Best to assume the answer to "has my SSN been leaked" is yes, from the sound of things. So... next steps?
posted by Artw at 7:54 AM on September 8, 2017 [8 favorites]

Another "too big to fail" company has their ass handed to them. This is fine.
posted by Melismata at 7:57 AM on September 8, 2017 [20 favorites]

Jake Williams has some good comments, like "most of the victims of the #Equifax breach have no business relationship with them"
posted by jeffburdges at 8:05 AM on September 8, 2017 [30 favorites]

So... next steps?

I mean, I really don't see what anyone can do except put a freeze on their credit from now til the end of time.

And by doing so, of course, they're conveniently agreeing to hand over cash to the exact businesses that exposed their info, every time they want to rent an apartment or get a mortgage and on and on and on....
posted by We put our faith in Blast Hardcheese at 8:06 AM on September 8, 2017 [19 favorites]

The impossibly broad scope of this fuckup is making it hard for me to even think it through. It's not clear to me whether the situation here is "143 million records are definitely compromised" or the slightly-but-not-really better "any of among these 143 million records might be compromised"; either version is just mind-boggling.
posted by cortex at 8:06 AM on September 8, 2017 [33 favorites]

This is fine.

Nearly half the population of the US is affected, so I'm not sure if "fine" is the word I'd use, personally.

I'm almost certainly affected because late last year, hackers stole enough information to file false tax returns in my name from some combination of government websites (FAFSA site breached in a way that allowed access to arbitrary tax records) and my employer's W-2 preparer (also hacked), and in consequence I got all sorts of free equifax stuff from various sources, in exactly the right timeframe for this. I guess at least my information couldn't be much more stolen than it already has been.
posted by advil at 8:06 AM on September 8, 2017 [14 favorites]

I'm not sure if "fine" is the word I'd use, personally

I believe Melismata was speaking in the KC Greenian mode.
posted by cortex at 8:08 AM on September 8, 2017 [36 favorites]

Ahahahahahah holy shit. The insider trading part is my favorite part probably.
posted by We put our faith in Blast Hardcheese at 8:09 AM on September 8, 2017 [87 favorites]

What can we do?
posted by doctornemo at 8:11 AM on September 8, 2017 [2 favorites]

Ahahahahahah holy shit. The insider trading part is my favorite part probably.

Oh my. Well those people will be going straight to jail/living in fabulous luxury for the rest of their lives without fear of consequence.
posted by Artw at 8:13 AM on September 8, 2017 [12 favorites]

What can we do?

Abandon capitalism?
posted by runcibleshaw at 8:14 AM on September 8, 2017 [82 favorites]

Start from scratch, bureaucratically speaking. New SSNs, new credit card numbers, new driver's license numbers, etc. Cancel all the old shit.
posted by pracowity at 8:15 AM on September 8, 2017 [13 favorites]

That would require a functioning government.
posted by Artw at 8:16 AM on September 8, 2017 [102 favorites]

Speaking of which all of this is undoubtedly going to end up in the vote suppression stew/GOP-Russia election influencing efforts. Joy.
posted by Artw at 8:17 AM on September 8, 2017 [14 favorites]

Jubilee, forgive all debts
posted by Cash4Lead at 8:18 AM on September 8, 2017 [118 favorites]

It already makes me angry that banks and credit rating companies could decide that a few trivial facts about me (none of them secret or hard to find) are sufficient to claim my "identity", and if I don't want the consequences of someone ruining the ephemeral and unreliable "score" they pulled out of their asses to rate me, it's my responsibility to fix it. But the fact that a company I have never done business with, and never wanted to do business with , stored this non secret info in an irresponsible way, making it a touch easier for people to ruin my life for their financial gain, is simply puke icing on the shit cake.
posted by idiopath at 8:21 AM on September 8, 2017 [186 favorites]

For any Americans considering putting a freeze on their credit: The FTC FAQ on credit freezing (including links to the three major credit reporting companies' freeze forms).
posted by Hot Pastrami! at 8:26 AM on September 8, 2017 [14 favorites]

Jake Williams has some good comments

What's "PHI"?
posted by thelonius at 8:28 AM on September 8, 2017

Goodness, things are really going to hell in a handbasket, aren't they?
Whoever gets the job of recovering democracy will need the determination and public backing of IDK, F.D. Roosevelt? Is that enough? They will have to be saintly too.
posted by mumimor at 8:29 AM on September 8, 2017 [3 favorites]

The thing that kills me is that they sat on this for 6 weeks, I guess to make preparations for the reveal that ended up being:

- a Wordpress site that looks fake and is broken (and may also take away your right to sue them)
- PR messaging that's basically just "gosh, we're real sorry"
- executives cashing out a couple million dollars of stock options

Are they trying to come off as inept, corrupt bunglers? Hell, maybe that's the right choice in a regulatory environment that's now in the hands of people whose only feelings of empathy are for white guys who lost millions of dollars of other people's money.
posted by Copronymus at 8:30 AM on September 8, 2017 [50 favorites]

this is pretty much is the end of SSN's as useful for anything besides fraud.
posted by Annika Cicada at 8:32 AM on September 8, 2017 [44 favorites]

What's "PHI"?

Protected Health Information. Basically, any information falling under the auspices of HIPAA.
posted by NoxAeternum at 8:32 AM on September 8, 2017 [12 favorites]

Not to be confused with PII, which is Personally Identifable Information, which isn't a legal term (I think) but is the idea of specific stuff about you that could lead to you being identified. Age, workplace, zip code, for example.
posted by kerf at 8:35 AM on September 8, 2017 [2 favorites]

I just tried to place a freeze on my Equifax report, and I get a page saying "We're sorry...we cannot process your online request concerning an Equifax security freeze." The incompetence is breathtaking.
posted by Hot Pastrami! at 8:37 AM on September 8, 2017 [24 favorites]

Justin Soffer on Twitter

Me: "Smith" and "123456"

Equifax: You're in danger. Sign up for our premium service for a year and then we'll start charging you.

WFT?

posted by Pater Aletheias at 8:38 AM on September 8, 2017 [35 favorites]

Why is it my responsibility to make sure that companies don't fall for someone impersonating me? Shouldn't that be their job?

Capitalism!
posted by Artw at 8:39 AM on September 8, 2017 [27 favorites]

Best case scenario: the Equifax hack is some sort of Mr. Robot/Fight Club type plot to erase everyone's debt and we're all about to be free.

Worst case scenario: the Equihaxors plan to pwn us all by selling the data of 143 million people to third parties more nefarious than predatory credit bureaus.
posted by guiseroom at 8:39 AM on September 8, 2017 [9 favorites]

I've one thought on what might help : Call your congressmen to ask for (emergency) legislation that freezes everyone's credit. In effect, this would require Equifax, Experian, and TransUnion to seek approval before revealing any information about anyone to anyone, without folks needing to pay them. It'd might kill those three companies in the long run, but not necessarily since they can simply raise their rates for creditors seeking records.
posted by jeffburdges at 8:42 AM on September 8, 2017 [112 favorites]

Yeah, this is a disaster that requires government intervention. As noted above in the thread (I think? Might be crossing wires with the politics thread.) we do not have a government that is likely to address this issue.
posted by Slackermagee at 8:45 AM on September 8, 2017 [12 favorites]

So I am curious, with so many stolen records to choose from, what will the thieves do with it? Do they pick the juiciest ones to fleece first? Divide them into tranches based on credit score and sell them like derivatives? I mean, something of this scale, for them to cash in on all the targets right away, they'd have to have infrastructure comparable to a TBTF bank. Once a criminal organization gets that large, they must become almost like a normal corporation. And it's not like the legit corporations aren't blurring the line between legal and illegal, from the other side.

If humans are still here to look at history in 50 or 100 years, will they think that whoever got away with this info was, like, a pioneering corporate executive worthy of venerating? Will the hacker's grandson get elected president?
posted by elizilla at 8:46 AM on September 8, 2017 [15 favorites]

The site they put up is awful. First of all you have to go to three separate websites to check if you've been compromised (equifax.com, equifaxsecurity2017.com and trustedidpremier.com). I was linked to the second one and didn't trust it, so went all the way back to their main page.

Then you have to give the last 6 digits of your social security number (instead of the usual 4).

Then they don't even tell you whether or not you've been compromised (or at least they didn't in my case). It's just an enrollment date for their credit monitoring and a note saying 'too bad if you forget to enroll on this specific date'

Awful response all round, and that's not even getting into the insider trading aspect. If those folks don't see jail time I'll be investing in pitchfork companies!
posted by TwoWordReview at 8:47 AM on September 8, 2017 [26 favorites]

If I fuck up a PCI implementation my client gets completely locked out of the financial system.

Something like turnabout is fair play should apply here.
posted by Talez at 8:52 AM on September 8, 2017 [36 favorites]

Oh, this is gonna be ugly. We already had someone file taxes under our numbers, and when I checked the "are you haxored" site, which even as bad as it is, what the fuck difference does entering my last six ss# matter anymore, and it said "yep, you're haxored. Come back on the 14th and sign up for protection."

No instructions on what I'm supposed to do between now and the 14th.
posted by SecretAgentSockpuppet at 8:54 AM on September 8, 2017 [1 favorite]

Equifax also hold details on 44 million Brits and 'some' of these are likely to be impacted, along with an undefined number of Canadians.
posted by biffa at 8:57 AM on September 8, 2017 [6 favorites]

I'm supposed to come back on the 12th. That was dumb of them, because it gives people lots of time to hear about the thing where you supposedly sign away your right to sue.
posted by ArbitraryAndCapricious at 8:58 AM on September 8, 2017 [5 favorites]

Out of curiosity, has anyone used the "are you haxored" site and been told "nope, you're in the clear"? Or are they just telling everyone they're fucked and should sign up for the sign-away-your-right-to-sue site.
posted by ArbitraryAndCapricious at 8:59 AM on September 8, 2017 [17 favorites]

I am lucky enough to live in Georgia, Experian's home state, and to put a freeze on my credit requires a payment of $3. To temporarily suspend it so I can, you know, use my credit, I get to pay them another $3. This is what effective lobbying in state legislatures can do for a nice big company: allow you to screw the pooch and then screw your customers.
posted by conscious matter at 9:00 AM on September 8, 2017 [12 favorites]

A Facebook friend reports that he got a "you're in the clear" message. He is a US citizen but lives outside of the US.
posted by ArbitraryAndCapricious at 9:02 AM on September 8, 2017 [3 favorites]

So every piece of identifiable info i might use to do anything financial has been stolen.

The only step I can take is to preemptively pay the agencies who fucked this up 30 dollars to lock my credit, and then another 30 every time i need to use it.

Am I missing anything?
posted by Lord_Pall at 9:02 AM on September 8, 2017 [21 favorites]

Oh christ, Elliot, come fix this.
posted by Space Kitty at 9:04 AM on September 8, 2017 [5 favorites]

Shouldn't a company that loses your data be financially responsible for any damage that causes you?
posted by pracowity at 9:05 AM on September 8, 2017 [83 favorites]

Shouldn't a company that loses your data be financially responsible for any damage that causes you?

Yes.
posted by ArbitraryAndCapricious at 9:06 AM on September 8, 2017 [86 favorites]

You cannot fix this just by freezing your credit report. All that information helps with breaking into accounts you already use too. You can normally put verbal passwords on many accounts though.
posted by jeffburdges at 9:06 AM on September 8, 2017 [4 favorites]

Out of curiosity, has anyone used the "are you haxored" site and been told "nope, you're in the clear"?

My wife comes up as safe, while I've apparently had my data breached. At least it didn't say it was automatically signing me up for their waiver-of-liability credit protection, which it apparently has been for other people.
posted by Phineas Rhyne at 9:06 AM on September 8, 2017

I am dismayed at this unalloyed piracy of my intellectual property. Copyright law provides for substantial damages in these cases. I wonder how hard it is to find an IP lawyer....
posted by Pogo_Fuzzybutt at 9:09 AM on September 8, 2017 [3 favorites]

Yesterday I was walking this three host chain, each domain sketchier and phish-ier than the previous, and looked at the https certificate details for the final trustedpremiereid one: owner info - none, issuer - amazon.

Reader, this did not allay my concerns.

Now, nothing against Amazon. But if I'm going to put up a "we've been hacked site" I'm going to go with a name brand SSL certificate, not one from a server rental site (Amazon).
posted by zippy at 9:13 AM on September 8, 2017 [11 favorites]

It's the forced arbitration clause that is the icing on the cake for me. "Yeah, we fucked up, but if you use this site to see if we fucked you, you agree that you can't sue us over it."

Trying to think of a corporate response to a mistake that has been this poorly handled. This is "We don't care. We're the phone company, we don't have to" territory.
posted by fifteen schnitzengruben is my limit at 9:17 AM on September 8, 2017 [11 favorites]

Jokes on them! My credit is already shot and I have no money to steal.
posted by Room 641-A at 9:21 AM on September 8, 2017 [43 favorites]

It's just an enrollment date for their credit monitoring and a note saying 'too bad if you forget to enroll on this specific date'

Not to minimize how horrible this whole setup is, but to clarify, you don't have to sign up on that specific date--you have to sign up after that date but before mid-November.
posted by Four Ds at 9:22 AM on September 8, 2017 [1 favorite]

this is simultaneously so perfectly situated to craft an infinite stream of revenue for Equifax, and so horribly stupid and bungled, that a more paranoid person would be forgiven for thinking they made it all up in some kind of grand Coen Brothers scheme.
posted by We put our faith in Blast Hardcheese at 9:24 AM on September 8, 2017 [18 favorites]

A comment by a Reddit user in this thread:

I have a pretty lengthy email chain with them 3 months ago basicaly scolding them for their horrifying cybersecurity.

After making an account, immediately a password reset "forgotton password email", was made on my account and my password was delivered in plaintext to my email. Without my knowledge. I assume they were internally infected and usernames and passwords were being read straight out of the emails from their end. No encryption, no reset nothing. Just, heres your password thanks.

I've never been so angry with a company in my life. I asked them to delete all my personal data and sensitive information and they refused and basically stopped replying to me.

People seriously need to go to jail for housing a database of plaintext usernames and passwords to accounts linked to credit cards and credit reports.
posted by fairmettle at 9:27 AM on September 8, 2017 [92 favorites]

That "businesses" like Equifax exist in the first place is the problem here. They should be 100% illegal, and it should be 100% illegal for banks (or anyone else) to share your private information with third parties.

And, in all honesty, the way they're handling it, I'm not sure I even believe there was a data breach at all. This whole thing feels like a scam to exploit panic, and since Equifax is a scam to begin with...
posted by Sys Rq at 9:27 AM on September 8, 2017 [59 favorites]

So, where can one go to check if they've been compromised without having to sign-up for their credit monitoring?

I don't think you have to sign up for their credit monitoring if you go to equifaxsecurity2017.com. I'm still not sure it's a good idea, because you have to give the final six digits of your social security number, and the first three digits are not hard to guess if you know where someone was born. And various articles are claiming that the site itself has terrible security.
posted by ArbitraryAndCapricious at 9:27 AM on September 8, 2017 [4 favorites]

People seriously need to go to jail for housing a database of plaintext usernames and passwords to accounts linked to credit cards and credit reports.

This is free-market America, where it's up to the consumer to make sure they're safe. Statues will be erected to these swindlers.
posted by Thorzdad at 9:30 AM on September 8, 2017 [5 favorites]

It is probably a good idea, if you haven't already, to go to ssa.gov and make an account for your ss#.
posted by agatha_magatha at 9:30 AM on September 8, 2017 [19 favorites]

My running theory is that modern capitalism is the equivalent of an abusive partner who forces the victim to do all the emotional labor and gaslights the victim all along the way.
posted by kokaku at 9:33 AM on September 8, 2017 [43 favorites]

I'd also mention that the feds are finally planning on rolling out new Medicare cards, because they currently have your full SS#. And since it's your insurance card, that means everyone over 65 and on SSDI are forced to walk around with it on their person.
posted by Room 641-A at 9:34 AM on September 8, 2017 [1 favorite]

It is probably a good idea, if you haven't already, to go to ssa.gov and make an account for your ss#.


...care to explain why this is a good idea, specifically? I'm getting a shitload of conflicting orders to do various things and honestly nobody seems to know why anyone should do anything at this point.
posted by We put our faith in Blast Hardcheese at 9:35 AM on September 8, 2017 [11 favorites]

It is probably a good idea, if you haven't already, to go to ssa.gov and make an account for your ss#.

Why? What will this do?
posted by maggiemaggie at 9:35 AM on September 8, 2017

> My running theory is that modern capitalism is the equivalent of an abusive partner who forces the victim to do all the emotional labor and gaslights the victim all along the way.

So basically Marxian alienation theory.
posted by runcifex at 9:37 AM on September 8, 2017 [6 favorites]

It is probably a good idea, if you haven't already, to go to ssa.gov and make an account for your ss#.

Why? What will this do?

This looks like it's how you tell the government where to send your checks and other such. With your SSN out there, if you don't have an account on SSA.gov, someone else could set one up for you, and then any attempts to say, change your login, would go to them, not you.
posted by Four Ds at 9:39 AM on September 8, 2017 [13 favorites]

Also, I believe there are a total of four House members with a CS degree. This is a problem if we want better laws to protect us. We need way more awareness on the federal level. It's 2017 and were still basically at "the internet is a series of tubes."
posted by Room 641-A at 9:39 AM on September 8, 2017 [14 favorites]

So basically Marxian alienation theory.

It's called "externalizing costs".
posted by Artw at 9:41 AM on September 8, 2017 [11 favorites]

and it should be 100% illegal for banks (or anyone else) to share your private information with third parties.

This, but it seems like a pipe dream. No one should be able to run a credit check, send me email, send me snail mail, sell my info to another company, buy my info from another company, use my info in an unrelated subsidiary of a conglomerate with whom I do business, track my website visitation habits, etc. etc. without my express written opt-in consent and if applicable an offer to pay me a cut of whatever they are getting out of it. And that request and consent needs to be in a communication that contains *only* that request and not be part of lengthy usage terms. If that breaks your business model, tough shit.

