
Huge Hack of Equifax exposes ~140 million US customers' info

  • redx (I(x)=2(x)+1 whole numbers) Registered User regular
    edited September 2017
    Polaritie wrote: »
    Chief fraud guy here says he expects this was a state-sponsored action. Hasn't seen any uptick in ID theft activity since the timeframe, but thinks the data is still being bundled into tranches to sell in The Under.

    Was there an uptick after OPM? I recall reading an article several years ago in which the writer observed that the market was flooded even then. Pennies a name, bundles of thousands.

    It gave me the impression it was a crap shoot on their end as to whether the end customer got IDs of any use, then a lottery as to whether yours was the first one that worked.

    I have been considerably less concerned about these mass breaches ever since.

    OPM seemed business as usual, so no uptick beyond the constant level of stuff that happens.

    The amount of data available on this one is far more extensive than any other breach. While each piece of data that was compromised was likely independently available already, the files that were taken here have it all bundled together. The fear is that we might see an increase in attempts as more numerous/less sophisticated fraud shops buy and try this data.

    Phone number porting and synthetic IDs are going to leave just about all current forms of consumer authentication compromised. We're kind of left with biometrics + an elevated level of fraud loss until some new tech/ideas come out.

    (Proper) two-factor auth is fine. It's this reliance on something you know that's biting us in the collective ass.

    Phone number porting kills the 2nd factor method that relies on texting one time passcodes

    weird, i pay a fair amount of attention to security and haven't seen this talked about at all. is this currently happening?

    wouldn't most folk notice that their phone has stopped working, call their telco, and find out their number had been transferred fairly quickly?

    like, wouldn't it probably tip the hand of whoever is trying to steal the identity quickly, which is a lot less damaging than if they own your identity for weeks/months.


    also token-based MFA, say through Google's authenticator app, would be a bit safer.

  • tbloxham Registered User regular
    Here's how to find out if you are compromised

    1) Do you live in the USA?
    2) Have you ever signed a formal contract promising to pay someone over a period of time?

    If the answer to both is yes, then you are compromised.
  • Artereis Registered User regular
    So, misleading website used to encourage people to sign up and agree to arbitration? That's just great.

  • bowen (Sup?) Registered User regular
    Artereis wrote: »
    So, misleading website used to encourage people to sign up and agree to arbitration? That's just great.

    Likely illegal!

  • Shadowfire (Vermont, in the middle of nowhere) Registered User regular
    edited September 2017
    Artereis wrote: »
    So, misleading website used to encourage people to sign up and agree to arbitration? That's just great.

    New York State AG.

  • Fencingsax (It is difficult to get a man to understand, when his salary depends upon his not understanding; GNU Terry Pratchett) Registered User regular
    Someone has to go to jail for this

  • Jragghen Registered User regular
    edited September 2017
    http://www.ibtimes.com/political-capital/equifax-lobbied-kill-rule-protecting-victims-data-breaches-2587929
    Federal documents reviewed by International Business Times show that in response to that 2016 rule, the Consumer Data Industry Association (CDIA) — which says it is “the trade association which represents Equifax” — pressed regulators to back off the proposed prohibitions, saying the regulations would subject data companies to tough penalties if during a class action suit they were found to have broken the law.

    In one section of the letter, CDIA declares that federal regulators “should exempt from its arbitration rule class action claims against providers of credit monitoring products.” The letter asserted that allowing customers to sue companies “would not serve the public interest or the public good” because it could subject the companies to “extraordinary and draconian civil liability provisions” under current law. In another section of the letter, Equifax’s lobbying group says that a rule blocking companies from forcing their customers to waive class action rights would expose credit agencies “to unmanageable class action liability that could result in full disgorgement of revenues” if companies are found to have illegally harmed their customers.

    Equifax’s lobbying group argued against the prohibition even as it acknowledged that a 2015 government study found “that credit reporting constituted one of the four largest product areas for class action relief” for consumers. Consumer groups countered the claims of CDIA and other rule opponents by saying the ability to file suit is necessary to protect Americans’ legal rights.

    ...
    Equifax itself has directly lobbied the CFPB on the arbitration rule. Federal records show that since the second quarter of 2015, a team of lobbyists from Equifax’s own government relations shop lobbied the Bureau on the “Use of arbitration agreements involving consumer financial products and services.” This year, the company was still lobbying the CFPB; during the most recent period for which lobbying information is available, the second quarter of 2017, Equifax had five lobbyists personally pushing the CFPB to revise the rule.

    The company and CDIA are also both lobbying Congress on a Republican-sponsored House bill, pointed out by journalist David Dayan on Twitter on Friday, that would cap class action damages at $500,000 and eliminate punitive damages altogether. The bill's sponsor, Barry Loudermilk (R-GA), announced CDIA's support.

    $500,000 max damage would work out to $0.0035 per person impacted :V

  • Fencingsax (It is difficult to get a man to understand, when his salary depends upon his not understanding; GNU Terry Pratchett) Registered User regular
    Someone just decided to primary Loudermilk

  • Tomanta Registered User regular
    I've seen reports of people who get a different answer if they put their info in on a PC vs. Mobile. Just lots of signs that says "Eh, who knows, just sign up. Plz."

  • SmokeStacks Registered User regular
    redx wrote: »
    Phone number porting kills the 2nd factor method that relies on texting one time passcodes

    weird, i pay a fair amount of attention to security and haven't seen this talked about at all. is this currently happening?

    wouldn't most folk notice that their phone has stopped working, call their telco, and find out their number had been transferred fairly quickly?

    You can, depending on the provider you're going from and the provider you're going to, port a number in less than 20 minutes in ideal conditions, entirely over the phone. Certain providers (especially MVNOs) have extremely lax security standards for porting out and in most cases the only roadblock you'll run into isn't a security issue so much as a retention agent who will try to sway you with a slightly better deal to get "you" to stay.

    The only caveats are you need to know the phone number in question, and sometimes you'll need a PIN or other type of password (assuming it's not the default), but social engineering (Sorry, I forgot my password) can take care of the latter and isn't even required if you have physical access to the phone itself. Alternately, someone could forge your identity and change your number in person.

    A few high profile hacks have been facilitated through redirecting 2FA messages, so it's something to consider, but odds are a private individual won't have to worry about it unless they are a specific target.

  • Mugsley (Delaware) Registered User regular
    I never thought I'd say this in a non-political thread.


    How are they so bad at this?

  • fightinfilipino (Angry as Hell #BLM) Registered User regular
    Mugsley wrote: »
    I never thought I'd say this in a non-political thread.


    How are they so bad at this?

    you know that saying "don't attribute to malice what can be explained by stupidity"? nah, it's malice:



    David Sirota is a journo for the International Business Times

  • LostNinja Registered User regular
    Fencingsax wrote: »
    Someone has to go to jail for this

    They probably would have gotten away scot-free with the criminal negligence that caused all of this, and I don't think any of us would have been surprised. Everything after the fact has just made it so much worse and has been done with much more malice. 1) waiting months to announce it (had they alerted authorities prior to that?), 2) created a way to find out if you've been affected that basically guarantees if you haven't you will be, and 3) the tool to help you find out appears to be fake and just a way to trick people into giving away their rights to litigate their damages.

    This isn't the banking crisis; there is a much smaller group of individuals that these decisions can most likely be tracked back to. They should be in jail for a very long time, and their personal wealth should go to the people whose lives they have now ruined.

    I would hope this would also be a wake up call for tighter regulation of both data security and who companies you work with directly can pass your information along to, but it won't and that pisses me off.

  • PantsB (Fake Thomas Jefferson) Registered User regular
    Scooter wrote: »
    bowen wrote: »
    So do we know what kind of attack it was yet?

    My money is on SQL injection, or, maybe a really shitty cookie/javascript code that allowed them to change data around with absolutely 0 server side checking after the initial login.

    When my CC info was leaked a few years ago, it turned out that once you logged in to any account, if you changed the # of your web account in your URL you could see anyone's account page if you could guess the numbers.

    From my experience in my misspent mid-teens (20 years ago now), it was very common for that kind of nonsense to be exploitable. People in charge of mid-sized companies lack the expertise to evaluate vendors' abilities to provide secure IT, let alone webpages.

    Hell, I work for a software development company and until 5 years ago or so (when the company was about 2.5-3K employees and 40+ years old as exclusively a software development company), anyone with decent experience in our database technology and network access could see basically all of payroll including bank stuff, health insurance enrollment, addresses etc. Part of that was an open company philosophy (at the time anyone could also read anyone else's work email up to and including the CEO and President), but most of it was just that no one had considered that to be a bad thing.

  • ArbitraryDescriptor Registered User regular
    edited September 2017
    Jragghen wrote: »
    http://www.ibtimes.com/political-capital/equifax-lobbied-kill-rule-protecting-victims-data-breaches-2587929
    Federal documents reviewed by International Business Times show that in response to that 2016 rule, the Consumer Data Industry Association (CDIA) — which says it is “the trade association which represents Equifax” — pressed regulators to back off the proposed prohibitions, saying the regulations would subject data companies to tough penalties if during a class action suit they were found to have broken the law.

    In one section of the letter, CDIA declares that federal regulators “should exempt from its arbitration rule class action claims against providers of credit monitoring products.” The letter asserted that allowing customers to sue companies “would not serve the public interest or the public good” because it could subject the companies to “extraordinary and draconian civil liability provisions” under current law. In another section of the letter, Equifax’s lobbying group says that a rule blocking companies from forcing their customers to waive class action rights would expose credit agencies “to unmanageable class action liability that could result in full disgorgement of revenues” if companies are found to have illegally harmed their customers.

    Equifax’s lobbying group argued against the prohibition even as it acknowledged that a 2015 government study found “that credit reporting constituted one of the four largest product areas for class action relief” for consumers. Consumer groups countered the claims of CDIA and other rule opponents by saying the ability to file suit is necessary to protect Americans’ legal rights.

    ...
    Equifax itself has directly lobbied the CFPB on the arbitration rule. Federal records show that since the second quarter of 2015, a team of lobbyists from Equifax’s own government relations shop lobbied the Bureau on the “Use of arbitration agreements involving consumer financial products and services.” This year, the company was still lobbying the CFPB; during the most recent period for which lobbying information is available, the second quarter of 2017, Equifax had five lobbyists personally pushing the CFPB to revise the rule.

    The company and CDIA are also both lobbying Congress on a Republican-sponsored House bill, pointed out by journalist David Dayan on Twitter on Friday, that would cap class action damages at $500,000 and eliminate punitive damages altogether. The bill's sponsor, Barry Loudermilk (R-GA), announced CDIA's support.

    $500,000 max damage would work out to $0.0035 per person impacted :V

    Or 1% of the net worth of "such a person"

    Where "such a person" is.. maybe explained here?
    With respect to a class action (as such term is defined in section 1711 of title 28, United States Code), or series of class actions arising out of the same failure to comply of a person, brought by consumers against a person who willfully fails to comply with any requirement imposed under this title, such person is liable to such consumers in such an amount as a court may determine, except that-

    So, hypothetically: Is that 1% of Equifax (the "person" being sued) or 1% of Steve in IT, the "person" who did a thing? Or 1% of Equifax as the shell-person who is responsible for Steve?


    Fake edit:
    Was searching the amended statute for clarity (nope), but did find this hilarious (in context) double standard:
    (b) Civil liability for knowing noncompliance
    Any person who obtains a consumer report from a consumer reporting agency under false pretenses or knowingly without a permissible purpose shall be liable to the consumer reporting agency for actual damages sustained by the consumer reporting agency or $1,000, whichever is greater.

    People want to sue Equifax? Maximum penalty amount.

    Equifax wants to sue you? Minimum penalty amount.

  • Mayabird (Pecking at the keyboard) Registered User regular
    Fencingsax wrote: »
    Someone just decided to primary Loudermilk

    Are you just saying hypothetically someone blew a gasket and has decided to do it, or has at least one individual with a name openly declared intention to primary Loudermilk? Because yes, any politician trying to shield Equifax after this should be primaried, and I hope is, just as I hope the Equifax executives are found guilty of all their crimes up to and including insider trading, are stripped of their misbegotten wealth, and are thrown in prison.

  • Sleep Registered User regular
    just fuckin wow

    This is fuckin bananas

  • Fencingsax (It is difficult to get a man to understand, when his salary depends upon his not understanding; GNU Terry Pratchett) Registered User regular
    Mayabird wrote: »
    Fencingsax wrote: »
    Someone just decided to primary Loudermilk

    Are you just saying hypothetically someone blew a gasket and has decided to do it, or has at least one individual with a name openly declared intention to primary Loudermilk? Because yes, any politician trying to shield Equifax after this should be primaried, and I hope is, just as I hope the Equifax executives are found guilty of all their crimes up to and including insider trading, are stripped of their misbegotten wealth, and are thrown in prison.

    I was just saying that the attack ads write themselves.

  • Smrtnik (job boli zub) Registered User regular
    Fencingsax wrote: »
    Someone has to go to jail for this

    Don't hold your breath.

  • Bucketman (Call me Skragg) Registered User regular
    edited September 2017
    Here's the thing that gets me, I never agreed to this! I mean technically I'm sure I did, but I never wanted these agencies that are allowed to do whatever to have my information, but because that's how banks work they have it all.

    The other thing that gets me is I work in the card fraud department for a company that handles things for a few hundred banks and I've been getting slammed by scared and angry people all day who think my name is John Equifax apparently, even though we have nothing to do with this.
    Scooter wrote: »
    bowen wrote: »
    So do we know what kind of attack it was yet?

    My money is on SQL injection, or, maybe a really shitty cookie/javascript code that allowed them to change data around with absolutely 0 server side checking after the initial login.

    When my CC info was leaked a few years ago, it turned out that once you logged in to any account, if you changed the # of your web account in your URL you could see anyone's account page if you could guess the numbers.

    I had a friend who used to work in IT at the college I go to; they had a similar issue with the student ID logins. Once you logged into your own, you could just change the end of the URL, which was a string of numbers that, oh hey, were actually a student ID, and you would have complete access to their logged-in account, their financial aid stuff, their course schedule, their address and full social security number. It was a mess.

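
The URL-tampering bug Scooter and Bucketman describe above (change the account or student number in the URL, see someone else's record) is an insecure direct object reference: the site authenticates the session but never authorizes the object. What follows is an added example, not code from the thread or from any site mentioned in it; the account records, user names, URL shape and log format are constructed for illustration. It puts the vulnerable handler beside the fixed one, runs the id walk an attacker with one valid login would run against each, and adds the server-side log check that catches the walk even when the application itself never complains.

```python
import re
from collections import defaultdict
from typing import Callable, Dict, Iterable, Optional

# Constructed sample data: the kind of per-customer record a card portal shows after login.
ACCOUNTS: Dict[int, dict] = {
    1001: {"owner": "alice", "card_last4": "4242", "ssn_last4": "1234"},
    1002: {"owner": "bob",   "card_last4": "1881", "ssn_last4": "5678"},
    1003: {"owner": "carol", "card_last4": "0005", "ssn_last4": "9012"},
}


class AccessDenied(Exception):
    """Raised for any request the caller may not see; the caller learns nothing else."""


def account_page_vulnerable(session_user: Optional[str], account_id: int) -> dict:
    """The pattern from the thread: check that *someone* is logged in, then trust the
    account number taken from the URL. Authentication without authorization."""
    if session_user is None:
        raise AccessDenied("login required")
    return ACCOUNTS[account_id]              # KeyError for unknown ids, data for everyone else


def account_page_fixed(session_user: Optional[str], account_id: int) -> dict:
    """Same URL shape, but the record must belong to the session's user. A missing record
    and a foreign record produce the same response, so probing cannot even confirm
    which ids exist."""
    if session_user is None:
        raise AccessDenied("login required")
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != session_user:
        raise AccessDenied("not found")
    return record


def is_denied(handler: Callable[[Optional[str], int], dict],
              session_user: Optional[str], account_id: int) -> bool:
    """True if the handler refuses the request (either by policy or because the id is unknown)."""
    try:
        handler(session_user, account_id)
    except (AccessDenied, KeyError):
        return True
    return False


def enumerate_accounts(handler: Callable[[Optional[str], int], dict],
                       session_user: Optional[str], candidate_ids: Iterable[int]) -> Dict[int, str]:
    """What an attacker with one valid login does: walk the id space and keep whatever comes back."""
    leaked: Dict[int, str] = {}
    for account_id in candidate_ids:
        try:
            leaked[account_id] = handler(session_user, account_id)["owner"]
        except (AccessDenied, KeyError):
            continue
    return leaked


# Detection side. Constructed access-log lines in a made-up format: one user walking
# sequential ids, one user viewing only their own account.
ACCESS_LOG = """\
2017-09-08T12:00:01Z user=alice GET /account/1001 200
2017-09-08T12:00:02Z user=alice GET /account/1002 200
2017-09-08T12:00:02Z user=alice GET /account/1003 200
2017-09-08T12:00:03Z user=alice GET /account/1004 404
2017-09-08T12:00:05Z user=bob GET /account/1002 200
2017-09-08T12:00:09Z user=bob GET /account/1002 200
"""

LOG_LINE = re.compile(r"user=(?P<user>\S+) GET /account/(?P<acct>\d+) (?P<status>\d{3})")


def flag_enumerators(log_text: str, max_distinct: int = 1) -> Dict[str, int]:
    """Return users who touched more than `max_distinct` distinct account ids, with the count.
    A legitimate customer sees their own account; several different ids from one session
    is the signature of the walk above, whether or not each request succeeded."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if m:
            seen[m["user"]].add(int(m["acct"]))
    return {user: len(ids) for user, ids in seen.items() if len(ids) > max_distinct}


if __name__ == "__main__":
    print("vulnerable:", enumerate_accounts(account_page_vulnerable, "alice", range(1000, 1010)))
    print("fixed:     ", enumerate_accounts(account_page_fixed, "alice", range(1000, 1010)))
    print("flagged:   ", flag_enumerators(ACCESS_LOG))
```

The fix is the ownership check, not an unguessable identifier: a random 128-bit account id stops the sequential walk but still hands the record to anyone who picks the id up from a Referer header, a support ticket or a screenshot. Returning the same "not found" for foreign and missing ids also keeps the status code from confirming which ids exist, which is exactly what the 404 in the constructed log would otherwise tell the attacker.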
  • Quid (Definitely not a banana) Registered User regular
    Jragghen wrote: »
    http://www.ibtimes.com/political-capital/equifax-lobbied-kill-rule-protecting-victims-data-breaches-2587929
    Federal documents reviewed by International Business Times show that in response to that 2016 rule, the Consumer Data Industry Association (CDIA) — which says it is “the trade association which represents Equifax” — pressed regulators to back off the proposed prohibitions, saying the regulations would subject data companies to tough penalties if during a class action suit they were found to have broken the law.

    In one section of the letter, CDIA declares that federal regulators “should exempt from its arbitration rule class action claims against providers of credit monitoring products.” The letter asserted that allowing customers to sue companies “would not serve the public interest or the public good” because it could subject the companies to “extraordinary and draconian civil liability provisions” under current law. In another section of the letter, Equifax’s lobbying group says that a rule blocking companies from forcing their customers to waive class action rights would expose credit agencies “to unmanageable class action liability that could result in full disgorgement of revenues” if companies are found to have illegally harmed their customers.

    Equifax’s lobbying group argued against the prohibition even as it acknowledged that a 2015 government study found “that credit reporting constituted one of the four largest product areas for class action relief” for consumers. Consumer groups countered the claims of CDIA and other rule opponents by saying the ability to file suit is necessary to protect Americans’ legal rights.

    ...
    Equifax itself has directly lobbied the CFPB on the arbitration rule. Federal records show that since the second quarter of 2015, a team of lobbyists from Equifax’s own government relations shop lobbied the Bureau on the “Use of arbitration agreements involving consumer financial products and services.” This year, the company was still lobbying the CFPB; during the most recent period for which lobbying information is available, the second quarter of 2017, Equifax had five lobbyists personally pushing the CFPB to revise the rule.

    The company and CDIA are also both lobbying Congress on a Republican-sponsored House bill, pointed out by journalist David Dayan on Twitter on Friday, that would cap class action damages at $500,000 and eliminate punitive damages altogether. The bill's sponsor, Barry Loudermilk (R-GA), announced CDIA's support.

    $500,000 max damage would work out to $0.0035 per person impacted :V

    I've had my identity "stolen" on a few occasions, generally via credit card fraud. There was a huge problem with it in my area a few years ago. But every time it happened my credit union immediately owned up to it being a shortcoming with their credit card security, they were working to fix it, and refunded my accounts. So, while a bit of a pain, I was sympathetic to the fact that running a massive financial organization is likely difficult. But even in the face of these difficulties my credit union did their best to ensure that I could still expect a certain level of service, otherwise it'd be pointless to even use them.

    I have no sympathy for the notion that, if a business can't operate without harming customers, it should be shielded from the consequences of doing so. If a company being held accountable for its actions makes it nonviable then it deserves to fail. Businesses like Equifax trying to pawn off the bare minimum expectations of responsibility to their customers can clear the hell out.

  • Mayabird (Pecking at the keyboard) Registered User regular
    Fencingsax wrote: »
    Mayabird wrote: »
    Fencingsax wrote: »
    Someone just decided to primary Loudermilk

    Are you just saying hypothetically someone blew a gasket and has decided to do it, or has at least one individual with a name openly declared intention to primary Loudermilk? Because yes, any politician trying to shield Equifax after this should be primaried, and I hope is, just as I hope the Equifax executives are found guilty of all their crimes up to and including insider trading, are stripped of their misbegotten wealth, and are thrown in prison.

    I was just saying that the attack ads write themselves.

    See, now I'm disappointed because I know the jackass is going to get away with it. Because if there's one thing voters are consistent at, it's continuing to mindlessly vote for their own local shithead even as they whine about problems in Congress. I looked up Loudermilk and he's the representative for the rich white northern suburbs of Atlanta, which will continue to vote for a guy so long as he's dog-whistling racist and promises to cut their own taxes, even if it hurts them in the long term. He's a Freedom Caucuser for goodness sakes. We all knew they were evil hypocrites who have rabid support from hypocrite bases. No, he's not getting primaried, and stop trying to be cute about it.

  • ArbitraryDescriptor Registered User regular
    Mayabird wrote: »
    Fencingsax wrote: »
    Mayabird wrote: »
    Fencingsax wrote: »
    Someone just decided to primary Loudermilk

    Are you just saying hypothetically someone blew a gasket and has decided to do it, or has at least one individual with a name openly declared intention to primary Loudermilk? Because yes, any politician trying to shield Equifax after this should be primaried, and I hope is, just as I hope the Equifax executives are found guilty of all their crimes up to and including insider trading, are stripped of their misbegotten wealth, and are thrown in prison.

    I was just saying that the attack ads write themselves.

    See, now I'm disappointed because I know the jackass is going to get away with it. Because if there's one thing voters are consistent at, it's continuing to mindlessly vote for their own local shithead even as they whine about problems in Congress. I looked up Loudermilk and he's the representative for the rich white northern suburbs of Atlanta, which will continue to vote for a guy so long as he's dog-whistling racist and promises to cut their own taxes, even if it hurts them in the long term. He's a Freedom Caucuser for goodness sakes. We all knew they were evil hypocrites who have rabid support from hypocrite bases. No, he's not getting primaried, and stop trying to be cute about it.

    He is allegedly no longer a Freedom Caucus member, citing a lack of time:
    http://politics.blog.myajc.com/2017/03/02/barry-loudermilk-quietly-leaves-the-house-freedom-caucus/

    "Too busy... for Freedom?"

  • Forar (#432 Toronto, Ontario, Canada) Registered User regular
    edited September 2017
    Switch to the Google Authenticator ASAP if you can (It's free, available on most smart phones, and is easy to set up). SMS is not, and never has been, secure.

    Sure, but the notion of having ANY secondary step in line seems like a better one than not. Every extra layer becomes a barrier to those who aren't informed/skilled enough, or are too lazy, to jump through the extra hoops.

    I mean, this has always been the case, but it's still funny to me that my fucking Battle.net and Steam accounts are better protected than my banking information (does not use 2 factor, far as I know) or stockpiles of PII like this bullshit.

    Also, people are comparing the 143 million to the population of the US, but if what I read in an article is true, there are piles of Canadians in there (like, tens of millions possibly). So, good news, the likelihood of your data being snagged went down a little! Bad news, my chances went way up! :-D

    Edit: to be clear, yes, I would prefer a *good* secondary authentication be involved, but I'd take an improvement of any sort at this point as long as it wasn't actively counterproductive in an egregious way.

  • Mugsley (Delaware) Registered User regular
    In the spirit of "you can make statistics say whatever you want," rest assured that if you've ever used a bank or had financial transactions involving debt (I would say that student debt is included in this), you're caught up in this.

    Thinking anything different is severely shortsighted and exceptionally naive.

    The only upside is that there's a good chance your info was already compromised in a different breach.

  • fightinfilipino (Angry as Hell #BLM) Registered User regular
    Forar wrote: »
    Switch to the Google Authenticator ASAP if you can (It's free, available on most smart phones, and is easy to set up). SMS is not, and never has been, secure.

    Sure, but the notion of having ANY secondary step in line seems like a better one than not. Every extra layer becomes a barrier to those who aren't informed/skilled enough, or are too lazy, to jump through the extra hoops.

    I mean, this has always been the case, but it's still funny to me that my fucking Battle.net and Steam accounts are better protected than my banking information (does not use 2 factor, far as I know) or stockpiles of PII like this bullshit.

    Also, people are comparing the 143 million to the population of the US, but if what I read in an article is true, there are piles of Canadians in there (like, tens of millions possibly). So, good news, the likelihood of your data being snagged went down a little! Bad news, my chances went way up! :-D

    Edit: to be clear, yes, I would prefer a *good* secondary authentication be involved, but I'd take an improvement of any sort at this point as long as it wasn't actively counterproductive in an egregious way.

    SMS is specifically vulnerable to attack as a 2fa method: https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentication/

    it's not an improvement if malicious actors target it as a vulnerability.

    but i agree with your point in general. it's baffling to me that gaming companies have better security than actual banks. and banks won't do more until their bottom line is hurt.

  • ElJeffe Registered User, ClubPA regular
    Gaming is optional. If a game company is a shit heel, you find a different game or give up gaming.

    If the banks are shit heels, you... give up society?

  • NSDFRand (Florida) Registered User regular
    RE credit card fraud/identity theft: It isn't only private companies where this can happen. My parents had their identity stolen because they used the city website to pay a utility bill (the only online payment they made that month). It only took a few days to get the money back and cancel/reissue the card but from that day forward they only ever paid utility bills in person. This type of problem isn't only an issue of the private sector cutting corners on IT and infosec but, as many others who were also affected by the OPM hack have pointed out, the public sector also has these security issues.

  • override367 (ALL minions) Registered User regular
    ElJeffe wrote: »
    Gaming is optional. If a game company is a shit heel, you find a different game or give up gaming.

    If the banks are shit heels, you... give up society?

    If all of us strip naked and head into the woods the banks will have no power

  • moniker Registered User regular
    ElJeffe wrote: »
    Gaming is optional. If a game company is a shit heel, you find a different game or give up gaming.

    If the banks are shit heels, you... give up society?

    Laughing all the way to the hermitage.

  • Donnicton Registered User regular
    ElJeffe wrote: »
    Gaming is optional. If a game company is a shit heel, you find a different game or give up gaming.

    If the banks are shit heels, you... give up society?

    If all of us strip naked and head into the woods the banks will have no power

    Sorry, that particular section of woods you entered was property that was foreclosed on by a large bank. You are now arrested for trespassing.

  • ElJeffe Registered User, ClubPA regular
    ElJeffe wrote: »
    Gaming is optional. If a game company is a shit heel, you find a different game or give up gaming.

    If the banks are shit heels, you... give up society?

    If all of us strip naked and head into the woods the banks will have no power

    That is an excellent idea.

    I will watch your stuff while you're gone.

  • tbloxham Registered User regular
    Forar wrote: »
    Switch to the Google Authenticator ASAP if you can (It's free, available on most smart phones, and is easy to set up). SMS is not, and never has been, secure.

    Sure, but the notion of having ANY secondary step in line seems like a better one than not. Every extra layer becomes a barrier to those who aren't informed/skilled enough, or are too lazy, to jump through the extra hoops.

    I mean, this has always been the case, but it's still funny to me that my fucking Battle.net and Steam accounts are better protected than my banking information (does not use 2 factor, far as I know) or stockpiles of PII like this bullshit.

    Also, people are comparing the 143 million to the population of the US, but if what I read in an article is true, there are piles of Canadians in there (like, tens of millions possibly). So, good news, the likelihood of your data being snagged went down a little! Bad news, my chances went way up! :-D

    Edit: to be clear, yes, I would prefer a *good* secondary authentication be involved, but I'd take an improvement of any sort at this point as long as it wasn't actively counterproductive in an egregious way.

    SMS is specifically vulnerable to attack as a 2fa method: https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentication/

    it's not an improvement if malicious actors target it as a vulnerability.

    but i agree with your point in general. it's baffling to me that gaming companies have better security than actual banks. and banks won't do more until their bottom line is hurt.

    Two factor authentication via text message leaves you still vulnerable to attacks directly made on you by determined actors willing to spend time to hack you. Everyone is vulnerable to that level of attention. Almost all hacking attacks or identity theft attempts are broadly distributed and waste no time on those who have any level of additional protection. There are more than enough people whose password is password to take up their time.

    And in this case, the overwhelming risk is new accounts being opened in your name. And no level of authentication beyond a credit freeze will help you there. Attacks on your personal accounts are a risk, but all your bank accounts should have individual strong passwords, and banks you actually bank with are far more likely to reimburse you for theft of this nature.

    "That is cool" - Abraham Lincoln
  • TetraNitroCubaneTetraNitroCubane Not Angry... Just VERY Disappointed...Registered User regular
    tbloxham wrote: »
    Forar wrote: »
    Switch to the Google Authenticator ASAP if you can (It's free, available on most smart phones, and is easy to set up). SMS is not, and never has been, secure.

    Sure, but the notion of having ANY secondary step in line seems like a better one than not. Every extra layer becomes a barrier to those who aren't informed/skilled enough, or are too lazy, to jump through the extra hoops.

    I mean, this has always been the case, but it's still funny to me that my fucking Battle.net and Steam accounts are better protected than my banking information (does not use 2 factor, far as I know) or stockpiles of PII like this bullshit.

    Also, people are comparing the 143 million to the population of the US, but if what I read in an article is true, there are piles of Canadians in there (like, tens of millions possibly). So, good news, the likelihood of your data being snagged went down a little! Bad news, my chances went way up! :-D

    Edit: to be clear, yes, I would prefer a *good* secondary authentication be involved, but I'd take an improvement of any sort at this point as long as it wasn't actively counterproductive in an egregious way.

    SMS is specifically vulnerable to attack as a 2fa method: https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentication/

    it's not an improvement if malicious actors target it as a vulnerability.

    but i agree with your point in general. it's baffling to me that gaming companies have better security than actual banks. and banks won't do more until their bottom line is hurt.

    Two factor authentication via text message leaves you still vulnerable to attacks directly made on you by determined actors willing to spend time to hack you. Everyone is vulnerable to that level of attention. Almost all hacking attacks or identity theft attempts are broadly distributed and waste no time on those who have any level of additional protection. There are more than enough people whose password is password to take up their time.

    And in this case, the overwhelming risk is new accounts being opened in your name. And no level of authentication beyond a credit freeze will help you there. Attacks on your personal accounts are a risk, but all your bank accounts should have individual strong passwords, and banks you actually bank with are far more likely to reimburse you for theft of this nature.

    "Hello, I've forgotten my password. Can you reset it for me? My social security number? Of course, just a minute..."

  • AngelHedgieAngelHedgie Registered User regular
    tbloxham wrote: »
    Forar wrote: »
    Switch to the Google Authenticator ASAP if you can (It's free, available on most smart phones, and is easy to set up). SMS is not, and never has been, secure.

    Sure, but the notion of having ANY secondary step in line seems like a better one than not. Every extra layer becomes a barrier to those who aren't informed/skilled enough, or are too lazy, to jump through the extra hoops.

    I mean, this has always been the case, but it's still funny to me that my fucking Battle.net and Steam accounts are better protected than my banking information (does not use 2 factor, far as I know) or stockpiles of PII like this bullshit.

    Also, people are comparing the 143 million to the population of the US, but if what I read in an article is true, there are piles of Canadians in there (like, tens of millions possibly). So, good news, the likelihood of your data being snagged went down a little! Bad news, my chances went way up! :-D

    Edit: to be clear, yes, I would prefer a *good* secondary authentication be involved, but I'd take an improvement of any sort at this point as long as it wasn't actively counterproductive in an egregious way.

    SMS is specifically vulnerable to attack as a 2fa method: https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentication/

    it's not an improvement if malicious actors target it as a vulnerability.

    but i agree with your point in general. it's baffling to me that gaming companies have better security than actual banks. and banks won't do more until their bottom line is hurt.

    Two factor authentication via text message leaves you still vulnerable to attacks directly made on you by determined actors willing to spend time to hack you. Everyone is vulnerable to that level of attention. Almost all hacking attacks or identity theft attempts are broadly distributed and waste no time on those who have any level of additional protection. There are more than enough people whose password is password to take up their time.

    And in this case, the overwhelming risk is new accounts being opened in your name. And no level of authentication beyond a credit freeze will help you there. Attacks on your personal accounts are a risk, but all your bank accounts should have individual strong passwords, and banks you actually bank with are far more likely to reimburse you for theft of this nature.

    "Hello, I've forgotten my password. Can you reset it for me? My social security number? Of course, just a minute..."

    Call your bank and see if you can have a verbal password set. I was able to do this, and now if someone tries calling the main office, they have to give a password to do anything.

    XBL: Nox Aeternum / PSN: NoxAeternum / NN:NoxAeternum / Steam: noxaeternum
  • tbloxhamtbloxham Registered User regular
    tbloxham wrote: »
    Forar wrote: »
    Switch to the Google Authenticator ASAP if you can (It's free, available on most smart phones, and is easy to set up). SMS is not, and never has been, secure.

    Sure, but the notion of having ANY secondary step in line seems like a better one than not. Every extra layer becomes a barrier to those who aren't informed/skilled enough, or are too lazy, to jump through the extra hoops.

    I mean, this has always been the case, but it's still funny to me that my fucking Battle.net and Steam accounts are better protected than my banking information (does not use 2 factor, far as I know) or stockpiles of PII like this bullshit.

    Also, people are comparing the 143 million to the population of the US, but if what I read in an article is true, there are piles of Canadians in there (like, tens of millions possibly). So, good news, the likelihood of your data being snagged went down a little! Bad news, my chances went way up! :-D

    Edit: to be clear, yes, I would prefer a *good* secondary authentication be involved, but I'd take an improvement of any sort at this point as long as it wasn't actively counterproductive in an egregious way.

    SMS is specifically vulnerable to attack as a 2fa method: https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentication/

    it's not an improvement if malicious actors target it as a vulnerability.

    but i agree with your point in general. it's baffling to me that gaming companies have better security than actual banks. and banks won't do more until their bottom line is hurt.

    Two factor authentication via text message leaves you still vulnerable to attacks directly made on you by determined actors willing to spend time to hack you. Everyone is vulnerable to that level of attention. Almost all hacking attacks or identity theft attempts are broadly distributed and waste no time on those who have any level of additional protection. There are more than enough people whose password is password to take up their time.

    And in this case, the overwhelming risk is new accounts being opened in your name. And no level of authentication beyond a credit freeze will help you there. Attacks on your personal accounts are a risk, but all your bank accounts should have individual strong passwords, and banks you actually bank with are far more likely to reimburse you for theft of this nature.

    "Hello, I've forgotten my password. Can you reset it for me? My social security number? Of course, just a minute..."

    Your hack has already taken too long, and required the use of a single human's time on a phone line. Also, if you just call someone up then two factor authorization is also useless.

    "Oh, I lost my two factor app. Can you reset access to not need it?"

  • archivistkitsunearchivistkitsune Registered User regular
    Navy fed has that setup. I ended up doing that when my company had a bunch of data stolen because someone didn't engage their brain. I'm debating if I want to get something in credit monitoring at this point or not, I still have a year and a half on the current ID protection that my company provided after the aforementioned fuck up. Pisses me off that we have to pay each of the big three agencies money to freeze credit. Our country needs to get its shit into gear and implement a more secure setup. Requiring another identifier that isn't the social security number, rather than the half-assed setup where the social security number is both ID and password, would help greatly.

    Probably would also be a good idea to maybe require in person registration for certain things. I know it being far less convenient would pose issues for some, but on the other hand that might force society to address a few issues. I'm willing to bet some of that convenience doesn't extend to most of the individuals that people claimed are helped by the convenience. Also aware it wouldn't be a cure all, some people will still find a way to pull off some shit, but if we make it harder for people to get away with identity theft, we're likely to see fewer people doing it because the risks are too high and probably more getting caught.

  • FeralFeral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉRegistered User regular
    Tomanta wrote: »
    I'm not going to say this hack isn't bad because, well, with the info that got out it's really, really bad (and if it was SQL injection like speculated I'd call that criminally negligent - that's extremely common and extremely easy to prevent). I'm more distressed that one of these triple-digit customer info leaks happens about once a month or more these days and I haven't seen any good suggestions on what to do about it. Clearly we have to assume identity information is going to get leaked, so what can really be done at that point?

    @Tomanta

    So, @Mugsley's post was excellent and I totally agree with what they said.

    I just want to add one more thing. Put pressure on the companies you do business with. Ask them what their cybersecurity practices are. If you're willing to learn a few basic concepts, and learn a few buzzwords, ask them if private data is encrypted both at rest and in motion. Ask them if they salt their passwords. Ask them how many contractors they have who have access to your data. Put pressure on them on Twitter and Facebook.

    Be willing to walk away from companies that practice bad cybersecurity. If a company is willing to provide private info over the phone without verifying your identity (with nonpublic info, like a passcode, or something hard to spoof like a return phone call to your phone number on record with them) that's bad cybersecurity. If they handle password reset by sending you by email your prior password, that's bad cybersecurity. If you enter private info on a website that isn't HTTPS encrypted, that's bad cybersecurity. If they redirect you to a million bullshit domains (like equifaxcodswallop2017) that's bad cybersecurity.

    I'll be honest: most of the time a company's call center representatives won't know what you're talking about. They'll lie to you. Nothing will change quickly. But the more people who do this, and do it consistently, the more companies will listen.

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
  • LabelLabel Registered User regular
    I think the companies will not do anything beyond theater until they are criminally liable for their fuckups.
