Huge Hack of Equifax exposes ~140 million US customers' info
I mean, beyond opening new lines of credit, with the information obtained in this breach, someone could easily just call up anyone's bank and take control of their existing account without much fuss.
SSNs can't exactly be reissued, and now for 44% of the US population, their SSN is compromised.
I once spoke, unprofessionally, with a lawyer fighting with a CC company who was somehow trying to make his client pay for XYZ charges. It seemed to have just come down to their being unable to prove the client actually purchased them. (Got their card cloned on vacation, apparently)
I'm curious if the ubiquity of identity theft will slowly place in the minds of jurors and judges, the idea that a signed form containing all your personal information is no longer any sort of proof of identity or consent; even without a more secure alternative. And if the case law underpinning the fraudulent CC scenario might then begin to creep into the wider world of finance.
Why not though? It's just a plaintext number in a database. Maintain the individual's history so relevant parties can review your lifetime stats, but the guy who stole yesterday's code isn't going to get anywhere with it. Request a new SSN, present people who use your SSN with Form 72B, Change of SSN, enjoy your new SSN.
So the old SSN will still be active, making reissuing pointless for security purposes.
Too many people and places have treated it as a unique number over the years. It is the closest thing we have to a universal system identification number. Reissuing does happen, as do errors and the like. But until people find another way to uniquely identify someone, we are kind of stuck.
That is literally for Social Security though. Businesses aren't required to accept anything but the latest. That they use them to identify us at all is probably entirely up to them.
it's that for decades people have used it as both ID and password which is uh
no that's not how that works
but here we are
I wonder if it would be possible to do a unique ID number tied to some form of two factor authentication whenever it was used. Certainly not possible for 100% of the population right now, but thinking about it would be a good exercise.
That's potentially brilliant? SSA gives you an ID. Just issue a damned Social Security Password and there you go.
By which I mean, then expand their IT infrastructure to function as a global authentication server. So, some hurdles there, but mostly just $$$ and elbow grease.
Law and Order ≠ Justice
So not happening.
You don't need it. Just make the banks liable for the crime and they will figure it out by the end of the month.
This just means that when someone takes out a loan with your identity through one of those "we operate from an Indian reservation so we're not subject to federal laws" lenders it'll have an interest rate in the stratosphere.
I wonder if this will lead to an upturn in people who take out skeevy loans or purchase items on credit, then claim it was identity fraud since their information is now out in the wild.
... After all, big corps already have Global Unique Identifiers (GUID) for you - likely multiple cross-indexed. Now think of the outrage of giving the government that ability.
My bank refunded some $2500 in fraudulent charges to me this summer. They weren't happy about it, but they did it without dragging their feet or anything. Just from that I assumed banks were already liable. Or is it different when your credit card isn't issued through your bank?
The irony is that most of the fraud happened while I was on vacation in France. I'd told my bank I'd be out of the country so my card wouldn't get flagged overseas, and all the bogus charges were stateside. You'd think that would work both ways.
Anyway, a credit freeze is looking like a really attractive option right now.
https://techcrunch.com/2017/09/07/equifax-data-breach-help-site-leaves-consumers-with-more-questions-than-answers/
The actual ToS if you want to look over them: https://trustedidpremier.com/static/terms
The NPR article about this has a phone number at the bottom.
http://www.npr.org/sections/thetwo-way/2017/09/07/549296359/hackers-accessed-the-personal-data-of-143-million-people-equifax-says
Personally, I'm thinking more information might come out over time, so I'm not rushing in on this myself.
Ars Technica analysis of the breach.
Jesus.
And good job giving crooks three months to use it without telling me!
What really gets my goat with this crap is how heavily we have to enforce PCI, navigating a labyrinth of regulations that are half security theater and half actual good measures, to the point where the credit card companies can just say "nope, you missed this, you can no longer get money from any of your customers!" and we are constantly scrambling to interpret and update our systems.
... and then one of the companies I'd assume is part of defining the PCI regs pulls this shit.
Yes, the vast majority of their colleagues, including their accounts management team, found out about it the same time/way we all did. They are sending these people out on conference calls with huge, angry banks with no more knowledge than what's contained in this thread.
Hah. That was a couple years ago wasn't it? Only state here but was part of the same breach so I've had the protection ever since. Useful at times, but not exactly heartening to see how bad security is for our personal info.
Equifax needs to be made accountable for this breach. An example made that if you hold people's information, who sure as hell didn't choose to give it to them, then if they can't protect it they get the hammer.
44% exposed, but the percentage impacted is going to be a good chunk higher once you figure in families and couples.
This is especially frustrating because when I heard about it, I double checked to make sure their sketchy looking site was legit and wanted to know if I was included in the leak. Of course, I neglected to read the fine print and putting your name in doesn't actually tell you if you're compromised, it signs you up for the thing and then says to check back in a few days to see if you were part of the leak. I thought I was checking my status, not signing up for something, but signing up is a requirement to check your status apparently.
Is there anything else I should do? I have monthly credit scores via B of A.
Wait, what the fuck?
I'm not a lawyer, but that arbitration clause says for "products purchased" so I think it should only apply if you actually complete enrollment in the credit protection service after seeing if you're impacted. From their instructions, simply checking to see if you're impacted is not actually enrolling in their service. From the site:
I still wouldn't do it at this point knowing what we know now, and honestly it seems like we are stuck in binding arbitration with companies simply by knowing they exist these days, but you may still have a way to join the lawsuit.
I find this dubious. Maybe they were never "informed", but I find it very easy to believe someone could've quietly slipped word to the execs that something was about to go down.
The most frustrating thing is it feels like security at this point and possibly the rest of my life is basically a pointless exercise. My information's been stolen so many times now, from places entirely outside of my control, that it feels like my personal efforts to protect my info have been a complete joke. I'm pretty sure the only thing protecting me from actual ID fraud at this point is that thieves may not ever manage to actually work their way through 140m identities.
I'm pretty sure I've been getting a new credit card every year for the last few years now. I know for sure I have the last two, both around Christmas. I've had "lost password" and "strange login" notices from so many websites I've lost track of. It's practically impossible to keep up with all of it, so I just don't care. The main steps I've taken are not using my debit card if at all possible, and making sure my email password is never, ever used anywhere else (and two-factor authentication). Anything else is just dealing with things as they happen.
This. I had someone fill out a form and I assume accidentally mistyped their SSN and it became mine. Then it became my burden to prove who I was. I mean WTF. Some other idiot's mistake caused me to waste time. That might be the easiest cyber-terrorism some cretin could do. So easy it's probably why those dopes haven't thought of it yet.
My money is on SQL injection, or, maybe a really shitty cookie/JavaScript code that allowed them to change data around with absolutely 0 server side checking after the initial login.