Storm coming and nobody is worried.

...
Sorry for the rant, but it seems nobody is listening. I feel helpless that all of our dollars are digital and will be so easily hacked.

...
From past posts I think you are a smart guy and have taken several precautions. Is this just free floating anxiety? I can sympathize with that feeling but the rational side of me says that I've taken much better than average precautions like mentioned above ... credit freezes, 2 factor authentication, pretty secure computer, etc. That's the only way I know of dealing with the anxiety.
 
From past posts I think you are a smart guy and have taken several precautions. Is this just free floating anxiety? I can sympathize with that feeling but the rational side of me says that I've taken much better than average precautions like mentioned above ... credit freezes, 2 factor authentication, pretty secure computer, etc. That's the only way I know of dealing with the anxiety.

Yes, we have taken some precautions like credit freeze and a secure computer that is only used for financial sites (no web browsing or downloads on that one). I have 2 factor authentication at some sites but not all (not all offer it yet).

I do not think the average Joe is taking these precautions though and actually they are going even more digital with paying for items via cell phone. My wife works at a software firm with people making big bucks who do financial transactions on their phone. A significant number of them use 1111 for their phone password and their other four digit codes because it is easy to remember. These are people making $250k+ a year in the software industry where they should know better!
 
I use my mother's birthday - January second, 1934. Nobody would guess that.




(not really - saw that last night and got a chuckle)
 
I do not think the average Joe is taking these precautions though and actually they are going even more digital with paying for items via cell phone. My wife works at a software firm with people making big bucks who do financial transactions on their phone. A significant number of them use 1111 for their phone password and their other four digit codes because it is easy to remember. These are people making $250k+ a year in the software industry where they should know better!

Luckily financial apps are getting smarter about security.

I do check mint on my iPhone, but it requires TouchID to use it.

One good thing about TouchID is that it makes using a long alphanumeric "PIN" to unlock my iPhone or iPad much less onerous since I rarely need to type it in.
 
I'm always trying to find the right level of security and probably overdo it. Because of something Audreyh1 said on this thread, I went in and added a few new alerts to our credit card account and reviewed the other alerts.
 
I know that different financial institutions have different regulations that apply to them.

In the case of FDIC banks -- aren't they responsible if they transfer funds to an unauthorized recipient if you notify them promptly of the error?

In the case of credit cards I believe that you have 60 days to notify them of unauthorized purchases which by law they must reverse.

With IRS refund fraud, (ie someone claiming a refund on your account before you file your taxes), I believe that the IRS will make you whole although it may take a few months.

With credit freezes applied at the credit bureaus, no one except a few named exceptions (ie law enforcement etc.) will be able to pull a credit report on you and open up new credit accounts.

That all being said, my biggest remaining concerns are
- 401k accounts
- IRA accounts
- after-tax brokerage accounts

In my case that is where the majority of my funds reside and I am not sure about the legal protections in these cases.

I find it interesting that the Lifelock insurance strangely does not mention these types of accounts specifically in their fraudulent withdrawal coverage, but merely "checking, savings, money market, or other financial accounts" -- sounds like those are already covered by the regulated banks as described above.

-gauss
 
I use my mother's birthday - January second, 1934. Nobody would guess that.




(not really - saw that last night and got a chuckle)

Actually if one's mother is deceased, one can likely find it in the Obituary, or on find a grave if the dates beyond years are engraved on the stone. It is amazing how much info is found in Obituaries. The maiden name, the children's names, where they live etc. So mining old newspapers for obituaries could assist in identity theft. (Also where she was born and in some cases her parents' names).
 
Actually if one's mother is deceased, one can likely find it in the Obituary, or on find a grave if the dates beyond years are engraved on the stone. It is amazing how much info is found in Obituaries. The maiden name, the children's names, where they live etc. So mining old newspapers for obituaries could assist in identity theft. (Also where she was born and in some cases her parents' names).

Not sure if the original birthday comment was tongue-in-cheek or not, but just for the sake of caution I share the following:

Doesn't the Social Security Master Death List contain dates of birth? I know that they now suppress SSNs for the first ten years or so after death but I think everything else is open.

-gauss
 
Not sure if the original birthday comment was tongue-in-cheek or not, but just for the sake of caution I share the following:

Doesn't the Social Security Master Death List contain dates of birth? I know that they now suppress SSNs for the first ten years or so after death but I think everything else is open.

-gauss

Further after 25 years one can get a copy of the death certificate with no ID.
But these don't give the family relationships downward (a death certificate does say who the person's parents were and where they were born)
 
Why so serious? January second, 1934. 4 digit pin. pin would be?
 
As far as I'm concerned, when they say that they might as well be saying, "We sold it to hackers on the internet!" and maybe they did. I'd be willing to bet they could make considerable money under the table by selling customer information. :mad:

And they do reserve the right to do so! When logging into my banking account yesterday, a notice was posted that until I checked off the updated privacy and TOS agreements for the online bill-paying function, I wouldn't be able to use them anymore. In my usual harumph mood brought on by such things, I copied the 1,875 word, and 13,248 word agreements, respectively from the roughly 80 character by 6 line text windows and pasted them into a text file so they could actually be read. And I read them, and saved them for future reference. In a nutshell, they claim the right to "share" customer data for marketing purposes with "affiliated" business (defined as being under their ownership or control), and reserve the right to also share with others (I read that as profit from) customer data, although they do not do that now, and if they ever did desire to customers would be given an opportunity to opt out. Hmm, 'opt out', as in you can't use our services anymore if you don't say it's OK?

Oh, well - filed the docs, and agreed to the TOS. Don't care to go back to snail mail for paying recurring bills, but if I ever see an 'opt out' message disguised as 'We have a wonderful opportunity for you' I'll explore other options. But, the other options are pretty much using the same service from a different bank, which will undoubtedly be keeping up with the Jones and doing the exact same thing, or using a mega-bank credit card that has probably already been sharing data for profit for years. Of course, the shared data may be obscured by averaging or being supposedly non-identifiable, but will (or do they already?) hackers become so elaborate and sophisticated that combining legally available, for a price data with hacked identifiable data on a large enough scale expose us all to great economic peril? Part of me does consider the potential threat from geopolitical adversaries to inflict a mass economic disaster through an elaborate and intensive breach using a vast accumulation of data. Capitalism supports and defends making a buck with consequences sometimes unseen, which of course would be a painful irony if capitalized on by an adversary. </tin foil hat>
 
With IRS refund fraud, (ie someone claiming a refund on your account before you file your taxes), I believe that the IRS will make you whole although it may take a few months.

The state of Ohio started using an "identity confirmation quiz" when some folks submit income tax returns that are getting a refund.

IDQuiz

I haven't gone through this - we always work it so we pay a little - but apparently the local TV news folks are failing it left and right. Or so they keep joking about it on their newscasts.
 
I received my letter from Anthem about two weeks ago saying my data was hacked. The letter pointed out that my medical information was not compromised. Who cares about that? I would rather the hackers have my medical info than my financial info.

So they offer 2 years of credit monitoring. What's to prevent the hackers from sitting on the data for 2 years then using it? Plus my kids data was also hacked. What a PIA.


Sent from my TRS-80

Medical fraud is also on the rise:
..It soon became clear that someone else had used the elderly man’s health insurance card at the ER to ..

What's behind the dramatic rise in medical identity theft? - Fortune
 
...

Just received my chip CC but no one uses the other side yet. ...

You too?? I tried to use it today at a parking garage and the terminal couldn't recognize the 'strip'. I cut up the old card right after I activated the new one. I checked to verify that the issuer had activated it. Good thing I had another 'old fashioned' Visa card or my life would be a re-run of the M. T. A.
 
I do not think the average Joe is taking these precautions though and actually they are going even more digital with paying for items via cell phone. My wife works at a software firm with people making big bucks who do financial transactions on their phone. A significant number of them use 1111 for their phone password and their other four digit codes because it is easy to remember. These are people making $250k+ a year in the software industry where they should know better!
Fermion - this is true with many situations, like in saving for retirement. The average Joe is usually very slow to come to terms with issues like this.

The recent tax fraud and Anthem hack made a lot of noise at first, even congressional hearings (on the IRS and state tax fraud). But like many media stories they quickly fade. And many people forget.

All each of us can do is take the actions we can to protect ourselves. If others aren't motivated to protect themselves, well there isn't much we can do.

Robert Cringely made an interesting prediction at the beginning of this year about 2015 being the year of security breaches. My husband told me in Jan, and lo and behold the shoes started dropping everywhere shortly thereafter!

The Anthem breach is enormous. It affects 25% of the US population. It is truly mind boggling, and yet it does seem to have dropped off the radar very quickly. I don't think it will stay off the radar - too many folks are impacted.
Prediction #1 — Everyone gets the crap scared out of them by data security problems. In many ways this was set up by 2014, a year when, between Edward Snowden and Target, America woke up to the dangers of lax data security. Where this year is somewhat different, I feel, is in the implications of these threats and how they play out. There will still be data breaches and, though there will be proposals how to retool to avoid such problems in future, I don’t see those turning into anything real before 2016. So 2015 will be the year when people claim to fix your problem but really can’t. Watch out for those crooks.

2015 will also be the year when the bad guys start to see their own profit squeeze and respond by doing exactly the things we hope they won’t. To this point, you see, the folks who steal all this information have been generally wholesaling the data to other bad guys who use the data to steal our identities and money. Only the buyers aren’t really that good at stealing our stuff so the wholesale value of a million credit card numbers has dropped significantly. So rather than finding new careers like my own favorite, opening a frozen custard stand, the guys who stole our numbers in the first place are starting to cut out the middle men and going after our stuff themselves. Given these are the really smart bad guys taking over from the not-so-smart bad guys, expect things to get bad, very bad, with billions — billions — in additional losses for financial institutions, retailers, and even some of us. These are the events that will finally lead — in 2016 — to real data security improvements.
I, Cringely 2015 Predictions: It's about the money, stupid! - I, Cringely

He sees this as making the rest of us finally wake up and fix some things and real improvements. So maybe there is some hope? We shall see.
 
Every time I see the PW "restrictions" (e.g. PW must be 4-8 characters and contain a capital and number .... blah, blah) - I think "great, they just told the hackers exactly what to test for and ELIMINATED BILLIONS of other possibilities ".
 
Every time I see the PW "restrictions" (e.g. PW must be 4-8 characters and contain a capital and number .... blah, blah) - I think "great, they just told the hackers exactly what to test for and ELIMINATED BILLIONS of other possibilities ".

+1000

I recently had one not accept my password because it had three of the same char in a row. So I removed one of them, and it took it! :facepalm:

PS - this was not a site I had big security concerns with, just a subscription thing or something. For those, I use a common easy pw - who would try to hack it? Just enough to meet the common requirement - some numbers, some upper, some lower case.

-ERD50
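An added example, not part of any post in this thread: a count of how much of the password search space each rule mentioned above removes (the 4-8 character limit, a required capital and number, and the no-three-in-a-row rule). The 94-character printable-ASCII alphabet and the 16-character comparison length are assumptions.

```python
import math

# Assumed alphabet: printable ASCII without the space (94 characters).
UPPER, LOWER, DIGIT, SYMBOL = 26, 26, 10, 32
K = UPPER + LOWER + DIGIT + SYMBOL

def unrestricted(n, k=K):
    """All strings of length n."""
    return k ** n

def upper_and_digit(n, k=K):
    """Strings with at least one capital and one digit (inclusion-exclusion)."""
    return k**n - (k - UPPER)**n - (k - DIGIT)**n + (k - UPPER - DIGIT)**n

def no_triple_repeat(n, k=K):
    """Strings with no character three times in a row.
    run1 / run2 count valid strings whose final run has length 1 / 2."""
    if n == 0:
        return 1
    run1, run2 = k, 0
    for _ in range(n - 1):
        run1, run2 = (run1 + run2) * (k - 1), run1
    return run1 + run2

def total(counter, min_len, max_len):
    """Sum a per-length count over an allowed length range."""
    return sum(counter(n) for n in range(min_len, max_len + 1))

def lost_bits(smaller, larger):
    """Search-space reduction expressed in bits."""
    return math.log2(larger) - math.log2(smaller)

def compare(min_len=4, max_len=8, longer_max=16):
    """Bits of search space removed by each rule, relative to no rule."""
    free = total(unrestricted, min_len, max_len)
    return {
        "composition_rule": lost_bits(total(upper_and_digit, min_len, max_len), free),
        "no_triple_repeat": lost_bits(total(no_triple_repeat, min_len, max_len), free),
        "length_cap": lost_bits(free, total(unrestricted, min_len, longer_max)),
    }

if __name__ == "__main__":
    for rule, bits in compare().items():
        print(f"{rule:18s} removes {bits:7.3f} bits of search space")
```

Under these assumptions the capital-and-number rule and the repeat rule each remove roughly one bit or less, while capping length at 8 instead of 16 removes about 52 bits.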
 
Every time I see the PW "restrictions" (e.g. PW must be 4-8 characters and contain a capital and number .... blah, blah) - I think "great, they just told the hackers exactly what to test for and ELIMINATED BILLIONS of other possibilities ".

One thing that helped the Brits break the Enigma machine and helped 'simplify' Turing's decoding machine was the fact that no letter could encrypt to itself. An 'a' could never be encrypted to an 'a', a 'b' could never encrypt to a 'b', and so on. That removed a huge number of possible outcomes.
 
One thing that helped the Brits break the Enigma machine...

It was the Poles (Marian Rejewski, Jerzy Różycki and Henryk Zygalski) who "broke" it initially back in 1932. The Brits built on the good work of the Poles.
 
Very true the Poles did break the first Enigma machines. Which, by the way, were built by a private company for use by business. They were improved to the point where new ways were needed to break the codes. All in all it's a fascinating story.

Anyway the point is still valid that the more one knows about the 'rules', the easier it is to break the codes.

Below is a tweet that leads to Steve Gibson's discussion of Enigma.

 
I was subject to the Premera hacking, and I (and a bunch of my coworkers) are hopping mad. Same two year do-nothing credit watch plan, after which the crooks will go to town.

I used to work in computer security, as well as general compliance, this stuff isn't rocket science if you design things well and take basic precautions. For some of these I suspect an insider (think of how much an employee would make by selling PII), and there is no way any firm would want to admit that since it would freak out the nation and people with access to sensitive data would start needing to pass background checks like they should.
 