Don't even get me started on companies running a credit check for new hires. God forbid anyone with money problems should want to get a job to resolve those problems.
posted by freecellwizard at 9:42 AM on September 8, 2017 [54 favorites]

ahahaha well I just tried to use that ssa.gov site and entered my info and...then it just reset, and nothing happened. So...maybe don't do that, y'all.
posted by We put our faith in Blast Hardcheese at 9:42 AM on September 8, 2017 [1 favorite]

Equifax Faces Multibillion-Dollar Lawsuit Over Hack

We need to make it illegal to handle customer's data over any nontrivial time scale of course. I'm thrilled Europe went as far with the GDPR though. And that European courts struck down Safe Harbor. And I hope this breach helps wreck the EU-US Privacy Shield.

"I'm not worried about this Equifax thing. I changed my SSN after the OPM hack, and now it has a letter and a special character."
"The silver lining about Equifax is that our data might only have been stolen by spies, not actual criminals."
posted by jeffburdges at 9:43 AM on September 8, 2017 [17 favorites]

Maybe the gold hoarders were right.
posted by Artw at 9:44 AM on September 8, 2017 [1 favorite]

Oh, this is rich. From ssa.gov:

Definition: Identity Services Provider
Identity Services Provider
The U.S. Social Security Administration uses an external data source, or what we refer to as an “Identity Services Provider,” to help us verify the identity of our online customers and to prevent fraudulent access to our customers’ sensitive personal information. Equifax is the Identity Services Provider that provides identity verification services to the Social Security Administration. For more information, please visit www.Equifax.com, (Disclaimer).

There is an option on the SSA website to block electronic access to your account. Anyone have any thoughts on or experience with that?
posted by EvaDestruction at 9:49 AM on September 8, 2017 [34 favorites]

NY AG Eric Schneiderman just tweeted that his office has already "demanded" that Equifax remove the language about waiving rights to sue.
posted by noneuclidean at 9:50 AM on September 8, 2017 [39 favorites]

I wonder if Trump's information was part of the breach. That would be fun to see.
posted by yesster at 9:52 AM on September 8, 2017 [8 favorites]

So, seriously, what the hell do we do here?

I have no interest in waiving my right to a class action, but there appears to be no mechanism to prevent future potential breach because all the identifying information necessary to show "I am me," has been subject to this breach.
posted by leotrotsky at 9:54 AM on September 8, 2017 [11 favorites]

Hmm. SSA.gov says there is already an account with my information. The password recovery questions aren't ones I normally choose.

Either I signed up and forgot or...

Why in the world would anyone sign up for that if they weren't me? Is there anything you can actually do on there?
posted by FakeFreyja at 9:54 AM on September 8, 2017

Jokes on them! My credit is already shot and I have no money to steal.

It looks like my totally intentional plan of living like a starving artist pays off again!

Yeah, if someone manages to open any lines of credit with my info I want to know how they did it, because I'd like a new camera, and a bunch of big archival prints so I can get a gallery show.
posted by loquacious at 9:54 AM on September 8, 2017 [11 favorites]

Of course, as a Sony Pictures employee who was here during The Hack™, all of my PII has been available for years. It's about the only time I've been grateful for the Chapter 11 Bankruptcy that I was granted a while back. If they are arranging all the accounts into tranches, mine will end up in the Triple Garbage tranche.

If some nefarious hacker person manages to get issued a credit card with my info, I hope they let me know how they managed it.
posted by curiousgene at 9:58 AM on September 8, 2017 [11 favorites]

This sounds terrible but I'm realizing the US is too foreign for me to fully grasp the implications. Could somebody explain to this European what Equifax does, why they hold sensitive data for so many people, and why the SSN in particular is so sensitive?
posted by dmh at 10:04 AM on September 8, 2017 [3 favorites]

People basically use their social security number as a super secret password for pretty much EVERYTHING, so if you have it then it's easy to impersonate them. This was previously dubious as a security measure, now utterly laughable, and yet it's the way it's always been done so...
posted by Artw at 10:08 AM on September 8, 2017 [5 favorites]

Equifax is a credit bureau. They issue reports on whether any given individual will be able to pay back a loan or the like, which loaners use to decide whether to give a loan or not. To do that, they get information from everyone who loans anyone money: banks, credit unions, credit card companies, car loans, mortgages, etc. If you've ever borrowed money or received a line of credit, they have information on you.

The SSN is the one government issued identifier that every American will have, and is needed for proof of identity all over the place. It is probably the hardest identifier to get changed, short of intrinsic things like your birthday or fingerprints.
posted by Four Ds at 10:11 AM on September 8, 2017 [6 favorites]

So, at this juncture, is freezing your credit about the best option for now?
posted by Thorzdad at 10:13 AM on September 8, 2017

And what's crazy, is that RIGHT ON THE FUCKING SS CARD it says "Not To Be Used As Identification". They were never designed to be a default user id number for citizens, and yet, here we are.
posted by SecretAgentSockpuppet at 10:13 AM on September 8, 2017 [50 favorites]

As for the credit rating part of this, it's not just for borrowing money. Increasingly in the US you may not be able to get a job or rent an apartment if your credit score from Equifax or one of the other credit rating agencies is not high enough.
posted by maggiemaggie at 10:13 AM on September 8, 2017 [35 favorites]

It was a stupid idea pre-internet, an insane one now.
posted by Artw at 10:14 AM on September 8, 2017 [13 favorites]

SSN is sensitive because it's a one-to-one mapping of identity to a US citizen/resident.

It shouldn't be particularly sensitive, just as one's mother's maiden name or childhood pet shouldn't be particularly sensitive, but because we lack really any other good national method of remote one-to-one identity verification, SSN becomes a key bit of info in a lot of electronic/financial/etc systems. And so it is treated secretively, and is considered not for public broadcast, because "oh, sure, here's (some portion of) my SSN" is the answer to a lot of "let me just confirm your identity before I let you at this account you claim to have ownership of" gatekeeping steps.

As internet services have put greater and greater pressure on the need for quick, remote, standardized identity verification, the SSN problem has gotten a lot worse. People are using it less casually in a lot of cases to make it less likely to leak out incidentally, but it's also not a very good piece of secret information (it's certainly not, historically, very random at all, for one thing, having encoded some rough demographic info about place and date of birth) and not everyone is careful with it. So it becomes more secret and more important even as it's used more and more ubiquitously and, by sheer numbers, more recklessly by one or another service provider.

When I went to college, we were issued student id numbers that were literally just our full SSN. Some time before i graduated, somebody decided that was a bad idea and we moved to an independent student id number that wasn't SSN, but rather a number that was, for everyone already in the system, just coincidentally exactly identical to our SSN. Presumably they started issuing actual randomish numbers to new students.
posted by cortex at 10:14 AM on September 8, 2017 [29 favorites]

If you've ever borrowed money or received a line of credit, they have information on you.

A bunch of landlords and employers also run credit checks, so you don't even need to have borrowed money to be in their system, although I'm not sure what exactly they would have if you only had your SSN run and weren't otherwise exposed.
posted by Copronymus at 10:14 AM on September 8, 2017 [3 favorites]

And what's crazy, is that RIGHT ON THE FUCKING SS CARD it says "Not To Be Used As Identification". They were never designed to be a default user id number for citizens, and yet, here we are.

It's even worse. It was used both as the username "X is Y" and also as the password "Z proves this is X who is Y"

edit: yeah, what cortex said.
posted by leotrotsky at 10:15 AM on September 8, 2017 [6 favorites]

The 2017 writers strike again! One of the three executives who sold shares is named John Gamble.
posted by bonje at 10:16 AM on September 8, 2017 [13 favorites]

Not to be confused with PII, which is Personally Identifable Information, which isn't a legal term (I think) but is the idea of specific stuff about you that could lead to you being identified. Age, workplace, zip code, for example.

PII is primarily associated with PCI DSS, the Payment Card Industry Data Security Standard created by the major credit card companies. It's an industry standard, any organization that stores, processes or transmits credit cards is required by a council formed by the industry to certify that they treat PII securely if they want to handle credit card data. Somewhat curiously, banks are exempted from PCI; Equifax is not. PCI DSS isn't Federally mandated but there are a few states that require it.
posted by scalefree at 10:16 AM on September 8, 2017 [4 favorites]

Sign up for our premium service for a year and then we'll start charging you.

I can't prove this, but I was very VERY careful, after a previous bad experience, to not be tricked into signing up for credit monitoring when requesting a annual free credit report via Equifax last year after some ID theft issues.

A month later, the monthly charge showed up on my card statement. I took me almost an hour on the phone to get it taken off and the service cancelled. They tried to hard sell me the whole time.

I strongly suspect some Wells Fargo-level fraud is probably going on with Equifax's credit monitoring division. I'm guessing it's rotten from top to bottom.
posted by ryanshepard at 10:17 AM on September 8, 2017 [38 favorites]

PII also comes into play in COPPA (the Child Online Privacy Protection Act)
posted by kokaku at 10:18 AM on September 8, 2017 [1 favorite]

Maciej Ceglowski made the point that the best analogy for user data is not 'valuable information' but radioactive waste. This is looking truer and truer every day.
posted by sixswitch at 10:20 AM on September 8, 2017 [31 favorites]

I strongly suspect some Wells Fargo-level fraud is probably going on with Equifax's credit monitoring division.

This is what happens when large financial institutions know they can operate with little or no legal liability (and zero criminal liability).
posted by mikeand1 at 10:21 AM on September 8, 2017 [20 favorites]

When I went to college, we were issued student id numbers that were literally just our full SSN. Some time before i graduated, somebody decided that was a bad idea and we moved to an independent student id number that wasn't SSN, but rather a number that was, for everyone already in the system, just coincidentally exactly identical to our SSN. Presumably they started issuing actual randomish numbers to new students.

When I was in college the CS department used SSNs as tokens to create user accounts on their systems. They also posted test results on a bulletin board in the CS building hallway using SSNs as identifiers to provide anonymity. Put together, anyone who saw the test results could create accounts using the handy SSNs.
posted by scalefree at 10:21 AM on September 8, 2017 [5 favorites]

May Have Affected 143 Million Customers

I'm not the customer. I'm the product being sold.
posted by Obscure Reference at 10:24 AM on September 8, 2017 [80 favorites]

Just came to say the same thing scalefree. I used to know the SSN of a handful of classmates just because it was how you saw the test results reported. It's not a remotely secure piece of information, just a vaguely obscure one.
posted by meinvt at 10:24 AM on September 8, 2017 [2 favorites]

One of the first things I did at my current job was to purge SSNs out of data, many years ago now I am glad to say.
posted by thelonius at 10:26 AM on September 8, 2017 [4 favorites]

The FTC has a website designed to help with identity theft.
posted by SecretAgentSockpuppet at 10:32 AM on September 8, 2017 [3 favorites]

my suggestion from a previous hacking thread...

punative approach: any private entity or govt agency that stores personal information has a duty to protect the information. any unauthorized release (hacking, lost laptop, whatevs), pays the individual $100,000 per data element that is released (e.g. name and address == $200,000; name & address & phone == $300,000). $1,000,000 for SSN. $10M for SF-86. Must be paid within 72 hours of breach.

only occurance matters. no leniency for 'due diligence' or 'reasonable precautions'.

i think legislative action is necessary at this point. anyway, how is this not prosecutable as negligence? maybe civil liability, but that shit always ends up as a settlement with no admission of wrongdoing. ugh.
posted by j_curiouser at 10:33 AM on September 8, 2017 [16 favorites]

Paid my $30 for freezes at all 3 bureaus. People should go to jail for this and all three agencies shut down as national security risks.
posted by PMdixon at 10:35 AM on September 8, 2017 [21 favorites]

It's crazy that what state you live in determines how deeply they fuck you. Freezing all three accounts for me was free (Maine).

This is the best argument yet for the corporate death penalty.
posted by selfnoise at 10:44 AM on September 8, 2017 [27 favorites]

This is the best argument yet for the corporate death penalty.

It's looking more and more like we're going to have to string them up ourselves.
posted by ryanshepard at 10:48 AM on September 8, 2017 [35 favorites]

leotrotsky: ...all the identifying information necessary to show "I am me," has been subject to this breach.

Right, this is the first thing I thought of: all the automatically-generated verification questions are based on data that was stolen. So anyone who buys it can probably wrote a script to walk your record, request a new Equifax password, and then lock you out. In the mean time, they use your data to run wild online to several different web sites and open a card or three and vacuum out cash, order some stuff, and leave a contrail of fraudulent activity that will ruin your record.

And even worse is that this data gets checked against for job applicants and other uses that aren't anything like loan approvals.

Gaaaaaah.
posted by wenestvedt at 10:50 AM on September 8, 2017 [5 favorites]

I've never really understood that US thing where if somebody knows like three pieces of data about you, trivial ones like SSN, Birthdate and mother's name, you're p0wned, game over.

What's the thinking behind this? Why have such an insecure system in the first place?

Where I live, people ask for the equivalent of your SSN all the time, and it's printed right on your government issued ID, which many buildings require you to show to enter them, and is required on many web and offline forms for basically anything.

The particular part of the US's interpersonal fiction where these little bits of data are enough to prove your identity has always seemed super weird.
posted by signal at 10:56 AM on September 8, 2017 [14 favorites]

lol chrome says experian's "add a credit freeze" page is insecure

i've decided to respond to this crisis which most certainly affects me by laying face down on the floor and waiting for death
posted by poffin boffin at 10:57 AM on September 8, 2017 [55 favorites]

Equifax Breach – Early lessons
tl;dr Equifax' security was amateur hour
posted by jeffburdges at 10:59 AM on September 8, 2017 [9 favorites]

I've never really understood that US thing where if somebody knows like three pieces of data about you, trivial ones like SSN, Birthdate and mother's name, you're p0wned, game over.

What's the thinking behind this? Why have such an insecure system in the first place?

Other records for confirming identity in the United States are often issued by states and therefore don't necessarily conform to a standard format or level of detail. And historically Americans have tended to be suspicious, in general, of giving the federal government "too much" information about themselves and so have rejected past proposals for a formal national identification system. Leading us to the ironic result of a federal government that undoubtedly has tons of personal information about all of us yet no formal, secure, and public-facing way of confirming our identities.
posted by AndrewInDC at 11:04 AM on September 8, 2017 [4 favorites]

Per cortex, when I was in night school, they wanted me to sign in to the computer lab on a logbook out in the corridor, using my name and student ID. Said ID was, of course, my SSAN. I refused, and gave a hard time to the kid tasked with making people sign in. Eventually, a faculty member told him to let me in. Later, they changed to random student ID numbers.


I am curious, with so many stolen records to choose from, what will the thieves do with it? Do they pick the juiciest ones to fleece first?

I have no experiance with identity thieving, but I'd probably sort by age, since I'd have all the birth dates. Old people are gullible, and tend to have more money to steal than young people.

I am an old person.
posted by Kirth Gerson at 11:05 AM on September 8, 2017 [7 favorites]

Thanks for the explanations of SSN and Equifax. Would it be fair to say that the financial industry failed to deliver a strong authentication mechanism -- which might be somewhat understandable in a highly competitive market -- but then also failed to actually deliver that competitive market, considering that Equifax is dubbed "too big to fail"?
posted by dmh at 11:06 AM on September 8, 2017 [6 favorites]

Death penalty. Revoke their corporate charter. Deterrence effect.

SSN is sensitive because it's a one-to-one mapping of identity to a US citizen/resident.

Isn't it also used in employment to prove citizenship on the I-9? If you live in a red state it might be fruitful to connect this breach to current Republican policy against non-citizens. "What's going to stop an illegal alien rapist from hiding behind my SSN to stay in the country?" I don't agree with the logic or sentiment, but they do.
posted by rhizome at 11:08 AM on September 8, 2017 [10 favorites]

i've decided to respond to this crisis which most certainly affects me by laying face down on the floor and waiting for death

May I join you? I will bring ice cream.
posted by curiousgene at 11:09 AM on September 8, 2017 [23 favorites]

It's crazy that what state you live in determines how deeply they fuck you. Freezing all three accounts for me was free (Maine).

Freezing is free, but I bet unfreezing isn't. I froze my Transunion account for free when I lived in Florida. They would let you unfreeze it permanently for free, but unfreezing temporarily cost something crazy, like $15. You know that site Credit Karma, that gives you your "free" credit score? They use Transunion. And they wouldn't unfreeze your account right away, of course. It took 24 hours.

These companies are criminal enterprises, and they've made themselves necessary just to live in the US. You want a decent job? Need a credit check. You want an apartment that doesn't feature decorative bullet holes? Need a credit check. You want to open a bank account so you don't have to stash the cash from your shitty under-the-table job in your bullet-ridden mattress? Credit check. And you have to give all those people and more your Social Security number. That number that you're supposed to keep secret, so it's your fault if the wrong person gets it, because you're supposed to keep it secret, but also give it to everyone literally on the planet alive or dead.

Boy, I'm glad we didn't elect a life-long grifter who surrounds himself with fellow grifters to the highest office in the land.

I wonder if Trump's information was part of the breach. That would be fun to see.

Trump's credit is so bad he had to get Russian mobsters and oligarchs to pull him out of bankruptcy.
posted by dirigibleman at 11:11 AM on September 8, 2017 [52 favorites]

I, too, would like to lie face down in ice cream, please.
would also accept sherbet
posted by Spathe Cadet at 11:11 AM on September 8, 2017 [19 favorites]

Basically SSNs are the American version of True Name magic.

What's the thinking behind this? Why have such an insecure system in the first place?

Well, real security is expensive, and it seems the executive plan for 'what do we do when this blows up' is short sell the company. I imagine leaving the country is also in the plan.

