Equifax Says Cyberattack May Have Hit 143 Million Customers

@therealjrn Neither did Martha Stewart.

@Kidsandliz I’m suspicious about the site anyway because you have to give your last name and the last 6 digits of your SSN. Anyone that knows where I was born can deduce the first 3 digits so that’s providing a 3rd party (the site gets redirected to trustedidpremier dot com) with a large dataset of personal info. Maybe if they asked for the last 4 digits I might feel safer but not 6 digits.

@Kidsandliz The Ars Technica article explains why you saw that: https://arstechnica.com/information-technology/2017/09/why-the-equifax-breach-is-very-possibly-the-worst-leak-of-personal-info-ever/. Short answer: Equifax is incompetent.

@SSteve Thanks

@Kidsandliz Thanks for posting the link. It says that I’m not on the list, and just to be safe, I also checked under my maiden name.

I really loathe all the credit agencies, though. Every one of them. I have no trust in them, and that especially includes all the ones that most consumers don’t interact with, such as LexisNexis (otherwise known as the Spawn of Satan)

@Shrdlu Do you feel confident in the response that you’re not on the list? I feel uneasy about trusting them. For some reason.

@InFrom

The Equifax exposure checker has shown some tendencies to be very unreliable, according to some reports.

@InFrom @f00l I didn’t just use their checker, and I’d strongly recommend against trusting it, no matter which answer they gave. I have other resources, and they all report back negative on my personal data showing up anywhere. I should add that I’m extremely careful, including everything from those I’m willing to write checks to, to insisting on only my Amex for transactions with folks I don’t trust. There are businesses where I will only use cash.

None of this means that I’ve let my guard down. Nor will I. Ever.

@Kidsandliz I’m pretty sure deceptive sites are just determined by a bunch of people reporting it as being deceptive. And while it does look sketchy as hell (which could very well be why it got reported so much), it’s linked to directly from Equifax’s real site, so I think it is legit.

@Kidsandliz You must have been hacked! You’re double posted!

@therealjrn blame the goat.

@m33rkat Thanks

@therealjrn Actually I clicked on “Say it” twice because it was reacting so slowly I thought maybe I didn’t click. Meh flaw.

@Kidsandliz I’m just glad the haxors didn’t get you.

@therealjrn Thank you for posting this. It says I wasn’t compromised, but I get the free monitoring anyway

@Barney He’s not disappointed that our information got disseminated. That’s exactly what they do. He’s just disappointed that they didn’t profit from it.

@Barney
It’s cool.

@medz Me too! And my wife! Not sure about our robot, though. It wasn’t allowed to check.

@SSteve 1 year of free protection, whoopty doo. All the bad guys have to do is wait until next year.

@medz Yep. 143 million people aren’t going to change their driver’s license and social security numbers. The people holding this info can afford to play the long game.

@medz +1. They won’t let me enroll in the monitoring program until 9/13 for some reason. Probably due to the massive number of people responding, they’re attempting to meter website traffic.
¯\_(ツ)_/¯

@ruouttaurmind I got the 12th. Hope you aren’t identity thieved on Tuesday!

@SSteve I read a little while ago that in order to get the free credit monitoring for a year there is a clause in the fine print that states you waive your right to sue them for any damages that arise from their security breach.

@SSteve
/image get paid! animated gif

@SSteve

Lawyers called these “coupon lawsuits”. The lawyers get a payout. Things may or may not improve re the problem. Legislation may or may not be passed.

The customer or injured party gets the $ equivalent of a piece of chewing gum.

@SSteve, @f00l, I received a pair of dollar store jumper cables for the Ford Bronco II settlement maybe a dozen years ago.

One of the Chase Bank credit card settlements actually netted about $45.

The De Beers diamond cartel settlement sent a check for $80.

The PB plumbing settlement paid over $4,000 to replace all the plumbing in my house with copper.

I always join these CA lawsuits when I have standing 'cause you just never know what may come of it.

@ruouttaurmind
I’m not against these lawsuits, or against joining them. But many of them pay pennies. No-one will be retiring or taking a vacation in the payouts, except in rare circumstances.

@f00l Agreed. Probably 80% that I’ve opted to join have settlements not worth the effort it took to join. I never expect to strike it big, but those few which have paid checks worth depositing gives me motivation to continue participating. The plumbing settlement in particular really surprised me. I expected to get pennies on the dollar if I went out of pocket to pay for the retrofit. I never expected the settlement to handle everything for me with zero expense to me.

@f00l the lawyers might retire, take a vacation, or but a vacation home or new yacht with their payouts, though.

@f00l @ruouttaurmind I had a Norplant (birth control in five tubes to last five years) put in my arm after my first child and we ended up getting pregnant (with a miscarriage) a year later. Had the tubes removed as soon as we knew we were with child. But apparently it was a common problem and there was a large lawsuit filed that I joined. Never heard a thing about it afterwards for two years until all the company offered was a different birth control for a year. Made by the same company - so we turned it down. Only one I’ve ever joined.

