Looks like Equifax was breached

[Fermion]

The equifax pin is a joke. It is just the month/day/year you freeze your credit plus the time in hours and minutes.

So if you were to post you froze your credit today, I know a large portion of your pin already.

09122017

If you really said I just locked my credit a minute ago, I would then know your pin is something like 0912201710xx

It is no wonder they got hacked.

[explanade]

I don't know what law allowed these bureaus to collect personal data in the first place.

Maybe in the fine print when we apply for loans, open cell phone accounts, they get to send our data to the bureaus.

Clearly the bureaus have no laws governing them to protect that data. It sounds like Equifax took short cuts in IT and data security measures.

Now Equifax may get sued out of existence. Lawyers make money and consumers are still vulnerable.

My understanding is that in the U.K. and perhaps in other countries, private companies are not allowed to use govt-issued IDs or papers of any kind like the banks do with SSNs, which were created in the 1930s with no conception of an online world rife with cyber crime.

Maybe the Congress should be looking at a new ID system, which would be more modern and secure. Perhaps a system which would generate tokens or one-time use numbers that companies wouldn't store (or if they did it wouldn't do them any good as the numbers would no longer be valid).

But maybe the identity theft problem isn't big enough yet for people to demand changes. So the thieves know credit card numbers and have the data to apply for new cards under your name. But the banks issuing the credit cards shield you from liability for fraudulent transactions.

[Sunset]

Equifax generally spends about $500,000 -> $1M per year lobbying (bribing?) Congress to WEAKEN the laws around storing/notifying you about your information being hacked/lost/mis-used etc....

Equifax lobbied for more lax regulations ahead of massive data breach - MarketWatch

They want the freedom to be careless.

[Wheel]

https://www.transunion.com/corporate...ityFreeze.page

Does not give me much confidence when TransUnion can't even spell "Security" properly...

[Blue Collar Guy]

Quote:

Originally Posted by Fermion The equifax pin is a joke. It is just the month/day/year you freeze your credit plus the time in hours and minutes. So if you were to post you froze your credit today, I know a large portion of your pin already. 09122017 If you really said I just locked my credit a minute ago, I would then know your pin is something like 0912201710xx It is no wonder they got hacked.

Wow, +1

[Gotadimple]

Dirk Cotton write a retirement blog. Here is his comprehensive article on freezing your credit. He suggest 4 bureaus. See the article dated September 11.
The Retirement Café

[GrayHare]

Understandably, freezing requires you provide a bunch of personal information, some of which the freezing agency may not already have. That means you are giving out still more personal information that can be stolen.

It's difficult to know the best security approach because the amount of risk is unknown. For example, if a person does not freeze, is there an 80% chance that person will lose, oh, $10,000 during the next 10 years? Or is that risk 99%? Or 1%? I have no idea. How much does that risk change by freezing? Might freezing actually increase the risk because the process exposes more private information? Additionally, unfreeze PINs can be hacked and stolen just like any other data.

[Chuckanut]

Quote:

Originally Posted by Fermion The equifax pin is a joke. It is just the month/day/year you freeze your credit plus the time in hours and minutes. So if you were to post you froze your credit today, I know a large portion of your pin already. 09122017 If you really said I just locked my credit a minute ago, I would then know your pin is something like 0912201710xx It is no wonder they got hacked.

Good grief! I checked and it's true.

You can't make this stuff up!!

[easysurfer]

In that case, I'm announcing that I froze my credit with Equifax at the turn of the century. That's the turn from 18th to 19th century .

[GrayHare]

A breach on the scale of the Equifax one was far less likely around 1990 in large part because the companies were not connected to the Internet. The credit system still functioned then, though perhaps a bit more slowly. For security it might be time to return to that approach. No customer data online.

[imoldernu]

Hmmmm... square one. The security starts with the credit card company.

Is there any earthly reason why they should not be responsible for any loss, rather than the customer?

This Mother Jones short article makes sense to me. Even the current legislation pending for the CFPB keeps open the benefits to the companies.

Here’s Why I Hate Credit Reporting Agencies — And Why You Should Too – Mother Jones

Most here are too young to remember the time when credit cards didn't exist. I was working as a manager for Sear Roebuck at time... 1959, in a Catalog Store in Chelsea Mass. As with all other stores, the accounts were held on ledger cards, in files in each store. The Credit manager and store manager in each store was responsible for the the decision to offer credit, and credit limits were based on the type of merchandise the customer was buying... ie. a washer or a refrigerator had a higher limited than clothing, since they could be repossessed. Where credit was questionable, it was incumbent on the person seeking the credit to offer references... banks, car dealers, other local merchants, who we mutually shared credit experience with. An interactive relatively local system that was more common at the time.

While BankAmericard test marketed what we now know as credit cards is 1958, the Sears Revolving Charge (much later to become Discover) was introduced nationally in late 1959, and was the first widely used credit card at that time In effect the broad based "time payment" "ledger" accounts that were held in thousands of Sears stores across the country, provided the "ratings" basis for issuing the SRC accounts.

I recall vividly the panic of my own credit manager at the time, as she thought her years of service would be lost when her job was eliminated (which it wasn't), and she would not receive her highly valued Sears Profit Sharing plan.

(sigh) how did I get to this?