The reality is it's really hard to bootstrap trust over the internet at the moment. What we really need is something closer to PKI -- your SSN is a public key, and you have a corresponding private key. Assuming your private key is never compromised, and the key replacement protocol is sufficiently robust against fraud*, that would at least get us to a place where an Experian breach is embarrassing, but not financially ruinous. IIRC, the US military issues ID with a keypair, so there's some level of experience with this at scale already.

*I.e. not the same shitty what's your mom's maiden name "security question" or anything else a Facebook employee could easily discover.
posted by pwnguin at 11:12 AM on September 8, 2017 [16 favorites]

SSA.gov adventures: I just tried to create an account on SSA.gov for myself as described upthread. I entered my contact info/SSN on the SSA.gov site as requested. The SSA.gov site said it could not find my record using the info I provided, and told me to "correct" my data (with no indication of what was "wrong") and try again. (Note: This ain't my first rodeo - the data I entered was correct and complete, in the right fields, etc.) After my third unsuccessful attempt, it told me I was locked out of the account creation portion of my account on the SSA.gov site for 24 hours. Since the error message I received said that SSA.gov was unable to match me to an existing account, I don't know if this means they've blocked the IP address I used to make the request, or if I am actually locked out based on partially identifying data. FML.

Alternative theory: I divided by zero and broke the system, locking everyone of us out for the next 24 hours while we ponder every recent decision. FML, and FYL too, I guess.
posted by mosk at 11:13 AM on September 8, 2017 [10 favorites]

You can also see from this screenshot (via of Twitter user @notdan) that there are unhandled exceptions in some Equifax web pages.

A great many Java developers seem to think that catching exceptions always counts as "using exceptions for flow of control", which they have been told is a "code smell" or some other halfwitted notion. The more virulent form of this is when they think that handling, or even throwing, an exception always shows that the condition that caused it wasn't really an exception, and so should not be done.
posted by thelonius at 11:19 AM on September 8, 2017 [8 favorites]

Maybe this is a candidate for ask.me, but how are credit decisions made in other countries (other than the US).

The US dependency on SSID and other trivial information is silly, but how is this handled elsewhere?
posted by dforemsky at 11:22 AM on September 8, 2017 [5 favorites]

I made this comment in a past thread, paraphrased because I can't find it, but:

In the year 1994, as a new student at Villanova, our email addresses were SSN@ucis.vill.edu

I had memorized at least three friends SSNs, then 3 months in they realized that maybe that wasn't such a good idea????

I've never had my identity stolen and I've always wondered if 'Nova did something to secure our SSNs, though that seems too good to be true.
posted by waitangi at 11:24 AM on September 8, 2017 [2 favorites]

The library system I worked at in the early 1990s used SSN's to identify patrons; the numbers weren't on the cards, but were stored where anyone who worked there could look them up and make sure people weren't getting multiple accounts to avoid paying lost book fees. I was a snotty young punk and thought the rare person who wouldn't divulge their number was a paranoid kook. In my defense they probably were kooks, but it turns out they were smarter than the rest of us.
posted by The corpse in the library at 11:27 AM on September 8, 2017 [6 favorites]

If there's one good thing that will come of this boondoggle, it's that sweet $1.80 check we'll get in six years as a result of the inevitable class action lawsuit.
posted by FakeFreyja at 11:27 AM on September 8, 2017 [122 favorites]

If w're lucky one or more of those executives will have lied to the FBI /been female, and then someone will actually go to jail.
posted by bq at 11:27 AM on September 8, 2017 [14 favorites]

FWIW, I just set up my SSA.gov account and had no problems. Forced 2-factor authentification for every log-in. First time I've seen that on a consumer facing website.
posted by COD at 11:29 AM on September 8, 2017 [6 favorites]

North Dakota driver's license numbers used to be your SSN. And a lot of people had their driver's license number printed on their checks because some merchants wouldn't accept a check without your DL#. You can see where this is going.
posted by nathan_teske at 11:30 AM on September 8, 2017 [3 favorites]

I set up an account for myself on ssa.gov and then did the same for my spouse (even though the goddamned site told me I wasn't allowed to do so, because I'm not her). The only hard part was waiting for her to send me the text confirmation code as she works about 5 miles away from where I do... not that it was hard to wait, but that I had to explain to her WHY I was setting up the account.

The more pressing question though is why neither of us can register any kind of account for our kid, who is under 18... shouldn't we be able to at least add him to one of our accounts as a minor, until he comes of age? I can do that with Apple or Google or etc., you'd think it would be important for a parent to be able to verify that some asshat isn't using my kid's stolen SSN to impersonate him and wreck his credit before he even turns 9.
posted by caution live frogs at 11:34 AM on September 8, 2017 [5 favorites]

Could someone please post a comprehensive "so Equifax told you to come back next week...here's what to do until then!" list of protections individuals can take now?

I just called MN's AG Lori Swanson's office asking her to get in line behind NY AG Schneiderman and was told that "there are several responses being considered at present." Call your reps.
posted by thenewbrunette at 11:38 AM on September 8, 2017 [4 favorites]

Well that's not good. Google 'site:equifax.com "stack trace"' then follow the only result.
posted by scalefree at 11:39 AM on September 8, 2017 [8 favorites]

I set up a security freeze with Equifax just now and it was relatively painless. I did have to pay those fuckers $10 to do it, but whatever.

But trying to do the same with Experian has been a nightmare. After filling out all the online forms (and having my address not be recognized the first two times) I was prompted to answer four security questions about past financial activity. I've never owned a credit card or taken a loan out for anything in my life, and all the questions were along the lines of "In May of 2014, you drew a line of credit for the purchase of a new home (haha that's rich) from which financial instituation: A. B. C. or D." The D. choice was a "Does Not Apply/Didn't Happen" option, which I chose for all four questions since I've never interacted with any bank or loan company like that before.

This sent me to a "We were unable to honor your request to place a security freeze on your personal credit report based on the information you entered" message, and told me to submit all the information again in writing to their Texas P.O. box. I'm starting to worry that someone has been taking out loans in my name and I don't know about it. How would I know if I've never checked my credit score before?

And I've been on hold with Experian's customer service department for over thirty-five minutes now.

There'll be a special place in hell for all these people, right?
posted by Hey Dean Yeager! at 11:39 AM on September 8, 2017 [11 favorites]

>Jokes on them! My credit is already shot and I have no money to steal.

An Incomplete List of Money Available to SSNs With Bad Credit:

- Unemployment
- Tax Refunds
- Federal Student Loans
- Pell Grants
- Social Security
- Medicare/Medicaid
- Checking accounts
posted by pwnguin at 11:39 AM on September 8, 2017 [15 favorites]

The problem isn't that SSNs are a unique ID number, the problem is that they're used as a shared secret.

There's nothing intrinsically wrong with having the government administer a namespace, and assign a unique ID to each person. That solves a lot of problems, actually. If the government weren't already doing it, I'd say it's actually a pretty nice thing for government to do. It beats the hell out of trying to map people 1-to-1 with phone numbers or something.

The problem happens as soon as someone uses the fact that you know what someone's SSN is, as a way of doing identity proving. That is, to make sure that I am Joe Smith, they ask me for Joe Smith's SSN, and if I know the correct SSN, then they say "yup, you're Joe Smith all right, please proceed with that personal loan".

The SSA has said over and over that SSNs should not be used that way but there haven't been any penalties in place to keep companies, particularly in the financial sector, from doing it. It's just fucking laziness — it kinda/sorta works, some of the time, and there's no motivation to do more rigorous authentication so it doesn't get done.

I think it was actually better when people had their SSN's printed on their checks, drivers licenses, etc., because as a way of distinguishing two people with the same name from each other, it's a pretty decent way of doing it.

Hell, what I think the SSA ought to do is tell everyone that in 24 months, they're going to publish a master list of names and SSNs, and that anyone using SSNs as a way to verify identity, and not just disambiguate, will be responsible for it. It's sort of the tell-everyone-before-you-get-blackmailed solution. They need to make SSNs impossible to use by lazy banks and other systems as a shared secret, and the easiest way to do that is to make them not secret to everyone, not just to the increasingly-broad array of hackers who have managed to steal big chunks of the data.

Every once in a while I've run into financial institutions who have done things better, and don't do the stupid SSN-as-secret thing, and actually verify you against your physical address by mailing out a secret-decoder-ring postcard or some other secret. It's imperfect, and the real solution is probably for government-issued ID to contain public key auth, but it's not that there aren't other solutions available. They just cost more, and therefore are totally impossible for profit-driven institutions to conceive of if the cheap and lazy way is available.
posted by Kadin2048 at 11:42 AM on September 8, 2017 [61 favorites]

I suppose ssa.gov accounts may help against some attacks listed by pwnguin, but your first move should be verbal passwords on your existing accounts. If someone opens a new credit card in your name, or heck takes out a home equity loan on your house, then you might be able to recover through the courts, but individuals who get their bank accounts broken into have no such protections.
posted by jeffburdges at 11:45 AM on September 8, 2017 [1 favorite]

And I've been on hold with Experian's customer service department for over thirty-five minutes now.

UGH i just do not have the fucking energy to deal with this today
posted by poffin boffin at 11:45 AM on September 8, 2017 [5 favorites]

"Statues will be erected to these swindlers."

heritage not hate

"When I went to college, we were issued student id numbers that were literally just our full SSN. Some time before i graduated, somebody decided that was a bad idea and we moved to an independent student id number that wasn't SSN, but rather a number that was, for everyone already in the system, just coincidentally exactly identical to our SSN. Presumably they started issuing actual randomish numbers to new students."

Ha. I went through two changes of student ID numbers while I was in college. First, it was all social security numbers. Then, when people complained to Directional State U, they changed it by adding a 1 to the end of your SSN (so instead of eg 345-678-9012, it would be 345-678-90121). Then, finally, they gave us student ID numbers that were just the same length but sequential based on when you first enrolled in classes after the new IDs were issued, so they looked like 10000000012 or whatever.
posted by klangklangston at 11:51 AM on September 8, 2017 [5 favorites]

MetaFilter: FML, and FYL too, I guess.

Thanks, mosk!
posted by wenestvedt at 11:52 AM on September 8, 2017 [6 favorites]

The problem isn't that SSNs are a unique ID number, the problem is that they're used as a shared secret.

SSNs are effectively plaintext passwords that we're basically required to hand out to many organizations to store on our behalf. I'm starting to think we need a Y2K-esque project to replace them with something more secure.
posted by scalefree at 11:53 AM on September 8, 2017 [12 favorites]

I'm ditching my SSN. From now on please refer to me as "b8ad11d5-d00e-4280-8efd-325eb296cd93" or "the entity formerly known as freecellwizard".
posted by freecellwizard at 11:59 AM on September 8, 2017 [13 favorites]

Can I claim 0xFEEDFACEC0FFEE?
posted by loquacious at 12:03 PM on September 8, 2017 [20 favorites]

An Incomplete List of Money Available to SSNs With Bad Credit:

- Unemployment
- Tax Refunds
- Federal Student Loans
- Pell Grants
- Social Security
- Medicare/Medicaid
- Checking accounts

I'm aware. Trust me when I say that the possibility of running out of coffee before my next paycheck is a higher priority for me.
posted by Room 641-A at 12:05 PM on September 8, 2017 [4 favorites]

0xDEADBEEF
posted by scalefree at 12:05 PM on September 8, 2017 [10 favorites]

For people asking how other countries do things, I was fairly impressed with the Danish system. Everyone, resident or citizen, is issued a number akin to SSN. It's on your health card and I think your residence permit if you're a foreigner as well. But they are also issued a second item, sent to the address you use to register your person number, which is basically a one-time pad. It's a card with a list of around 100 pairs of numbers.

Every time you interact with the government, or bank online, you sign in and the system gives you a number. The number will match the first half of one of the pairs on your card. You have to respond with the other half of the pair. The cards have no identifying information on them, so if you lose the card it's not of use to anyone else. And when you run out of numbers, they send a new one to your address but with no other info on it.

Of course, there are still problems with this-- if someone steals the card *from you* somehow (most people don't wander about with theirs, but occasionally you need it with you in order to use it), then they could impersonate you. It doesn't deal at all with people who have no addresses, and if the postal system was compromised that would be a vector for attack. And it's kind of a problem when you first arrive in-country because you can't do anything without the person number, including rent an apartment, and you need the address in order to get the number (so they can send you the one time pad.) It's an imperfect system, but a pile of random numbers is a much better way to deal with this than my mother's maiden name or an ID number that is entirely nonsecret.

Of course, it's also possible because Denmark is a country of under 6 million people who largely trust their government; there isn't the concern there is in the US about a nationalized ID system.
posted by nat at 12:06 PM on September 8, 2017 [42 favorites]

Further, this is big huge bad stuff.

The appropriate response is probably for everyone who can afford it to lawyer up and just start pestering Equifax to death with lawsuits in as many appropriate courts as possible and let it snowball into the biggest legal backhanded slap a corporation has ever faced.

Equifax needs to be restructured into a smoking furrow in the ground.
posted by loquacious at 12:06 PM on September 8, 2017 [24 favorites]

In other news, Mr. Nat and I are in the process of buying a house, so we've definitely been pinging credit bureaus a bunch lately. And both of us are kind of amazed at how big the whole house-buying system is -- from the realtors to the government records to the title people to the mortgage people and the insurance people and oh boy. He's taken to calling it the "mortgage industrial complex".

I feel like there ought to be a similar term here.. the "credit industrial complex". I may still have more fear of the military industrial complex, but that doesn't make me *happy* with this one.
posted by nat at 12:12 PM on September 8, 2017 [13 favorites]

Huh. I was also told that SSA.gov can't verify my information. Any idea what that's about?
posted by ArbitraryAndCapricious at 12:15 PM on September 8, 2017 [1 favorite]

I was told that an account could not be created for my SSN so uhhh...? 😓
posted by selfnoise at 12:20 PM on September 8, 2017 [1 favorite]

the US military issues ID with a keypair

yep. it's an element of their integrated PKI/identity management regime. everybody gets a chipped id card. everybody gets an x509 client cert from a DOD CA. cert is associated to user-selected (private) pin. two factor:

-something you have (card/cert)
-something you know (pin)

BUT, certs expire, cards get lost. the ultimate lifetime dod uuid is the EDIPI (ctrl+f edipi), which you get one of for your lifetime. this is an element of each client cert.

this way, if you have multiple roles, you get multiple cards (with unique certs). authentication is to edipi, authorization to cert.

icydk, none of this is protected info, it's all public and google-able.

this seems workable (especially if we're stapling) but the CA management and oversight has gotta be bombproof. like, dmvs ain't gonna work.

the overhead and expense is mind boggling.
posted by j_curiouser at 12:22 PM on September 8, 2017 [6 favorites]

Same on the SSA account. Have asked for a call back.
posted by PMdixon at 12:22 PM on September 8, 2017 [1 favorite]

SSA.gov uses Experian (iirc) credit report info to verify your identity when you sign up for an account. When I signed up for one a couple of years ago, I couldn't make it work on the first pass, so I called and was told what they use to verify. So I pulled my free credit report from Experian? and found out that they were using my mailing address instead of my physical address, or something like that. So I went through the automated system again and put in the info from the report and it went through just fine.
posted by monopas at 12:23 PM on September 8, 2017 [3 favorites]

A Facebook friend reports that he got a "you're in the clear" message. He is a US citizen but lives outside of the US.

Data point: I'm in the same position as your friend (plus I haven't lived in the US much (as an adult)). I also got a "you're in the clear" message.

What a ridiculous clusterfuck.
posted by busted_crayons at 12:29 PM on September 8, 2017 [1 favorite]

I got a "you're fine, stop fussing" message too, and am in the US.
posted by The corpse in the library at 12:30 PM on September 8, 2017

I read about this last night in the Toronto Star and went to the securityequifax2017 website. The website was just so shoddy (and why does it need the last 6 digits of my SIN?) that my assumption became that someone planted a fake article in The Star in order to harvest a bunch of personal information. I guess the story was real but I'm still not going to trust that site with my info.
posted by any portmanteau in a storm at 12:35 PM on September 8, 2017 [5 favorites]

I foolishly trusted the site, but got "In The Clear." I read about the site on Vice News, which while it IS Vice News, is still a real news source. So I trusted it. Then I read The Verge's article warning people not to use that site. So now maybe I'm not in the clear? One thing's for sure: I'm a dum.

-edit- In my defense, that same site is mentioned in an AP article as well. So who the hell knows.
posted by UltraMorgnus at 12:38 PM on September 8, 2017

For securityequifax2017.com, the firewall at my work returned: "this phishing attack site has been blocked."
posted by jetsetsc at 12:39 PM on September 8, 2017 [15 favorites]

jetsetsc:

"For securityequifax2017.com, the firewall at my work returned: "this phishing attack site has been blocked.""

If you click on the "return to Equifax" link at the top you get Rickrolled.

DO NOT USE THIS SITE.
posted by charred husk at 12:42 PM on September 8, 2017 [7 favorites]

The selling stock part is still amazing me. Isn't that pretty much the absolute definition of insider trading, and also set those individuals up for huge fraud lawsuits? And it's not like the hack wasn't going to become public, so it's not just that it was shitty behavior, it seems like shitty behavior that is certain to land you in jail and/or financially ruin you. I was under the impression that that kind of financial crime was one that was actually still prosecuted (see Shkreli), probably because it harms other corporations and rich people. And given the scale of this breach it seems like an easy look-good move by prosecutors to go after them hard.
posted by tavella at 12:42 PM on September 8, 2017 [9 favorites]

52 min on hold with Experian, since their website isn't letting me log in properly.
posted by desuetude at 12:42 PM on September 8, 2017 [1 favorite]

anyone using SSNs as a way to verify identity, and not just disambiguate, will be responsible for it.

