what data was lost, then allow anyone to have "their" data deleted.
Monitor the company to ensure compliance.
"hopefully"? Fat chance!
...just going to do a fraud alert. Do it with one of the big 3 and they notify the others to do it. Simple.
"Identity theft" is a complete sham. When some third party convinces someone to loan them money in your name, they have committed fraud and whoever handed them bags of cash without making sure they knew who they were dealing with is an idiot who cannot be trusted.
Any attempt to collect the money from you is a second fraud since there exists no evidence you took the loan (because you didn't). If any credit agency accepts a negative statement about your credit worthiness from such an untrustworthy idiot and then reports it to others, they are committing libel. That is, they are reporting these things with a reckless disregard for the truth. That would include Equifax. They certainly should know by now that identity fraud happens all the time, especially since they just facilitated it in a big way.
So, the town's most pernicious gossip has just helped the town's most pernicious frauds to make up new and better lies and as compensation offers to monitor their own pernicious gossip about you for up to a year before they start charging you money to fail to protect you from themselves and their two equally bad buddies.
But only if you agree to not sue them after they stalked you for your entire adult life and then told everything they know to the most crooked people in town.
you're wrong. My bank or water bill is not tied to that jewy shit at all.
I'm off the jew grid, unlike you slaves :)
The breach is bad, and it is likely there will be more. It is estimated that hackers stole over $400 BILLION last year. That is a lot of money to fund more hacking, further we have nation states sponsoring hacking, so the level and sophistication of hacking will only increase. I recognize that the "credit monitoring" agencies are a farce, however, there are legitimate options for cyber INSURANCE. You need to do your homework but those agencies can provide protection similar to auto or home insurance. For more info... http://commonsensehome.com/tag/computer-security/
Not trying to get you to buy anything - here is a pretty good list of what services are offered and if/how you can "DIY" the service. https://20somethingfinance.com/lifelock-review/
Keep safe out there, it will get worse before it gets better.
Not supposed to. SSN is supposed to only be for the IRS. Says so in the charter. Virginia used to use the SSN for their drivers ID. They were forced to change when the Feds went after them. Same thing should be for all the medical stuff.
If you are retired military get a new ID. They no longer have to use your SSN for any transactions including healthcare. I have a DoD ID number and a Benefits number for Tricare use on my ID card, no mention of a SSN. Had mine changed 3 years ago when my wife went to base to update her card.
Everyone is talking about credit card fraud & other banking issues. What about IRS tax fraud? Medical/insurance fraud? What other types of trouble can be caused with social security numbers and the rest of the info stolen? I think we need to be issued new social security numbers...
No, it absolutely was a "secret".
Initially, it was to be used for Social Security purposes and using it for any other business purpose was a violation of law.
I suspect, those laws are still on the books. Just (as many other things), general laziness on the part of the public has made it another security failure of compromise.