On the Equifax Data Breach

Rich
Sep 16, 2017, 12:08:17 AM
<URL:https://www.schneier.com/blog/archives/2017/09/on_the_equifax_.html>

Quoting from the URL above:

Last Thursday, Equifax reported a data breach that affects 143 million
US customers, about 44% of the population. It's an extremely serious
breach; hackers got access to full names, Social Security numbers, birth
dates, addresses, driver's license numbers -- exactly the sort of
information criminals can use to impersonate victims to banks, credit
card companies, insurance companies, and other businesses vulnerable to
fraud.

Many sites posted guides to protecting yourself now that it's happened.
But if you want to prevent this kind of thing from happening again, your
only solution is government regulation (as unlikely as that may be at
the moment).

The market can't fix this. Markets work because buyers choose between
sellers, and sellers compete for buyers. In case you didn't notice,
you're not Equifax's customer. You're its product.

This happened because your personal information is valuable, and Equifax
is in the business of selling it. The company is much more than a credit
reporting agency. It's a data broker. It collects information about all
of us, analyzes it all, and then sells those insights.

...

Sylvia Else
Sep 16, 2017, 1:19:15 AM
On 16/09/2017 2:08 PM, Rich wrote:
> <URL:https://www.schneier.com/blog/archives/2017/09/on_the_equifax_.html>
>
> Quoting from the URL above:
>
> Last Thursday, Equifax reported a data breach that affects 143 million
> US customers, about 44% of the population. It's an extremely serious
> breach; hackers got access to full names, Social Security numbers, birth
> dates, addresses, driver's license numbers -- exactly the sort of
> information criminals can use to impersonate victims to banks, credit
> card companies, insurance companies, and other businesses vulnerable to
> fraud.

The corollary is that companies can no longer use such methods for
identification purposes. The frauds are perpetrated against the
companies, not the people whose identities are stolen, but the
disruption that occurs to people's lives may lead to a class action.

Sylvia.

Roger Blake
Sep 16, 2017, 2:52:04 PM
The "solution" is not to put that kind of information on any computer
system that is connected to the internet. Equifax was criminally
negligent in doing so.

BTW, how many remember that the federal government essentially swore
on a stack of bibles that the Social Security number would NEVER become
a national ID number, and that it would only ever be used for Social
Security purposes? (Early cards had it in writing.) What happened?

--
-----------------------------------------------------------------------------
Roger Blake (Posts from Google Groups killfiled due to excess spam.)

NSA sedition and treason -- http://www.DeathToNSAthugs.com
Don't talk to cops! -- http://www.DontTalkToCops.com
Badges don't grant extra rights -- http://www.CopBlock.org
-----------------------------------------------------------------------------

Paul Sture
Sep 16, 2017, 7:03:45 PM
On 2017-09-16, Rich <ri...@example.invalid> wrote:
><URL:https://www.schneier.com/blog/archives/2017/09/on_the_equifax_.html>
>
> Quoting from the URL above:
>
> Last Thursday, Equifax reported a data breach that affects 143 million
> US customers, about 44% of the population.

Anyone any idea what percentage of the adult population of the US that
represents?

In follow-up news, Experian and Active Credit Report.com also come under
criticism for not patching:

<https://www.theregister.co.uk/2017/09/13/credit_ref_agency_patching/>

Experian and Annual Credit Report.com – an organization set up by
Equifax, Experian and Transunion to meet US consumer finance regulations
– left themselves exposed to a serious vulnerability in Apache Struts
earlier this year.

--
Everybody has a testing environment. Some people are lucky enough to
have a totally separate environment to run production in.


Rich
Sep 16, 2017, 7:07:04 PM
Roger Blake <rogb...@iname.invalid> wrote:
> The "solution" is not to put that kind of information on any computer
> system that is connected to the internet. Equifax was criminally
> negligent in doing so.
>
> BTW, how many remember that the federal government essentially swore
> on a stack of bibles that the Social Security number would NEVER become
> a national ID number, and that it would only ever be used for Social
> Security purposes? (Early cards had it in writing.) What happened?

Businesses (esp. those that loaned out money) wanted a way to track
that individual X at business Y was the same X at business Z (in order
to help reduce their risk). So the businesses started asking for it.
And people gave it up, unthinkingly.

And now we have this mess where a number that was never meant to be a
secret in the first place is used as the "secret" part of an
authentication that person X is in fact person X.