Do we need to actually hand out everybody's SSNs before we do this, though? I suppose that's a good way to avoid ambiguity. But it seems like that's not actually a prerequisite for the critical step where, after an institution says "Hey some guy said he was you and so I gave him a bunch of money", the legal system decides not to say "Clearly their gullibility is your fault somehow so pay them back" but instead just says "Hahahaha!" (dressed up in more formal legalese, if they insist).
posted by roystgnr at 12:43 PM on September 8, 2017 [1 favorite]

Also the phone number at the bottom is a 555 number.
posted by charred husk at 12:44 PM on September 8, 2017 [1 favorite]

Oh dear. If you visit securityequifax2017.com right now it has a message I'm pretty sure wasn't approved by Equifax's CISO.
posted by scalefree at 12:44 PM on September 8, 2017 [25 favorites]

Maybe I should also have read the text...

I'm sooo stupid...
posted by charred husk at 12:46 PM on September 8, 2017 [1 favorite]

For posterity:

Cybersecurity Incident & Important Consumer Information Which is Totally Fake, Why Did Equifax Use A Domain That's So Easily Impersonated By Phishing Sites?

Equifax Announces Cybersecurity Incident Involving Consumer Information, Because of Incompetence

Equifax should have hosted this on equifax.com with a reputable [EV] SSL Certificate.

Instead they chose an easily impersonated domain and used a jelly-bean SSL cert that anyone can get.

Their response to this incident leaves millions vulnerable to phishing attacks on copycat sites.

This is why you don't put your security incident website on a domain that looks like a scam (with an Amazon SSL cert), no-one can tell the difference between the real thing an a phishing site. Try the form by clicking "Potential Impact"

Tweet @equifax to get them to change it to equifax.com before thousands of people lose their info to phishing sites!

Contacts:

Trolls Anonymous
Corporate Communications
mediainquiries@equifax.com
555-885-8555

posted by scalefree at 12:47 PM on September 8, 2017 [27 favorites]

That is, to make sure that I am Joe Smith, they ask me for Joe Smith's SSN, and if I know the correct SSN, then they say "yup, you're Joe Smith all right, please proceed with that personal loan".

Years ago, a shady used car dealer used my SS# to get loans for a mother and daughter whose own credit was wrecked. It's not clear whether the mother and daughter knew about the fraud. The police detective thought not, that it was just the car salesman, a known quantity to the police who had already moved on from our area, but I thought the fact that the mother lived directly across the street from my previous home was pretty suspicious.

Eventually they defaulted on both loans, which then showed up on my credit report, which I found out about because I started getting collection calls. It took awhile to untangle (and the mom's name still shows up as one of my "reported names" on my TransUnion credit report, something I have tried to fix repeatedly for more than a decade now).

Anyway, at one point I was on the phone with the bank that issues the loans, and I pointed out that, although the mother and I have the same extremely common first name (the #1 name for girls the year I was born), we have different last names. I wondered why this hadn't raised any red flags. She said that they had "just assumed I'd gotten married and changed my name." They had no explanation for why they hadn't noticed or cared that our first names were spelled differently.

I hope that creditors would be more careful about things like this these days.

Because of this fraud, I've had freezes on my reports for years. When I applied for something or other a year or two ago, I received a phone call at my phone number of record and had to answer a long series of questions so detailed that I wasn't even sure of the answer to some of them, like recognizing the street number of a house I lived in in New Jersey in 1987. It was annoying but also satisfying to know that the freeze was working, as someone would have to go way beyond stealing my mail to know some of the stuff they asked me about.
posted by Orlop at 12:49 PM on September 8, 2017 [6 favorites]

Ah, looking at the Bloomberg article, Equifax claims they didn't know:

The credit-reporting service said earlier in a statement that it discovered the intrusion on July 29. Regulatory filings show that on Aug. 1, Chief Financial Officer John Gamble sold shares worth $946,374 and Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099. Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2. None of the filings lists the transactions as being part of 10b5-1 scheduled trading plans.

...except that would mean that they had a giant US breach and didn't tell their CFO or their head US IT person. Which seems both wildly unlikely and extremely incompetent if so.
posted by tavella at 12:50 PM on September 8, 2017 [12 favorites]

I just called my bank and credit card companies to ask what they're doing to protect customers potentially affected by this breach. I pointed out that even if I am not affected, 143 million is a large fucking number that will definitely include some percentage of their customers, so: what are you assholes doing to protect your customers and by extension yourselves? Every single one just read off the company boilerplate about how important account security is to them, how good they are at flagging and stopping suspicious activity, etc.

I called them because I logged into all my accounts today to set All The Security Alerts and was perturbed that not one site acknowledged the breach. So joke's on me, I guess, what did I expect?

Fun fact, though: Just about every single one had a pre-recorded message about how "inclement weather" had forced call center closures. If this shit isn't straight out of Revelations, y'all, I don't know what is.
posted by Fish, fish, are you doing your duty? at 12:54 PM on September 8, 2017 [2 favorites]

People basically use their social security number as a super secret password for pretty much EVERYTHING

There are also major financial websites where name, SSN and current address are all you need to do a password reset: They don't even require email verification! Fortunately, they do allow, but don't require, 2FA.
posted by Coventry at 12:54 PM on September 8, 2017 [2 favorites]

Awesome, so your Social Security Administration passwords must:

Begin with a letter or number
Contain 8-20 characters
Contain upper & lowercase letters
Contain numbers
Contain symbols (! @ # $ % ^ & *)

AND you must change it every 6 months.

Difficult for people to remember, but easy for computers, and it's always changing. FFS, if you're using two factor verification, why the f#ck would you ALSO force a new password every six months?!

It's like they're trying to fuck us.
posted by leotrotsky at 12:56 PM on September 8, 2017 [23 favorites]

So is the current best practice just to go apply for credit freezes at all three and not bother with the Equifax sites on whether you are exposed or not? I'm not planning on moving or buying a new car right now, so I shouldn't have to pay much in the way of unfreezing.
posted by tavella at 12:57 PM on September 8, 2017 [1 favorite]

I used to be able to use my driver's license number to set up my internet and utilities, but as of about 6 years ago or so they all refused to set them up without my S.S. number. I fought with them for days before eventually giving in because I needed power and gas and internet.
posted by UltraMorgnus at 12:57 PM on September 8, 2017 [1 favorite]

Why is Equifax even making you go to a website to find out whether your info was hacked? They know which accounts were hacked. They know your address. They know your phone number.
posted by dirigibleman at 12:59 PM on September 8, 2017 [57 favorites]

Years ago, a shady used car dealer used my SS# to get loans for a mother and daughter whose own credit was wrecked. It's not clear whether the mother and daughter knew about the fraud. The police detective thought not, that it was just the car salesman, a known quantity to the police who had already moved on from our area, but I thought the fact that the mother lived directly across the street from my previous home was pretty suspicious.

Once met a guy in a...place...who claimed to be a world class con artist specializing in credit fraud exactly like this. He regaled me with story after story about all the cars, RVs, boats & other assorted vehicles he acquired & flipped as he moved from town to town plying his trade. Said he was even featured in an episode of Unsolved Mysteries. I tended to believe him as he was in the process of being extradited from Canada at the time. I've done some searching but I've never found that episode.
posted by scalefree at 1:02 PM on September 8, 2017 [4 favorites]

the other day i had a lot of trouble getting my flattened cardboard recycling into the tremendous clear recycling bag and i ended up throwing the boxes all over my living room in a huff and then climbing into the trash bag myself like a sleeping bag for the worst sleepover ever

that is now the good old days where i was safe and cozy inside a bag and did not have credit problems
posted by poffin boffin at 1:04 PM on September 8, 2017 [35 favorites]

Why is Equifax even making you go to a website to find out whether your info was hacked?

Because part of the submission process is signing away your right to sue them & agreeing to arbitration instead.
posted by scalefree at 1:10 PM on September 8, 2017 [5 favorites]

I was also told that SSA.gov can't verify my information.

This happened to me, too. Locked out for 24 hours. One of the information checks presented information connected to my wife, which has somehow become connected to me in Equifax's database. I'll try saying it's valid, when I retry.
posted by Coventry at 1:20 PM on September 8, 2017 [1 favorite]

Someone should start an organization that monitors the digital security practices and breach incidents of financial corporations and generates a "security score," an opaque, unchallengeable number that represents how responsibly a company stores private information. Then other companies would be able to do a "security check" on Equifax and see that they shouldn't do business with them.
posted by skymt at 1:31 PM on September 8, 2017 [38 favorites]

//It should serve as a reminder not to type the URL for the site to check whether your data was exposed yourself//

Of course, this is the exact opposite of what we've been told for years - to never trust links because they can be obfuscated. Arrgghhh.
posted by COD at 1:39 PM on September 8, 2017 [16 favorites]

By coincidence, I set up my SSA account just a week or two ago, and it went fine--I wonder if either that site or whatever calls it makes on Equifax for verification are failing under the rush.
posted by Horace Rumpole at 1:46 PM on September 8, 2017

I've been seeing some suggestions that complaining to the CFPB might be worth your time. If you agree with the sentiment, here's the form.

Calling your Congressfolk and state Attorneys General is probably a pretty good idea, too. At the moment, the burden is on each of the 143 million affected people to individually ask the credit agencies to freeze and monitor their credit, which is simply not a solution that scales. The agencies need to be forced into proactively doing this for everybody affected rather than waiting around to process 143 million separate requests.
posted by tobascodagama at 1:47 PM on September 8, 2017 [14 favorites]

Those of you who have in the past frozen and later unfrozen your credit: what did it take to un-freeze? Because if all it takes to unfreeze one's credit is the same set of information that was in the breached records (and not any additional layer of security [lol]), then what's the point of even freezing it?

(Other than, of course, to enrich equifax/experian/transunion each by $10 from every freaked-out American. This fuckup is going to cost the credit agencies big-time... to the tune of a negative billion dollar loss.)
posted by Westringia F. at 1:49 PM on September 8, 2017 [6 favorites]

this whole thing I call the Microsoft effect (though probably fairer to call it the unrestrained capitalism effect): "Our products are making everything wonderful! But bad people have found ways to use our shitty product to hurt you, thank god there is another whole anti-virus-malware industry sprung up to protect you with more unreliable and shitty products!"

"We all began using space age computer tech back in the 50's to make everything wonderful! But we need unique id fields, so we began to use SSN's. For everything. Unfortunately, bad people can use this info to "become" you and because "you" are so deeply embedded for decades into our data systems, it's almost impossible to protect you if that happens. fortunately there is another entire industry etc etc etc"

aint capitalism grand?!?!
posted by quonsar II: smock fishpants and the temple of foon at 1:58 PM on September 8, 2017 [10 favorites]

Those of you who have in the past frozen and later unfrozen your credit: what did it take to un-freeze? Because if all it takes to unfreeze one's credit is the same set of information that was in the breached records (and not any additional layer of security [lol]), then what's the point of even freezing it?

I haven't gone through the process myself, but my understanding is that, indeed, all of the information required to unfreeze your credit would be in the breached materials.
posted by tobascodagama at 1:59 PM on September 8, 2017 [1 favorite]

This is all scaring me so much I don't trust i should do anything.
posted by agregoli at 2:00 PM on September 8, 2017 [3 favorites]

The directors sold 1.2 million in shares in the days before the loss was announced and it wasn't insider trading???
posted by Burn_IT at 2:03 PM on September 8, 2017 [7 favorites]

This is all scaring me so much I don't trust i should do anything.

The advice to set up verbal passwords for all your important financial accounts is sensible.
posted by Coventry at 2:07 PM on September 8, 2017 [1 favorite]

What does set up verbal password mean? (Also, I got locked out of SSA.)
posted by SecretAgentSockpuppet at 2:11 PM on September 8, 2017 [3 favorites]

"and the mom's name still shows up as one of my "reported names" on my TransUnion credit report, something I have tried to fix repeatedly for more than a decade now)."

This is the part that makes me CRAZY about the credit reporting companies. You can't get wrong things fixed, even now that they have a legal obligation. You say, "I didn't take out a loan in 2007" "Well the computer says you did." "Okay, that wasn't me." "Can you PROVE it wasn't you?" "No, it is logically impossible to prove a negative." "Okay, well, tough noogies, we TRIED, but if you can't PROVE it ..." Like, a sworn affidavit should be adequate. But -- in my #1 beef with corporations of all sorts -- once it's in the computer, it can't be challenged or changed or fixed and you must live with it forever. We're all helpless once the computer has a wrong idea. Nothing can be done!
posted by Eyebrows McGee at 2:13 PM on September 8, 2017 [29 favorites]

What does set up verbal password mean?

Call the responsible company, and ask them to set up a password so you can't access the account over the phone without repeating the password back to them.
posted by Coventry at 2:14 PM on September 8, 2017 [2 favorites]

hades: In case there's any confusion: securityequifax2017 is a site set up by someone to mock how badly done equifaxsecurity2017 (which was set up by Equifax) is. It uses the same design and layout, has a valid but meaningless SSL cert, is registered through a privacy proxy, and rickrolls you if you click on most of the links. (Except for the rickroll, these are all true of the legitimate site, too. That's the joke.)

Not all true of the legit site. Experian is smart enough to openly register their sites:

MacBook-Pro:~ hanov3r$ whois -h whois.markmonitor.com equifaxsecurity2017.com
Domain Name: equifaxsecurity2017.com
Registry Domain ID: 2156034374_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2017-09-07T21:47:22-0700
Creation Date: 2017-08-22T15:07:28-0700
Registrar Registration Expiration Date: 2019-08-22T15:07:28-0700
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Registry Registrant ID:
Registrant Name: Domain Admin
Registrant Organization: Equifax Inc
Registrant Street: P.O. Box 740006,
Registrant City: Atlanta
Registrant State/Province: GA
Registrant Postal Code: 30374-0006
Registrant Country: US
Registrant Phone: +1.4048858000
Registrant Phone Ext:
Registrant Fax: +0.0000000000
Registrant Fax Ext:
Registrant Email: hostmaster@equifax.com
Registry Admin ID:

Remember, kids, WHOIS is your friend.
posted by hanov3r at 2:19 PM on September 8, 2017 [1 favorite]

Yesterday I was walking this three host chain, each domain sketchier and phish-ier than the previous, and looked at the https certificate details for the final trustedpremiereid one: owner info - none, issuer - amazon.

i recently obtained several SSL certs via EFF's Certbot (Let's Encrypt). anyone heard anything negative about them? If they aren't trustworthy then I'm resigning from the internet.
posted by quonsar II: smock fishpants and the temple of foon at 2:22 PM on September 8, 2017

Regarding the arbitration and class-action waiver provision, NPR is reporting the following:

After pressure from consumer advocates and New York's attorney general, Equifax on Friday afternoon added a new line to its FAQ section:

"The arbitration clause and class action wavier included in the TrustedID Premier Terms of Use applies to the free credit file monitoring and identity theft protection products, and not the cybersecurity incident."

Typed so hurriedly, they misspelled "waiver." Despite that haste and the need to be pressured before making a clear statement on the matter, I hope they mean what they say this time.
posted by JimInLoganSquare at 2:22 PM on September 8, 2017 [7 favorites]

Those of you who have in the past frozen and later unfrozen your credit: what did it take to un-freeze? Because if all it takes to unfreeze one's credit is the same set of information that was in the breached records (and not any additional layer of security [lol]), then what's the point of even freezing it?

As part of setting up the freeze, you end up with a 6-10 digit PIN (for TransUnion you come up with your own, for Experian you can either come up with your own or use one they generate, and for Equifax you use one they generate), and you need that PIN to unfreeze your account. I don't know what the process is to retreive a lost PIN, though; so it may be possible to get at the PIN with the info from the breach.
posted by Itaxpica at 2:28 PM on September 8, 2017 [4 favorites]

Wtf. What do we even do with this? I am so exhausted from this week. I am worried about my friends who are in DACA, I am worried about friends in the Southeast, and I am still smelling wildfire smoke. Yikes.
posted by yueliang at 2:29 PM on September 8, 2017 [3 favorites]

And as far as "what's the point of freezing it" goes, it's running-from-the-bear theory: you don't have to run faster than a bear to escape it, you just have to run faster than the other guy. Unless you're a particularly lucrative target for some reason, or someone has reason to target you personally, the hope is that the average criminal is gonna try to open an account with your info, hit a freeze, and just move on to the next target instead of spending time and effort to get around the freeze.
posted by Itaxpica at 2:31 PM on September 8, 2017 [13 favorites]

The directors sold 1.2 million in shares in the days before the loss was announced and it wasn't insider trading???

Miss some credit card or other payments? Fucking irresponsible piece of shit, it's proof of your poor judgment and character and you don't deserve loans or credit.

Lose vital information of tens of millions people opening them to a lifetime of potential fraud and theft? I don't know, I guess like 3 executives might maybe see some kind of punishment?
posted by Sangermaine at 2:36 PM on September 8, 2017 [18 favorites]

Zhuangzi wrote (a few thousand years ago):

a poor man must swing
for stealing a belt buckle
but if a rich man steals a whole state
he is acclaimed
as a great statesman

Nothing ever changes and the only way out is to be rich. :(
posted by ragtag at 2:43 PM on September 8, 2017 [38 favorites]

"Those of you who have in the past frozen and later unfrozen your credit: what did it take to un-freeze? Because if all it takes to unfreeze one's credit is the same set of information that was in the breached records (and not any additional layer of security [lol]), then what's the point of even freezing it?"

Here's the info:

Equifax (main site currently bogged down, but this subdomain appears to function):
www.freeze.equifax.com

• you will be issued a 10 digit pin which you'll need to thaw your credit temporarily when you're applying for a loan etc so it's vital to not lose the pin

Experian
www.experian.com/freeze/center.html

• you will be issued or allowed to set your own 10 digit pin which you'll need to thaw your credit temporarily when you're applying for a loan etc so it's vital to not lose the pin

Transunion
www.transunion.com/credit-freeze/place-credit-freeze

• you will have to set up a free account with their site.
• you will have to set your own 6 digit pin which you'll need to thaw your credit temporarily when you're applying for a loan etc so it's vital to not lose the pin.