[Chuckanut]

Ugh, it's worse than we thought....

Using Time and Date limits the numbers that each position of the Pin can hold, thus reducing the total combinations possible.

Worse, computer systems love to date and time various transactions. So, if there is a date-time stamp created when your pin was created.... Not so good.

https://nakedsecurity.sophos.com/201...files-at-risk/

Quote:

Because of the way the PIN-generating algorithm works, any timestamped logs of your activity on the Equifax systems that are related to your freeze (computers tend to generate a lot of timestamped logs) are effectively improperly secured copies of your PIN. In other words, any PIN that’s generated like this just isn’t a PIN.

[bjorn2bwild]

According to the Sept. 11 update -

Quote:

1) Adjusted our PIN Generation for Security Freezes We understand and appreciate that consumers have questions about how a PIN is currently generated for a consumer initiating an Equifax security freeze solution. All consumers placing a security freeze will be provided a randomly generated PIN.

https://www.equifaxsecurity2017.com/

Also, this (don't know if this means free for thirty days, or for a thirty day window you can freeze at no cost) -
P.S. The tweet - looks like the freeze fee is waived for the next 30 days -

https://twitter.com/Equifax/status/907382924621819906

Quote:

In response to public outrage over its ongoing bungled response, Equifax stated on Twitter that it will waive credit freeze fees for 30 days.

https://techcrunch.com/2017/09/12/wi...t-freeze-fees/

[Huston55]

Quote:

Originally Posted by GrayHare Biometrics are coming, folks, solely because they will make everyone perfectly safe.

Fidelity is already using biometrics with voiceprint identification, in addition to 2-factor ID.

They also offer this guarantee, which is very reassuring.

Fidelity Customer Protection Guarantee
We're proud of the trust you place in Fidelity and want to ensure that you have peace of mind when doing business with us. That's why we offer this guarantee: We will reimburse you for any financial losses that result from unauthorized activity on your accounts.

[samclem]

I'm now over all my previous naive concerns about privacy and intrusiveness. They have beaten me down-- the crooks and the "helpful" IT security people. My cranial RAM has no room for more passwords and I'm fed up with the security hoops. I'm now ready to have the RFID chip inserted in my neck. I welcome it. Peace at last.

Quote:

"I love Big Brother." - Winston Smith

[MRG]

Quote:

Originally Posted by samclem I'm now over all my previous naive concerns about privacy and intrusiveness. They have beaten me down-- the crooks and the "helpful" IT security people. My cranial RAM has no room for more passwords and I'm fed up with the security hoops. I'm now ready to have the RFID chip inserted in my neck. I welcome it. Peace at last.

I luv you too!


One thing that's surprising to me is our focus on someone impersonating us through the application's front end. Most thefts are internal actors. I spent decades in the industry around security and audit and someone acting as me, through the application is my last concern.

I'm much more afraid of a data dump giving someone enough data to perform a wire from the system of record to a foreign bank. Never even logging on to the system of record. Course I'm often wrong.

[samclem]

Quote:

Originally Posted by MRG I luv you too!.

Nuthin personal. But when someone thinks they are enhancing security by requiring passwords that are 16 characters, must be changed every 90 days, can't be too similar to any previous one, can't use 'keyboard geography" ttoo extensively, etc, etc, screen locks after 2 minutes of no activiyy, etc.then they just aren't using their heads. I'll bet 10% of the passwords in some of the most "secure" offices in the world can now be found on Post-it notes on the back of the mouse pads or keyboards. Sure, it is against the rules, but these people are just trying to do their jobs.
Maybe this should be in the pet peeve thread. Sorry.

[flintnational]

Quote:

Originally Posted by samclem I'm now over all my previous naive concerns about privacy and intrusiveness. They have beaten me down-- the crooks and the "helpful" IT security people. My cranial RAM has no room for more passwords and I'm fed up with the security hoops. I'm now ready to have the RFID chip inserted in my neck. I welcome it. Peace at last.

[easysurfer]

Quote:

Originally Posted by easysurfer Okay, so I click on the EquiFax link to check if my info was compromised. Firefox flags the site a phishing and deceptive. I don't think the site is phishing since in the news. But still... . Checked and got the result of, as Maury Povich says, "I am NOT the father". In other words, looks like not impacted .

Read where the "check if impacted" message is a bit clearer on their website, so I went ahead and checked again. Looks like I am impacted after all . Folks who thought were all clear before when the initial news broke might want to check again.

At least now I have a class action lawsuit or two to look forward to .

[MRG]

Quote:

Originally Posted by samclem Nuthin personal. But when someone thinks they are enhancing security by requiring passwords that are 16 characters, must be changed every 90 days, can't be too similar to any previous one, can't use 'keyboard geography" ttoo extensively, etc, etc, screen locks after 2 minutes of no activiyy, etc.then they just aren't using their heads. I'll bet 10% of the passwords in some of the most "secure" offices in the world can now be found on Post-it notes on the back of the mouse pads or keyboards. Sure, it is against the rules, but these people are just trying to do their jobs. Maybe this should be in the pet peeve thread. Sorry.

We're actually saying the same things! Sorry for the confusion. My last 5 years I had all the silly password rules and a 6 digit RSA pin that expired every 30 seconds.