Looks like Equifax was breached

I'm now over all my previous naive concerns about privacy and intrusiveness. They have beaten me down-- the crooks and the "helpful" IT security people. My cranial RAM has no room for more passwords and I'm fed up with the security hoops. I'm now ready to have the RFID chip inserted in my neck. I welcome it. Peace at last.
I luv you too!


One thing that's surprising to me is our focus on someone impersonating us through the application's front end. Most thefts are internal actors. I spent decades in the industry around security and audit, and someone acting as me through the application is my last concern.

I'm much more afraid of a data dump giving someone enough data to perform a wire from the system of record to a foreign bank. Never even logging on to the system of record. Course I'm often wrong.
 
I luv you too!

Nuthin personal. But when someone thinks they are enhancing security by requiring passwords that are 16 characters, must be changed every 90 days, can't be too similar to any previous one, can't use "keyboard geography" too extensively, etc., etc., screen locks after 2 minutes of no activity, etc., then they just aren't using their heads. I'll bet 10% of the passwords in some of the most "secure" offices in the world can now be found on Post-it notes on the back of the mouse pads or keyboards. Sure, it is against the rules, but these people are just trying to do their jobs.
Maybe this should be in the pet peeve thread. Sorry.
 
I'm now over all my previous naive concerns about privacy and intrusiveness. They have beaten me down-- the crooks and the "helpful" IT security people. My cranial RAM has no room for more passwords and I'm fed up with the security hoops. I'm now ready to have the RFID chip inserted in my neck. I welcome it. Peace at last.

:LOL::LOL:
 
Upon Further Review ...

Okay, so I click on the Equifax link to check if my info was compromised. Firefox flags the site as phishing and deceptive. I don't think the site is phishing since it's in the news. But still... :(.

Checked and got the result of, as Maury Povich says, "I am NOT the father".

In other words, looks like not impacted :dance:.

Read where the "check if impacted" message is a bit clearer on their website, so I went ahead and checked again. Looks like I am impacted after all :facepalm:. Folks who thought they were all clear before when the initial news broke might want to check again.

At least now I have a class action lawsuit or two to look forward to.
 
Nuthin personal. But when someone thinks they are enhancing security by requiring passwords that are 16 characters, must be changed every 90 days, can't be too similar to any previous one, can't use "keyboard geography" too extensively, etc., etc., screen locks after 2 minutes of no activity, etc., then they just aren't using their heads. I'll bet 10% of the passwords in some of the most "secure" offices in the world can now be found on Post-it notes on the back of the mouse pads or keyboards. Sure, it is against the rules, but these people are just trying to do their jobs.
Maybe this should be in the pet peeve thread. Sorry.
We're actually saying the same things! Sorry for the confusion. My last 5 years I had all the silly password rules and a 6 digit RSA pin that expired every 30 seconds.
 
Read where the "check if impacted" message is a bit clearer on their website, so I went ahead and checked again. Looks like I am impacted after all :facepalm:. Folks who thought they were all clear before when the initial news broke might want to check again.

At least now I have a class action lawsuit or two to look forward to.



I wouldn't even trust them to actually know exactly who is impacted and who is not. Better to assume you are impacted and act accordingly.
 
I wouldn't even trust them to actually know exactly who is impacted and who is not. Better to assume you are impacted and act accordingly.

I was thinking along the same lines. They probably don't know, which is the reason why they "generously" (cough, cough) offer the free monitoring for a year to everyone.
 
I wouldn't even trust them to actually know exactly who is impacted and who is not. Better to assume you are impacted and act accordingly.

That's exactly what I'm thinking. We didn't bother to check whether we're impacted or not. DW and I both have had our credit frozen for years and I monitor our accounts religiously so there is nothing else we can do at this point. I instructed my kids to obtain a copy of their credit reports from all three bureaus and immediately freeze their credit.

It's a little more difficult for the younger folks to deal with freezing and unfreezing every time they need to apply for loans but it's worth the aggravation in my opinion.
 