I think the cost varies depending on state rules. Here's the numbers for California. The numbers in each row are for (1) Adding a freeze (2) Thawing the freeze temporarily and (3) Removing the freeze permanently

Regular: $10 $10 -free-
ID Theft Victim: -free- -free- -free-
Over 65: $5 $5 -free-

posted by Hairy Lobster at 2:47 PM on September 8, 2017 [33 favorites]

Regarding the arbitration and class-action waiver provision, NPR is reporting the following:

After pressure from consumer advocates and New York's attorney general, Equifax on Friday afternoon added a new line to its FAQ section:

"The arbitration clause and class action wavier included in the TrustedID Premier Terms of Use applies to the free credit file monitoring and identity theft protection products, and not the cybersecurity incident."

I can confirm this.
posted by praemunire at 2:50 PM on September 8, 2017 [2 favorites]

i recently obtained several SSL certs via EFF's Certbot

I think the concern is that while Let's Encrypt is great, its main purpose is to somewhat decouple the authentication aspect of SSL from the encryption aspect. The more serious your authentication needs are, the more hoops you should require from your CA. Equifax should be taking the problem of authenticating its websites to its users very, very seriously, and they didn't.
posted by Coventry at 2:53 PM on September 8, 2017 [6 favorites]

ex-pfc wintergreen and doc daneeka would be proud.
posted by j_curiouser at 3:39 PM on September 8, 2017 [1 favorite]

adding a security freeze to your credit report may also delay or interfere with or prohibit the timely approval of any subsequent requests or application you make regarding new credit, loans or services

...but do I care? Has anyone had problems with that? I don't have any plans to get a new car, house, or credit card, but is there some other thing I haven't thought of?
posted by The corpse in the library at 3:40 PM on September 8, 2017

My impression, so far today, is that there's still not a consensus about what constitutes best (better?) practices for consumers who may be affected by this. Hopefully more of such will shake out in the next few days/weeks.
posted by sandettie light vessel automatic at 3:46 PM on September 8, 2017 [4 favorites]

adding a security freeze to your credit report may also delay or interfere with or prohibit the timely approval of any subsequent requests or application you make regarding new credit, loans or services

That's what the temporary thaw is for. Just need to trigger it a few days ahead when you know someone needs access to your file. Ideally you can find out which agency or agencies they're going to use and only thaw those.
posted by Hairy Lobster at 3:49 PM on September 8, 2017 [1 favorite]

I don't have any plans to get a new car, house, or credit card, but is there some other thing I haven't thought of?

Lots of employer now run a credit check during the hiring process. That's scary -- and I feel bad because I will be interviewing people soon and I hope this doesn't hose anyone.
posted by wenestvedt at 4:01 PM on September 8, 2017 [2 favorites]

The hackers who broke into Equifax exploited a nine-year-old security flaw

Now, if you;d told me this morning I'd be giving good thought to the issuing of life sentences for failure to patch I probably wouldn't have believed you.
posted by Artw at 4:04 PM on September 8, 2017 [9 favorites]

The hackers who broke into Equifax exploited a nine-year-old security flaw

To clarify for those who don't click through to the story: the flaw in question has been in Struts for 9 years, but it was only patched on the 5th of this month.
posted by skymt at 4:07 PM on September 8, 2017 [9 favorites]

The hackers who broke into Equifax exploited a nine-year-old security flaw

I had heard about that Struts vulnerability, and wondered if the Equifax breach was related. Sure enough it is. The article was a little light on details but it sounds like it's something to do with serializing and deserializing objects. It's not news that that can be a vector for attacks, either - I saw a talk about that at least 10 years ago. All those Java web frameworks also usually make heavy use of the Reflection API, which is designed for tinkering around with compiled classes, adding fields or methods or whatnot, and that too can be trouble.

If an attacker can inject their own copy of something like a security manager, or alter the legitimate one, it's kind of game over, I suppose.
posted by thelonius at 4:09 PM on September 8, 2017 [4 favorites]

To clarify for those who don't click through to the story: the flaw in question has been in Struts for 9 years, but it was only patched on the 5th of this month.

/puts away gun.
posted by Artw at 4:15 PM on September 8, 2017

I just created a SSA.gov account, and it worked OK for me. Had to answer a lot of questions, but it worked.

It was nice to see how much money I'd would have been entitled to if the Baby Boomers weren't about to burn through the Trust Fund...
posted by mikeand1 at 4:28 PM on September 8, 2017

The Struts REST vulnerability is very serious & very new; the hack must have taken place in the last few days. But for an enterprise network like Equifax to fall to a single point of failure at its public facing attack surface like this speaks very poorly to its architecture. You should not be able to easily pivot from one compromise to exfiltration of hundreds of thousands of PII database records. They are very poorly managed.
posted by scalefree at 4:37 PM on September 8, 2017 [15 favorites]

/puts away gun.

Don't be too hasty to mollify your thirst for vengeance, my friend!

A front-end data deserialization bug gave the Baddies an opening they could move laterally from at will, and remain roaming free for ten weeks? Equifax has bigger problems than a loose patch window: if you can remain at large in their network for that long, and move from a web application into the back end and onwards to exfiltrate gobs of data, then there are other Top Twenty controls that failed.

When you are this high-profile like Equifax is and have this much data like Equifax does that's this sensitive, then you are held to a higher standard than some MSP in Des Moines or an auto body shop in San Antonio.

(On Preview: also what scalefree said.)
posted by wenestvedt at 4:45 PM on September 8, 2017 [13 favorites]

A front-end data deserialization bug gave the Baddies an opening they could move laterally from at will, and remain roaming free for ten weeks?

Wait, they trusted the frontend? Holy shit is that amateur hour. Where can I find a breakdown?
posted by The Gaffer at 4:50 PM on September 8, 2017 [2 favorites]

Hello, IRS. I am totally Donald j. Trump. Just a moment, let me check what j. stands for. John. Really. Can you send me a copy of my income tax returns. Here are my identifiers. Excuse me, identifires. I almost forgot that I don't know how to spell. Send them to the name Fahrenheit in care of the Washington Post.
posted by dances_with_sneetches at 4:56 PM on September 8, 2017 [32 favorites]

The days of "crunchy shell, chewy center" are long gone. It's no longer a question of whether you'll be compromised but how well your systems protect you when you are. Network segmentation, least privilege, network IDS & IPS both, strong outbound as well as inbound filtering, knowledgable eyes on glass in the SOC & even better on your IR team.
posted by scalefree at 4:57 PM on September 8, 2017 [4 favorites]

When I said the agencies need to be dissolved as national security risks I wasn't being hyperbolic. There is no way to internalize the externalities inherent in such a juicy target so as to enforce appropriate security short of firing squads.
posted by PMdixon at 4:57 PM on September 8, 2017 [8 favorites]

Eponysterical, entropicamericana.
posted by Coventry at 5:13 PM on September 8, 2017 [1 favorite]

The Struts REST vulnerability is very serious & very new; the hack must have taken place in the last few days.

"Equifax said the breach happened between mid-May and July. It discovered the hack on July 29. It informed the public on September 7.". CNN Money
posted by Rufous-headed Towhee heehee at 5:30 PM on September 8, 2017 [5 favorites]

"Equifax said the breach happened between mid-May and July. It discovered the hack on July 29. It informed the public on September 7.". CNN Money

Yeah I'm trying to reconcile all the facts. This is the writeup that made it public, Sept 5. His timeline says he disclosed it to Apache on July 17. I'm guessing there was parallel research by the hacker(s) that discovered it just a few months earlier. That'd be really weird synchronicity except for the earlier Struts hole published in March I think, that likely triggered them both to start looking for more Struts vulnerabilities.
posted by scalefree at 5:52 PM on September 8, 2017 [3 favorites]

I asked some corporate general counsels I know if they think the Equifax execs who sold stock will go to jail. They all said that proving insider trading would be tough, so probably not (absent a god-awful e-mail trail), but that it was likely they would be forced to "disgorge" their profits (you don't have to have intent to be required to disgorge), unless the sales were pre-scheduled or structured in such a way that they were routine sales (like, you get 1,000 shares in August 2016 that vest in August 2017 and automatically sell as soon as they vest or something like that).

But they'll probably get investigated by both a board-hired law firm and by the SEC, so at least that'll be unpleasant.

They all agreed it was a friggin' nightmare and none of them would want to be the GC for a company who had any execs who sold stock during a period between when the company discovered the hack and when they announced it. Also some conversation about whether it was believable that the CFO wouldn't know, and whether you would tell your exec team about the hack specifically to avoid this kind of awful PR. Most thought that these execs must have legitimately not known when they made the trades because they'd have to be absolute fucking morons to sell stock when they knew this was coming, but they all allowed as how some executives are absolute fucking morons and it was totally possible there were ugly-ass e-mails and memos waiting to be discovered.
posted by Eyebrows McGee at 5:53 PM on September 8, 2017 [20 favorites]

Good grief. What a bunch of bunglers.

If I were an actual customer of Equifax's -- someone who relies on their data analysis to determine whether or not a potential customer of mine was a credit risk or not -- I'd be reconsidering my relationship.
posted by notyou at 5:54 PM on September 8, 2017 [4 favorites]

God, I was skeptical of the security checker yesterday, but it was linked on their website so I used it anyway. I feel like such a fucking idiot.

I hope there are horrible consequences for Equifax and their insider-trading executives. Jail seems like it should be a pretty safe assumption, but we all know it's not. They could just walk away, and they probably will.
posted by shapes that haunt the dusk at 5:58 PM on September 8, 2017 [7 favorites]

(Bloomberg, who broke the stock sales story, noted that the sales weren't obviously part of a structured or preplanned stock sales program (said more clearly: there wasn't one). The story also indicated the those execs still hold thousands of shares each, so there you go.)

Martha Stewart got nailed for obstruction, iirc, so we'll see how competently these bunglers respond to the SEC, et al, when that happens.
posted by notyou at 6:00 PM on September 8, 2017 [3 favorites]

Equifax is not going to contact people directly because its impossible to tell the difference between Equifax calling you directly and some scammer calling you directly. If Equifax started calling around, "hey FYI you got hacked," then scammers would start calling around, "Hey we're from Equifax, FYI you got hacked, but we'll setup protection if you give us x, y, z info..." This is why Equifax is making you visit a website to find out if you got hacked.

There's not enough Infosec talent to go around - we will continue to see issues like this because financial institutions have to hire someone to do the work of software engineering and Amazon/Google/et al get the best talent, because they pay best. It is horrifying but many institutions that handle incredibly sensitive data (medical, financial) are not competitive for the best engineers, so it's mid-rate talent that's in charge of all that stuff. I say that as mid-rate talent that has worked in healthcare research and at a bank.

On the plus side, banks and other financial institutions are deeply, deeply motivated to keep your trust and hence your business, and so are working pretty hard to separate fraud from genuine financial transactions on their side and just comp you for anything that looks like fraud. Banks / credit card companies / lenders make money from genuine, good-faith people, not from fraudsters. If someone steals your identity to take out a loan, the lender loses from that too, because the fraudster is not going to pay the lender back the principle, much less pay the interest. Since we're all giving up so much personal data every time we access the web, in a fairly short amount of time lenders are going to have enough information based on behavior to identify us uniquely, and individual pieces of data like SSN won't be nearly as important.

Terrifying in its own way, and no fun for the people affected during the transition period, but for everyone invested in capitalism as stability if not justice, reassuring in the medium term.
posted by ProtoStar at 6:11 PM on September 8, 2017 [8 favorites]

I don't believe it's so much a matter of lack of talent as lack of political will to prioritize security of PII. You don't have to be a genius to mitigate the risk of that kind of vulnerability, but you do need resources and organizational coordination.
posted by Coventry at 6:18 PM on September 8, 2017 [9 favorites]

admittedly i haven't read anything on this but like half of this thread, so excuse any redundancy. but i have always had some basic questions ever since all the breathless reports of data breaches got frequent.

what is the definition of 'compromised' in terms of data? your specific information was extracted from a database and downloaded? your info was one among (insert number) extracted and downloaded? the info was not extracted or queried but instead the entire datafile was downloaded/copied?

what is the definition of 'breached/hacked'? an unauthorized entry into specific machines holding the data in question, or just unauthorized entry into a network of which it is a member?

is it assumed that information is 'compromised' based on evidence of unauthorized entry, or is there a verifiable trail in terms of logs as to what was accessed and what was downloaded?

the abstract manner in which these things are reported and discussed really bothers me. of course, it's unlikely anyone in the know would answer those questions because liability/5th amendment/CYA.

as an oldster, i can say for certain that I have been leaking my own SSN for decades because its been required to do almost anything, but the vast networking of big data makes this a horse of a different color.
posted by quonsar II: smock fishpants and the temple of foon at 6:19 PM on September 8, 2017 [6 favorites]

And, in all honesty, the way they're handling it, I'm not sure I even believe there was a data breach at all. This whole thing feels like a scam to exploit panic, and since Equifax is a scam to begin with...

Going one step further, is there a chance this was manufactured to create insecurity about the current state of identification? Maybe we'd be more secure if ID was tied to our cell phones, finger/iris scan, etc. With the goal to further entrench everyone into the system...
posted by Christ, what an asshole at 6:30 PM on September 8, 2017 [2 favorites]

Does anyone know if it's possible or makes sense to file a police report about this (in states where a credit freeze is free if you make a police report)?
posted by pinochiette at 6:32 PM on September 8, 2017 [1 favorite]

You can fill out a form with the ftc that fulfills reporting requirements. On mobile, so linking is a hassle, but if you start at ftc.gov there should be a link on the front page, or I linked the direct page earlier.
posted by SecretAgentSockpuppet at 6:42 PM on September 8, 2017 [3 favorites]

The free certificates from Let's Encrypt say nothing about who you are (other than the owner of the domain in question). With EV certificates you have to jump through some hoops to prove that you're who you say you are: the business with the legit right to be using the business's name:

https://www.globalsign.com/en/ssl-information-center/types-of-ssl-certificate/
posted by oheso at 6:48 PM on September 8, 2017 [3 favorites]

Going one step further, is there a chance this was manufactured to create insecurity about the current state of identification?

Well sure, that is not impossible, but it seems to me pretty unlikely, compared to the scenario where lazy, rent-seeking, incompetent squidlords got simply owned by skillful, persistent criminals, of which there are many. Equifax presumably would prefer to coast along without an enormous crisis in its reputation and business, and it would be a desperate gamble to stage an incident like this, in the hopes of somehow getting everyone to adopt what, an ID system they run? Or that someone they are in with runs?

What seems clear is that their executives entered a criminal conspiracy to dump stock before the news broke, if you want conspiracy.
posted by thelonius at 6:55 PM on September 8, 2017 [13 favorites]

Context is everything but typically compromised, breached & hacked mean roughly the same thing, unauthorized control of one or more computers. Breach is generally reserved for the most severe hacks where many systems are taken over or key data (sometimes called "crown jewels") is available to the attacker. Compromise usually refers to individual computers. As for a user/customer/individual's unique data, the words to look for are "exposed", "affected", "altered", sometimes "copied" or "stolen". In a technical report you may see it as "exfiltrated" or simply "exfilled". But again, context is everything & not everybody uses words the same way.
posted by scalefree at 6:55 PM on September 8, 2017 [5 favorites]

Bunglers? These people are two-dimensional bunglers. I mean they just pile bungles on top of bungles.
posted by Samizdata at 7:12 PM on September 8, 2017 [4 favorites]

Out of curiosity, has anyone used the "are you haxored" site and been told "nope, you're in the clear"? Or are they just telling everyone they're fucked and should sign up for the sign-away-your-right-to-sue site.

It didn't tell me at all, yes, no, maybe, or even acknowledge it was supposed to be answering a question. Just "your date to check back if you can sign up for our shit is X". What a POS

My real worry is, Experian is probably just the first of the 3 to notice the breach and admit it.
posted by ctmf at 7:26 PM on September 8, 2017 [3 favorites]

Could they go to jail if it turns out that checker site literally returns a generated bullshit result without actually checking anything, just for appearances?
posted by ctmf at 7:33 PM on September 8, 2017 [3 favorites]

Just to make you guys feel even better, a couple of months ago, Citi bank, which is not my bank but whom I have to make payments to, stopped being able to take my payment when I logged in via firefox.

When I viewed source, it was a JS error (of course) and then examining their code. Jesus. I have rarely seen such sloppy JS in my life. A lot of which seems to have been rendered by Adobe's "instant website" service, which you'd have to be insane to trust in such a context.

At the end of the day, I got this from their online customer support, and then dismissed: The only browser we support is Chrome. WTF?

It's incompetence all the way down. (But I bet there's some swell code to make sure you see the latest promo offers.)

It just occurred to me that I may not have been able to create a SSA account because my credit is frozen everywhere.
posted by maxwelton at 7:56 PM on September 8, 2017 [7 favorites]

Out of curiosity, has anyone used the "are you haxored" site and been told "nope, you're in the clear"? Or are they just telling everyone they're fucked and should sign up for the sign-away-your-right-to-sue site.

I put in fake information before I entered my own, and the response was 'not believed to have been hacked'

It's pretty easy to check by entering a random last name and 123456 or something along those lines. I wish I'd checked this thread first, though. I felt very squicky about the site - double-checked the link trail and all to make sure it really was the right equifax site. Then entered my info anyway because panic.
posted by bunderful at 7:57 PM on September 8, 2017 [2 favorites]

Yeah, this is a disaster that requires government intervention.

Oh, no, I am confident the market will sort this out.
posted by ricochet biscuit at 7:57 PM on September 8, 2017 [15 favorites]

Oh, no, I am confident the market will sort this out.