Rich
Sep 16, 2017, 7:08:10 PM
Paul Sture <nos...@sture.ch> wrote:
> On 2017-09-16, Rich <ri...@example.invalid> wrote:
>><URL:https://www.schneier.com/blog/archives/2017/09/on_the_equifax_.html>
>>
>> Quoting from the URL above:
>>
>> Last Thursday, Equifax reported a data breach that affects 143 million
>> US customers, about 44% of the population.
>
> Anyone any idea what percentage of the adult population of the US that
> represents?

I've seen news reports that 143 mil is somewhere near 100% of the
adult, credit carrying, population. So it appears that it is "almost
everyone".

Roger Blake
Sep 16, 2017, 10:49:53 PM
On 2017-09-16, Rich <ri...@example.invalid> wrote:
> Businesses (esp. those that loaned out money) wanted a way to track
> that individual X at business Y was the same X at business Z (in order
> to help reduce their risk). So the businesses started asking for it.
> And people gave it up, unthinkingly.

In the U.S., government at all levels is a major offender as well despite
the fact that it was the federal government that solemnly promised the
SSN would never be used for identification or other non-SS purposes.

Try getting a driver's license without an SSN. (Your state will tell you
the feds force them to collect it.) Or for that matter try dealing with
almost any governmental office or function without one.

Rich
Sep 17, 2017, 9:47:20 AM
Roger Blake <rogb...@iname.invalid> wrote:
> On 2017-09-16, Rich <ri...@example.invalid> wrote:
>> Businesses (esp. those that loaned out money) wanted a way to track
>> that individual X at business Y was the same X at business Z (in order
>> to help reduce their risk). So the businesses started asking for it.
>> And people gave it up, unthinkingly.
>
> In the U.S., government at all levels is a major offender as well despite
> the fact that it was the federal government that solemnly promised the
> SSN would never be used for identification or other non-SS purposes.

This is all too true.

> Try getting a driver's license without an SSN. (Your state will tell you
> the feds force them to collect it.)

I wonder if that is actually true, or if the various state DMVs
learned that telling individuals who tried not to give it this excuse
meant that almost all of them would relent and hand it over.

> Or for that matter try dealing with almost any governmental office or
> function without one.

It can be quite difficult, given how many ask for it, and how many will
turn one away if one refuses to give it up.

Which is why using it (SSN) as an identity authenticator (i.e., password)
while simultaneously using it as an identity (i.e., username) was
*always* a bad idea. Most just never understood why it was a bad idea,
and even after this, most likely still don't understand why it is a
bad idea.

Sylvia Else
Sep 17, 2017, 9:59:56 PM
On 18/09/2017 6:05 AM, Huge wrote:
> On 2017-09-16, Rich <ri...@example.invalid> wrote:
>> <URL:https://www.schneier.com/blog/archives/2017/09/on_the_equifax_.html>
>>
>> Quoting from the URL above:
>>
>> Last Thursday, Equifax reported a data breach that affects 143 million
>> US customers, about 44% of the population. It's an extremely serious
>> breach; hackers got access to full names, Social Security numbers, birth
>> dates, addresses, driver's license numbers -- exactly the sort of
>> information criminals can use to impersonate victims to banks, credit
>> card companies, insurance companies, and other businesses vulnerable to
>> fraud.
>>
>> Many sites posted guides to protecting yourself now that it's happened.
>> But if you want to prevent this kind of thing from happening again, your
>> only solution is government regulation (as unlikely as that may be at
>> the moment).
>>
>> The market can't fix this.
>
> Nonsense.

For the market to fix it, the use of inadequate security has to impose a
cost on those who fail to improve it (hereinafter, if somewhat
inaccurately, "the banks"). That cost has to exceed the cost of
improving the security.

At the moment it appears that the total cost is carried in part by third
parties who are for various reasons (legal, practical, etc.) unable to
recover it from the banks. The remainder, which takes the form of fraud
against the banks, is seemingly less than, or at least assessed as being
less than, the cost of implementing the higher security plus the income
impacts of that higher security (customers can't or won't comply, and go
to other banks).

As the article suggests, legislation may be required to ensure that the
cost imposed on third parties is easily recoverable from the banks. If
that were done, then the cost to the banks might then be high enough for
them to act.

Sylvia.