Old 09-11-2017, 01:57 PM   #41
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
audreyh1's Avatar
 
Join Date: Jan 2006
Location: Rio Grande Valley
Posts: 30,468
Quote:
Originally Posted by razztazz View Post
If they hacked essentially everybody's everything I cannot see how they wouldn't be able to unfreeze an account. They have everything they need to be a duplicate "You"
They can't without the PIN that was issued when you froze the account.

There has been no mention of PINs for unfreezing being compromised.
__________________
Retired since summer 1999.
audreyh1 is online now   Reply With Quote
Old 09-11-2017, 02:39 PM   #42
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
harley's Avatar
 
Join Date: May 2008
Location: No fixed abode
Posts: 8,421
Quote:
Originally Posted by razztazz View Post
If they hacked essentially everybody's everything I cannot see how they wouldn't be able to unfreeze an account. They have everything they need to be a duplicate "You"
Just like passwords, pins are/should be kept in an encrypted format. Just getting the database with the pins shouldn't give them the ability to unfreeze your account. They'd need to be able to duplicate the encryption algorithm in order to reverse engineer the pin. They don't have that. So unless Equifax (or whoever) was incredibly stupid enough to store this type of information in plain text, it shouldn't be possible to unfreeze your account. And storing it in plain text would be so egregiously irresponsible that they would be wiped out in the eventual lawsuit.
__________________
"Good judgment comes from experience. Experience comes from bad judgement." - Anonymous (not Will Rogers or Sam Clemens)
DW and I - FIREd at 50 (7/06), living off assets
harley is offline   Reply With Quote
Old 09-11-2017, 04:27 PM   #43
Thinks s/he gets paid by the post
 
Join Date: Mar 2013
Location: Coronado
Posts: 2,603
Quote:
Originally Posted by harley View Post
Just like passwords, pins are/should be kept in an encrypted format. Just getting the database with the pins shouldn't give them the ability to unfreeze your account. They'd need to be able to duplicate the encryption algorithm in order to reverse engineer the pin. They don't have that. So unless Equifax (or whoever) was incredibly stupid enough to store this type of information in plain text, it shouldn't be possible to unfreeze your account. And storing it in plain text would be so egregiously irresponsible that they would be wiped out in the eventual lawsuit.
Encryption can be cracked, it's just a matter of time and CPU cycles; and if hackers were able to download an encrypted database then they have unlimited time to work on decrypting it. Encryption is not a silver bullet. That's why the best practice is to store PINs separately from the data they're protecting. We have no way of knowing whether Equifax uses best practices or whether the PINs were compromised, and I don't trust them to be forthcoming about this. I'm not convinced they even know.

Personally, I think it's likely that since hackers were able to get far enough into the network to steal personal data, then they probably had root or admin access via an exploit or misconfigured security setting and they got the encryption keys for that data as well. I really do not think we'll ever know exactly what was exposed, so it's best to assume that everything was.
cathy63 is offline   Reply With Quote
Old 09-11-2017, 05:09 PM   #44
Thinks s/he gets paid by the post
 
Join Date: Jul 2011
Posts: 1,004
Quote:
Originally Posted by cathy63 View Post
Encryption can be cracked, it's just a matter of time and CPU cycles; and if hackers were able to download an encrypted database then they have unlimited time to work on decrypting it. Encryption is not a silver bullet. That's why the best practice is to store PINs separately from the data they're protecting. We have no way of knowing whether Equifax uses best practices or whether the PINs were compromised, and I don't trust them to be forthcoming about this. I'm not convinced they even know.

Personally, I think it's likely that since hackers were able to get far enough into the network to steal personal data, then they probably had root or admin access via an exploit or misconfigured security setting and they got the encryption keys for that data as well. I really do not think we'll ever know exactly what was exposed, so it's best to assume that everything was.
This is our expectation or the hackers' success.
savory is offline   Reply With Quote
Old 09-11-2017, 06:21 PM   #45
Thinks s/he gets paid by the post
Cobra9777's Avatar
 
Join Date: Jul 2012
Location: Texas
Posts: 2,382
Has anyone ever tried to change their SS#? I've read that it's allowed under a specific list of circumstances, one of which is being a victim of identity theft. I had a fraudulent tax return filed using my SS# in 2014 and filed a police report. I think that technically makes me a victim of identity theft, although I doubt it meets the SSA requirement. Anyway, I'm sure there are plenty of downsides to this, but just curious if anyone has done this or thought about it. I bet a new DL number could be obtained as well.
__________________
Retired at 52 in July 2013. On to better things...
AA: 55% stock, 15% real estate, 27% bonds, 3% cash
WR: 2.7% SI: 2 pensions, some rental income, SS later
Cobra9777 is offline   Reply With Quote
Old 09-11-2017, 07:03 PM   #46
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: May 2008
Posts: 5,365
Quote:
Originally Posted by Corporateburnout View Post
The only way for them to unfreeze your account with Equifax is if they got your pin number. You still have some protection with the other two bureaus.

I did not hear if they were able to get that information.
Turns out Equifax was generating PINs which were basically a date and time stamp.

That is the case with my Equifax freeze, which I've had before.

It will take a while but Equifax will probably be sued out of existence.

Basically they didn't spend money for the top IT and data security people. They used server software which had known vulnerabilities and didn't promptly patch them.
explanade is offline   Reply With Quote
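
An added example, not part of the original post or anything Equifax published: why a PIN that is "basically a date and time stamp" is weak, next to a PIN drawn from a CSPRNG. The 10-digit MMDDYYHHMM layout, the sample dates and all function names are assumptions made for illustration.

```python
import math
import secrets
from datetime import datetime

PIN_DIGITS = 10  # assumed PIN length, chosen to match the assumed timestamp layout


def timestamp_pin(issued_at: datetime) -> str:
    """Weak scheme: the PIN is the issue time (assumed layout MMDDYYHHMM)."""
    return issued_at.strftime("%m%d%y%H%M")


def random_pin(digits: int = PIN_DIGITS) -> str:
    """Hardened scheme: each digit comes from the OS CSPRNG, unrelated to issue time."""
    return "".join(str(secrets.randbelow(10)) for _ in range(digits))


def timestamp_candidates(start: datetime, end: datetime) -> int:
    """Distinct PINs the weak scheme can emit between start and end (inclusive)."""
    return int((end - start).total_seconds() // 60) + 1


def entropy_bits(candidates: int) -> float:
    """Bits of uncertainty when every candidate is equally likely."""
    return math.log2(candidates)


def audit(start: datetime, end: datetime) -> dict:
    """Compare both schemes for a freeze known to have been placed in [start, end]."""
    weak = timestamp_candidates(start, end)
    strong = 10 ** PIN_DIGITS
    return {
        "weak_candidates": weak,
        "weak_bits": round(entropy_bits(weak), 1),
        "strong_candidates": strong,
        "strong_bits": round(entropy_bits(strong), 1),
    }


if __name__ == "__main__":
    # Constructed sample: a freeze placed at some point on one known day.
    print(audit(datetime(2017, 9, 11, 0, 0), datetime(2017, 9, 11, 23, 59)))
    # Two freezes issued in the same minute share a PIN under the weak scheme.
    t = datetime(2017, 9, 11, 13, 57)
    print(timestamp_pin(t) == timestamp_pin(t.replace(second=30)))
    print(random_pin())
```

The design point for whoever issues such PINs: the value must not be derivable from anything an outsider could know or guess, such as when the freeze was requested.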
Old 09-11-2017, 07:50 PM   #47
Thinks s/he gets paid by the post
 
Join Date: Apr 2005
Location: Midwest
Posts: 2,551
Quote:
Originally Posted by audreyh1 View Post
They can't without the PIN that was issued when you froze the account.

There has been no mention of PINs for unfreezing being compromised.
We have been repeatedly told in an endless list of situations that a "that" can't happen. But then it does. I used to work with a whole bunch of computer gurus, engineers, etc. in the 1990s. We were talking about that newfangled internet thing. One of the non-computer engineers said he was afraid to "go online" because how does he know somebody out there isn't 'invading' his computer. The Guru Class regaled us with technical reasons why that wasn't possible. I knew it was a case of "Subject Matter Expert Failure." Like doctors telling Louis Pasteur it's evil spirits and divine punishment that causes disease. Two weeks later the new word was "cookie." Shortly after, "spyware," later to be called "malware." If anyone has told you "They" can't do something nefarious because "it's protected," you are being lied to.

Yes. No mention of "pins" being lifted. Of course that could mean: They have been and they don't know it yet. They have been and they know it and are stalling waiting for this to drop off the front page.

If they broke in and stole all that data it's bordering on the merely hopeful to think they don't have or won't soon have the pins anyway.
razztazz is online now   Reply With Quote
Old 09-12-2017, 06:53 AM   #48
Full time employment: Posting here.
 
Join Date: May 2015
Location: Atlanta suburbs
Posts: 633
Quote:
Originally Posted by razztazz View Post
Yes. No mention of "pins" being lifted. Of course that could mean: They have been and they don't know it yet. They have been and they know it and are stalling waiting for this to drop off the front page.
I was thinking pretty much the same thing. If they knew of the hack problem and didn't tell the public for many weeks, they may choose not to tell the public about other things like PINs being hacked.
DEC-1982 is offline   Reply With Quote
Old 09-12-2017, 10:14 AM   #49
Thinks s/he gets paid by the post
 
Join Date: Apr 2005
Location: Midwest
Posts: 2,551
Quote:
Originally Posted by DEC-1982 View Post
I was thinking pretty much the same thing. If they knew of the hack problem and didn't tell the public for many weeks, they may choose not to tell the public about other things like PINs being hacked.
Ref this. A few years back, I believe, Target said they'd been hacked. It was one of the first super big hack jobs. But the thing was when they came out and said they had been hacked the actual loss of data had happened something like four years prior! So, all the people who started worrying about it had already been living life with their asses run up the flag pole for four years at that time without knowing it.
razztazz is online now   Reply With Quote
Old 09-12-2017, 10:24 AM   #50
Thinks s/he gets paid by the post
 
Join Date: Apr 2005
Location: Midwest
Posts: 2,551
Quote:
Originally Posted by harley View Post
Just like passwords, pins are/should be kept in an encrypted format. Just getting the database with the pins shouldn't give them the ability to unfreeze your account. They'd need to be able to duplicate the encryption algorithm in order to reverse engineer the pin. They don't have that. So unless Equifax (or whoever) was incredibly stupid enough to store this type of information in plain text, it shouldn't be possible to unfreeze your account. And storing it in plain text would be so egregiously irresponsible that they would be wiped out in the eventual lawsuit.
Lots of wishful thinking there. Lot o' "shoulds". The reality is at this time nobody knows what they did, how they did it, or what their capabilities are.

Quote:
And storing it in plain text would be so egregiously irresponsible that they would be wiped out in the eventual lawsuit.
In pursuit of The Bottom Line it's a risk they might have been willing to take. They have their protections. You and me? Not so much, as history thus far has proven.
razztazz is online now   Reply With Quote
Old 09-12-2017, 02:21 PM   #51
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Chuckanut's Avatar
 
Join Date: Aug 2011
Location: West of the Mississippi
Posts: 12,690
Quote:
Originally Posted by DEC-1982 View Post
I was thinking pretty much the same thing. If they knew of the hack problem and didn't tell the public for many weeks, they may choose not to tell the public about other things like PINs being hacked.
From what I read the bad guys were in the Equifax system from mid May to the end of July. That's 2 1/2 months to fish around for information. So, more bad news may be forthcoming as they find out what exactly the bad guys did in their computer system for 2 1/2 months.

Very sad. I fear this will not end well for many millions of us. Most likely those who can least afford to deal with the problem - elderly, low-income working people and underage minors (who may find out 5 years from now when they want to get their first car loan their credit is screwed.)
__________________
The worst decisions are usually made in times of anger and impatience.
Chuckanut is offline   Reply With Quote
Old 09-12-2017, 02:25 PM   #52
Thinks s/he gets paid by the post
 
Join Date: Apr 2005
Location: Midwest
Posts: 2,551
Quote:
From what I read the bad guys were in the Equifax system from mid May to the end of July. That's 2 1/2 months to fish around for information.
Yes, so even if Equifax had the pins stored separately and did all those other security things (no reason to think they did) the perps knew that and there's no reason to believe they didn't proceed accordingly.
razztazz is online now   Reply With Quote
Old 09-12-2017, 02:44 PM   #53
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: May 2008
Posts: 5,365
You know what would be nice is if banks and other companies stopped pulling credit reports from Equifax. Given what's happened, that would be the smart idea, to use the other two credit bureaus.

But when you apply for certain credit cards, you don't know which agency they're going to pull. The people who churn credit cards usually track which agencies they use but it's not completely predictable.

I've applied for a couple of cards and I got letters back from them saying I need to unlock my credit freeze for such and such agency. In those cases, I call the credit card bank and while I have them on the line, I unlock the bureau that they say they need to pull and they're able to get the credit report and then they've usually approved my application.
explanade is offline   Reply With Quote
Old 09-12-2017, 03:21 PM   #54
Full time employment: Posting here.
beowulf's Avatar
 
Join Date: Oct 2007
Posts: 771
When I do anything that needs a credit check, I lift my credit freeze at all 3 bureaus for 24 or 48 hours and then it goes back into effect. Since I only apply on line, that's been more than enough time for them to make a decision.
__________________
Mission accomplished - not necessarily ER, but certainly R.
beowulf is offline   Reply With Quote
Old 09-12-2017, 04:28 PM   #55
Recycles dryer sheets
gettingthere's Avatar
 
Join Date: Jul 2006
Location: Massachusetts
Posts: 179
for those who have done a freeze...

If I put a freeze on at the 3 major credit bureaus, do I have to unfreeze all 3 if I apply for a loan or credit card or whatever, or will the lending institution tell me they need me to unfreeze just one particular credit bureau?
gettingthere is offline   Reply With Quote
Old 09-12-2017, 04:30 PM   #56
Administrator
MichaelB's Avatar
 
Join Date: Jan 2008
Location: Chicagoland again!
Posts: 35,212
Quote:
Originally Posted by gettingthere View Post
for those who have done a freeze...

If I put a freeze on at the 3 major credit bureaus, do I have to unfreeze all 3 if I apply for a loan or credit card or whatever, or will the lending institution tell me they need me to unfreeze just one particular credit bureau?
When I had to do an unfreeze for DM, they specified the credit bureau.
MichaelB is offline   Reply With Quote
Old 09-12-2017, 04:35 PM   #57
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: May 2008
Posts: 5,365
Yeah Chase will send you a letter in the mail that they can't proceed with your card application because of a credit freeze.

They give you a number to call in and they will tell you which bureau they need so I do it online while on hold or call back after I've unfrozen and they will look it up right away.
explanade is offline   Reply With Quote
Old 09-12-2017, 05:00 PM   #58
Recycles dryer sheets
gettingthere's Avatar
 
Join Date: Jul 2006
Location: Massachusetts
Posts: 179
Thanks. That makes the idea seem a bit less costly, at least.

It really sucks that these corporations can get away with being so sloppy with security on our data and leave us stuck with the cost to protect the data we never authorized them to have in the first place. Which, in the case of Equifax, means we pay them for their screw-up.

I wonder if I could get away with refusing to ever unfreeze my credit report at Equifax, and tell the lending institution to pick a different CB, or I will go elsewhere if they insist Equifax is the one they want to use.
gettingthere is offline   Reply With Quote
Old 09-12-2017, 06:10 PM   #59
Full time employment: Posting here.
beowulf's Avatar
 
Join Date: Oct 2007
Posts: 771
The temporary unfreezes and refreezes are free. Last time I needed to do it, I was told by my bank that they would not provide that info, so I just unfroze all 3 for 48 hours. Worked out fine. And yes, all credit bureaus suck.
__________________
Mission accomplished - not necessarily ER, but certainly R.
beowulf is offline   Reply With Quote
Old 09-12-2017, 06:47 PM   #60
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
audreyh1's Avatar
 
Join Date: Jan 2006
Location: Rio Grande Valley
Posts: 30,468
Quote:
Originally Posted by beowulf View Post
The temporary unfreezes and refreezes are free. Last time I needed to do it, I was told by my bank that they would not provide that info, so I just unfroze all 3 for 48 hours. Worked out fine. And yes, all credit bureaus suck.
Maybe in your state. $10 in Texas.
__________________
Retired since summer 1999.
audreyh1 is online now   Reply With Quote
All times are GMT -6. The time now is 08:17 PM.