Ask Slashdot: What's a Practical Response To the Equifax Breach?
In response to the massive Equifax cybersecurity incident impacting approximately 143 million U.S. consumers -- making it possibly the worst leak of personal info ever -- Slashdot reader AdamStarks asks: What steps can the average Joe take to protect their identity? Accepting Equifax's help forfeits your right to sue; it's the same with applying for protection at TransUnion (not sure about Experian). Extra services at those companies also cost money, but that's putting even more of your data in their hands, and it's not clear whether the protection/help they provide is worth it (leaving aside not wanting to reward bad behavior).
CLASS ACTION!
Then I say they forfeit their right to live. Off with their heads!
The average person is not an Equifax top exec that was able to cash out before the news got out.
Class-action will only transfer additional costs on to the consumers.
I vote to shut it down, have the FTC or somebody step in, and force a direct payout to the consumers, bypassing all the fucking lawyers.
Don't waste your time or money on their monitoring "services", which don't do much. Instead, freeze your credit with each of the agencies.
Krebs' "Dumpster Fire" post on the Equifax debacle is worth reading.
https://krebsonsecurity.com/20...
The security freeze prevents anyone, even you, from opening a credit account or getting a loan in your name, including yourself, until you lift the freeze.
You never know about an identity theft until after the fact and weird bills start coming in. Basically you agree to a PIN number. No new loans can take place in your name unless the applicant knows the number.
It's close to free but there may be a few $10 fees depending on where you do it: https://www.transunion.com/cre...
The credit reputation agencies don't offer it by default because their business model is to sell you fraud alert monitoring services. Logically, if there's a freeze, there's nothing for them to monitor. This is the cheapest and best solution.
Second, stop giving Equifax your money.
Third, class action suit.
PS: Krebs on Security has a great piece that's now a few years old but shows why credit freezes are good and the other crap sold by Equifax and their peers are more or less useless in comparison: Transition and Experian promote have little value: https://krebsonsecurity.com/20...
---- The above post was generated by the Turing Institute. Maybe.
...don't respond to the breach by forcing users to go to a phishy-sounding "equifaxsecurity2017.com" web site (I've actually had phishing e-mails directing me to go to "paypal2017.com" and such). Worse, don't direct them to a THIRD site that doesn't even have a valid certificate, causing Chrome, Firefox and other browsers to scream "Dangerous and Deceptive Site!!!!" with a big red warning screen.
Lastly, don't force them to join your crappy credit monitoring site in order to find out if they are part of the breach... and thereby forcing them to renounce their ability to sue you.
The clueless executives need to be fired, and probably anybody on their IT staff with "security" in their title or job requirements.
Seriously, besides the waiving the right to participate in a class action lawsuit, which might net you a fucking nickel in a decade, you are fucked, and what's the response, sign up for security?
cause security obviously works
how bout you actually watch and keep up with your shit, like you should be doing anyway ... I dunno about you, but I am not so filthy rich that I don't keep track of what I buy, and check on the card (yes card not cards) at least once a week to make sure everything is as it should be
That sad story could be used to ask for political change.
There are countries where knowing someone's SSN is not enough to get credit on his behalf; why could US residents not enjoy similar protection by law?
Time to end the three credit reporting cartels and while we are at it end FICO.
CREDIT FREEZE
What steps can the average Joe take to protect their identity? Accepting Equifax's help forfeits your right to sue; it's the same with applying for protection at TransUnion (not sure about Experian). Extra services at those companies also cost money, but that's putting even more of your data in their hands, and it's not clear whether the protection/help they provide is worth it (leaving aside not wanting to reward bad behavior).
Here is a good guide on freezing your credit: http://clark.com/personal-fina...
There is no reason for the vast majority of people to leave their credit open. Seriously, most people apply for new credit maybe once every few years, if that. Leaving your credit open is simply asking for trouble.
As they say, an ounce of prevention is worth a pound of cure (or their SI equivalents if you don't like conventional weights and measures).
Basically everyone with a bank account or water bill is affected. This is an industry altering breach. There is no reason to believe you have any ability to do anything about it.
I am not being defeatist, this will cause necessary change in the entire industry.
Heavy fines from the FCC for such breaches no matter the cause, and/or impose standard operating procedures based on best practices.
Twinstiq, game news
A good response would be for laws that make companies that collect data financially responsible for misuse of that data. Either internal misuse or misuse through the information being leaked or stolen.