I usually check out all three yearly but I missed last year. I was about to check it this month but now I have reservations. Equifax was the one company that always had wrong information on it and I faxed, emailed and mailed a letter each year to get them to fix it and they never have. Does anyone know if they have done anything to prevent future hacks or should I do the other two and skip them? Also, has anyone used that Creditkarma site to check credit scores and if so is it any good?

@WTFsunshine wow I wouldn’t have taken an alternate either; that’s just beyond unethical on their part. Sad you had to go thru that awful experience, and that then their response to the suit doesn’t even begin to make it right

@WTFsunshine I use credit karma; it has been extremely helpful for me the past couple of years; it’s accurate, up to date, sends me messages (I use the phone app) whenever there is any change or application for credit. I am not sure it reports all the credit agencies; think it is just Equifax and Trans whatever. I could be wrong though.

@kerryzero Thank you for answering my question. It is very much appreciated. I was unaware that they had an app - I’ll have to go look that up. Thank you for your sympathy on the other issue as well.

@WTFsunshine I use it. Spent YEARS trying to get a rather major mistake fixed. Finally saw it was fixed on the 2 credit agencies through them (as someone else said they only report on two). They don’t use the “usual” credit score used by banks, etc. and instead use some other score. I have no idea how those scores correlate with each other. On the other hand, at this point my scores are about 25-30 points apart on creditkarma between the credit reporting agencies for reasons I can’t identify since what they show on the report is identical and theoretically are using the same formula to calculate it from both reports.

@Kidsandliz

Each agency calculates and sells its own scores, created using internal formulas. They sell a variety of scores (variances in formula used for calculation), supposedly tailored for the industry and purpose of the score lookup.

FICO (Fair, Issac, and Company) pioneered this practice, and their scores have the best reputation.

If you apply for a mortgage, the big daddy score your bank or mortgage broker pulls will probably be the FICO mortgage score. It’s kinda the assumed industry baseline from what I hear.

The credit bureaus themselves started calculating and selling scores, in hopes of grabbing some of FICO’s business.

Most of the scores you see with credit monitoring services are bureau calculated scores, not actual FICO scores. But the scores should be similar.

Smallish variations in score from bureau to bureau often have to do with exactly how up to date one bureau is compared to another, or similar small data variations that won’t show up on a consumer credit monitoring report. Small variations don’t mean a lot.

If you want to know your actual FICO mortgage score, often your bank will pull it at no change.

@sgrazi Discover card offers to monitor for your information showing up for free. I dont know if they are using the same service, but I signed up just last month.

@sgrazi What they are getting is if you sign up you have then opted out of any class action suit and agreed to arbitration. A win for them if they can get as many people as possible ineligible for membership in a class action suit.

@Kidsandliz Heard that on the radio yesterday, fortunately before doing anything to sign up. We get the ‘dark web search’ stuff through work so I’m going to let them do that

@dashcloud But then aren’t you also opting out of the free service?

@Kidsandliz No- you’re just taking the (very hidden) option to not use arbitration.

@dashcloud Thanks

@baqui63 is my smart friend

@meh you’re jsut saying that 'cuz you’re drunk.

@baqui63 NUH UH

@meh uh huh! also, I’m now off to bed, so you can win this argument if you can still type and click.

@baqui63 I’m not being critical, I’m being curious: So what do you suggest as the fix?

@ruouttaurmind I don’t know his opinion, but not using the social security number as a convenient unique ID for people in any system outside of social security would be a good start. Using it (or part of it) as a password of sorts is even worse.

@ruouttaurmind, knowledge of a person’s SS# should be no more significant than knowing any other piece of public information about that person. As an example, my knowing your SS# should be no more significant than my knowing that you have used the forum at meh.com.

Unlike @djslack (apparently, anyway; apologies to @djslack if I have made an incorrect assumption) I have no problem with a SS# being used as a (mostly) unique identifier (database key, whatever) for a person across multiple systems. What do I care if my bank, the IRS and my doctor all use the same ID# for me? They all use the same given name, phone number and zip code for me and I’m ok with that, so why should their ID# for me be any different?

However, as @djslack later states, not using the SS# as any form of a password (ie. for any form of authentication) would be a good start. Why do I have to use “the last four digits of the primary account holder’s SS#” as the PIN for my TMobile account? Especially given that my SS#, name, address, DOB, email address(es), telephone number(s), employer(s), salary(ies), etc. may be public information. BTW- my “mother’s maiden name” has not been Pike (her actual maiden name) in any company’s records for me since the late 1980s.

(Note that I have not tried to get TMobile to use something other than the last four digits of my SS# as the PIN for my account, so it may be that they are not a good example. If so, I apologize in advance to John Legere and company.)

The solution is simple: stop using potentially public and immutable information to authenticate identity.