Not true! I just checked, and Home Depot doesn't seem to currently have a sale on pitchforks.
posted by maxwelton at 8:01 PM on September 8, 2017 [20 favorites]

So I'm not a US citizen and I haven't lived there for a couple of years now, but I have an SSN because I needed one to work legally as an international student. I never was eligible for credit though because it aforementioned international student status.

Am I likely to get hit by this?
posted by divabat at 8:12 PM on September 8, 2017 [1 favorite]

Not true! I just checked, and Home Depot doesn't seem to currently have a sale on pitchforks.

That's simple supply and demand, my friend. You don't discount that which you can't keep in stock!
posted by pwnguin at 9:11 PM on September 8, 2017 [2 favorites]

Apparently, it is "likely" that my info was stolen. And to add additional gggrrrrr to the existing argggh.....I could only put a freeze on 2 of the 3 companies (Experian wouldn't cooperate with the online request) and only check 1 of my 3 credit reports (yay Transunion, boo to the others). And the social security administration wouldn't let me log in for some reason.

But oh lucky me: my identity/credit was stolen once about 4 years ago, so I still have 3 years left on my extended 'fraud alert'. So at least there's that. 8/
posted by Halo in reverse at 9:24 PM on September 8, 2017

wells fargo got downright huffy when i wanted to change my verbal password to "eat shit motherfucker".
posted by quonsar II: smock fishpants and the temple of foon at 9:44 PM on September 8, 2017 [17 favorites]

It was nice to see how much money I'd would have been entitled to if the Baby Boomers weren't about to burn through the Trust Fund...

republican lies.
posted by quonsar II: smock fishpants and the temple of foon at 10:05 PM on September 8, 2017 [9 favorites]

So it's starting to look like my confusion about the Struts timeline was warranted & the new hole most likely wasn't the culprit. Equifax has been quoted saying it was a "web application vulnerability"; financial analyst William Baird & Co. is taking that to mean Struts but they haven't said which Struts hole, the one made public a few days ago or the one from March, equally serious. I think they're guessing & everybody else is copying off them, believing they have an inside source; it's an information cascade. It's still possible it was the March Struts exploit but without strongly sourced forensic evidence it's very unlikely these hackers duplicated lgtm's discovery nearly simultaneously to them. It could also be Baird jumped the gun & it isn't Struts at all.
posted by scalefree at 10:09 PM on September 8, 2017 [3 favorites]

What can we do?

Fiddle?
posted by mavrc at 10:12 PM on September 8, 2017 [5 favorites]

do you suppose the Cajun World Bank will be along to rescue us?
posted by quonsar II: smock fishpants and the temple of foon at 10:20 PM on September 8, 2017 [9 favorites]

Am I likely to get hit by this?
posted by divabat at 8:12 PM on

Maybe? Join the club. We don't know. Nobody knows. Keep on and carry on. If you see some shit, report some shit.
posted by notyou at 10:22 PM on September 8, 2017 [2 favorites]

I'm also going to plant a marker & say the 143 million number is pure hype. Sure Equifax has that many records but if it was an external facing web app breach the real exposure is live transaction data passing through the owned servers, not anything at rest & stored in the core DB. So the real exposure is 200K credit cards & 108K credit histories, orders of magnitude less than their full repository.
posted by scalefree at 10:26 PM on September 8, 2017 [1 favorite]

209K & 182K, remembered the numbers slightly wrong.
posted by scalefree at 3:01 AM on September 9, 2017

Why? 143 million is the number reported by Equifax of leaked PII records with the phrasing "potentially impacting approximately 143 million U.S. consumers". Yes, they used the word "potentially" but they've had from the end of July until now to figure out wtf happened, and write and rewrite that statement. If my PII was leaked, that's a basic steal-my-identity kit, but if I was one of the unlucky 200k whose credit card number was also leaked, that's steal my money on easy mode for the criminals.

Yes, best practices include protections that mean breaking into one app server doesn't let you pivot into inner networks which are no longer soft, but passing a PCI audit doesn't mean you employ best practices, it just means you passed a PCI audit (which can even contradict with best practices; eg NIST no longer recommends password rotation; while PCI still requires rotation every 30 days).

There's no magic security dust to sprinkle on servers and suddenly everything's secure. Pop the right(/wrong) legacy web app server and get unfettered full DB access that was on a long list of things that is in the process of being locking down, but the overworked security and/or operations team just hadn't gotten there yet.

In the blast radius of this is Trustwave (Experian's PCI auditor); I'd hate to be them as well right now.
posted by fragmede at 3:08 AM on September 9, 2017 [5 favorites]

Martha Stewart got nailed for obstruction, iirc, so we'll see how competently these bunglers respond to the SEC, et al, when that happens.

18 USC 1001, actually. The "Never Fib to the FBI" law.
posted by mikelieman at 3:38 AM on September 9, 2017 [1 favorite]

Guys guy, don't worry! They've got all your personal information wrong, anyways! (Link to Last Week Tonight segment about data errors made by Equifax and other credit reporting agencies, and the difficulties in getting that data corrected as meanwhile your credit score is shot to pieces)

Why anyone entrusted such vital information to a company whose main business is taking an animal from a shelter that needs a good home, lets it come to your house to lick peanut butter off your dick, and then immediately returns it to the shelter in the first place I will never understand!
posted by Philby at 3:51 AM on September 9, 2017 [5 favorites]

Thanks Itaxpica and Hairy Lobster for explaining what additional security the $10 credit freeze fee (in IL, different elsewhere) would get me!

I have heard that freezing credit with one agency is sufficient to freeze them with all three (modulo the time it takes for the records to sync [which should be instantaneous, but this system is apparently made of string and chewing gum]). Can anyone confirm/disprove?

And to this I would add: the fact that all this information is collected by THREE independent organizations is itself a problem, since that's thrice as many points of failure. As far as I can tell, is a domain where a monopoly would be just fine. It's not like one has any meaningful choice in which one uses to monitor one's credit -- any of them could screw one over at any instant -- so they're effectively ganging-up rather than competing. And while redundancy could reduce errors, they don't seem to be doing that, either. So what's the benefit of having three?

[I mean, besides lining thrice as many executive pockets and greasing thrice as many politicians' hands.]
posted by Westringia F. at 5:30 AM on September 9, 2017 [3 favorites]

I also got locked out of ssa.gov on the first page. I do know, through the complimentary credit monitoring service I got as a result of the OPM breach, that some rando in Nevada is also associated with my number somehow. They used to show me her name, but the last time I signed in, they had it blocked out, I guess to protect her privacy?
posted by Hal Mumkin at 5:35 AM on September 9, 2017 [1 favorite]

Equifax: ... you will be issued a 10 digit pin which you'll need to thaw your credit temporarily when you're applying for a loan etc so it's vital to not lose the pin

I'm not sure if this is the case if you do the freeze over the phone, but if you do it online, your Equifax-assigned PIN will be the date and time corresponding to when you set up the freeze. So a person who set it up Friday morning at 9:30 has a PIN of 0908170930.

I first saw this on reddit after having already done the freeze. I went to look at my PIN and sure enough. MMDDYYHHMM
posted by mama casserole at 5:41 AM on September 9, 2017 [17 favorites]

I have heard that freezing credit with one agency is sufficient to freeze them with all three (modulo the time it takes for the records to sync [which should be instantaneous, but this system is apparently made of string and chewing gum]). Can anyone confirm/disprove?

My understanding is that a fraud alert placed at one will be passed along to the other two, but freezes have to be made at all three individually.
posted by anderjen at 5:48 AM on September 9, 2017 [1 favorite]

I checked my credit reports a few weeks ago due to some dodgy phone calls I was getting (someone giving out my number to places like, say, furniture retailers) and everything was fine, though that means I can't check again without paying.

And to think this is hitting at the same time that millions of people are dealing with hurricane drama, making insurance claims, are displaced or evacuated, or can't get to their important documents. Christ! What. A. Mess.
posted by Autumnheart at 5:53 AM on September 9, 2017 [4 favorites]

I'm taking cold comfort in the fact that my credit rating is absolute shit, thanks to years of heavy debts and some random thing in collections that I was never notified about but can't get removed. At this point I might as well challenge myself to see how low my score can get, like golfing with future prospects.

I would say we've created a shitty world for ourselves, but of course most of us had nothing to do with it.
posted by shapes that haunt the dusk at 6:18 AM on September 9, 2017 [6 favorites]

Not me. My credit rating is in the mid-800s, thanks to automatic bill pay and many years of extremely predictable spending habits. I suppose the dubious advantage of that is that fraud should be easy to spot, then.
posted by Autumnheart at 6:37 AM on September 9, 2017 [2 favorites]

- executives cashing out a couple million dollars of stock options

Good thing for them Trump's in the Whitehouse, because you know that no-one's going to spend a single day in jail because of this.
posted by acb at 6:52 AM on September 9, 2017 [3 favorites]

Just as a data point, my USAA checking account gets me free Experian credit monitoring, which generates an email every time there's any change to my credit rating. It looks like I'd have to pay Experian to "upgrade" my account to get much useful information out of it.
posted by Kirth Gerson at 7:20 AM on September 9, 2017

I should probably freeze my credit because I don't foresee any need for credit checks on the horizon, but the idea of paying Equifax to do so pisses me off to no end.
posted by geegollygosh at 8:26 AM on September 9, 2017 [12 favorites]

I'm not sure if this is the case if you do the freeze over the phone, but if you do it online, your Equifax-assigned PIN will be the date and time corresponding to when you set up the freeze. So a person who set it up Friday morning at 9:30 has a PIN of 0908170930.

I first saw this on reddit after having already done the freeze. I went to look at my PIN and sure enough. MMDDYYHHMM

This, unfortunately, is indeed still the case when you do it over the phone, I can confirm that my pin is also MMDDYYHHMM. Which means, what, with millions of people freezing their credit right now, many of us have the same PIN? And most of the digits for the PINs being issued right now are already known to hackers? And the remaining digits follow a clear logical progression and have a limited (more than normal) set of values...?

This company is truly the worst at security, ever.

I set my Transunion PIN myself, and my Experian PIN will be mailed to me so we'll see how random it is. Equifax needs to be shut down, since there is absolutely no way to protect your credit report with them.
posted by philotes at 8:41 AM on September 9, 2017 [14 favorites]

TransUnion tells me:

We are unable to complete your request.
What happened:
The username you have entered, "ThisIsBullshit", has already been reserved by another customer.

OK, which of you guys beat me to it?
posted by The corpse in the library at 8:57 AM on September 9, 2017 [28 favorites]

Equifax's PCI assessor is Habif, Arogeti & Wynne, LLP; not sure why I reported on Experian's assessor.
posted by fragmede at 9:25 AM on September 9, 2017 [2 favorites]

One warning: don't announce when you've put a security freeze on your Equifax record: apparently the PINs are, err, not tricky to work out.

@webster: OMG, Equifax security freeze PINs are worse than I thought. If you froze your credit today 2:15pm ET for example, you'd get PIN 0908171415.
posted by ambrosen at 11:06 AM on September 9, 2017 [7 favorites]

On preview, sorry, lots of people confirmed that before.
posted by ambrosen at 11:08 AM on September 9, 2017 [2 favorites]

Patrick McKenzie wrote this nicely detailed post on how to deal with identity theft and mistakes in your credit report. Having had to wrangle with this stuff before, I like his advice.

Related: scody's debt verification letter template.
posted by exogenous at 1:06 PM on September 9, 2017 [18 favorites]

OK, so there's some speculation & inference here & I'll walk the whole thing back if their narrative changes but at the moment there's 3 numbers that matter:

143 million credit histories. This is EFX's core repository, their master database all of which is "potentially affected" because they're still not sure they have their arms around the full scope of the breach although they have said the core DB wasn't touched.

209,000 credit card numbers. This is one half of what EFX says was actually taken.

182,000 "PII records". I take this to mean credit histories or scores. This is the other half of what they say was taken.

I've taken some heat on Twitter for saying this but to me it's the last 2 numbers that tell the tale not the first. EFX is saying very little & what they have said isn't very helpful but the way I read this is the hacker broke in using a "web application vulnerability" (probably but not definitively an earlier Struts exploit because if it was REST that makes it a 0-day) & siphoned off some credit card numbers & credit histories/scores as they went by in the web app.

So the upshot is, the hackers popped a web app & got away with a large number but very small percentage of EFX's goods & the rest can be put down to very poor message control by EFX & a lot of not very good follow through by the press.

This is my theory & it is mine. Ahem.
posted by scalefree at 1:16 PM on September 9, 2017 [5 favorites]

Somebody does some actual research & finds more questions than answers. My theory still holds & other candidates are entering the ring alongside Struts. MANY QUESTIONS, FEW ANSWERS FOR EQUIFAX BREACH VICTIMS
posted by scalefree at 1:43 PM on September 9, 2017 [2 favorites]

Equifax says it holds the personal details of 44 million UK citizens, that's pretty much every single adult in the UK over the age of 16.

Any bank approving a credit application right now has no way to do the most basic due diligence.
Perhaps they should just freeze all fresh applications for credit until this is locked down?
posted by Lanark at 2:11 PM on September 9, 2017 [4 favorites]

Equifax says it holds the personal details of 44 million UK citizens, that's pretty much every single adult in the UK over the age of 16.

I bet Equifax has fired people for not achieving that.
posted by rhizome at 4:19 PM on September 9, 2017 [2 favorites]

Re: SSA.gov

The order in which you create your SSA.gov and request a credit freeze / fraud alert may matter! According to this SSA FAQ page (I searched above and didn't see this yet - sorry if I missed it):

Can I create a my Social Security account if I have a security freeze or a fraud alert on my credit report?

You cannot create a my Social Security account online if you have a security freeze, fraud alert, or both on your credit report. You first must ask the credit bureau to remove the freeze or alert.

To create a my Social Security account in person without removing the security freeze or fraud alert, visit your local Social Security office.

That being said: I had just requested a fraud alert at Experian today before I saw the above, and I was still able to create an account at SSA.gov. I'm guessing because it's the weekend, and/or because SSA uses Equifax for their ID checking (as mentioned above) and the fraud alert hasn't been recorded by Equifax yet.

Re: TransUnion

Since TransUnion requires registration in order to do a freeze online (or fraud alert), I tried to create an account and it's telling me I already have one, when I am 99.9% sure I've never created one and it's not in my password manager. I couldn't answer the security question and got locked out, so I'll have to call them. (This is the reason why I requested the fraud alert from Experian, so that I can at least (theoretically) have the alert sent to TU until I get a chance to clear this up with them.)

Then I noticed on that same page that TransUnion is pushing something called "TrueIdentity identity protection" and the marketing blurbs say it's a "free subscription" and "no credit card, no charge, no catch" where you can "lock your TransUnion report with a single swipe or click." Not sure yet what the difference is between "locking" the report vs "freezing" the report; since it's free and the terminology is different I'm guessing it's not as effective as a freeze? It appears to have a separate registration workflow, although I haven't tried it yet and whether I'm locked out there, too.
posted by rangefinder 1.4 at 5:56 PM on September 9, 2017 [3 favorites]

Kind of handy "coincidence" for this to happen as tens of thousands US folks are losing their homes and possibly their incomes. If the insurance companies don't implode from all the claims, what a nightmare this is for folks trying to purchase another place to live.
This really looks like a blatant example of what Naomi Klein refers to as "catastrophe capitalism" at work.
posted by Mesaverdian at 7:13 PM on September 9, 2017 [2 favorites]

Any bank approving a credit application right now has no way to do the most basic due diligence.

I think that it's totally possible to do due diligence on credit applications. Pay a clerk ( or team ) to verify the information on the applications. Check the balances of the provided accounts themselves, and evaluate the risk themselves.

Yeah, it's not as EASY or CONVENIENT for them than running a credit-score, but I believe it would be orders of magnitude more accurate.
posted by mikelieman at 7:27 PM on September 9, 2017 [9 favorites]

My worry is that the next time I try to enter the US (for whatever reason) Border Control's gonna be all "nup, we found weird activity on your SSN, you are DEPORTED"
posted by divabat at 10:11 PM on September 9, 2017

republican lies.

Unfortunately, that particular part (that the Trust Fund is going to go broke) is true if nothing changes. The republican lie is that it's a "Ponzi scheme" when in fact the problem could be fixed if we implemented a modest tax increase soon.

Trust me; I know a lot more about this than you do. Or don't trust me; just read the latest Trustees' Report. They're actuaries, not republican liars.

Anyway, it's a topic for another thread...
posted by mikeand1 at 11:45 PM on September 9, 2017 [2 favorites]

So a person who set it up Friday morning at 9:30 has a PIN of 0908170930... I went to look at my PIN and sure enough. MMDDYYHHMM

because hey, with a granularity of one minute it'll be impossible to generate duplicate PINs.
posted by quonsar II: smock fishpants and the temple of foon at 7:10 AM on September 10, 2017

Unfortunately, that particular part (that the Trust Fund is going to go broke) is true if nothing changes.

Well. The event that these people typically characterize as "Social Security going bankrupt" is the point where it isn't taking in enough revenues to pay benefits. Because, you understand, the program has been continuously self-financing: benefits are not paid out of the general Treasury. At that time, it will make up the shortfall by the "trust fund", which is simply Treasury bills purchased with the excess FICA taxes collected, beginning in the 1980s, specifically for this eventuality. Almost everyone reading this has, for their entire working life, helped fund income tax and capital gains tax cuts for the rich by paying excess FICA tax, which was then borrowed by Congress from Social Security, by the mechanism of Social Security buying government securities.

That people aren't out in the streets every time a politician, in essence, proposes defaulting on those obligations and thus stealing from the very workers who have, for more than 30 years, been bearing the financial burden of preparing for "bankruptcy" [sic], is just inexplicable.

If I have any of this wrong, no doubt some local pedant will be along shortly to inform you. But I am pretty sure this is the deal.
posted by thelonius at 9:41 AM on September 10, 2017 [7 favorites]

What if we took Social Security funds and put them somewhere where they couldn't be touched, like, say, some kind of metaphorical lock box....

