posted by Fnord666 on Friday September 15 2017, @02:54AM
from the someone-always-pays dept.

Renowned security researcher Bruce Schneier has a story up on his blog On the Equifax Data Breach:

Last Thursday, Equifax reported a data breach that affects 143 million US customers, about 44% of the population. It's an extremely serious breach; hackers got access to full names, Social Security numbers, birth dates, addresses, driver's license numbers -- exactly the sort of information criminals can use to impersonate victims to banks, credit card companies, insurance companies, and other businesses vulnerable to fraud.

Many sites posted guides to protecting yourself now that it's happened. But if you want to prevent this kind of thing from happening again, your only solution is government regulation (as unlikely as that may be at the moment).

The market can't fix this. Markets work because buyers choose between sellers, and sellers compete for buyers. In case you didn't notice, you're not Equifax's customer. You're its product.

This happened because your personal information is valuable, and Equifax is in the business of selling it. The company is much more than a credit reporting agency. It's a data broker. It collects information about all of us, analyzes it all, and then sells those insights.

Its customers are people and organizations who want to buy information: banks looking to lend you money, landlords deciding whether to rent you an apartment, employers deciding whether to hire you, companies trying to figure out whether you'd be a profitable customer -- everyone who wants to sell you something, even governments.

It's not just Equifax. It might be one of the biggest, but there are 2,500 to 4,000 other data brokers that are collecting, storing, and selling information about you -- almost all of them companies you've never heard of and have no business relationship with.

Surveillance capitalism fuels the Internet, and sometimes it seems that everyone is spying on you. You're secretly tracked on pretty much every commercial website you visit.

Bruce continues with observations about the data gathering activities of such on-line behemoths as Google and Facebook, as well as companies as mundane as your cell phone provider. Sadly, massive data breaches such as what happened at Target, Home Depot, and Yahoo! gathered media attention for a while, but after a matter of time faded from public awareness and concern.

He suggests the only solution is government regulation. Maybe. But that also runs up against the problem of regulatory capture.

What, if anything, can be done? Mandate a minimum payment of, say, $100.00 to each person who had information disclosed? That would certainly boost a company's willingness to implement security best-practices.


Original Submission

  • (Score: 3, Insightful) by TheGratefulNet on Friday September 15 2017, @03:39AM (7 children)

    by TheGratefulNet (659) on Friday September 15 2017, @03:39AM (#568260)

    NOTHING will be done to help or protect consumers. they HATE consumers. well, not quite, they LOVE our money but they truly hate US.

    the dems have lost their way, too, but their basic principles are not as hateful toward the common man as the R's are.

    with the orange idiot in office, nothing will change for us.

    but bruce is right, the market won't fix this because the market does not get HARMED by this. if they are not hurt, they won't change.

    put the ceo's in jail for 10 years. then things will change pretty fuckin fast.

    --
    "It is now safe to switch off your computer."
    • (Score: -1, Offtopic) by Anonymous Coward on Friday September 15 2017, @03:56AM

      by Anonymous Coward on Friday September 15 2017, @03:56AM (#568266)

      You're the brainless proles who drag the rest of us down to the lowest common denominator. You're the assholes who keep the rat wheel of society spinning faster and faster.

    • (Score: 3, Touché) by c0lo on Friday September 15 2017, @04:14AM

      by c0lo (156) Subscriber Badge on Friday September 15 2017, @04:14AM (#568273) Journal

      the dems have lost their way, too, but their basic principles are not as hateful toward the common man as the R's are.

      No, they don't have the R's hate, they have the D's disdain.

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 1) by fustakrakich on Friday September 15 2017, @04:28AM

      by fustakrakich (6150) on Friday September 15 2017, @04:28AM (#568278) Journal

      the dems have lost their way, too, but their basic principles are not as hateful toward the common man as the R's are.

      Don't be silly, they're wrapped up in this just as tightly as anybody. They have to obscure the deception a bit more to keep the "liberal" money from running off. The game they play is not the one we see on the TV.

      --
      Politics and criminals are the same thing..
    • (Score: -1, Redundant) by Anonymous Coward on Friday September 15 2017, @05:33AM (1 child)

      by Anonymous Coward on Friday September 15 2017, @05:33AM (#568305)

      You are the brainless proles who drag the rest of us down to the lowest common denominator. You're the assholes who keep the rat wheel of society spinning faster and faster.

      • (Score: 0) by Anonymous Coward on Friday September 15 2017, @01:35PM

        by Anonymous Coward on Friday September 15 2017, @01:35PM (#568415)

        I am Jack's palm as it rapidly meets his forehead.

    • (Score: 3, Informative) by Anonymous Coward on Friday September 15 2017, @09:35AM (1 child)

      by Anonymous Coward on Friday September 15 2017, @09:35AM (#568354)

      As long as an R or a D is in office would be more accurate. They don't really hate consumers, or even love their money. What they do love is themselves and staying in office. And that is bankrolled by corporations, like Equifax. [opensecrets.org] Remember when bankers crashed the entire US (and indirectly world) economy mostly through reckless and fraudulent trading? And we had a D in office? And he made sure not a single person was held accountable. That same D that's now giving chats on Wallstreet at half a million dollars per event? It's not one party or the other that's screwed. That's mostly the game that convinces us to keep putting these jokers in office (well they're not as bad as the alternative I guess... err...)

      • (Score: 0) by Anonymous Coward on Friday September 15 2017, @11:53PM

        by Anonymous Coward on Friday September 15 2017, @11:53PM (#568754)

        Thanks for the link. The "Party Split" [opensecrets.org] shows Equifax favoring Republicans by about 5 to 1.

  • (Score: 5, Interesting) by KilroySmith on Friday September 15 2017, @03:47AM (3 children)

    by KilroySmith (2113) on Friday September 15 2017, @03:47AM (#568263)

    If the copyright cartel can get ruinous statutory awards for file sharing, even without showing harm, I should be able to also. $500 doesn't seem unreasonable, considering the number of hours and the money it would cost me to straighten out an issue caused by this breach.
    Require that a breached company must notify the public within 72 hours of discovering a breach, and notify each individual involved within 7 days.
    Require that the notification provide a way for the affected individual to find out precisely what got taken, or may have gotten taken - not just "credit card and personal information", but all of the records and data that may have been accessed - it pissed me off when Anthem wouldn't tell me what information got taken. They know it, and the bad guys know it, but I'm not allowed to know it?

    If they're gonna collect data on me without my permission, data that can be used to destroy my financial stability if handled poorly, then they need to take responsibility for that data, and the damage that will be done to me if the data is exposed.

    • (Score: 1) by fustakrakich on Friday September 15 2017, @04:19AM (1 child)

      by fustakrakich (6150) on Friday September 15 2017, @04:19AM (#568276) Journal

      And who is going to write all these new rules, or even adequately enforce the old ones? I mean, it looks like nobody wants the job. The ones that do are woefully unqualified. What to do, what to do...

      --
      Politics and criminals are the same thing..
      • (Score: -1, Troll) by Anonymous Coward on Friday September 15 2017, @04:42AM

        by Anonymous Coward on Friday September 15 2017, @04:42AM (#568282)

        or even adequately enforce the old ones?

        You voted, which according to you gave the winners your unrevokable consent [soylentnews.org]. You don't object to physical rape [soylentnews.org], so isn't it hypocritical of you object to mere financial rape?

        What to do, what to do...

        I know! You could spout some more empty [soylentnews.org] platitudes [soylentnews.org] without having even a scrap of principle you'd be willing to take a stand on.

    • (Score: 3, Interesting) by VLM on Friday September 15 2017, @11:34AM

      by VLM (445) on Friday September 15 2017, @11:34AM (#568386)

      it pissed me off when Anthem wouldn't tell me what information got taken.

      1) All of it. I don't wanna say how bad it is, means it's like ten megs worth of stuff per person. OCR'd scanned bills and reimbursement check stubs and med records the whole thing.

      2) There's a classic social engineering hack where the "bad guy" calls the Indian call center, convinces them they're KilroySmith (how hard can it be, especially if they've got half your info from this or numerous other breaches) and next thing you know some Indian dude thinks he's providing information to "you" but it's actually an attacker.

  • (Score: 0) by Anonymous Coward on Friday September 15 2017, @03:53AM

    by Anonymous Coward on Friday September 15 2017, @03:53AM (#568264)

    I've seen that movie already; it's cliché, and full of plot holes.

  • (Score: 4, Insightful) by krishnoid on Friday September 15 2017, @03:56AM (2 children)

    by krishnoid (1156) on Friday September 15 2017, @03:56AM (#568265)

    Could we follow along with governments that have already solved this problem [techcrunch.com]?

    • (Score: -1, Offtopic) by Anonymous Coward on Friday September 15 2017, @03:59AM

      by Anonymous Coward on Friday September 15 2017, @03:59AM (#568270)

      You keep using that word.

    • (Score: 2) by VLM on Friday September 15 2017, @11:37AM

      by VLM (445) on Friday September 15 2017, @11:37AM (#568387)

      I thought that would be a Chinese link; they have some good policies

      https://en.wikipedia.org/wiki/Zheng_Xiaoyu [wikipedia.org]

  • (Score: 5, Insightful) by Anonymous Coward on Friday September 15 2017, @04:15AM

    by Anonymous Coward on Friday September 15 2017, @04:15AM (#568274)

    Thanks to complete and gross ineptitude and reckless disregard for personal information now a large chunk of the entire United States has just had all the information criminals need to engage in identity theft or break many 'prove you are you' systems. When people fall victim to this the costs, opportunity and real, amount to the thousands of dollars.

    That's just compensatory damages. The whole point of fees is not just compensation. It's deterrence. When you run pay a traffic fine you're not paying for the damage you directly caused with your actions. You're paying a fee that deters you from ever doing that again. And it's clear big companies could not care less about the security of the vast amounts of data they're collecting (and storing) on everybody. It's time for punitive damages to start hitting the ceiling. And given the scale of the breach and recklessness in this case, it would be appropriate for this fine to break Equifax.

    But what does it matter? This is all fantasy. We live in a country where we have a democratic government only in name. They're controlled by corporations. Equifax will get a slap on the wrist, make a public apology (we're sorry you feel we did anything wrong), and promise to never do it again (heh heh).

  • (Score: 1, Offtopic) by MichaelDavidCrawford on Friday September 15 2017, @04:32AM (3 children)

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Friday September 15 2017, @04:32AM (#568280) Homepage Journal

    I Am Absolutely Serious.

    --
    Yes I Have No Bananas. [gofundme.com]
    • (Score: 2, Offtopic) by Hyperturtle on Friday September 15 2017, @03:38PM (2 children)

      by Hyperturtle (2824) on Friday September 15 2017, @03:38PM (#568494)

      If you are responsible for a few computers, then adding this to a locally managed DNS server can be quick and easy. This is just a general gist of what one can do; you will need to alter this to suit your DNS server. (the example below is an export from dns in windows server)

      Name                     Type                       Data
      hosted-pixel.com
      (same as parent folder)  Host (A)                   127.0.0.254
      (same as parent folder)  Start of Authority (SOA)   [7], yourlocaldnsserver.domain.int., hostmaster.domain.int.
      (same as parent folder)  Name Server (NS)           yourlocaldnsserver.domain.int

      (you can add more of these Name Server entries, if you have more DNS servers at your disposal--just make sure your dns server can resolve your other dns servers!)

      You don't really need a server name specific as an A record for a domain you want to block, unless you identify what the servers are within the domain and want to uniquely identify them with differing host records. Just giving the FQDN itself an A record is enough to prevent *all* of the servers in that domain from resolving and leaving 1x1 pixels (or whatever) on your PC.

      My choice of 127.0.0.254 is associated with other trackers I block. 127.x.x.x is all wasted for loopbacks; there is no reason to limit everything to 127.0.0.1. That way, if I suspect I need to add a new primary DNS zone, I can first look up if the domain even resolves to an IP, and then if it already does internally on my DNS, I can determine how I have categorized it, just by the 127.x.x.x that replies back.

      FB has its own address, as do its domains, google does, and then generic ones that I don't see acting with numerous domains get a unique one, but might be under a 'subnet' within 127.x.x.x -- for tracking, marketing, or both like with pixels. .254 is sort of my "it's everywhere" bucket.

      Using alternate loopback IPs helps me determine what a site is doing, if half the connection attempts go to numerous 127.x.x.x IP addresses (as resolved by my DNS server). It gives me a very good idea as to what a site is trying to do about my visit, besides just showing me what I came to the site to see.

      Of course, you can always point stuff to an actual local server or something else -- an IP address is an IP address. Just make sure it goes somewhere you want it to, if not a loopback, otherwise your experience may get wonky waiting to time out. (don't use 0.0.0.0 for example; that often does not work well for numerous platforms --loopbacks, however, always do).

      It also helps me understand when changes take place on the backend, without any visible gui differences as presented in the web browser. Sometimes, I find that there is a new business partner that wasn't there before.

      I don't do much in the way of analyzing the data.. it's mostly for my curiosity. At first I just had a bazillion 127.0.0.1 entries, but it got frustrating when everything came back with that IP and I wasn't sure what it was doing besides being something I already 'blocked' via poisoning my DNS, so to speak.

      Anyway, it is a constant battle, and to set it up took half a day or so out of a weekend. I set up a couple VMs on other hardware for redundancy, and that lets me use my primary DNS server for other things without fear of breaking all my dns filtering if I reboot my DNS server or otherwise prevent it from resolving names for a while. Hey, sometimes windows server blue screens and I don't even notice because my other servers fill the gap.

      The only real problem I have with this method of dns filtering (I just set it up once on the server, and every device on my network is then 'protected') is that if I take my portable devices somewhere else... they can't benefit. For those, I have a large hosts file.

      The hosts file is very good for blocking things locally, that other people want to access and you might not want to put on the DNS server. I am not above using host files in favor of an actual DNS server--I try to use both as the situation merits and I'm not a purist. (Besides, it can be tough to update host files on mobile phones, too...but when using wifi at home, your local DNS server can block a whole lot of ads and tracking.)

      (IPV6 trackers are a problem, too, but the DNS for that is similar.)

      • (Score: 0) by Anonymous Coward on Friday September 15 2017, @04:43PM (1 child)

        by Anonymous Coward on Friday September 15 2017, @04:43PM (#568533)

        Another benefit of spreading it out in the address space is that most browsers limit requests to the same host, which includes IP address. With the increased number of different "hosts," you end up with less waiting for timeouts or dummy payloads.

        • (Score: 2) by Hyperturtle on Sunday September 17 2017, @02:02PM

          by Hyperturtle (2824) on Sunday September 17 2017, @02:02PM (#569387)

          I agree.

          It's usually better to use 127.x.x.x for such entries, since 0.0.0.0 (often in pre-made lists available for download at various places) is sometimes parsed as a place to go, and causes a delay while it times out. 127.x.x.x never do that.
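The loopback-sinkhole scheme Hyperturtle describes above (one 127.x.x.x address per tracker category, a hosts file for portable devices, a local primary zone per blocked domain, and never 0.0.0.0 as the sink) as an added example; this is not code from the original comments. Category names, the 127.x.x.x assignments, the domains, the `domain.int` name-server names and the resolver log lines are all constructed placeholders, and the zone output is BIND-style text rather than a Windows DNS export.

```python
"""Loopback-sinkhole helper: categorised blocklist -> hosts/zone output,
plus a classifier for answers that come back from the local resolver.
Added example; category names, sink addresses and domains are constructed."""
import ipaddress
from collections import Counter

# Each tracker category gets its own loopback address (constructed values);
# 127.0.0.254 is the catch-all "it's everywhere" bucket from the comment.
CATEGORY_SINK = {
    "social":    "127.0.0.10",
    "ads":       "127.0.0.20",
    "analytics": "127.0.0.30",
    "generic":   "127.0.0.254",
}

# Constructed blocklist: domain -> category. Real lists are far longer.
BLOCKLIST = {
    "hosted-pixel.example":   "generic",
    "tracker.social.example": "social",
    "ads.example":            "ads",
    "metrics.example":        "analytics",
}

# Constructed resolver log for a single page visit ("name -> answer").
SAMPLE_LOG = [
    "www.news.example -> 203.0.113.7",
    "cdn.news.example -> 203.0.113.8",
    "ads.example -> 127.0.0.20",
    "metrics.example -> 127.0.0.30",
    "tracker.social.example -> 127.0.0.10",
    "hosted-pixel.example -> 127.0.0.254",
]

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


def validate_sink(ip: str) -> str:
    """Accept only 127.0.0.0/8 sink addresses. 0.0.0.0 (common in downloaded
    lists) is rejected: some stacks treat it as a real destination and stall
    until the connection times out, the caveat raised in the thread."""
    addr = ipaddress.ip_address(ip)
    if addr.is_unspecified or addr not in LOOPBACK_NET:
        raise ValueError(f"{ip} is not a safe loopback sink address")
    return str(addr)


def hosts_lines(blocklist=BLOCKLIST, sinks=CATEGORY_SINK):
    """hosts-file form, for devices that leave the home network."""
    return [f"{validate_sink(sinks[cat])} {domain}"
            for domain, cat in sorted(blocklist.items())]


def zone_file(domain, category, ns="yourlocaldnsserver.domain.int.",
              hostmaster="hostmaster.domain.int.", serial=7):
    """Minimal BIND-style primary zone for one blocked domain: the same SOA,
    NS and apex A records as the Windows export, plus a wildcard A so every
    name under the domain answers with the sink address too."""
    ip = validate_sink(CATEGORY_SINK[category])
    return "\n".join([
        f"$ORIGIN {domain}.",
        f"@ IN SOA {ns} {hostmaster} ({serial} 3600 900 604800 300)",
        f"@ IN NS {ns}",
        f"@ IN A {ip}",
        f"* IN A {ip}",
    ])


def classify(resolved_ip: str, sinks=CATEGORY_SINK):
    """Map an address returned by the local resolver back to its category;
    None means it is not one of our sink addresses (a real destination)."""
    by_ip = {ip: cat for cat, ip in sinks.items()}
    return by_ip.get(resolved_ip)


def summarize_lookups(lines):
    """Count what a page load tried to reach, per category, from log lines
    of the form 'name -> address'. Non-sink answers are counted as 'real'."""
    counts = Counter()
    for line in lines:
        _name, _, addr = line.partition("->")
        counts[classify(addr.strip()) or "real"] += 1
    return counts


if __name__ == "__main__":
    print("\n".join(hosts_lines()))
    print(zone_file("hosted-pixel.example", "generic"))
    print(dict(summarize_lookups(SAMPLE_LOG)))
```

The summary shows the "half the connection attempts go to 127.x.x.x" view from the comment: for the constructed log, two real hosts and four sinkholed trackers, broken down by category.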

  • (Score: 2) by MichaelDavidCrawford on Friday September 15 2017, @04:34AM (6 children)

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Friday September 15 2017, @04:34AM (#568281) Homepage Journal

    I expect this will end the use of Social Security Numbers as database keys.

    --
    Yes I Have No Bananas. [gofundme.com]
    • (Score: 3, Interesting) by anubi on Friday September 15 2017, @05:41AM (4 children)

      by anubi (2828) on Friday September 15 2017, @05:41AM (#568309) Journal

      Kinda doubt it as its still your number, unique, and won't change like a phone number, and it is assigned to you.

      What I do see changing is businesses' ability to collect debts, as debtors will find it easier than ever before to avoid payback by pointing to inconclusive evidence that it was he who incurred the debt. Especially at big institutional businesses where the credit was extended without ever seeing the guy.

      As identity theft fomented by the abundance of leaked info gets into the public, I see businesses increasingly being asked to prove that some particular individual incurred the obligation, and things on the compromised databases won't count, as anyone could have put that on the forms. Retinal Scans?

      Even DNA samples aren't a good proof as it is easy to get a sample of someone else's DNA. Especially if they are a smoker. Even seasoned crooks often fail at eradicating all of their DNA from a crime scene.

      Hope the big guys aren't considering microchipping us...geez, that would be a hacker field-day. People will be spoofing that as much as telemarketers spoof caller-ID.

      --
      "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
      • (Score: 4, Interesting) by VLM on Friday September 15 2017, @11:57AM

        by VLM (445) on Friday September 15 2017, @11:57AM (#568389)

        My guess is the hand of the markets will have strange effects.

        Some jackass steals my data on the other side of the country and gets credit and walks away, means the CC fee for retail cash and carry will become extremely high, like 5%, 10%, who knows how high. We may see the death of retail credit card use out of this. It's just too dangerous to allow people to walk off with valuable merchandise merely for waving a trivially faked plastic card. And you can't train illegal aliens and teenagers to do clearance-agency level ID checks on customers. Oh you'd like to buy that sweater? In addition to your CC you'll need fingerprints, blood test, seven forms of picture ID, and a cavity search, or we can just ship it to your house of record address for free, or you can pay cash...

        On the other hand, the CC charge rate offered to Amazon will likely drop to zero. Look, dude, this is the third time you ordered a New Balance model 623 size 11-wide male walking shoe delivered to your home address, and you're claiming this time, a hacker invented the whole damn thing and stole your tennis shoes so you want a refund/credit? LOL dude... Amazon already freaks out if you buy gifts and don't tag them as "gift" now they're gonna get cops involved. I, note, I, have a history of buying electronics hobby stuff so I can buy an oscilloscope online, but YOU don't, so if YOU order a scope the cops will be dispatched with the delivery asking to verify your ID.

        The great transition away from retail and toward online might not solely be shopping experience driven; might be credit driven. A world where you can only use plastic for delivery to addresses of record... interesting.

        That would also cut down on fraud, or at least push it exclusively toward technology based crime. You can't steal my CC from a retail gas station if retail facilities no longer accept CC. Given that action and reaction I suspect the balance will involve marginal retail players getting frozen out of credit as a payment offer.

        Meanwhile short term services online will be unable to use CC because they're stolen. We're going to a weird world where you can't buy things in a store but the only way to obtain services will be in person at a store. Long term services will be OK. Expect "seasoning" you pay $15 for a domain with a possibly stolen CC and it doesn't work for a month or until the registrar thinks the CC is not stolen and not going to be declined.

        Writing a check is fundamentally accepting credit at the retail level. More than a quarter century ago I was a kid working retail after school and people took the transition to network based check acceptance very poorly. You can't just scrawl on a piece of paper and call it money and even up later if at all. Now we're in a similar transition where a piece of plastic with 16 digits proves roughly nothing and is probably fake.

      • (Score: 2) by MichaelDavidCrawford on Saturday September 16 2017, @01:18AM (2 children)

        by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Saturday September 16 2017, @01:18AM (#568783) Homepage Journal

        Pretty Boy Flood IIRC.

        Whenever he robbed a bank, he would destroy all their promissory notes.

        --
        Yes I Have No Bananas. [gofundme.com]
        • (Score: 1) by anubi on Saturday September 16 2017, @07:09AM

          by anubi (2828) on Saturday September 16 2017, @07:09AM (#568865) Journal

          That was damned nice of him... betcha he made a helluva lot of friends amongst the "common folk".

          ( Incidentally, there is a Biblical passage telling us of the wisdom of doing similar things [biblegateway.com]... about the wisdom of the shrewd manager. )

          Now, that one really took me by surprise!


          --
          "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
        • (Score: 0) by Anonymous Coward on Saturday September 16 2017, @08:03AM

          by Anonymous Coward on Saturday September 16 2017, @08:03AM (#568883)

          *Floyd

    • (Score: 2, Insightful) by liberza on Friday September 15 2017, @10:43AM

      by liberza (6137) on Friday September 15 2017, @10:43AM (#568367)

      Using them as keys is a much smaller problem than using them as authentication.

  • (Score: 3, Interesting) by SomeGuy on Friday September 15 2017, @07:07AM (3 children)

    by SomeGuy (5632) on Friday September 15 2017, @07:07AM (#568331)

    Serious question, what can the individual really do to protect their credit now?

    The TV is parroting that everyone should freeze their credit. Note that this involves locking credit at each of the three credit reporting companies, from then on getting loans or employer credit checks involves unlocking and re-locking credit, and that this involves giving money to each of these credit reporting companies. It seems as if there might be some other downsides too.

    With everyone's personal data out there now, logically this seems like it will have to become the new standard operating procedure?

    • (Score: 0) by Anonymous Coward on Friday September 15 2017, @09:53AM

      by Anonymous Coward on Friday September 15 2017, @09:53AM (#568358)

      With everyone's personal data out there now, logically this seems like it will have to become the new standard operating procedure?

      Maybe the new standard operating procedure will be to have your DNA sampled for identity?

      If someone accepts a fake identity without proper checks, then how should that be the problem of the person whose identity is impersonated? The problem should be with the person that accepts fake identity without proper checks. Lending money to a fake identity should require compensation for the victim of identity theft from the lender that did not do their job.

    • (Score: 3, Interesting) by VLM on Friday September 15 2017, @12:01PM

      by VLM (445) on Friday September 15 2017, @12:01PM (#568390)

      that this involves giving money to each of these credit reporting companies

      Yeah and they pay the TV a lot of money for advertising. It's hard to believe the TV might provide bad advice, but it does happen.

      My guess short to medium term is the whole credit fraud thing will be just like telemarketers, an unavoidable waste of time.

      A sign of cultural collapse is wasted time. We're used to it, look at health care middlemen and frankly every other middleman.

      involves unlocking and re-locking credit

      We'll have thieves doing that, soon enough. They'll be the only people really good at it.

    • (Score: 3, Interesting) by Anonymous Coward on Friday September 15 2017, @08:26PM

      by Anonymous Coward on Friday September 15 2017, @08:26PM (#568686)

      I'm not affected by it (that I know of), but frankly, if I were (or am, because why should I trust their webpage), they can go fuck themselves. I'm not giving them money to "lock" or "unlock" anything. How the fuck do they even know it's me that's doing the locking and unlocking if the very information they would have used to check that I am who I claim I am is now in the wild?

      It's not my responsibility to make these rich assholes take security and problem of authentication a wee bit more seriously. It's not my problem if tons of fraudsters can authenticate as me now. You know what? If it comes down to it, it's going to be collateral damage. Not tomorrow or next week. Give it years.

      Then some fat cat assholes are going to have to stop going into eyes-glassed-over-mode whenever somebody says "public/private key" if they ever want to have this stranglehold on credit again.

      Personally, I think it's great. It's about time this happened. It may be painful for the first ten thousand human cattle or so that suffer, but unless the system changes, it's finally coming down just like at the end of Fight Club.

  • (Score: 1, Interesting) by Anonymous Coward on Friday September 15 2017, @09:46AM (2 children)

    by Anonymous Coward on Friday September 15 2017, @09:46AM (#568357)

    I checked into a hotel recently using an online booking service. They already know my name, that I paid for my room upfront, etc. Still the hotel demanded to photocopy my driver's licence and wrote down my credit card number. In this day and age this is stupidity at its worst.

    What can you do if you are standing at a desk in another city and they demand your private information to prove that you made the booking for the room.

    • (Score: 0) by Anonymous Coward on Friday September 15 2017, @09:58AM (1 child)

      by Anonymous Coward on Friday September 15 2017, @09:58AM (#568359)

      What can you do if you are standing at a desk in another city and they demand your private information to prove that you made the booking for the room.

      In Europe, every hotel demands that you provide your passport to them along with contact information. So unless you want to sleep outside, you need to provide it. Then they probably have it stored in some Excel sheet.

      • (Score: 0) by Anonymous Coward on Saturday September 16 2017, @05:50PM

        by Anonymous Coward on Saturday September 16 2017, @05:50PM (#569051)

        No, they don't. I've been to London multiple times and stayed in multiple hotels. Not one of them required me to hand over my passport. Credit Card on a previously purchased room (via Expedia), yes. But never my passport. Perhaps it's different in different European countries or at different priced hotels?

  • (Score: 2, Insightful) by Anonymous Coward on Friday September 15 2017, @03:09PM

    by Anonymous Coward on Friday September 15 2017, @03:09PM (#568481)

    There is no computer-based system that will have adequate security for Important Stuff(tm).

    It doesn't matter what policies and procedures you follow, between officially-nonexistent back doors, constantly-refreshing zero-day lists, and deliberate insertion of not-really-vulnerabilities by government fiat. If it's on a computer, it's a matter of time before it's cracked. The reasons range from keystroke loggers to viruses to disgruntled employees to ... well, there's a whole gamut, isn't there?

    If someone takes your information and puts it on a computer, it's out there. You're done. Even air gaps aren't perfect, but who uses air gaps these days? Nobody in that business.

    The only halfway efficacious law (and this will never pass) would be to ban recording of personal information on computer, and require strong physical security on physically retained copies.

    So get used to it; online security is a delusion.

    If you somehow think this is wrong, I (and the whole industry) would be delighted to hear of it: please explain how you're going to turn all software, all hardware, all firmware and all networks secure.

  • (Score: 4, Insightful) by meustrus on Friday September 15 2017, @05:43PM (1 child)

    by meustrus (4961) on Friday September 15 2017, @05:43PM (#568572)

    One could imagine a future in which large data brokers like this are regulated by a large federal bureaucracy like the SEC. Lots of complicated reporting, tons of overhead, new partnerships between regulators and the regulated, and most importantly the codification into law of current shoddy business practices. Yeah, I'm sure that what we really need is to let this industry continue as-is, but with a federal bureaucracy bolted onto the side.

    Or we could just take a good look at this activity, determine that it has zero economic value to anybody, and simply ban it. No government bureaucracy required. Lenders won't have as much insight into whether you will pay your bills, but we did just fine before this service was available. And maybe without the false sense of security these credit scores provide, lenders will start looking more at concrete factors like how much money you make and what responsibilities will make it painful for you to renege on the debt.

    We didn't need Equifax to buy homes in 1955 and we don't need it now. #MAGA

    --
    If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
    • (Score: 1, Informative) by Anonymous Coward on Saturday September 16 2017, @04:39AM

      by Anonymous Coward on Saturday September 16 2017, @04:39AM (#568843)

      Maybe, maybe not. This 1995 Wired article is a cite in the Wikipedia for Equifax: Separating Equifax from Fiction [archive.org].

      At the beginning of the century, Equifax went by the more descriptive name of Retail Credit. By 1920, the fast-growing company had offices throughout the US and Canada; by the 1960s, Retail Credit was one of the nation's largest credit bureaus, holding files on millions of Americans. Each file was filled with facts: loans that hadn't been repaid, overdue credit card payments, and multiple address changes by people constantly trying to escape creditors. Other companies could access these files to decide who should be given loans, mortgages, and other kinds of credit. Without these credit reports, the company argued, how could you tell who was good for credit and who wasn't? Banks couldn't write mortgages. Department stores wouldn't be able to sell anything to anyone on credit.

      Emphasis mine. Apparently, Equifax is the company that moved congress to pass the Fair Credit Reporting Act:

      Retail Credit was about to computerize its files. "Almost inevitably, transferring information from a manual file into a computer triggers a threat to civil liberties, to privacy, to a man's very humanity because access is so simple," argued [Columbia University Professor Alan Westin] in the Times. The effect, he continued, is that it becomes harder and harder for people to escape from the mistakes of their past, or to move in search of a second chance.

      Those hearings resulted in the passage of the Fair Credit Reporting Act in October [1970], which gave consumers rights regarding information stored about them in corporate databanks. Some observers believe the hearings prompted Retail Credit to change its name to Equifax in 1975.

      Modded you up earlier today without fact-checking! Looks like Westin's main argument wasn't even what happened here (according to Wired in 1995, anyway). Still agree with your sentiment, though. Credit needs to be able to exist without such centralized information warehousing.