I was thinking along the same lines. They probably don't know, which is the reason why they "generously" (cough, cough) offer the free monitoring for a year to everyone.


Does that mean it is like the commercial where someone comes in to rob the bank and the security guard says something like 'I am only a monitor, I do not do anything'?

This is going to be a multi-decade event... most of the info will never change, so it being out there is not good...
 
This is going to be a multi-decade event... most of the info will never change, so it being out there is not good...

So other than freezing your credit and monitoring your CC accounts, Social Security account, bank and brokerage accounts, what else can we do about it at this point?
 
Does that mean it is like the commercial where someone comes in to rob the bank and the security guard says something like 'I am only a monitor, I do not do anything'?

This is going to be a multi-decade event... most of the info will never change, so it being out there is not good...

The first message I got said something like "It looks like you are not impacted." The message now says something like "It looks like you may be impacted".

Guess in a roundabout way, they were saying the same thing, "Maybe got impacted" :(.
 
I wouldn't even trust them to actually know exactly who is impacted and who is not. Better to assume you are impacted and act accordingly.

Yeah, I haven't bothered to check after reading about all the new website snafus and totally unclear messages and am proceeding as if I were compromised.

Was planning to do that anyway - just needed the extra push.

I already have accounts at all of the institutions I would buy CDs from, and I really don't need any more credit cards. So it's finally convenient for me to freeze everything.
 
So other than freezing your credit and monitoring your CC accounts, Social Security account, bank and brokerage accounts, what else can we do about it at this point?

Freezing your credit can prevent the things you would monitor for. Probably most of them. I already monitor and plan to freeze.

It's a pain to fix things after they've already happened. If I can prevent most of them from happening, I prefer that approach.
 
My credit was already frozen from the time I got hit by the IRS transcript hack. Just went ahead and looked at recent CC statements and didn't see any funny business. Will sign up for that TrustedID Premier thing for one year of monitoring and see if my SSN is on sale on the dark web :( from this breach.
 
My credit was already frozen from the time I got hit by the IRS transcript hack. Just went ahead and looked at recent CC statements and didn't see any funny business. Will sign up for that TrustedID Premier thing for one year of monitoring and see if my SSN is on sale on the dark web :( from this breach.
I don't believe credit monitoring will tell you if your SSN is on sale on the dark web. It will only tell you when it has been used to establish credentials for credit, borrowing, etc. After the fact.

It's a monitor, not a protector/inhibitor.

- Rita
 
Freezing your credit can prevent the things you would monitor for. Probably most of them. I already monitor and plan to freeze.

Freezing will not prevent unauthorized charges to your existing CC nor would it prevent claiming SS under your name. That's why I monitor these accounts.

The only thing that I cannot monitor at this time is someone filing a tax return under my name.
 
I don't believe credit monitoring will tell you if your SSN is on sale on the dark web. It will only tell you when it has been used to establish credentials for credit, borrowing, etc. After the fact.

It's a monitor, not a protector/inhibitor.

- Rita

I do know what you say, though, about regular credit monitoring not monitoring the SSN.

But the TrustedID Premier thing has an offering called "Social Security Number Monitoring" which is supposed to look to see if the number shows up for sale.

https://www.equifaxsecurity2017.com/trustedid-premier/

From the footnote:

3. SSN Monitoring attempts to scan internet sites where consumers' personal information is suspected of being bought and sold, and periodically adds new sites to those it searches. However, the internet addresses of these suspected internet trading sites are not published and frequently change, so there is no guarantee that Identity Protection provided by Equifax is able to locate and search every possible internet site where consumers' personal information is at risk of being traded.



 
So other than freezing your credit and monitoring your CC accounts, Social Security account, bank and brokerage accounts, what else can we do about it at this point?

IMO, not much.... kinda have to wait and see.... with 143 million affected, it will take many years to get to that many people... if ever...


But I think Equifax will have to cough up more than 1 year.... and also more than monitoring...
 