I fully understand and acknowledge that this will be hard to change for many companies. I also firmly believe that any system where it is hard to change is poorly designed and the company using it is putting their profit margin (ie. not paying enough for security) above the security of their customers. (Again, using TMobile as a possibly flawed example: I’m fine with defaulting my PIN to the last four digits of my SS#, but I should be able to change it whenever I want, without significant hassle. If changing my PIN at will would require TMobile to make significant changes to their system, then their system is not well designed, etc.)

@baqui63 You’re right and said it way better than me. The only problem I have with using it as the de facto unique ID is the fact that it’s also used as an identity verifier, so you have these conflicting needs to use it everywhere but keep it private. Making the second change removes my concerns on the first count. If you can treat it as public information, hell, use it as my phone number too.

see, @baqui63 is my smart friend

@meh baqui63 might be part of the vast government false-flag conspiracy to put microchips under your skin for identification, and then, all currency will be abolished, and you will need to go to FEMA camps to get your food, and the floride in the water is changing the climate and Area 51 and stuff.

True story.

(I’m just being silly. @baqui63 obviously knows what he’s typing about. And FEMA food isn’t too bad. What’s it called? “Green Soylent”?)

@baqul63 In our state they finally took our SSN off of our drivers licenses and gave us a permanent OLN. Unfortunately, places started to ask for our drivers license to put the number in their computers or cash registers which is as bad as when they used to ask for our SSN. Same with putting phone numbers on checks so we always put “unlisted” on them. At least most stores got smart and only ask for zip codes to track where customers are coming from to shop. Just too many ways these days for our information to get out there.

@baqui63 great post. I was looking for a paragraph with a similar criticism of biometric information, because you know that’s coming.

And it’s the same potato, all over again.

@WTFsunshine I don’t have a problem with use of these numbers for IDENTIFICATION purposes and thus I see nothing wrong with a store wanting a phone number or DL number on a check. After all, I’m the one requesting the favor of paying by check rather than cash.*

My problem is with using these numbers for AUTHENTICATION purposes. These are very different things.

*Given that a personal check contains most, if not all, of the information required to steal a person’s identity, I’ve stopped using them except for paying people I trust (my gun club dues, my condo association and until May of this year, child support to my ex-wife). I’m looking into ways that our condo association might take electronic payments (I’m its president) but this is not as straightforward as it sounds, especially for a 16 unit condominium.

@baqui63 I agree with your statements. I only have issue with where the information is kept on file. Some banks send your check physically and/or digitally to too many places. Once someone gets hold of your OLN (or what you put in the memo line I.e. Johnny’s soccer team fees) all they have to do is request your driving record (which anyone can do electronically as well as anything that is public information (your address, court records, marriage and divorce records and the list goes on) through county and state records) with it and then they have more than enough to steal your identity, money, create a new DL in their own name and go to the post office to file a forwarding address. By the time you get a notification that a forwarding address was filed it’s too late to undo the damage. Monitoring your accounts online is something a lot of people (the elderly for example) still do not do. Even in these days when vigilance is even more important than the days of old where scammers had to stalk your mailbox. BBB lets you sign up for emails from them to see which new scams are being done and I have my family and parents on the email list. So I am agreeing with you- not against- but just explaining a little further to why I typed what I did.

@dashcloud so don’t tell people exactly when you froze…

@medz they don’t need to know exactly when you froze it. If you put the freeze on in response to the breech it will be trivial to guess it

@unksol I imagine there will be some red flags if someone is guessing up to 86400 possible pins per day for each person. It should lock them out after three tries or so, right?

@medz this is Equifax you’re talking about, right? Locking someone out of something is clearly not their strong suit.

@sgrazi Even if they were unaware of the data breach, it doesn’t mean that they weren’t told, “Don’t ask questions. Go sell your stock before the end of the week.”

@baqui63 That I would believe. When a certain public company was headed towards a tank (it is still around), my brother-in-law, CFO there at the time, told my dad to sell all his stock in that company, don’t ask any questions, don’t say why you are doing it, just do it now. Several weeks later the shit hit the fan.

@sgrazi
I believe they were lobbying Congress for limitations in liability recently, including before the beach was announced.

Equifax lobbied to take away breach victims’ right to sue

https://boingboing.net/2017/09/09/depraved-indifference.html

Gotta love ethics.

@f00l I don’t think Equifax and Ethics can be used together @Kidsandliz I applaud your brother in- law for looking out for family while putting his butt on the line for doing so.

@sophi it’s not accurate, as discussed in the post one above this.

The language in question applies when signing up for the free credit monitoring service, and Equifax states that that clause does not apply to the breach itself.

No doubt that they have handled this very poorly in just about every way imaginable. It’s very shitty for the consumer who has no say over them having access to their data in the first place.

@f00l i think an equally useful/accurate tool when compared to the data breach checker is…

/8ball was my data breached?
As I see it, yes

@Yoda_Daenerys

Agreed.

/8ball It is. Is it?
You may rely on it

@PocketBrain The Russians also (supposedly) helped put a real dick in charge of the country too. Sorry - to all of his supporters here in the forum.