Then the companies would have a decision to make either collect the data and take effort to secure it, or don't collect the data.
There's absolutely no excuse that credit freezing / thawing should cost anything. Some states allow for fees while others don't.
Interesting how some things are under federal law and yet often those that can hurt consumers aren't. For example, many credit card issuers get around state usury laws by incorporating in South Dakota and doing business across state lines. For example, in Pennsylvania, a person can't charge more than 18% annual interest (may be lower). Yet, a credit card company that operates from abroad, despite conducting business in Pennsylvania, can. Charging interest rates as high as they want; 20% is common with some credit cards upwards of 36%.
Rambling on, but one can find numerous examples of legalized corruption. As for what the people can do, writing letters, etc to politicians representing their area and contacting the attorney general of their state may help influence legislation, though often little match against big money interests, who often write the laws.
If one wants more immediate compensation, they could max out their credit cards, not pay, and then work out a settlement for 25% - 50% or so off. One's credit scores will tank for awhile, but is a little way to get back at the system. More immediate than waiting for any class-action settlement that could take a decade or more to work its way through the courts and likely only pay out in coupons and maybe double-digit cash that might be enough to buy a value meal.
The government should issue everyone a new Social Security Number. And when they do so, they should add a digit so that we don't run out anytime soon (or start using a mix of letters and numbers). This is a great time to think about what a good replacement would be. For example, there could be a short form of the number that is sufficient for tax reporting, with four random additional digits that are used when applying for credit. If there is ever evidence of fraud, you would receive a new random four digits. (This would be a bit like having a credit freeze for everyone.) I'm sure other people will come up with new and interesting ideas.
Of course, this means changing all the financial software that has the SSN format hard-coded. I'm fine with that. It would be a bit like Y2K all over again for developers.
And make Equifax pay for the expense of issuing the new numbers (which probably means forcing it into bankruptcy, doing a new IPO, with the government receiving all the proceeds from the stock sale).
You mean this LifeLock?
The world's burning. Moped Jesus spotted on I50. Details at 11.
nice idea. you go ahead and try to get a data broker to actually delete stuff and not maintain a record on you. good luck with that.
Change your name to a base64 representation of some child porn, then send the feds after them?
I'm not a security guard. I'm a security monitor. I let people know when there's a robbery.
There's a robbery.
Nuke them from orbit. It's the only way to be sure.
The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
The SSN, passport number, or, for all practical intents and purposes any government issued number is NOT a secret. There are ways to get those numbers, be it through breaches like this one, or other means.
The SSN is not a Secret. It is just a number issued by the government to identify you more easily to the Social Security.
Again, the SSN is not a secret. Nurses, Doctors, Clerks see the number as a matter of routine...
Your passport number is not a secret. Clerks, security guards and border patrol agents, both in your country and abroad see it on a regular basis.
Driver license numbers are not a secret.....
ID Numbers (for countries which issue ID Cards) are not a secret....
You get the drift....
Maybe, just maybe, the Governments and companies will stop treating these numbers (be it the SSN in the USoA, the Cedula or DNI, or what have you) as a "Secret", and recognize that these are just ID numbers, not secrets, and we move towards a real secret when needed, in the form of, perhaps PIN+SmartCard, or some other mechanism.
I know, it is a loooooong shot, but dreaming is free....
*** Good luck to everyone and have a nice day!
Good luck with not being in that dataset. Just checked my against one of the other two today, and they have my checking account on file, and one loan from the same bank.
You don't freeze your cards, you freeze your credit at the 3 major shitholes - Trannyunion, Equifux, and Suxperian.
Let me delete my data... can't keep it safe, you can't keep it at all.
Once they lose 30% of their data they might start being a little more careful about their cash stream. I lied, I will let them keep one bit of data:
USER DELETED DATA DUE TO 9/7/whatever breach and make it non-derogatory in the FICO scores.
When I applied for a house loan, my credit report had 17 negative items on it that weren't mine. Several were from doctors, a hospital, a dentist, and for unpaid property taxes. I haven't been to a doctor since the army forced me to over thirty years ago. I don't own property so the unpaid property taxes were bogus. Wells Fargo denied my house loan, and I lost the property I had put a deposit on. I talked to a lawyer, and he laughed when I asked if I had a case against Experian. Apparently you can't hold them accountable for publishing bad information.