Freezing will not prevent unauthorized charges to your existing CC nor would it prevent claiming SS under your name. That's why I monitor these accounts.

The only thing that I cannot monitor at this time is someone filing a tax return under my name.
I'm not saying I don't monitor. I just plan to continue doing that in addition to freezing my credit.

I set up an SS.gov account which has a couple of levels of two-factor verification and should make it very difficult for someone to claim SS impersonating me.

I'm honestly not worried about my existing credit cards. I deal with CC fraud every couple of years. I have several things set up to minimize inconvenience, and I get alerts about charges, but I'm not on the hook for fraudulent CC charges and the credit card companies deal with the situation very quickly.
 
I hadn't heard of SS fraud.

Wouldn't the thieves make themselves vulnerable by giving an address for those checks, cashing them, etc.?

It leaves a paper trail.

I didn't know about 2FA for SS accounts. I did create an account at some point, not sure why I did. Now I'm going to look at turning on 2FA.

However, be aware that 2FA based on SMS is not as secure as other 2FA methods:

https://www.economist.com/blogs/economist-explains/2017/09/economist-explains-9

Hmm, I use my Google Voice number for 2FA in many cases. Of course the Apple ID 2FA requires possession of an iOS device but that only covers Apple accounts.
 
I hadn't heard of SS fraud.

Wouldn't the thieves make themselves vulnerable by giving an address for those checks, cashing them, etc.?

It leaves a paper trail.

Well if I were doing it I would get all of my users to open up a mailbox at a UPS store or something.

They would then bring the checks to some location and pick up their dime bag or 500ml of JD.

Maybe even better, have them use the address at some vacant house or just any random house and start stealing the mail there about the time SS checks arrive.

If you catch these people, there just isn't much turnip there to even be worth squeezing.
 
Maybe we should get new social security numbers :) Why not a new birthday, new first dog name, etc.
 
Today is assigned "sign up for TrustedID Premier" day. Entered the info requested, and my name and info are in the hopper and being verified :angel:.

Got a screen saying because of the volume, may take a few days to get a product activation email.
 
Info on the cause of the breach. Equifax was aware of the bug but had not yet undergone any remediation. https://arstechnica.com/information...caused-by-failure-to-patch-two-month-old-bug/

Thursday's disclosure strongly suggests that Equifax failed to update its Web applications, despite demonstrable proof that the bug gave real-world attackers an easy way to take control of sensitive sites. An Equifax representative didn't immediately respond to an e-mail seeking comment on this possibility.
Today is assigned "sign up for TrustedID Premier" day. Entered the info requested, and my name and info are in the hopper and being verified :angel:.

Got a screen saying because of the volume, may take a few days to get a product activation email.

They were unprepared for the breach, and now it seems they are equally unprepared for the remedy. Why is this not a surprise?

The NY Times reports today that Equifax execs are measured on financial results that exclude legal costs (behind paywall).
Over the last three years, when Equifax determined its top executives’ incentive compensation, it has used a performance measure that excluded the costs of legal settlements made by the company. If it follows this practice after dealing with the costs of settling legal claims arising from the security breach, Equifax’s top managers will essentially escape financial accountability for the blunder.
 
Info on the cause of the breach. Equifax was aware of the bug but had not yet undergone any remediation. https://arstechnica.com/information...caused-by-failure-to-patch-two-month-old-bug/




They were unprepared for the breach, and now it seems they are equally unprepared for the remedy. Why is this not a surprise?

The NY Times reports today that Equifax execs are measured on financial results that exclude legal costs (behind paywall).
Who would have thought that exposing critical data through the internet with old broken open source could result in data leaks?

I had a great mentor who used the term malpractice whenever he heard of something that blatantly ignorant.

Their web support, data security and sr. management should be banned from ever being employed in the industry.

Quite honestly, this, IMO, is indicative of much larger internal problems. If you own OPD, you have a responsibility for its protection.
 