Equifax is hacked


KnightExemplar
Posts: 5492
Joined: Sun Dec 26, 2010 1:58 pm UTC

Equifax is hacked

Postby KnightExemplar » Fri Sep 08, 2017 4:53 pm UTC

For those who don't know, Equifax is a big credit company in the USA. In effect, whenever you take out a loan or open up a bank account... the bank will then double-check your information on Equifax. In effect, this allows Bank of America to see your "credit history", even if your last loans were from Chase bank.

In short: Equifax is one of the companies that determines your "Credit Score". Every single loan you've ever taken out in the USA has been tracked by Equifax. And they've been hacked. An estimated 143 Million Americans are tracked by Equifax, aka literally fucking everybody. This is the most serious hack I can think of, there have been larger hacks (such as Yahoo), but those were just usernames / passwords. Equifax seems to have lost everybody's social security numbers, addresses, and so forth.

https://investor.equifax.com/news-and-e ... -213000628

The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps. The company has found no evidence that personal information of consumers in any other country has been impacted.


Apparently, checking the Equifax page to see if you're affected has a little disclaimer in the corner: https://twitter.com/zackwhittaker/statu ... 4331142144

Those jackasses. Well, fuck.

Equifax expects only 182,000 are affected, but how much faith should we place on that? If you're in that pile of 182-thousand, then you're fucked. All your information is now out there. And Equifax, as one of the "Credit Score" gatekeepers, has all of our information anyway. So it's not like we all aren't at risk here from their incompetence.

------------------

Also, the Equifax page is an advertisement for their credit monitoring service. And signing up for it waives your right to a class action lawsuit.


So Equifax is a bunch of jackholes. They're trying to spin this into their advantage. For cripes...
First Strike +1/+1 and Indestructible.

sardia
Posts: 5851
Joined: Sat Apr 03, 2010 3:39 am UTC

Re: Equifax is hacked

Postby sardia » Fri Sep 08, 2017 5:26 pm UTC

Jesus Christ.
Well, maybe this will spur some actual regulatory reforms with cyber security, oh who am I kidding, the Republicans are in charge.

KnightExemplar
Posts: 5492
Joined: Sun Dec 26, 2010 1:58 pm UTC

Re: Equifax is hacked

Postby KnightExemplar » Fri Sep 08, 2017 5:34 pm UTC

sardia wrote:Well, maybe this will spur some actual regulatory reforms with cyber security, oh who am I kidding, the Republicans are in charge.


I've always been pissed at the credit bureaus of America. Who the fuck decided that three for-profit companies should track everybody's loan information anyway and house all this important information?

Whenever people are all Anarcho-libertarian, I think Equifax is a good fucking example of what can go wrong.
First Strike +1/+1 and Indestructible.

CorruptUser
Posts: 8849
Joined: Fri Nov 06, 2009 10:12 pm UTC

Re: Equifax is hacked

Postby CorruptUser » Fri Sep 08, 2017 5:36 pm UTC

I have no loans but I have a couple of bank accounts and retirement accounts. Am I at risk from this?

KnightExemplar
Posts: 5492
Joined: Sun Dec 26, 2010 1:58 pm UTC

Re: Equifax is hacked

Postby KnightExemplar » Fri Sep 08, 2017 5:37 pm UTC

CorruptUser wrote:I have no loans but I have a couple of bank accounts and retirement accounts. Am I at risk from this?


Let's put it this way. Do you have a credit score?

And btw: Credit Cards count as a loan.

Cause the guys in charge of that just got hacked. They claim only 182-thousand are affected. So if you're optimistic, then no, you probably aren't affected. But anybody with any kind of financial service in America is basically tracked by Equifax. Honestly, I'd expect that you have an Equifax credit score even if you don't have a loan. But I'll have to look things up to make sure...

EDIT2: With regards to your specific question... it's a bit unclear. Here's what I do know. Different banks don't necessarily report to all three agencies. Equifax, Transunion, and Experian are the three companies which track credit scores. You can order your "credit score" once per year for free from any credit agency (there is a federal regulation that forces the big agencies to give us a free credit check once per year).

EDIT: I'm seeing a lot of contradictory claims online. CNN reports 143-million are affected. Others are reporting the 182-thousand number. Obviously, this is a big difference in the number of people potentially affected. I think a big issue is that when people are hacked, they don't really know how bad it is.
Last edited by KnightExemplar on Fri Sep 08, 2017 5:47 pm UTC, edited 1 time in total.
First Strike +1/+1 and Indestructible.

sardia
Posts: 5851
Joined: Sat Apr 03, 2010 3:39 am UTC

Re: Equifax is hacked

Postby sardia » Fri Sep 08, 2017 5:46 pm UTC

CorruptUser wrote:I have no loans but I have a couple of bank accounts and retirement accounts. Am I at risk from this?

Three Equifax executives sold their stocks before the news came out. Yea, you're affected. Let's class action lawsuits these assholes. *

*In all seriousness, you can check by providing your last 6 digits of your social security to Equifax. Not 4 because the hackers have that already.

KnightExemplar
Posts: 5492
Joined: Sun Dec 26, 2010 1:58 pm UTC

Re: Equifax is hacked

Postby KnightExemplar » Fri Sep 08, 2017 5:48 pm UTC

sardia wrote:*In all seriousness, you can check by providing your last 6 digits of your social security to Equifax. Not 4 because the hackers have that already.


In all seriousness, that technically signs away your ability to class action lawsuit those jackasses. Because Equifax is a bunch of jackasses.

Also, the first 3 of your social are determined by the location you were born. The next 2 are your "group number" and are very strongly correlated to when you were born. Uggghhhh, this whole system is a hot mess.

If the hackers have a date-of-birth, then they have a very good guess at what your middle-two numbers are.
First Strike +1/+1 and Indestructible.

gmalivuk
GNU Terry Pratchett
Posts: 25820
Joined: Wed Feb 28, 2007 6:02 pm UTC
Location: Here and There

Re: Equifax is hacked

Postby gmalivuk » Fri Sep 08, 2017 6:00 pm UTC

The entire idea of using SSN as some kind of "secret" information was fucking stupid to start with. It's not a secure numbering scheme, it's just supposed to let the government tell one John Smith from another, not be used as sufficient information to guarantee you're the first John Smith who's rich and always pays his bills and so of course we'll give you this $50,000 line of credit. Who else could possibly know his social security number?!
Unless stated otherwise, I do not care whether a statement, by itself, constitutes a persuasive political argument. I care whether it's true.
---
If this post has math that doesn't work for you, use TeX the World for Firefox or Chrome

(he/him/his)

sardia
Posts: 5851
Joined: Sat Apr 03, 2010 3:39 am UTC

Re: Equifax is hacked

Postby sardia » Fri Sep 08, 2017 6:17 pm UTC

KnightExemplar wrote:
sardia wrote:*In all seriousness, you can check by providing your last 6 digits of your social security to Equifax. Not 4 because the hackers have that already.


In all seriousness, that technically signs away your ability to class action lawsuit those jackasses. Because Equifax is a bunch of jackasses.

Also, the first 3 of your social are determined by the location you were born. The next 2 are your "group number" and are very strongly correlated to when you were born. Uggghhhh, this whole system is a hot mess.

If the hackers have a date-of-birth, then they have a very good guess at what your middle-two numbers are.

It only signs it away if you complete the application. Checking it merely confirms that you're fucked. They also have an extraordinarily lame written letter only opt out from the lawsuit, 30 day time limit.

CorruptUser
Posts: 8849
Joined: Fri Nov 06, 2009 10:12 pm UTC

Re: Equifax is hacked

Postby CorruptUser » Fri Sep 08, 2017 6:18 pm UTC

Will change my passwords tonight. Tempted to change my SSN as well, but you can only do that 10 times and it's an ordeal. I use credit karma, have for like 5 years now, checking every so often to see if any credit card accounts open in my name. I also have lifelock with the $100k insurance thing but tempted to cancel it. Even so, ugh.

As for SSN, yeah, it's about time it was not used for anything except government record keeping. But what's the best alternative? Biometric stuff like fingerprints and iris scans? Not sure how that'd work.

KnightExemplar
Posts: 5492
Joined: Sun Dec 26, 2010 1:58 pm UTC

Re: Equifax is hacked

Postby KnightExemplar » Fri Sep 08, 2017 6:24 pm UTC

CorruptUser wrote:As for SSN, yeah, it's about time it was not used for anything except government record keeping. But what's the best alternative? Biometric stuff like fingerprints and iris scans? Not sure how that'd work.


SSN and Biometrics are usernames, not passwords. SSN is a perfectly fine username. The problem is that people think it's a password.

Biometrics are inferior as a username. They require dedicated, non-standardized equipment. They're also bad passwords because you literally leave fingerprints everywhere you touch. It's also very difficult to change a fingerprint, but possible to change your SSN.

The USA has no system of passwords or computer security at all. IIRC, Canada has a national identity program backed by two-factor authentication which solves the issue. So the USA can adopt something like that.

A security token is the easiest example of TFA. There are very cheap chips (~$0.50 per chip or so) that are cryptographically impossible to duplicate. The chips can prove that they're unique, and they're literally cryptographically impossible to duplicate. Since the chip is unique, you use it to prove your identity. If you have one of those new credit-cards with chips on them, you are already familiar with this technology.

Oh right, and "Two factor" authentication means that you then program your chip to respond only if your password or Pin-number is entered. So even if someone steals your chip, it's useless, because they don't know your pin number. Funny story: credit card companies like the idea of the chip, but they thought that the American public was too dumb to use the pin-number part of the feature. So in practice, the credit card system is one-factor authentication. Granted: it's pretty easy to just order a new credit card if one gets stolen. So I don't think it's that big of a deal.

------------

Distribution of a standardized, government-issued, government-mandated security token wouldn't be too expensive. But I don't think it's politically feasible.
Last edited by KnightExemplar on Fri Sep 08, 2017 6:34 pm UTC, edited 3 times in total.
First Strike +1/+1 and Indestructible.

Chen
Posts: 5274
Joined: Fri Jul 25, 2008 6:53 pm UTC
Location: Montreal

Re: Equifax is hacked

Postby Chen » Fri Sep 08, 2017 6:29 pm UTC

CorruptUser wrote:Will change my passwords tonight. Tempted to change my SSN as well, but you can only do that 10 times and it's an ordeal. I use credit karma, have for like 5 years now, checking every so often to see if any credit card accounts open in my name. I also have lifelock with the $100k insurance thing but tempted to cancel it. Even so, ugh.


Adding some sort of 2 factor authentication to your accounts would be best, though presumably you can turn those off with sufficient information too though. Not sure changing passwords is actually warranted here. They wouldn't have gotten those from Equifax.

Chen
Posts: 5274
Joined: Fri Jul 25, 2008 6:53 pm UTC
Location: Montreal

Re: Equifax is hacked

Postby Chen » Fri Sep 08, 2017 6:33 pm UTC

KnightExemplar wrote:The USA has no system of passwords or computer security at all. IIRC, Canada has a national identity program backed by two-factor authentication which solves the issue. So the USA can adopt something like that.


Uh if we have that I'm not aware of it. I have an SIN which is almost identical in function to a US SSN. There are more limits on who can require it to be provided for services though.

KnightExemplar
Posts: 5492
Joined: Sun Dec 26, 2010 1:58 pm UTC

Re: Equifax is hacked

Postby KnightExemplar » Fri Sep 08, 2017 6:39 pm UTC

Chen wrote:
KnightExemplar wrote:The USA has no system of passwords or computer security at all. IIRC, Canada has a national identity program backed by two-factor authentication which solves the issue. So the USA can adopt something like that.


Uh if we have that I'm not aware of it. I have an SIN which is almost identical in function to a US SSN. There are more limits on who can require it to be provided for services though.


https://www.forbes.com/sites/tomgroenfe ... 68c8605e06

Maybe it's not as widespread as I thought??

But I've definitely heard of successful security token deployment in Canada. It's an issue of politics: standardization and distribution of chip cards (which cost money, which means some company will be favored and trusted). The technology exists however, and has for decades.

In effect: you prove who you are without giving up any information. The fundamental math is easy. Instead of asking for a social security number, you ask for every single number of the social security number to be multiplied together. (or some other "hard math problem" that jumbles up the original number). In effect, you can prove you have the number without ever actually giving up the number.

Now pass out computer chips that do this automatically, and also have numbers that are programmed in and never repeated. Make it impossible (or nearly impossible) to ever read the original number without breaking the chip. No one ever figures out what their "real number" is, but instead you use cryptography to prove that you have the card and/or chip. From there on out, it's a matter of politics to ensure a decent system to replace lost cards and reporting of lost cards.

------------------

EDIT: An alternative solution... https://secure.login.gov/

Looks like the 18F team is working on a "single sign on" solution across government services. Hopefully that gets popular? Here's the code for the website: https://github.com/18F?utf8=%E2%9C%93&q=identity

A centralized password-based solution would be an improvement over the status quo. But it would require that everybody has internet and an email address. I think a card-based solution would truly reach every American, so that'd be my preference.
First Strike +1/+1 and Indestructible.
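
The challenge-response idea described in the post above and in the earlier two-factor post (a chip proves it holds a number without revealing it, and only answers after a PIN), as an added example that is not part of the thread: a Schnorr-style identification protocol with toy parameters. `Token`, `Verifier`, the PIN and the holder name are constructed for illustration and are not any real card's design.

```python
import hashlib
import hmac
import secrets

# Toy parameters, for illustration only: P = 2**255 - 19 is prime and G = 2.
# Production tokens use vetted, standardized algorithms in tamper-resistant chips.
P = 2**255 - 19
G = 2
ORDER = P - 1  # exponents can be reduced mod P-1 (Fermat's little theorem)


def _pin_digest(pin: str) -> bytes:
    return hashlib.sha256(pin.encode()).digest()


class Token:
    """Hypothetical chip card: the private number x never leaves this object."""

    MAX_PIN_TRIES = 3

    def __init__(self, pin: str):
        self._x = secrets.randbelow(ORDER - 1) + 1  # generated "on chip"
        self._pin = _pin_digest(pin)
        self._tries_left = self.MAX_PIN_TRIES
        self._r = None
        self.public_key = pow(G, self._x, P)  # the only value ever exported

    def commit(self, pin: str) -> int:
        """Second factor: refuse to start a proof unless the PIN is right."""
        if self._tries_left == 0:
            raise PermissionError("token locked")
        if not hmac.compare_digest(_pin_digest(pin), self._pin):
            self._tries_left -= 1
            raise PermissionError("wrong PIN")
        self._tries_left = self.MAX_PIN_TRIES
        self._r = secrets.randbelow(ORDER - 1) + 1  # fresh per login
        return pow(G, self._r, P)

    def respond(self, challenge: int) -> int:
        """Answer s = r + c*x mod (P-1); r is discarded so it is never reused."""
        if self._r is None:
            raise RuntimeError("no commitment outstanding")
        r, self._r = self._r, None
        return (r + challenge * self._x) % ORDER


class Verifier:
    """Hypothetical relying party: its database holds public keys only."""

    def __init__(self):
        self.database = {}

    def enroll(self, holder: str, public_key: int) -> None:
        self.database[holder] = public_key

    def new_challenge(self) -> int:
        return secrets.randbelow(2**128)

    def check(self, holder: str, t: int, c: int, s: int) -> bool:
        # Accept only if G^s == t * y^c (mod P), which requires knowing x.
        y = self.database[holder]
        return pow(G, s, P) == (t * pow(y, c, P)) % P


def login(token: Token, pin: str, verifier: Verifier, holder: str):
    """Run one login; return (accepted, transcript as seen on the wire)."""
    t = token.commit(pin)
    c = verifier.new_challenge()
    s = token.respond(c)
    return verifier.check(holder, t, c, s), (t, c, s)


def replay(verifier: Verifier, holder: str, transcript) -> bool:
    """An eavesdropper resends the old t and s against a new challenge."""
    t, old_c, s = transcript
    c = verifier.new_challenge()
    while c == old_c:
        c = verifier.new_challenge()
    return verifier.check(holder, t, c, s)
```

Because the verifier stores only public keys, a copy of its database contains nothing that can be replayed as a credential, which is the difference from storing an SSN and treating it as a password.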

commodorejohn
Posts: 962
Joined: Thu Dec 10, 2009 6:21 pm UTC
Location: Placerville, CA

Re: Equifax is hacked

Postby commodorejohn » Fri Sep 08, 2017 7:28 pm UTC

And this would be exhibit #4,677 in the case for Why "Big Data" Needs to Die. It won't, of course, but God fucking dammit does it need to.

Idly curious, does a debit card count as a "credit card" for the purposes of this discussion?
"'Legacy code' often differs from its suggested alternative by actually working and scaling."
- Bjarne Stroustrup
www.commodorejohn.com - in case you were wondering, which you probably weren't.

Chen
Posts: 5274
Joined: Fri Jul 25, 2008 6:53 pm UTC
Location: Montreal

Re: Equifax is hacked

Postby Chen » Fri Sep 08, 2017 7:37 pm UTC

KnightExemplar wrote:
Chen wrote:Uh if we have that I'm not aware of it. I have an SIN which is almost identical in function to a US SSN. There are more limits on who can require it to be provided for services though.


https://www.forbes.com/sites/tomgroenfe ... 68c8605e06

Maybe it's not as widespread as I thought??


That article looks more like a private company that lets you add a 2nd factor of authentication to various accounts.

KnightExemplar wrote:But I've definitely heard of successful security token deployment in Canada. It's an issue of politics: standardization and distribution of chip cards (which cost money, which means some company will be favored and trusted). The technology exists however, and has for decades.


I've had a security token for years for my work VPN in addition to these types of things for various online accounts and games. But there's not some sort of universal one or anything here in Canada. Things like the Canadian Revenue Service and the like all have separate logins and passwords. You don't use your SIN or anything to login there anyways. These can also have a 2 factor authentication but it's in no way centralized.

EdgarJPublius
Official Propagandi.... Nifty Poster Guy
Posts: 3556
Joined: Tue Oct 09, 2007 4:56 am UTC
Location: where the wind takes me

Re: Equifax is hacked

Postby EdgarJPublius » Sat Sep 09, 2017 4:06 am UTC

My understanding of the 140+ Million vs. 180+ Thousand number is that the smaller number is people who've actually had bank account/credit card information breached, while the larger is people who've 'merely' had their SSN + biographic data breached.

Could be wrong, obviously the story is still developing.

Chen wrote:Adding some sort of 2 factor authentication to your accounts would be best, though presumably you can turn those off with sufficient information too though. Not sure changing passwords is actually warranted here. They wouldn't have gotten those from Equifax.


A while back, security researcher Brian Krebs reported that a malactor was able to repeatedly access his paypal account and change login information/other details without compromising the 2FA by simply presenting his SSN and credit card number. The malactor was able to do this even after Krebs had been assured by Paypal that his account had been 'flagged' and would be monitored against future fraudulent action.

It's pretty likely that many other companies/institutions including banks, are not significantly more secure than that.

I know until relatively recently, my bank offered a 'two factor security option' that just asked you a random one of your security questions when you attempted to login. Now they offer 2FA via an SMS code sent to a verified mobile number, though I strongly suspect someone could still easily compromise my account via phone support social engineering.
Roosevelt wrote:
I wrote:Does Space Teddy Roosevelt wrestle Space Bears and fight the Space Spanish-American War with his band of Space-volunteers the Space Rough Riders?

Yes.

-still unaware of the origin and meaning of his own user-title

gmalivuk
GNU Terry Pratchett
Posts: 25820
Joined: Wed Feb 28, 2007 6:02 pm UTC
Location: Here and There

Re: Equifax is hacked

Postby gmalivuk » Sat Sep 09, 2017 4:30 am UTC

Unless stated otherwise, I do not care whether a statement, by itself, constitutes a persuasive political argument. I care whether it's true.
---
If this post has math that doesn't work for you, use TeX the World for Firefox or Chrome

(he/him/his)

sardia
Posts: 5851
Joined: Sat Apr 03, 2010 3:39 am UTC

Re: Equifax is hacked

Postby sardia » Sat Sep 09, 2017 5:01 am UTC

commodorejohn wrote:And this would be exhibit #4,677 in the case for Why "Big Data" Needs to Die. It won't, of course, but God fucking dammit does it need to.

Idly curious, does a debit card count as a "credit card" for the purposes of this discussion?

Debit cards don't benefit your credit score, but don't worry, they still harvest your information. It's actually in your bank's disclosures that they do that.
Here are some actual guidelines on what to do that doesn't rely on Equifax. In short, it's pay a bunch of fees, and freeze all your shit. Then call all your Congressmen ASAP.
https://www.nytimes.com/2017/09/08/your ... o-now.html
Also don't expect any help from Equifax and Equifax fully intends to use this crisis to make money off of you.

reval
Posts: 76
Joined: Fri Sep 23, 2016 2:56 pm UTC

Re: Equifax is hacked

Postby reval » Sun Sep 10, 2017 4:54 pm UTC

The original purpose of the SSN was for Social Security, namely to make sure that "no SOB can take it away from them" (FDR). The point was to track your individual contributions in order to establish your irrefutable claim to benefits, because, politically, people seemed to care about your individual contributions.

When you go to a system of universal benefits, you don't need that anymore. The government doesn't even need to know who's receiving benefits, beyond trying to limit double dipping.

The danger of the SSN, of course, is that all the usual bad actors (in both the public and private sectors) have a massive incentive to misuse the SSN for identification purposes. It was not supposed to be used for identification purposes, beyond documenting contributions and claiming benefits. This danger was clearly understood and there was unambiguous legislation against it, e.g., https://en.wikipedia.org/wiki/Privacy_Act_of_1974.

The Privacy Act is still on the books, but meanwhile it has more holes in it than Swiss cheese. The credit bureau malignancy had developed before people tried to tackle the problem, and they failed to crush Equifax and the rest when it would have been much easier to accomplish.

The point in history where the bad actors finally succeeded in breaking the Privacy Act was when they succeeded in tying State driver's licenses to the SSN. That effectively made the driver's license a National ID Card. That had never existed in the US in the past, but it's an essential prerequisite for a truly effective "show me your papers!" police state.

Americans used to understand clearly that they needed to prevent a National ID Card at all cost. But they forgot to pay attention, and the bad actors won. Now the enemy is much stronger, in both the public and private sectors. But Equifax and the police state will still lose, because they're wrong.

gd1
Posts: 73
Joined: Wed Nov 14, 2012 5:42 am UTC

Re: Equifax is hacked

Postby gd1 » Mon Sep 11, 2017 2:39 am UTC

Just minorly daydreamed of a scenario where there were no hackers, viruses, or spam. No need for antivirus, no spam folder, and you wouldn't even need a password for your computer. And then my antivirus quarantined something. Oh well.

sardia
Posts: 5851
Joined: Sat Apr 03, 2010 3:39 am UTC

Re: Equifax is hacked

Postby sardia » Mon Sep 11, 2017 2:06 pm UTC

https://www.consumer.ftc.gov/articles/0 ... reeze-faqs
Placing a credit fraud alert is free, unlike those dirty fees for a credit freeze. They last for 90 days and you can renew. The FTC recommends you put a reminder on your phone that repeats every 90 days until Congress stops taking lobbying advice from the big three credit agencies.

Grop
Posts: 1860
Joined: Mon Oct 06, 2008 10:36 am UTC
Location: France

Re: Equifax is hacked

Postby Grop » Mon Sep 11, 2017 2:44 pm UTC

gd1 wrote:Just minorly daydreamed of a scenario where there were no hackers, viruses, or spam. No need for antivirus, no spam folder, and you wouldn't even need a password for your computer. And then my antivirus quarantined something. Oh well.


But then so many people would have no job!

BoogieMan2718
Posts: 1
Joined: Wed Oct 25, 2017 1:32 pm UTC

Re: Equifax is hacked

Postby BoogieMan2718 » Wed Oct 25, 2017 1:36 pm UTC

This would make a great topic for a satirical XKCD comic considering that credit bureaus collect data on individuals outside their own desire to participate.

Plasma_Wolf
Posts: 93
Joined: Mon Aug 22, 2011 8:11 pm UTC

Re: Equifax is hacked

Postby Plasma_Wolf » Thu Oct 26, 2017 2:02 pm UTC

I saw John Oliver's bit on this one or two weeks ago.

He included the fact that if you asked questions on Twitter, some Equifax Twitter account answered with a reference to a help website, which was owned by someone who didn't have anything to do with Equifax (don't know if it was a satirical thing or someone with malicious intent).

So Equifax falls for these kinds of things more easily than your grandparents, which is pretty sad.

Luckily, to prevent this, Equifax bought all the relevant urls and set up a proper help website.

http://equifaxfraudprevention.com

Oh wait :)

orthogon
Posts: 2724
Joined: Thu May 17, 2012 7:52 am UTC
Location: The Airy 1830 ellipsoid

Re: Equifax is hacked

Postby orthogon » Thu Oct 26, 2017 2:25 pm UTC

Plasma_Wolf wrote:Luckily, to prevent this, Equifax bought all the relevant urls and set up a proper help website.

http://equifaxfraudprevention.com

Oh wait :)


I guess I'm missing the point, but surely a company can never buy "all the relevant urls"? There's a combinatorial explosion problem.
xtifr wrote:... and orthogon merely sounds undecided.

Plasma_Wolf
Posts: 93
Joined: Mon Aug 22, 2011 8:11 pm UTC

Re: Equifax is hacked

Postby Plasma_Wolf » Thu Oct 26, 2017 9:48 pm UTC

That's true, but from a news item a long time ago, a game producer had registered about 15 different urls related to a game. If you're in this kind of trouble, the last thing you want is to confuse other people, so you want an official website, absolute clarity (preferably a pinned tweet in caps lock) which website it is and that other websites are fraudulent.

Then to be sure, you want the domain names like "equifaxfraudprevention", "equifaxfraudprotection", "fraudprotectionequifax" etc. to be yours and redirect to the official website.

The first item on here (I found this website through the Trump presidency thread) https://whatthefuckjusthappenedtoday.co ... 5/day-279/

Senate Republicans repealed a rule that allowed Americans to sue their banks and credit card companies in class-action lawsuits. Senators passed the measure by a vote of 50-50, with Pence breaking the tie. The Obama-era rule banned Wall Street banks and credit card companies from inserting arbitration clauses into contracts that prevented consumers from banding together to bring class-action lawsuits. Democrats and consumer advocates called the effort a gift to financial institutions like Wells Fargo and Equifax


So for any new scandal or hack, citizens are no longer properly protected :(

EdgarJPublius
Official Propagandi.... Nifty Poster Guy
Posts: 3556
Joined: Tue Oct 09, 2007 4:56 am UTC
Location: where the wind takes me

Re: Equifax is hacked

Postby EdgarJPublius » Fri Oct 27, 2017 7:11 am UTC

We weren't really properly protected before
Roosevelt wrote:
I wrote:Does Space Teddy Roosevelt wrestle Space Bears and fight the Space Spanish-American War with his band of Space-volunteers the Space Rough Riders?

Yes.

-still unaware of the origin and meaning of his own user-title