The best defense to the Equifax breach, as it is to all the other data breaches, is to:
1. NEVER EVER click on a link in an email. Type in the web address yourself.
2. Check your credit card statements religiously.
3. Keep your antivirus and anti-malware software up to date.
Really, aside from the fact that it's Equifax being penetrated, what's the big deal? I get free credit monitoring because my wireless provider T-Mobile was hacked. I get free credit monitoring from somebody else because the U.S. Office of Personnel Management got hacked, revealing EVERY detail of EVERY security clearance applied for in the last 20 years. I got free credit monitoring from somebody else because a credit card provider got hacked.
Get paranoid about security. Already paranoid? Are you paranoid ENOUGH? Then let it go and live your life.
And public lynching.
In my dream world I would have Congress make a law to have the credit reporting agencies, financial institutions, or any business holding certain types of information by default to place a freeze on exporting/sharing that information.
Something like this:
For example, if a company collects social security numbers or driver's license numbers, then that company must by law place a freeze by default on all accounts and ANY information in that file can only be revealed by the owner of the SSN giving specific permission.
No contract to do business will be allowed that makes data sharing a condition.
The data-sharing permission can only be asked for after a period of some time, say, 90 days, and the default will be to not grant permission.
If a business needs to pull a credit report in order to grant me credit, write an insurance policy, or whatever, then the reporting agency will have to find some way to allow me to do a one-time grant of access.
LOL, on what grounds? The DMCA?
My military serial number is my SSN. (It shouldn't be, and didn't USED to be, and it's illegal, but it's the government and who's going to prosecute them?) For years, in order to write a check at the Base Exchange, we were REQUIRED to have our serial numbers - our SSNs - printed or written on the check.
For all those companies that want to use the last 4 of your SSN as a security code - you can demand that they assign you a different number.
This is actually hilarious. Someone please try this and let us know the results.
Right, because Bitcoin is SUCH a safe alternative. How many Bitcoin exchanges have been shut down at this point because of embezzlement or money laundering schemes? I've lost count. At least your bank account is FDIC insured in the US... with Bitcoin you're basically screwed because it's largely unregulated.
Oh, and there is nothing wrong with the blockchain technology itself. It's a great idea, but many of the developers building on it seemed to have built some pretty half assed and insecure solutions so far.
And how exactly does a freeze help, if the next credit bureau hack obtains all those freeze PINs?
SSNs you can use in bulk. But even knowing a freeze PIN you still have to pay real money - either to unlock it temporarily, or for good. That makes it less likely attackers would make use of it.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
1) Freeze all three agencies
Or just freeze Equifax. If enough people do this, banks and lenders will have to take their business elsewhere.
Have gnu, will travel.
Accepting Equifax's help forfeits your right to sue;
Nope. New York's attorney general demanded they clarify the wording on this.
Stop reporting 143 million "customers" or "consumers" info was stolen. We are not their customers or consumers. We are their product and the victims.
Roll the dice. It's better than paying Danegeld to these guys to freeze your credit. Also, they want you to waive your right to class action. Hell no. I don't care if I don't get money from a CA. If CA lawyers can actually drive that PoS into BK, they deserve every cent they're paid. After that, we need to picket the appropriate government agencies; but fat chance of that actually working.
So roll the bones. It's the only practical "solution" even though it's not a real solution. In the event that ID theft actually robs you of a significant amount, do your best to hang it on these guys, not your own fault. Sue them independently for that, not as a member of a CA; but hurry because there will be a long line.
In an ideal world, the guys who sold their stock get perp walked and the company is shut down; but once again... fat chance. Come on, Trump, here's your chance to be Reaganesque. Remember back then? Guys actually got perp walked. It hasn't happened in way too long a time.
The fraudster just calls up and says they forgot the PIN. The credit agency then asks him/her information which only you should know to confirm identity, then lifts the freeze or resets the PIN. Still, it is (or was) the best way to protect your credit. Unfortunately, the information they use to confirm your identity is probably what's been stolen in this hack. So whoever stole it can lift any freeze you put on your credit.
When the class action suit is settled you may have to prove you used them, not them hunting you down.
I have the results from Equifax I got from annualcreditreport.com as PDFs.
PROJECT MAYHEM
Burn the company to the ground, tar-and-feather all the executives, secure-erase all their data. Nobody deserves the kind of power they have, and obviously can't control.
"Your loan application has been approved"
WARNING: Smartphones have side effects--most of them undocumented.