*Sob*
posted by Room 641-A at 9:44 AM on September 10, 2017 [7 favorites]

It's OK that the excess revenues were borrowed! What was SSA to do with them, put them under the mattress? What's not OK, is, defaulting on that debt.
posted by thelonius at 9:47 AM on September 10, 2017

The event that these people typically characterize as "Social Security going bankrupt" is the point where it isn't taking in enough revenues to pay benefits.


I won't try to characterize what other people are talking about, but I said "Trust Fund going broke." By that I mean that the Trust Fund (the surplus built up by the SSA and currently held in special treasuries) will go to a $0 balance.

The SSA's actuaries estimate that will happen in 2034 under their "intermediate" level forecasts. That's not a "republican lie" -- it's a straight up estimate given the best data and forecasting methods we have available.

Sorry to be pedantic, but I know what I'm talking about. I have a PhD in demography, and I've published my own forecasts of the Trust Fund in peer reviewed publications. I was programming stochastic computer simulations of the Trust Fund more than 20 years ago. I personally taught our forecasting methods to the SSA actuaries.
posted by mikeand1 at 10:58 AM on September 10, 2017 [3 favorites]

Not sure yet what the difference is between "locking" the report vs "freezing" the report; since it's free and the terminology is different I'm guessing it's not as effective as a freeze?

Rangefinder, the freeze is where it's at. It means third parties can't even run a credit check of you through that credit bureau, which means they won't be able to open any new accounts in your name at financial institutions, lender, etc. As a side effect it'll even prevent your credit from degrading due to too much credit check activity, which can negatively impact your score.

Not sure what that "lock" feature is they're offering but unless it includes proper freezing it's not as important.
posted by Hairy Lobster at 11:10 AM on September 10, 2017 [1 favorite]

No, thanks for the information, mikeand1. The summary is instructive. I have to admit, I did not know that the time from benefits exceeding income (2021) to depletion (2034) was so short.
posted by thelonius at 11:11 AM on September 10, 2017 [1 favorite]

I have to admit, I did not know that the time from benefits exceeding income (2021) to depletion (2034) was so short.


This is the thing that Gen-Xers and Millennials need to understand: They are going to get royally screwed if we don't do something soon to address the shortfall. When 2034 comes around, it will be too late to get more taxes from the Baby Boomers, and it will be nigh impossible to cut their benefits. The whole weight of the debt will fall on the shoulders of younger generations.

Millennials are already getting screwed financially; it strikes me as deeply immoral to make them pay for the Boomers' retirement as well. That's why the "republican lies" response is so short-sighted.

Someone really, really needs to educate younger generations about the nature and magnitude of the problem. It really does deserve its own thread, but I'm hesitant to start what would inevitably devolve into a shouting match.
posted by mikeand1 at 11:29 AM on September 10, 2017 [6 favorites]

Someone really, really needs to educate younger generations about the nature and magnitude of the problem.

I agree in the following sense. The magnitude of the problem regarding Social Security is really quite small and relatively easy to fix. It is exaggerated by Republicans to justify cutting benefits in order to cut taxes for the rich.
posted by JackFlash at 11:41 AM on September 10, 2017 [9 favorites]

From Commissioner Carolyn Colvin via blog.ssa.gov about a year ago:
Social Security Funded Until 2034, and About Three-Quarters Funded for the Long Term; Many Options to Address the Long-Term Shortfall
posted by Hairy Lobster at 11:42 AM on September 10, 2017 [2 favorites]

I mean, it would be deeply disappointing and hard to only get 75% of the social security to which I'm entitled, but that's not zero dollars, and I feel like everyone talks as though after 2034 there will be no social security for anyone, and this idea plays into the hands of the right.

Especially because, for pete's sake, just raise the damn taxes. I work a very ordinary pink collar job and will gladly pay more taxes to sustain social security. "Hm, would I rather pay a little more now - that is taken out of my check before I even see it! - so that I have a stable retirement? Or just let the whole thing go to hell so that I can take home an extra fifty or sixty dollars a month?"
posted by Frowner at 11:54 AM on September 10, 2017 [6 favorites]

I mean, it would be deeply disappointing and hard to only get 75% of the social security to which I'm entitled, but that's not zero dollars, and I feel like everyone talks as though after 2034 there will be no social security for anyone, and this idea plays into the hands of the right.

On the other hand, 75% of a retirement fund can make an enormous difference in quality of life. The "some money is better than no money" argument doesn't take into account that some things have fixed costs that don't scale -- you can either afford something or you can't. The average Social Security monthly benefit is $1350. We're not dealing with amounts that can really afford to be slashed.

Someone really, really needs to educate younger generations about the nature and magnitude of the problem. It really does deserve its own thread, but I'm hesitant to start what would inevitably devolve into a shouting match.

It's pretty hard to make a political thread that doesn't turn into a shouting match, but that doesn't mean people don't get anything out of them. Personally, I'd rather have this information, since I'm part of the demographic that will be completely screwed. I think an FPP on this would be great.
posted by shapes that haunt the dusk at 12:02 PM on September 10, 2017 [1 favorite]

I mean, it would be deeply disappointing and hard to only get 75% of the social security to which I'm entitled, but that's not zero dollars, and I feel like everyone talks as though after 2034 there will be no social security for anyone, and this idea plays into the hands of the right.


A 25% cut in benefits would be a massive transfer of wealth away from the younger generations. It amounts to a loss of about $600 billion per year (in current dollars). I can't fathom how anybody thinks that's OK, or how that's not a loss of major magnitude.

What's even stranger to me is that the same people who are fine with a 25% cut in benefits in 2034 would fight tooth and nail against a 5% cut in benefits for the Boomers today. Now, if you're a Boomer, I can see why you'd take that position. But this seems to be the position many younger folks are taking. How does that remotely make sense??

Don't get me wrong; I oppose cutting benefits at all. My preference would be to increase taxes. But the timing is the point: If you wait until the Boomers are all retired to increase taxes, the full cost falls on the younger generations.

It seems to me that the cost should be spread more equitably across generations.
posted by mikeand1 at 2:10 PM on September 10, 2017 [5 favorites]

A 25% cut in benefits would be a massive transfer of wealth away from the younger generations. It amounts to a loss of about $600 billion per year (in current dollars).

You might want to re-think that $600 billion number. It's way, way off.
posted by JackFlash at 2:42 PM on September 10, 2017

You might want to re-think that $600 billion number. It's way, way off.


No it isn't. Look at the table here. The cost of benefits is in the second-to-last column. Scroll down to 2033 for the "intermediate" forecast and look at the cost: $2.425 trillion. 25% of that is about $600 billion. (Again, in current dollars.)
posted by mikeand1 at 2:49 PM on September 10, 2017

How the fuck are we talking about SOCIAL SECURITY IS DOOOOOOOOOOOOOOOMED conspiracy nonsense in a thread about Equifax?
posted by tobascodagama at 3:03 PM on September 10, 2017 [6 favorites]

In re opposing benefit cuts for boomers: if my parents get their benefits cut, who supports them? The family member who is still working, to wit, me. If the choices are all bad - if we can't raise taxes because our oligarchs won't do it - I would prefer the lead time now while I'm young and earning so that I can save more and make better decisions while my parents have a stable retirement over suddenly needing to pony up to make up for my parents' lost income. Both options suck, but if I know I'm looking at 75% of social security when I retire, I can at least plan ahead, but if I'm looking at making up the sudden loss of 25% of my parents' income now, I'm pretty screwed.

I know it's fashionable to say that all retired boomers are rich as Croesus and spend their time rolling in gold while repeating "fuck you, young people, you'll never get to retire", but there are plenty of us whose parents would need financial support if their benefits went down to 75z% of what they are now.

Also, frankly, I wouldn't be at all surprised if I died in a pandemic or a disaster as climate change accelerates and my retirement therefore will become moot. I mean, I have to survive years and years as thing turn to shit before I could think of stopping working. My parents don't have the same out.
posted by Frowner at 3:06 PM on September 10, 2017 [1 favorite]

How the fuck are we talking about SOCIAL SECURITY IS DOOOOOOOOOOOOOOOMED conspiracy nonsense in a thread about Equifax?

Probably from there being much discussion of creating an SSA.gov account before criminals make one for you
posted by thelonius at 3:21 PM on September 10, 2017 [1 favorite]

OK, here's my theories about the Equifax hack:

1. It was done with knowledge of people on the inside. 2. Who has the data right now? The Russians. 3. What's going to happen with it? Look to 2018 and 2020.

I know this is a worst case scenario here, but given the last 10 months, I wonder if I'm being paranoid enough.
posted by happyroach at 3:21 PM on September 10, 2017 [2 favorites]

That's not a "republican lie" -- it's a straight up estimate given the best data and forecasting methods we have available.

the republican lie is that boomers are to blame, when it was repeated congressional raids to fund various tax cuts and other bullshit. the whole thing could be fixed in a flash by putting the top tax bracket back up to 90%.
posted by quonsar II: smock fishpants and the temple of foon at 3:30 PM on September 10, 2017 [11 favorites]

Probably from there being much discussion of creating an SSA.gov account before criminals make one for you

Sure, but it still seems like a pretty big divergence from the thread topic.
posted by tobascodagama at 3:31 PM on September 10, 2017 [3 favorites]

As for conspiracy theories, the more I think about this hack and the way Equifax has handled it since coming out about it the less I understand anything. It seems like incompetence on a scale I have just never witnessed in real life, certainly not anything I would be able (or want) to get away with.
posted by maggiemaggie at 3:49 PM on September 10, 2017 [3 favorites]

Again, in current dollars.

I hope you realize that "current dollars" is a very misleading metric. It probably doesn't mean what you think it does.

Current dollars means dollars in the year they are paid out. So your $600 billion number is in inflated 2033 dollars, not 2017 dollars. It also ignores the growth in the size of the economy. Today GDP is $18 trillion. In 2033 it will be approximately $40 trillion, more than doubling. So that $600 billion number in 2033 is much smaller than you might think at first glance.

I'm not accusing you, but a favorite trick of Republicans is to quote meaningless huge "billions" and "trillions" numbers without any context. When you place them in context, they are much less frightening then they make them out to be.

A better way to describe future debts is as a percentage of future GDP. This makes sense in the same way it makes sense to say that your future apartment rent will be, say, 25% of your income. That's much less frightening than a meaningless scary number like $10,000 a month 30 years from now that doesn't take into consideration wage increases and inflation.

So if you want to know about the Social Security shortfall in 2033 it is best expressed as a percent of GDP in 2033. That is exactly what the Social Security Administration shows in this table.

You can see that the shortfall is slightly more than 1% of GDP, not that frightening a number at all. Compare that to the annual cost of the Iraq War in the 2000s which was 1.6% of GDP and nobody blinked an eye.
posted by JackFlash at 4:10 PM on September 10, 2017 [2 favorites]

the republican lie is that boomers are to blame, when it was repeated congressional raids to fund various tax cuts and other bullshit.


Look, I'm all for raising taxes, but you're confusing two different things. The Social Security Trust Fund is accounted for separately from the general fund, and the Trust Fund is funded through its own special "payroll tax".

The payroll tax rate has never been cut. To the contrary, it's been increased several times over the years, and the cap on taxable income has also been increased periodically.

That's not to say you couldn't make payments to the Trust Fund out of the general fund if Congress wanted to do that, but tax cuts are not the reason why the Trust Fund faces a shortfall. The shortfall is due mostly to the fact that the ratio of retirees-to-workers is increasing dramatically as Baby Boomers enter retirement.

I'm not "blaming" Baby Boomers--they didn't formulate these policies personally, Congress did that--but it's a simple fact of demography that the aging of the Baby Boomers is going to put major stress on Social Security (and other age-related programs, e.g. Medicare).
posted by mikeand1 at 4:11 PM on September 10, 2017 [2 favorites]

The payroll tax rate has never been cut.

On the other hand they never do the thing that would seem to be completely obvious and sensible, which is not to cap the income subject to payroll tax. The Payroll tax is incredibly regressive.
posted by Justinian at 4:14 PM on September 10, 2017 [12 favorites]

I hope you realize that "current dollars" is a very misleading metric. It probably doesn't mean what you think it does.


I know exactly what it means. Are you paying any attention to what I've already said?

A quick back-of-the-envelope calculations shows that the present value of $600 billion in 2033 dollars equals about $400 billion in 2017 dollars, assuming a 2.5% discount rate.

So, $400 billion per year in 2017 dollars. Do you like that better? That amount of money is not "really quite small" in magnitude.
posted by mikeand1 at 4:15 PM on September 10, 2017

You can see that the shortfall is slightly more than 1% of GDP, not that frightening a number at all.


It's 1.58% of GDP in 2035, and that is a huge number. It sounds small to you because "1.58 percent" sounds small, but the GDP of the entire U.S. is gigantic.

And we're talking about a shortfall that's occurring every year.

You claimed my "$600 billion" number was "way, way off." You were wrong, weren't you.
posted by mikeand1 at 4:22 PM on September 10, 2017

So, $400 billion per year in 2017 dollars. Do you like that better?

Nope because that number is meaningless without the context of the size of the economy. The economy will more than double by 2033.

The future shortfall will be about 1% of GDP. In today's economy that is about $180 billion dollars. But, hey, a meaningless number like $600 billion sure got everyone's attention.
posted by JackFlash at 4:24 PM on September 10, 2017

It's 1.58% of GDP in 2035

Sorry, but you are mis-reading the table. You are apparently adding together Social Security (OASDI) and Medicare (HI). They are two different issues. Republicans often conflate the two to mislead people.
posted by JackFlash at 4:35 PM on September 10, 2017

Someone really, really needs to educate younger generations about the nature and magnitude of the problem. It really does deserve its own thread, but I'm hesitant to start what would inevitably devolve into a shouting match.

Oh dear. Well, here, let me save you the trouble. There's no Social Security crisis. There never has been. Please see my previous FPP length posts on the subject. Read all of those links in the entirety, as well as the 2016 updates to those sources, before making any more doom-saying posts about it.
posted by T.D. Strange at 5:32 PM on September 10, 2017 [9 favorites]

On other notes, the MMDDYYHHMM thing is supposed to be fixed within a day (am I supposed to note SLNYT or is that only for FPPs?)
posted by 2 cats in the yard at 6:04 PM on September 10, 2017

But, hey, a meaningless number like $600 billion sure got everyone's attention.


It's hardly meaningless. Even your $180 billion number (which downplays the problem substantially) is a frigging HUGE amount of money to lose, especially when it'll be lost on an annual basis.

Expressing something as a percentage of GDP doesn't help most people understand the magnitude of the problem. Your average person probably can't even define GDP, and the vast majority of folks could not tell you how big it is in dollars.

You know what isn't meaningless to anyone? A 25% cut in benefits. Now, personally, I've managed to save up for retirement, and a 25% cut probably won't have a material impact on my lifestyle. Maybe you're in the same boat.

But there will be a helluva lot of retirees for whom Social Security will be their sole source of income. I guarantee you, for them, having their monthly check reduced from $1,600 to $1,200 will NOT be a minor inconvenience. For them, there's nothing meaningless about it.
posted by mikeand1 at 6:36 PM on September 10, 2017 [1 favorite]

There's no Social Security crisis. There never has been.


I never used the word "crisis" and I'm not "doom-saying." The links you yourself posted back up everything I've said.

It's not a "crisis" in the sense that if we raised taxes now, the required increase would not be all that steep (about 2.83%). But if we wait until 2034 or so, when the Trust Fund runs out, then it will be a lot more painful. For some folks, losing 25% of their benefits would represent a crisis.
posted by mikeand1 at 6:41 PM on September 10, 2017 [4 favorites]

How to opt out of Equifax's rights-stripping arbitration clause

Equifax binding arbitration opt-out (unofficial)
posted by homunculus at 10:22 PM on September 10, 2017 [4 favorites]

Fun historical context to Equifax's shitbaggery:

They were founded in 1899 as the Retail Credit Company, and were known for collecting all information — both real and specious — that they could find on anyone, and then selling it to anyone. It's move to digitize its records led to congressional hearings in the '70s, resulting in the Fair Credit Reporting Act, and leading the RCC to change its name to Equifax in 1975 to move away from the negative associations those hearings brought.

Currently, they're one of the biggest funders of the credit reporting trade group that lobbies to defend arbitration clauses and to fight against consumer access to free credit reporting. Equifax also argued that making credit reporting agencies vulnerable to class-action lawsuits over systemic mistakes in their data could risk "forcing [them] to disgorge all profits," and that insurance alone could be enough to bankrupt them.

It seems like there's a clear way forward to deal with their lamprey-like fixation on the side of the credit economy, one that has both historical precedent and scares them to their core. That it would likely destroy their fellow credit reporting agencies would just be frosting.

Time to contact your representatives, tell them that you want class-action liability, an ability to have arbitration clauses reviewed in court (California's on the forefront of having them declared "unconscionable," essentially a judge's finding that they're too unfair to be legal, something that has different standards in different states), and liability attached to data protection requirements.
posted by klangklangston at 9:54 AM on September 11, 2017 [15 favorites]

liability attached to data protection requirements.

Ding ding ding. When credit card issuers became liable for fraudulent activity it's amazing how fast they got better at detecting and preventing it.
posted by PMdixon at 10:19 AM on September 11, 2017 [6 favorites]

Sen. Brian Schatz (D-HI) on Twitter [quoted tweets omitted]:

If half of those hit by breach buy "credit freeze" then Equifax makes $700 million off their own mistake. That's a ripoff. Waive the cost!

If people at equifax cannot pull it together to actually take care of consumers, they shouldn't be allowed to possess our identities.

Why should we have to pay Equifax for service to fix problem Equifax caused? I sent a formal letter but could @Equifax answer on twitter?

