Huge Hack of Equifax exposes ~140 million US customers' info
Weird, I pay a fair amount of attention to security and haven't seen this talked about at all. Is this currently happening?
Wouldn't most folks notice that their phone has stopped working, call their telco, and find out their number had been transferred fairly quickly?
Like, wouldn't it probably tip the hand of whoever is trying to steal the identity quickly, which is a lot less damaging than if they own your identity for weeks/months?
Also, token-based MFA, say through Google's Authenticator app, would be a bit safer.
1) Do you live in the USA?
2) Have you ever signed a formal contract promising to pay someone over a period of time?
If the answer to both is yes, then you are compromised.
Rock Band DLC | GW:OttW - arrcd | WLD - Thortar
Likely illegal!
New York State AG.
https://steamcommunity.com/profiles/76561197970666737/
...
$500,000 max damage would work out to $0.0035 per person impacted :V
You can, depending on the provider you're going from and the provider you're going to, port a number in less than 20 minutes in ideal conditions, entirely over the phone. Certain providers (especially MVNOs) have extremely lax security standards for porting out and in most cases the only roadblock you'll run into isn't a security issue so much as a retention agent who will try to sway you with a slightly better deal to get "you" to stay.
The only caveats are that you need to know the phone number in question, and sometimes you'll need a PIN or other type of password (assuming it's not the default), but social engineering ("Sorry, I forgot my password") can take care of the latter and isn't even required if you have physical access to the phone itself. Alternatively, someone could forge your identity and change your number in person.
A few high profile hacks have been facilitated through redirecting 2FA messages, so it's something to consider, but odds are a private individual won't have to worry about it unless they are a specific target.
How are they so bad at this?
You know that saying, "don't attribute to malice what can be explained by stupidity"? Nah, it's malice:
David Sirota is a journo for the International Business Times
steam | Dokkan: 868846562
They probably would have gotten away scot-free with the criminal negligence that caused all of this, and I don't think any of us would have been surprised. Everything after the fact has just made it so much worse and has been done with much more malice: 1) waiting months to announce it (had they alerted authorities prior to that?), 2) creating a way to find out if you've been affected that basically guarantees that if you haven't, you will be, and 3) the tool to help you find out appears to be fake and just a way to trick people into giving away their rights to litigate their damages.
This isn't the banking crisis; there is a much smaller group of individuals that these decisions can most likely be tracked back to. They should be in jail for a very long time, and their personal wealth should go to the people whose lives they have now ruined.
I would hope this would also be a wake up call for tighter regulation of both data security and who companies you work with directly can pass your information along to, but it won't and that pisses me off.
From my experience in my misspent mid-teens (20 years ago now), it was very common for that kind of nonsense to be exploitable. People in charge of mid-sized companies lack the expertise to evaluate vendors' abilities to provide secure IT, let alone webpages.
Hell, I work for a software development company, and until 5 years ago or so (when the company was about 2.5-3K employees and 40+ years old as exclusively a software development company), anyone with decent experience in our database technology and network access could see basically all of payroll, including bank stuff, health insurance enrollment, addresses, etc. Part of that was an open company philosophy (at the time anyone could also read anyone else's work email, up to and including the CEO and President), but most of it was just that no one had considered that to be a bad thing.
QEDMF xbl: PantsB G+
Or 1% of the net worth of "such a person"
Where "such a person" is.. maybe explained here?
So, hypothetically: Is that 1% of Equifax (the "person" being sued) or 1% of Steve in IT, the "person" who did a thing? Or 1% of Equifax as the shell-person who is responsible for Steve?
Fake edit:
Was searching the amended statute for clarity (nope), but did find this hilarious (in context) double standard:
People want to sue Equifax? Maximum penalty amount.
Equifax wants to sue you? Minimum penalty amount.
Are you just saying hypothetically someone blew a gasket and has decided to do it, or has at least one individual with a name openly declared intention to primary Loudermilk? Because yes, any politician trying to shield Equifax after this should be primaried, and I hope is, just as I hope the Equifax executives are found guilty of all their crimes up to and including insider trading, are stripped of their misbegotten wealth, and are thrown in prison.
This is fuckin bananas
I was just saying that the attack ads write themselves.
Don't hold your breath.
The other thing that gets me is I work in the card fraud department for a company that handles things for a few hundred banks and I've been getting slammed by scared and angry people all day who think my name is John Equifax apparently even though we have nothing to do with this.
I had a friend who used to work IT at the college I go to; they had a similar issue with the student ID logins. Once you logged into your own, you could just change the end of the URL, which was a string of numbers that, oh hey, were actually a student ID, and you would have complete access to their logged-in account, their financial aid stuff, their course schedule, their address and full social security number. It was a mess.
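The student-portal bug described in that post is an insecure direct object reference: the handler trusts the ID in the URL instead of the identity established at login. The following is an added example, not code from the thread or from any real portal, modelling the vulnerable handler beside a hardened one over a constructed in-memory table; the student IDs, SSN placeholders and the `FINANCIAL_AID_STAFF` role are all made up for illustration.

```python
# Added example (not from the thread): the student-portal bug modelled as two
# request handlers over an in-memory table. Records and ids are constructed.
from dataclasses import dataclass
from typing import Optional

# Constructed sample rows; the id and SSN values are placeholders, not real data.
STUDENTS = {
    "100200300": {"name": "Alice", "ssn": "000-00-0001", "aid": "Pell grant"},
    "100200301": {"name": "Bob", "ssn": "000-00-0002", "aid": "none"},
}
# Constructed staff role that legitimately needs to read any record.
FINANCIAL_AID_STAFF = {"staff-17"}


@dataclass
class Request:
    session_user: Optional[str]  # identity established at login, held server-side
    path_id: str                 # trailing number copied out of the URL, attacker-controlled


class Forbidden(Exception):
    pass


def vulnerable_profile(req: Request) -> dict:
    """The bug: only 'are you logged in?' is checked, then the URL is trusted.
    Any logged-in student can edit the number and read another student's record."""
    if req.session_user is None:
        raise Forbidden("login required")
    return STUDENTS[req.path_id]


def authorized(req: Request) -> bool:
    """Object-level authorization: the session identity decides who may see
    which record; the URL only says which record was asked for."""
    if req.session_user is None:
        return False
    if req.session_user in FINANCIAL_AID_STAFF:
        return True
    return req.session_user == req.path_id


def hardened_profile(req: Request) -> dict:
    record = STUDENTS.get(req.path_id)
    # One failure path for "not yours" and "does not exist", so the endpoint
    # cannot be used to enumerate which student ids are valid.
    if record is None or not authorized(req):
        raise Forbidden("not found")
    return record


if __name__ == "__main__":
    attacker = Request(session_user="100200300", path_id="100200301")
    print("vulnerable handler leaks:", vulnerable_profile(attacker)["ssn"])
    print("hardened handler allows:", authorized(attacker))
```

The authorization check lives in one function so every handler that touches a student record can call it; the usual way this bug creeps back in is a second endpoint (schedule, address) that forgets the check.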
I've had my identity "stolen" on a few occasions, generally via credit card fraud. There was a huge problem with it in my area a few years ago. But every time it happened my credit union immediately owned up to it being a shortcoming with their credit card security, they were working to fix it, and refunded my accounts. So, while a bit of a pain, I was sympathetic to the fact that running a massive financial organization is likely difficult. But even in the face of these difficulties my credit union did their best to ensure that I could still expect a certain level of service, otherwise it'd be pointless to even use them.
I have no sympathy for the notion that, if a business can't operate without harming customers, it should be shielded from the consequences of doing so. If a company being held accountable for its actions makes it nonviable then it deserves to fail. Businesses like Equifax trying to pawn off the bare minimum expectations of responsibility to their customers can clear the hell out.
See, now I'm disappointed because I know the jackass is going to get away with it. Because if there's one thing voters are consistent at, it's continuing to mindlessly vote for their own local shithead even as they whine about problems in Congress. I looked up Loudermilk and he's the representative for the rich white northern suburbs of Atlanta, which will continue to vote for a guy so long as he's dog-whistling racist and promises to cut their own taxes, even if it hurts them in the long term. He's a Freedom Caucuser, for goodness sakes. We all knew they were evil hypocrites who have rabid support from hypocrite bases. No, he's not getting primaried, and stop trying to be cute about it.
He is allegedly no longer a Freedom Caucus member, citing a lack of time:
http://politics.blog.myajc.com/2017/03/02/barry-loudermilk-quietly-leaves-the-house-freedom-caucus/
"Too busy... for Freedom?"
Sure, but the notion of having ANY secondary step in line seems like a better one than not. Every extra layer becomes a barrier to those who aren't informed/skilled enough, or are too lazy, to jump through the extra hoops.
I mean, this has always been the case, but it's still funny to me that my fucking Battle.net and Steam accounts are better protected than my banking information (does not use 2 factor, far as I know) or stockpiles of PII like this bullshit.
Also, people are comparing the 143 million to the population of the US, but if what I read in an article is true, there are piles of Canadians in there (like, tens of millions possibly). So, good news, the likelihood of your data being snagged went down a little! Bad news, my chances went way up! :-D
Edit: to be clear, yes, I would prefer a *good* secondary authentication be involved, but I'd take an improvement of any sort at this point as long as it wasn't actively counterproductive in an egregious way.
Thinking anything different is severely shortsighted and exceptionally naive.
The only upside is that there's a good chance your info was already compromised in a different breach.
SMS is specifically vulnerable to attack as a 2fa method: https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentication/
It's not an improvement if malicious actors target it as a vulnerability.
But I agree with your point in general. It's baffling to me that gaming companies have better security than actual banks, and banks won't do more until their bottom line is hurt.
If the banks are shit heels, you... give up society?
If all of us strip naked and head into the woods the banks will have no power
Laughing all the way to the hermitage.
Sorry, that particular section of woods you entered was property that was foreclosed on by a large bank. You are now arrested for trespassing.
That is an excellent idea.
I will watch your stuff while you're gone.
Two factor authentication via text message leaves you still vulnerable to attacks directly made on you by determined actors willing to spend time to hack you. Everyone is vulnerable to that level of attention. Almost all hacking attacks or identity theft attempts are broadly distributed and waste no time on those who have any level of additional protection. There are more than enough people whose password is password to take up their time.
And in this case, the overwhelming risk is new accounts being opened in your name. And no level of authentication beyond a credit freeze will help you there. Attacks on your personal accounts are a risk, but all your bank accounts should have individual strong passwords, and banks you actually bank with are far more likely to reimburse you for theft of this nature.
"Hello, I've forgotten my password. Can you reset it for me? My social security number? Of course, just a minute..."
Call your bank and see if you can have a verbal password set. I was able to do this, and now if someone tries calling the main office, they have to give a password to do anything.
Your hack has already taken too long, and required the use of a single human's time on a phone line. Also, if you just call someone up, then two factor authorization is also useless.
"Oh, I lost my two factor app. Can you reset access to not need it?"
Probably would also be a good idea to maybe require in-person registration for certain things. I know it being far less convenient would pose issues for some, but on the other hand that might force society to address a few issues. I'm willing to bet some of that convenience doesn't extend to most of the individuals that people claimed are helped by the convenience. Also aware it wouldn't be a cure-all; some people will still find a way to pull off some shit, but if we make it harder for people to get away with identity theft, we're likely to see fewer people doing it because the risks are too high, and probably more getting caught.
@Tomanta
So, @Mugsley's post was excellent and I totally agree with what they said.
I just want to add one more thing. Put pressure on the companies you do business with. Ask them what their cybersecurity practices are. If you're willing to learn a few basic concepts, and learn a few buzzwords, ask them if private data is encrypted both at rest and in motion. Ask them if they salt their passwords. Ask them how many contractors they have who have access to your data. Put pressure on them on Twitter and Facebook.
Be willing to walk away from companies that practice bad cybersecurity. If a company is willing to provide private info over the phone without verifying your identity (with nonpublic info, like a passcode, or something hard to spoof like a return phone call to your phone number on record with them) that's bad cybersecurity. If they handle password reset by sending you by email your prior password, that's bad cybersecurity. If you enter private info on a website that isn't HTTPS encrypted, that's bad cybersecurity. If they redirect you to a million bullshit domains (like equifaxcodswallop2017) that's bad cybersecurity.
I'll be honest: most of the time a company's call center representatives won't know what you're talking about. They'll lie to you. Nothing will change quickly. But the more people who do this, and do it consistently, the more companies will listen.
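Two of the checks in that post, "do they salt their passwords" and "do they email you your prior password on reset", are the same question from two sides: a site that can send back your old password is storing it in a reversible form. The following is an added example, not code from the thread or from any company it names, showing a reversible store beside a salted, slow-hashed one. The record format, the iteration count and the sample passwords are this example's own choices.

```python
# Added example (not from the thread): the reversible "we'll email you your
# old password" store beside a salted PBKDF2 store. Format and constants assumed.
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor; raise as hardware improves


def weak_store(password: str) -> str:
    """Anti-pattern. Any site that can mail you your previous password keeps something
    like this (base64 is encoding, not encryption); one breach dumps every password."""
    return base64.b64encode(password.encode()).decode()


def weak_recover(stored: str) -> str:
    return base64.b64decode(stored).decode()


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Per-user random salt plus a slow KDF. Two users with the same password get
    different records, and a stolen table cannot be turned back into passwords."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Self-describing record so the work factor can be raised later per user.
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    try:
        algo, iterations, salt_b64, dk_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        rounds = int(iterations)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
    except (ValueError, TypeError):
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    weak = weak_store("hunter2")
    print("reversible store leaks:", weak_recover(weak))
    rec = hash_password("correct horse battery staple")
    print("salted record:", rec)
    print("verify ok:", verify_password("correct horse battery staple", rec))
    print("verify wrong:", verify_password("hunter2", rec))
```

The only way a properly hashed store can "reset" a password is to issue a new one or a one-time link; that is why the reset flow is a cheap outside signal of how the table is kept.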
the "no true scotch man" fallacy.