Slashdot Mirror


Equifax Breach Provokes Calls For Serious Data Protection Reforms (wired.com)

Equifax's data breach was colossal -- but what should happen next? The Guardian writes: The problem is that companies like Equifax are able to accumulate -- essentially, without limit -- as much sensitive, personal data as they can get their hands on. There is an urgent need for strict regulations on what types of data companies can collect and how much data a company can possess, both in aggregate and about individuals. At the very least, this will lessen the severity and size of (inevitable) data breaches... Without putting hard limits on the data capitalists who extract and exploit our personal information, they will continue to reap the benefit while we bear the risks.
Marc Rotenberg, president of the Electronic Privacy Information Center, adds, "we need to penalize companies that collect SSNs but can't protect [them]." Wired reports: Experts across numerous privacy and security fields agree that the solution to the over-collection and over-use of SSNs isn't one particular replacement, but a diverse array of authentications like individual codes (similar to passwords), biometrics, and even physical tokens to create more variation in the ID process. Some also argue that the government likely won't be the driving force behind the shift. "We have a government that works at a glacial pace in the best of times," says Brenda Sharton, who chairs the Privacy & Cybersecurity practice at the Goodwin law firm, which has worked on data privacy breach investigations since the early 2000s. "There will reach a point where SSN [exposure] becomes untenable. And it may push us in the direction of having companies require multi-factor authentication."
Meanwhile TechCrunch argues, "This crass, callow, and lazy treatment of our digital data cannot stand...": We must create new, secure methods for cryptographically securing our data... These old organizations -- Equifax was founded in 1899 and hasn't changed much since inception -- must die, to be replaced by solutions that (and I shudder to say this) are blockchain-based.


  1. Mandate that SSNs are not proof of identity by Anonymous Coward · · Score: 5, Insightful

    An SSN is a good primary key in a database because each SSN should correspond to a unique person. It's a terrible way, however, for proof of identity. We essentially use it as a username, but also as a password, and a password that you're unable to change. Furthermore, by law, you have to provide it to banks and some other institutions to use their services. You need to share your SSN with your employer in order to get paid for your job. And you have to trust that none of these entities will mishandle your SSN.

    How about using the SSN for the primary key it is and doing away with it altogether for proof of identity. Mandate that financial institutions use other proof of identity such as one time use passwords and public key encryption. Devalue the SSN and, at the same time, replace it with a secure means to prove identity. The government does have a role, because they can and do regulate entities like financial institutions.

    1. Re:Mandate that SSNs are not proof of identity by Gim+Tom · · Score: 2

      The card says it is not to be used for identification. Which is now a joke. Maybe they should just publish everyone's SSN and loose the dogs of war er Law on those that do use it for ID.

      Being an old codger going back to the days of big iron and wide green bar printouts I can remember when old printouts with full SSN, NAME, ADDRESS and other information that is now considered sensitive was freely available for anyone to take home for their kids to color on. We even used the back at work to sketch out program and process flows. Some lawyer should be able to milk the use of SSN's for granting credit for some number of gigabucks to discourage such use.

    2. Re: Mandate that SSNs are not proof of identity by Monster_user · · Score: 2

      Nobody will remember the actual primary key, but everybody has to remember their SSN. So for looking up a record, it is the primary field to locate that record. Given it is as unique as the primary key, it is essentially the human readable version/alternative for the primary key.

    3. Re:Mandate that SSNs are not proof of identity by anegg · · Score: 5, Insightful

      Using an SSN (or other nationally valid identifier) for "identity" is one thing; using it as *proof* of identity (i.e., as an authenticator) is another. Any business using an SSN as an authenticator and trying to hang a debt around the neck of the person identified by the SSN should be laughed out of court.

      The burden should not be on the shoulders of the "identity theft" victim to prove the negative (that they did not get the goods/services the creditor is claiming that they got), but rather on the shoulders of the creditor, to prove to just whom they gave those goods and services. As soon as that is recognized in law, I think a lot of the "identity theft" problems will go away. It may be harder to obtain goods and services on credit, however.

    4. Re: Mandate that SSNs are not proof of identity by ls671 · · Score: 2

      And that's the problem; it is human readable and meaningful. Granted, you will have to look up the primary key given an SSN in the protected table or database:

      SSN -> primary key

      Primary key is something like: bd3b546d7136432218858eff

      Then search for that primary key (foreign key) in other tables.

      That's exactly what we have to do in our applications. It is a little less convenient but security sometimes conflicts with "human readable".

      Bonus: developers that have access to prod data do not need access to the SSN for most tasks.

      Using SSN or other meaningful data as a primary key is bad security-wise.

      --
      Everything I write is lies, read between the lines.
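
The SSN-to-surrogate-key layout ls671 describes, as an added Go example that is not code from the thread. It goes one step beyond the comment by indexing the protected table on a keyed HMAC of the SSN rather than on the SSN itself; maps stand in for database tables, and `Vault`, `Account`, the key and the SSNs are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Vault is the protected table. It maps HMAC(SSN) -> opaque person ID, so even
// its own rows hold no readable SSN (the HMAC step is an assumption added here).
type Vault struct {
	hmacKey []byte            // secret held only by the vault service
	ids     map[string]string // hex HMAC of SSN -> person ID
}

func NewVault(hmacKey []byte) *Vault { return &Vault{hmacKey, map[string]string{}} }

// blindIndex normalizes the SSN and returns its keyed digest. The key matters:
// there are only 10^9 possible SSNs, so a plain hash is reversible by enumeration.
func (v *Vault) blindIndex(ssn string) (string, error) {
	digits := strings.NewReplacer("-", "", " ", "").Replace(ssn)
	if len(digits) != 9 || strings.Trim(digits, "0123456789") != "" {
		return "", fmt.Errorf("not a 9-digit SSN")
	}
	mac := hmac.New(sha256.New, v.hmacKey)
	mac.Write([]byte(digits))
	return hex.EncodeToString(mac.Sum(nil)), nil
}

// PersonID returns the ID already assigned to an SSN, or mints a random 96-bit one.
func (v *Vault) PersonID(ssn string) (string, error) {
	idx, err := v.blindIndex(ssn)
	if err != nil {
		return "", err
	}
	if id, ok := v.ids[idx]; ok {
		return id, nil
	}
	raw := make([]byte, 12)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	v.ids[idx] = hex.EncodeToString(raw)
	return v.ids[idx], nil
}

// Account is an application-table row: it carries the person ID, never the SSN.
type Account struct{ PersonID, Product string }

// AccountsFor is the foreign-key lookup developers run; it needs no vault access.
func AccountsFor(rows []Account, personID string) (out []Account) {
	for _, r := range rows {
		if r.PersonID == personID {
			out = append(out, r)
		}
	}
	return out
}

func main() {
	v := NewVault([]byte("constructed-demo-key")) // constructed key, not a real secret
	id, _ := v.PersonID("000-12-3456")            // constructed SSN; area 000 is never issued
	rows := []Account{{id, "mortgage"}, {"ffffffffffffffffffffffff", "card"}}
	fmt.Println(id, AccountsFor(rows, id))
}
```
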
    5. Re:Mandate that SSNs are not proof of identity by msauve · · Score: 2

      "Sure. make SSN a unique key but using it as a primary key is always a bad idea."

      It's a perfectly fine key - for the US Social Security system. The issue is all the lazy-ass leeches who want to use it for anything else. Credit and medical industries being major violators.

      I haven't given my SSN to anyone who's not deducting SS from a payroll payment for about 30 years. On very rare occasion, I'll use the "last 4" for some things, but unless I'm being paid and they're adding to my SS account, that's all they get. That includes credit cards, mortgages, insurance, cell phone and other utilities - I've given it to none of them.

      And, when a previous employer gave it to an insurance company without my permission, I filed a formal ethics complaint for disclosing personal info unnecessarily. Didn't go anywhere. They were clueless and blew it off, but they don't exist anymore and I'm still around.

      Obamacare requires a Taxpayer ID, which is usually but not always an individual's SSN. One of the reasons it should be repealed.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law

    6. Re:Mandate that SSNs are not proof of identity by fustakrakich · · Score: 2

      The government does have a role, because they can and do regulate entities like financial institutions.

      You're wagging the dog. Financial institutions regulate the government.

      --
      “He’s not deformed, he’s just drunk!”

    7. Re:Mandate that SSNs are not proof of identity by AmiMoJo · · Score: 2

      Around here it is already the law that the company claiming you owe them has to prove that the debt exists. Unfortunately it doesn't always help.

      I had some company contact me with a debt I didn't recognize about a decade ago. I asked them to send me some proof, like a signed agreement, which obviously there is no way they could have. So they know that if they ever try to go to court they are screwed and will be laughed out, but it doesn't stop them sending me a letter every few months offering me some crappy deal on repayment.

      Worse still, if I had not responded it seems that a lot of companies try going to court on the off chance that the defendant doesn't turn up. If they consistently get no response they often chance it and try to get a default judgement, and the courts don't even bother to do basic checks like seeing if they have a valid signature (how could they?)

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

    8. Re:Mandate that SSNs are not proof of identity by bluefoxlucid · · Score: 3, Interesting

      The correct answer is to use UAF or U2F. The U2F keys all have UAF capability.

      You walk into a bank, present your ID (driver's license, etc.), and they can see it's you. Online, you tell them what car you had in 1999, where you lived 6 years ago, and which bank holds a current loan. One of these is stronger than the other.

      So what you do, you walk into a bank, present your ID, and then you take a brand-new, personally-owned, $20 security key to their terminal. You plug it in or wave it at the NFC, and it sends separate keys to Equifax, TransUnion, etc. Done. You now have an established trust with the credit reporting agency.

      When you open a new credit account, the bank checks the CRA for your history. If you have a hold on your credit, the CRA tells them no loans. Same deal: when the bank talks to the CRA, the CRA sends a challenge; you use your security key to digitally sign the response, proving your physical possession of the correct key, thus your identity. Generally this is RSA or elliptical curve; and the devices are non-cloneable.

      Lost your key? Call your bank and tell them. They'll put your trusts on hold with the CRA. You show up with ID and your key to re-establish trust. In the meantime, it's impossible to open a new loan account.

      People can't hack the CRA or the bank and steal your identity to open new loans in your name if there's no shared secret to steal. You have the only secret; you can prove you have that secret; and you can prove it without revealing the secret. An adversary can only steal the secret by stealing a physical device; and they use secure hardware that resists physical and logical attack, so cloning is destructive at best, and destructive attacks tend to completely-fail on these devices.

      That's the solution. It's the cheapest, most-effective, simplest option available today.
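
The enroll, challenge and sign flow bluefoxlucid describes, as an added Go example that is not code from the thread and not the U2F wire protocol. ECDSA P-256 from the standard library stands in for the hardware token, and `SecurityKey`, `CreditFile` and `cra.example` are hypothetical names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

type SecurityKey map[string]*ecdsa.PrivateKey // the token: one private key per agency

// Register makes a fresh key pair for one agency and returns only the public half.
func (s SecurityKey) Register(agency string) (*ecdsa.PublicKey, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	s[agency] = k
	return &k.PublicKey, nil
}

// Sign answers a challenge; the agency name is hashed in with the nonce.
func (s SecurityKey) Sign(agency string, nonce []byte) ([]byte, error) {
	if s[agency] == nil {
		return nil, fmt.Errorf("no key registered for %s", agency)
	}
	d := sha256.Sum256(append([]byte(agency+"\x00"), nonce...))
	return ecdsa.SignASN1(rand.Reader, s[agency], d[:])
}

// CreditFile is one consumer's record at one agency. It stores a public key only.
type CreditFile struct {
	Agency string
	pub    *ecdsa.PublicKey // enrolled at the bank terminal after the ID check
	nonce  []byte           // outstanding challenge
}

func (f *CreditFile) Enroll(pub *ecdsa.PublicKey) { f.pub = pub }
func (f *CreditFile) Hold() { f.pub, f.nonce = nil, nil } // "lost my key": suspend trust

// Challenge issues a fresh random nonce when a lender asks to open an account.
func (f *CreditFile) Challenge() ([]byte, error) {
	if f.pub == nil {
		return nil, fmt.Errorf("no active trust at %s", f.Agency)
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	f.nonce = nonce
	return nonce, nil
}

// Approve verifies the signature over the pending nonce.
func (f *CreditFile) Approve(sig []byte) bool {
	defer func() { f.nonce = nil }() // a nonce is good for one attempt only
	d := sha256.Sum256(append([]byte(f.Agency+"\x00"), f.nonce...))
	return f.nonce != nil && f.pub != nil && ecdsa.VerifyASN1(f.pub, d[:], sig)
}

func main() {
	key, file := SecurityKey{}, &CreditFile{Agency: "cra.example"}
	pub, _ := key.Register(file.Agency)
	file.Enroll(pub)
	nonce, _ := file.Challenge()
	sig, _ := key.Sign(file.Agency, nonce)
	fmt.Println("genuine:", file.Approve(sig), "replay:", file.Approve(sig))
}
```

The agency side holds nothing that lets a thief sign: a breach of `CreditFile` records yields public keys and spent nonces only.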

  2. Bad tech journalism must die by geekpowa · · Score: 4, Insightful

    These old organizations -- Equifax was founded in 1899 and hasn't changed much since inception -- must die, to be replaced by solutions that (and I shudder to say this) are blockchain-based.

    About as insightful as the apper guy. Blockchain magic fixes everything. Also, since when was the age of a company a good predictor of an internal cowboy culture?

  3. as they say, "let the free market decide" by supernova87a · · Score: 5, Interesting

    I have a very simple solution for policymakers to implement:

    - Name + phone hacked = $2 penalty
    - Name + address hacked = $3 penalty
    - Name + SSN hacked = $5 penalty
    - etc., and combinations of the above, just multiply.

    Things would get fixed right quick.

    1. Re: as they say, "let the free market decide" by He+Who+Has+No+Name · · Score: 4, Insightful

      The free market has decided that since losing your PII to hackers effectively costs them nothing, they're going to keep cutting costs on data security.

      The free market does not prioritize the best interests of customers. It prioritizes profits. If repeatedly fucking over customers or allowing others to do so is profitable - and right now it is - then customers are going to need copious lube and ice for their buttholes for the indeterminate future.

  4. In other news... by sgage · · Score: 4, Funny

    ... horse escapes from wide-open barn! Farmer encouraged to shut the f-ing door!

    Bright godz, what a mess...

    1. Re: In other news... by Anonymous Coward · · Score: 5, Funny

      A large number of horses escape from a rented stable where the door was left wide open. To determine if your horse was lost, you must place another horse in the stable and agree to a binding arbitration clause regarding the loss of the new + original horse.

  5. Re:The ultimate ban hammer. by sgage · · Score: 5, Informative

    I'll believe that corporations are people when I see one executed. As the saying goes.

  6. Three executives dump shares by 140Mandak262Jamuna · · Score: 2

    Regulatory filings show the three Equifax executives — Chief Financial Officer John Gamble, U.S. Information Solutions President Joseph Loughran and Workforce Solutions President Rodolfo Ploder — completed stock sales on Aug. 1 and 2.

    Wait, that guy is named John Gamble? and he is the damned CEO?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact

    1. Re:Three executives dump shares by Krishnoid · · Score: 2

      We obviously need someone who can provide checks and oversight on his leadership. Someone so strongly invested in such a process that it would similarly be reflected in their own last name.

  7. Cost to Profit Ratio Too Low by IonOtter · · Score: 2

    Right now, it's in the best interests of the corporation to allow the details to be stolen.

    Assuming the customer even catches the theft, they're still responsible for the first $50 dollars. And if the company chooses to dispute the customer's claim, they might get more than that.

    The seller and processor all file claims with their insurance company, and get their money back.

    In short, everyone but the victim wins.

    Until that changes, this will continue to happen.

    --
    [End Of Line]

    1. Re:Cost to Profit Ratio Too Low by ichimunki · · Score: 2

      Really? The insurance company just pays out all the time and never denies a claim coming from a seller or processor? And they never raise the rates on the policy? Does the insurance company have a magic goose out back or something?

      --
      I do not have a signature

  8. innocent until proven guilty by at10u8 · · Score: 5, Interesting

    Penalties are aiming in the wrong direction because leaks will continue to happen. Better to change finance law so that the victim is presumed innocent until proven guilty. A victim should not be penalized. Rather, the lender who fails to perform due diligence and verify identity before extending credit should lose. That would be a powerful motivation for the finance industry to adopt new techniques that minimize their risk of losing.

  9. Account hijack is a bigger threat by 140Mandak262Jamuna · · Score: 5, Insightful

    Freezing credit lines does squat to stop the identity thieves from hijacking your accounts. They got social security number, driver license number and dates of birth.

    In no place should this be considered "credentials". But the US financial institutions pretend these are secret passwords.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact

  10. Fundamental principles of personal data by shanen · · Score: 4, Insightful

    (1) We should have control over our personal information, and no one should be allowed to collect it, sell it, and most importantly, use it against us or to manipulate us without our knowledge. I think that must start with the right to control WHERE that personal knowledge is stored (because possession is still 9 points of the law).

    (2) Those parts of our personal information that have become public should be visible to ALL of the public. As it might apply in an improved Slashdot, I would thus be able to use that public information to save time by ignoring people with low reputations. No insult intended [to the authors of rather mindless comments on today's Slashdot?], but I'd prefer to spend as much time as possible consorting with people who are nicer and smarter than I am and zero time (or less) being distracted by trolls.

    (3) I'd be willing to help pay for such systems, both in terms of development and ongoing costs.

    Feeling like a broken record stuck on an old joke, but lots of detailed suggestions available upon polite request. Even nicer if you have some better ideas, but if you have nothing to say, then why don't you say nothing?

    --
    Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.

  11. From the No Shit Sherlock Institution by Snotnose · · Score: 2

    A) Equifax gets sued out of existence
    B) The Equifax Security Cxx is held personally liable, and faces serious prison time
    C) The other Cxx's are held personally liable, and get to eat based on how many cans they can dig out of trash dumpsters.

    Until something like this happens you and I are fucked, while the 1% glide along with no problem.

  12. High tech solutions by manu0601 · · Score: 3, Insightful

    It is weird to see proposals to introduce high tech solutions to fix the reliance on SSN: cryptography, biometry... All those solutions will have flaws.

    Another option could be to look at the numerous other countries in the world, where knowing your SSN has never been enough to get a credit on your behalf, or to sell your house.

  13. Solution by thisisauniqueid · · Score: 5, Informative

    SSNs, birthdates and associated names should all be considered public knowledge, since none of them are revokable (or realistically revokable, in the case of SSNs and names). Relying on an SSN and/or birthdate as a password is madness.

    1. Re:Solution by AtomicSymphonic · · Score: 5, Informative

      Until our country's people come around to the idea of a secure National ID card, SSNs and passwords are all American industries are gonna get.

      It's still politically toxic for the American right-wing to even consider national ID. The solution is political. No amount of superior "wizz-bang" super-duper innovations in security such as blockchain will get these people off their seats. They're perfectly content extracting money from the corporation that lost their data and not much else.

      They don't want "big brother" to know who they are, except they already have a passport and a birth certificate...

  14. Encourage Simple Gov Regulation by Tora · · Score: 4, Insightful

    Regulation can be dangerous, but it seems this is a situation where it is called for: when a citizen's liberty is being trampled; and the Equifax breach will trample on people's liberty for decades to come – yet they are offering a pittance of one year's credit monitoring as if this will help for a lifetime of damage. Perhaps the EU's GDPR takes things a bit too far for the USA, but it can be used as a reference point, and we need something in our citizen's rights to their own identity in this modern world.

    There are many technical solutions available, but out the gate, it seems like we should be seeking some greater level of culpability on behalf of those holding this data, perhaps even considering the GDPR in context. We can at least ask that of our government. A petition has been started to at least raise visibility of this to congress. Start the dialog at the right levels, and hope it will not get steamrolled by lobbyists.

    --
    tora

  15. Witness the power of this fully functional lobby by hwstar · · Score: 3, Interesting

    Nothing will happen at the federal level right away because of this.

    The banks are too powerful. These are the same guys who pushed binding arbitration in consumer contracts of adhesion.

    States will need to take the initiative first. Let's hope that the banks don't have the power to pass a federal law to preempt the flurry of state laws which will come out of this.

    Death by a thousand cuts at the state level might prompt a 'watered down' federal update to the Federal Credit Reporting Act, but it will end up pre-empting any state laws with a decent set of teeth.

    Sometimes I worry about the rule of law and equal protection under the law in the US. If the banking cartel can rip off everyone by sidestepping the rule of law with binding arbitration, why can't a sniper take out a banker or two?

  16. Re:Donald Trump playbook by lucm · · Score: 2, Interesting

    When anyone accuses you of something you accuse them of it 10x.

    It's easier when your adversary is a corrupt, thieving, lying piece of garbage. At this point I'm starting to wonder about the real involvement of the Russians in the election; if they are indeed smart as chess players, maybe what they did was make sure that the Democrats picked the worst possible candidate instead of the guy that clearly embodies the real liberal values.

    But when it comes to Equifax, this comparison hardly applies because Equifax are not evil, they're merely incompetent, and have been for a long time. They're just like Diebold (the makers of those hilarious MS-Access based voting machines); once you start scratching the surface you just can't help but freak out when you realize how fucking retarded they are.

    --
    lucm, indeed.

  17. Re:Big targets, big money, relentless attackers by lucm · · Score: 4, Insightful

    It's not a matter of increased security, it's simply a matter of following known best practices and being diligent in applying patches and hotfixes.

    Equifax are complete morons. Last year they settled a lawsuit because of another security "breach": someone figured out that customers could log in using a PIN made of the last 4 digits of their SSN and the 4 digits of their birth year. We're not talking about military-grade security being defeated by a criminal mastermind. Those guys are complete and absolute incompetents.

    They could fix their entire set of weaknesses and prevent further exploits by reading the bullet points of a CISSP tutorial and following them. That's all there is to it.

    --
    lucm, indeed.

  18. Re: The ultimate ban hammer. by Reverend+Green · · Score: 2

    Hahahahahahahaha!

    So you wanna keep a couple hundred million dollars in a Somali bank? Oh my brother, have I got a great deal for you on a slightly used bridge...

  19. Re:Donald Trump playbook by NicknameUnavailable · · Score: 2

    But when it comes to Equifax, this comparison hardly applies because Equifax are not evil, they're merely incompetent

    Are you joking? They were the datamining scum-of-the-earth bastards before Silicon Valley even invented the term for it. Their entire business is founded upon the notion of putting people into indentured servitude via debt.