Fraudsters can assemble so much data, call the bank, ask for password reset and hijack an existing account. Before you can call back and fix the issue the money would be gone.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
The free market will not fix this situation because the people they collect the data on are unwilling customers for the credit reporting agencies. We have no choice to opt out let alone easily manage our data, and those who buy the credit scores (i.e. credit lenders) are not affected when there is a breach.
Usually, I'm not a fan of regulation, but this might warrant such. Trying to get better congressional visibility with a new petition:
https://www.change.org/p/rob-b...
tora
I put all my credit on credit freezes years ago. After numerous changes to Terms of Service which I did not have to agree to (because web site ..), the freezes were removed. The new terms allowed companies to charge me $10 or $15 for freezes with relatively short expiration dates.
New legislation should forbid companies from charging for security freezes or thaws if less than 3 each in a one year period.
New legislation should prohibit credit bureaus from including any arbitration or limits to sue for security breaches in their Terms of Service.
New legislation should mandate that companies include databases of consumer information as liabilities, not assets.
New legislation should require credit bureaus to have proof that all credit inquiries originated with a consumer request for credit, not indirect business opportunities (such as buying lists of consumers with x income, living in certain areas).
New legislation should require credit bureaus to notify consumers whenever someone tries to access your credit file for any reason.
New legislation should mandate that credit bureaus not pay any bonus and limit all compensation to any member of its board of directors to no more than $100,000/year in any year in which a breach is discovered. That will force the boards to sit around and talk security until they get it done.
Make it one piece of legislation called "The stop f'ing the consumer with credit dossiers we can market excessively law".
Not that I'd advocate this but...now would probably be the absolute perfect time for people to find someone who can perform 'identity theft' on themselves, and max out their credit cards and other avenues of seeking loans, using the data released from this breach - and then stuff the banks with the cost of this.
The magic formula is L = 1,260 / W.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
>> Accepting Equifax's help forfeits your right to sue
I can't believe that this is true. It may say that in the agreement but I seriously doubt that it's actually legal.
This question is key to resolving this and other issues with personal data hoarders.
If personal data is owned by the person, then maybe it is copyrightable.
If you own the copyright on your personal data, then you could conceivably issue a DMCA "Takedown Notice" to all the credit reporting agencies.
This would wipe your credit file (Which has distinct disadvantages as you would no longer have a credit record). If you avoid financing things, then maybe this would work out just fine.
If Equifax was holding toxic waste, and they failed to keep it secure and some of it leaked into the environment, what would our response be?
If they can't responsibly hold information secure, then take that information away from them.
Force them to delete all data which was "breached" so they can't lose it again.
If they're unsure what data was lost, then allow anyone to have "their" data deleted.
Monitor the company to ensure compliance.
Indeed. And even with owning land, homes, and cars we can't trust the govt stealing those from us too under civil asset forfeiture law.
...just going to do a fraud alert. Do it with one of the big 3 and they notify the others to do it. Simple.
"Identity theft" is a complete sham. When some third party convinces someone to loan them money in your name, they have committed fraud and whoever handed them bags of cash without making sure they knew who they were dealing with is an idiot who cannot be trusted.
Any attempt to collect the money from you is a second fraud since there exists no evidence you took the loan (because you didn't). If any credit agency accepts a negative statement about your credit worthiness from such an untrustworthy idiot and then reports it to others, they are committing libel. That is, they are reporting these things with a reckless disregard for the truth. That would include Equifax. They certainly should know by now that identity fraud happens all the time, especially since they just facilitated it in a big way.
So, the town's most pernicious gossip has just helped the town's most pernicious frauds to make up new and better lies and as compensation offers to monitor their own pernicious gossip about you for up to a year before they start charging you money to fail to protect you from themselves and their two equally bad buddies.
But only if you agree to not sue them after they stalked you for your entire adult life and then told everything they know to the most crooked people in town.
FDIC has protected all relevant checking and savings accounts since its founding. Why are you trying to claim otherwise?
When it can, the FDIC does try to pressure other banks to buy up a failed bank, and have the bank making the purchase make good the accounts. If that doesn't work, the FDIC pays.
Contribute to civilization: ari.aynrand.org/donate
Not supposed to. SSN is supposed to only be for the IRS. Says so in the charter. Virginia used to use the SSN for their drivers ID. They were forced to change when the Feds went after them. Same thing should be for all the medical stuff.