This @Equifax debacle shows this credit report ecosystem operates in the dark, no accountability or consumer protections. It ruins lives.

Why did senior executives liquidate their stock after finding out what happened?

Why do your outsourced customer service phone people not have access to the database of consumers whose data has been breached?

WHY ARE YOU CHARGING THIRTY BUCKS FOR A CREDIT FREEZE.

Your instructions are confusing. You are wasting people's time and causing a lot of anxiety. People aren't exactly sure what to do.

Hey, @Equifax this isn't a rhetorical question. I expect an answer.

posted by melissasaurus at 10:28 AM on September 11, 2017 [25 favorites]

WHY ARE YOU CHARGING THIRTY BUCKS FOR A CREDIT FREEZE.

because protection racket
posted by Sys Rq at 11:39 AM on September 11, 2017 [3 favorites]

Just a heads up: I set up a TransUnion account to do the freeze and got an email informing me that I'm now subscribing to the tune of $20/month. At no point did they indicate anywhere I was about to be charged for anything. (I gave them a credit card figuring they were using it to access my records, after double checking that there had been no statements anywhere that they were about to charge me anything, let alone put me on the hook for a monthly recurring charge.)

So sleazy. Now I'm on hold listening to a recording telling me what a virtue it is to be proactive about my credit score.
posted by whuppy at 12:18 PM on September 11, 2017 [2 favorites]

TransUnion followup: Go to https://freeze.transunion.com to set up a freeze.

For NJ residents it's like their toll bridges and tunnels: Free to get in, but you have to pay ($5) to leave.
posted by whuppy at 12:41 PM on September 11, 2017 [2 favorites]

There's not enough Infosec talent to go around - we will continue to see issues like this because financial institutions have to hire someone to do the work of software engineering and Amazon/Google/et al get the best talent, because they pay best. It is horrifying but many institutions that handle incredibly sensitive data (medical, financial) are not competitive for the best engineers, so it's mid-rate talent that's in charge of all that stuff. I say that as mid-rate talent that has worked in healthcare research and at a bank.

Interesting data point about that: CNBC: The man who runs Equifax's security group earned $2.8 million last year (probably autoplay on the link).

Kelley was paid a salary of $546,312 in 2016 along with $957,302 in stock awards. The rest of his pay came primarily from a non-equity incentive plan and pension-related benefits.

Kelley, who previously served as a senior partner at law firm King & Spalding, earned a total of $11.1 million in compensation in his first four years at Equifax, filings show.

This is only the guy in charge of the department, and I assume he is not an engineer. Also, for all I know, this might be well short of the best pay.
posted by polecat at 12:57 PM on September 11, 2017 [3 favorites]

On Friday night I signed up for a credit freeze at TransUnion and Experian. I saved the PINs in a "secure note" in Dashlane. On Sunday I happened to revisit this whole issue and I peeked into that secure note. I'm guessing I forgot to press the "save" button, because the Experian PIN wasn't in there. What fun!

I tried to figure out if I could dig it out of my browser cache, but no luck. Then I saw that the Experian page had a link for recovering the PIN. I filled out a little form and was then posed with the four pop quiz questions about my financial info that only I should know. This is always nerve wracking because experience tells me they'll pull from their spotty-yet-deeply reaching knowledge of my previous 12 addresses and 8 banks that I might have dealt with even if I didn't know their names. I was confident that I aced the quiz, but the next page said "based on the info you provided, we can not provide you a PIN". Now I might have to send photos of my Driver's License to get my PIN, or I might wait a couple of weeks to see whether the website will give me another chance at the quiz.

So on the one hand, the info to recover somebody's freeze PIN is probably the same info that was stolen from Equifax. On the other hand, this seems like something that would be hard to automate or do at scale, and it seems like a roll of the dice whether it will work at all.

For NJ residents it's like their toll bridges and tunnels: Free to get in, but you have to pay ($5) to leave.

I kind of like that, because the small fee could also limit the scale at which a fraudster would be willing to unfreeze the reports.
posted by polecat at 1:17 PM on September 11, 2017 [1 favorite]

Anyone else seeing two $10 charges from TransUnion on their accounts? I couldn't get through to anything relevant via their contact #s, nor could I reach a human being. Guess I'll email them and, failing that, protest the charge via my bank.
posted by christopherious at 1:28 PM on September 11, 2017

Just a heads up: I set up a TransUnion account to do the freeze and got an email informing me that I'm now subscribing to the tune of $20/month. At no point did they indicate anywhere I was about to be charged for anything.

Oh, wow, that sucks. Back when I did it you only needed to set up a free account for this. I wonder if that's also state dependent like the fees for freezing and thawing. (I'm in CA for the record).

This overview of per-state rules is from back in October 2007, the year when the three bureaus agreed to allow freezing of accounts. It simply states that in states were no law is enacted they get to set eligibility and fees and then lists info for each state. States with now laws enacted on that 2007 list include: AL, AK, AZ, GA, ID, IA, MI, MO, OH, SC and VA.
posted by Hairy Lobster at 2:22 PM on September 11, 2017

This one's from 2014 so it's probably more up-to-date. They're saying all states but Michigan had adopted laws at that point (5 Feb 2014 is the date on the article).
Unfortunately neither this nor the link I posted in my previous comment seem to say much about the bureaus being able to force you into a paid account.
posted by Hairy Lobster at 2:26 PM on September 11, 2017

Equifax's Maddening Unaccountability:

As long as impunity for corporations and their executives is the norm, data breaches will continue to happen. What should you do? It’s easy: Just make sure to change your name, Social Security number and home address regularly — and don’t go crying if you neglect to do that and suffer the consequences of your actions. It’s not as if you’re are a rich executive.

posted by ragtag at 7:10 PM on September 11, 2017 [2 favorites]

Sorry to hear, jamaro. A co-worker of mine ran into this as well yesterday when they tried to freeze at TransUnion. I suspect they never anticipated the current volume of freeze requests, didn't bother to make it beefy enough and now it's overwhelming their setup. I would call them to get your money back. I think you can freeze over the phone as well as via snail mail.

This utterly sucks and I feel super-lucky that I did the freezing a few years ago. The whole thing is a fucking racket that leaves you, as a captive participant, no choice but to try and maneuver through it as best you can.

This needs to be regulated at the federal level and it needs to be regulated hard. I never understood why they left it to the states when the information is regularly used across state lines.

Don't think this has been posted yet: Before its massive data breach, Equifax fought to kill a rule allowing victims to sue (LA Times)
posted by Hairy Lobster at 11:31 AM on September 12, 2017 [4 favorites]

And, just to make everybody's lives more miserable... there appears to be a 4th credit bureau named Innovis:

Info about them at blog.smartcredit.com.

Direct link to Innovis' security freeze page.
posted by Hairy Lobster at 11:38 AM on September 12, 2017 [2 favorites]

So their head of security makes $2M a year? Not surprising, given this expertise: Ayuda! (Help!) Equifax Has My Data!
posted by maxwelton at 5:11 PM on September 12, 2017 [1 favorite]

Equifax waives credit protection fees after consumer outcry

Equifax says it will now waive all of its fees for customers who want to freeze their credit files with the company, reports The New York Times, but it will only do so until November 21. Equifax will also refund fees to those who have paid since September 7....

US senator on Equifax hack: 'Somebody needs to go to jail'


How to protect yourself from the Equifax data breach scandal - Mostly stuff that's already been discussed but this was a new idea for me: "Closely monitor [your] own credit reports, which are available free once a year, and stagger them to see one every four months."
posted by bunderful at 5:43 AM on September 13, 2017 [4 favorites]

Second Krebs!
posted by silsurf at 9:29 AM on September 13, 2017 [1 favorite]

This is only the beginning, shout out as loud as you can.
posted by silsurf at 9:29 AM on September 13, 2017

Equifax had 'admin' as login and password in Argentina

Words fail.
posted by flabdablet at 7:17 AM on September 14, 2017 [9 favorites]

"Equifax said the breach happened between mid-May and July. It discovered the hack on July 29. It informed the public on September 7.". CNN Money

Yeah I'm trying to reconcile all the facts. This is the writeup that made it public, Sept 5. His timeline says he disclosed it to Apache on July 17. I'm guessing there was parallel research by the hacker(s) that discovered it just a few months earlier. That'd be really weird synchronicity except for the earlier Struts hole published in March I think, that likely triggered them both to start looking for more Struts vulnerabilities.
posted by scalefree at 17:52 on September 8

And here's the admission that in fact it was the March Struts vulnerability - the one that should have been dealt with two months before they were breached.

I'd suspect that somebody at Equifax was asleep at the wheel if I thought they had anybody at the wheel.

(via gizmodo, ars)
posted by flabdablet at 10:46 AM on September 14, 2017 [4 favorites]

There are probably half a dozen engineers in a windowless cube farm somewhere shouting "WE FUCKING TOLD YOU SO, YOU CHEAP ASSHOLES" into the void right now.
posted by tobascodagama at 11:18 AM on September 14, 2017 [7 favorites]

I'd suspect that somebody at Equifax was asleep at the wheel if I thought they had anybody at the wheel.

The self-driving car of finance?
posted by rhizome at 12:50 PM on September 14, 2017 [2 favorites]

So of course people are looking to monetize the incident. There's been two groups, both setting up shop on TOR nodes & selling access to exfil data with bitcoin*. The first was an amateurish affair offering no proof & showing signs of sloppy configuration, fairly easily discountable. But the second, now that's another matter. They provide web app admin page screenshots & a sample of the data pertaining to credit holders B Gates, D Trump & K Kardashian. The screenshots appear authentic but not the data, unless Bill has a secret home in Wisconsin.

*technically ethereum but that's a distinction without a difference, really.
posted by scalefree at 1:12 PM on September 14, 2017 [1 favorite]

Surfing from some links above led me to
Krebs on Security: The Equifax Breach: What You Should Know
which breaks down facts and advice nicely. Near the end of the article are a couple of measures you can take that I didn't know about (follow the link for more specifics):

It’s also a good idea to notify a company called ChexSystems to keep an eye out for fraud committed in your name. Thousands of banks rely on ChexSystems to verify customers that are requesting new checking and savings accounts, and ChexSystems lets consumers place a security alert on their credit data to make it more difficult for ID thieves to fraudulently obtain checking and savings accounts.

ID thieves like to intercept offers of new credit and insurance sent via postal mail, so it’s a good idea to opt out of pre-approved credit offers. (followed by phone numbers and a link to a web portal for the opt out).

I've only cruised a few comments in, and I've already seen some interesting discussion. For example, Innovis isn't the only minor credit reporting agency--there are lots.
posted by polecat at 1:27 PM on September 14, 2017 [3 favorites]

Hope you folks don't mind, I just wanted to take a little victory lap over my amazing prognostication upthread.

I've taken some heat on Twitter for saying this but to me it's the last 2 numbers that tell the tale not the first. EFX is saying very little & what they have said isn't very helpful but the way I read this is the hacker broke in using a "web application vulnerability" (probably but not definitively an earlier Struts exploit because if it was REST that makes it a 0-day) & siphoned off some credit card numbers & credit histories/scores as they went by in the web app.

KrebsOnSecurity backs me up on almost everything I said except apparently the credit card (& presumably credit history also) data wasn't copied from live transactions but "historical" ones which is a clear PCI violation all by itself, cleartext storage of full credit card numbers (Primary Account Numbers (PANs) must be encrypted, one-way hashed, truncated or tokenized per PCI DSS req. 3.4) at rest.
posted by scalefree at 2:23 PM on September 14, 2017 [5 favorites]

I've been trying to freeze my credit and my partners credit via phone for the past two days and I have yet to succeed with all 3 agencies. Equifax has been a total fail.
posted by bq at 4:43 PM on September 14, 2017

The issue of being charged after failing to establish a credit freeze happened to me, with Experian. So far the phone numbers I've found don't seem to help.

Thankfully I did manage to set a fraud alert.
posted by CancerMan at 5:19 PM on September 14, 2017

Can we please please please let this be the last straw for the current model of credit bureaus in America? They somehow have the right to every bit of our personal information, all of our financial data, work history, residence history, legal history, but they can't be bothered to keep it accurate -- that's our job, to fight with them about any inaccuracies -- and they can't even be bothered to make token efforts to safeguard our information, and now that they've had the most devastating breach of PII in American history, their main goal outside of damage control is to profit by selling more services designed to mitigate the risk to our credit history, said risk ENTIRELY DUE TO THEIR OWN NEGLIGENCE. Even this existential threat of damage to our credit history -- that's a problem that we wouldn't have without Equifax and their partners in crime.

They blackmail us with our own data, charge us to see it, charge us to monitor it, make us jump through hoops to fix it when they get it wrong, and then fail to keep it safe, and then fail to take responsibility for that failure (though they at least made sure that their execs could dump the stock, they got that part right), and they just want to go back to the same old model of fucking us over six ways from Sunday, as hard as they can get away with.

We don't have to go back to that model. Let's not do that.
posted by Two unicycles and some duct tape at 5:26 PM on September 14, 2017 [14 favorites]

"KrebsOnSecurity backs me up on almost everything I said except apparently the credit card (& presumably credit history also) data wasn't copied from live transactions but "historical" ones which is a clear PCI violation all by itself, cleartext storage of full credit card numbers (Primary Account Numbers (PANs) must be encrypted, one-way hashed, truncated or tokenized per PCI DSS req. 3.4) at rest."

Might I dream that credit card companies will sue Equifax into oblivion?
posted by klangklangston at 5:33 PM on September 14, 2017 [1 favorite]

Might I dream that credit card companies will sue Equifax into oblivion?

I expect the whole sector will get an overhaul. Equifax is actually on the board of the standards group behind PCI. For them to be so negligent with so much of our data as they utterly fail their own standard makes the standard as it stands pointless*.

*I'll sit down now.
posted by scalefree at 8:14 PM on September 14, 2017

Can we please please please let this be the last straw for the current model of credit bureaus in America?

Surely this...
posted by flabdablet at 9:26 PM on September 14, 2017 [3 favorites]

Don't worry guys, Equifax is also a root CA to verify HTTPs on basically every device on the internet. I've heard no indication this was compromised but EFX is not a worthy steward of this kind of authority & privilege. I can't even guess at the full ramifications of pulling the trigger on revoking their cert but here's something to start on. How certificate revocation (doesn’t) work in practice.
posted by scalefree at 11:10 PM on September 14, 2017 [5 favorites]

There's disagreement on what applications & OSes currently trust EFX's root CA so the full scope of the problem isn't clear at the moment. Stay tuned I guess.
posted by scalefree at 11:18 PM on September 14, 2017

...and while you wait, sharpen those pitchfork tines, get some torches soaking, and warm up a fresh tub of hot pine tar.
posted by wenestvedt at 6:26 AM on September 15, 2017 [1 favorite]

I just tried to get my free credit report from Transunion before moving on to credit freezes and I got this after the hassle of entering all my info:

"Due to the Equifax data breach we are experiencing extremely high volumes and cannot fulfill your request at this time. We sincerely apologize and ask that you try again later."

Later? When later? An hour? Tomorrow? Next week? These companies are criminally incompetent.
posted by bluecore at 9:19 AM on September 15, 2017 [2 favorites]

Later? When later? An hour? Tomorrow? Next week?

Had the same thing happen to me yesterday (Equifax wouldn't even load at all), so apparently the answer is "more than 24 hours."
posted by brook horse at 9:37 AM on September 15, 2017

Credit rating companies haven't been especially good to consumers. On way too many occasions, including Ask.Me, consumers are advised to Just pay it even when bills are not legit. They are 100% on the side of companies that entice consumers into more consumer debt, with not enough information, but with an efficient collection mechanism. They collect very personal information, huge amounts of it, and sell it. Equifax was egregiously sloppy. They have my information, that I probably had to consent to because I want an electric utility account and a credit card, etc., and they should be held to a very high standard, because there's no excuse for them not knowing it's sensitive, no excuse for them not knowing it's valuable to bad actors. They waited to deal with the problem. The insider trading possibility smells very bad. They waited to inform the public. They're doing a terrible job with this process. They should be shut down. The fines should be draconian and they should be forced to close. Of course I know that won't happen, not with this Congress, but it's what should happen.
posted by theora55 at 2:39 PM on September 15, 2017 [4 favorites]

KrebsOnSecurity backs me up on almost everything I said

Thanks for that link. In the article, Krebs says that the Apache Struts vulnerability that Equifax had was also found on annualcreditreport.com, and in Experian’s Web properties.
- Does that mean that Experian potentially has also been breached, and either does not realise it or has not yet disclosed it?
- What about TransUnion, which can also be accessed through annualcreditreport.com?
posted by cynical pinnacle at 1:42 PM on September 16, 2017 [1 favorite]

- Does that mean that Experian potentially has also been breached, and either does not realise it or has not yet disclosed it?

Funny you should ask. According to Experian they patched Struts in March within a few days of the vulnerability's disclosure which is pretty fast especially since after you recompile Struts you then have to recompile every web app that uses it also, using the new Struts libraries. But someone did manage to run this exploit PoC against them before the new version was installed.
posted by scalefree at 6:34 PM on September 16, 2017 [1 favorite]

another rant, on Quartz
posted by theora55 at 7:13 PM on September 16, 2017

Nice comment from Larry on the Krebs piece linked above:

Equifax clearly needs the services of this fine company – http://www.equifax.com/help/data-breach-solutions/

Heh.
posted by flabdablet at 8:40 AM on September 17, 2017 [5 favorites]

As an update to my previous comment, Experian apparently canceled the charge. I don't know why they would have tried to charge my credit card in the first place, but at least they have something (I assume) that will verify their security freezes.
posted by CancerMan at 10:46 AM on September 18, 2017

One should be careful about sharing your phone number with Google because then SS7 attacks can intercept password reset tokens for Gmail from which they can access financial accounts.
posted by jeffburdges at 11:08 AM on September 18, 2017 [1 favorite]

I've still never been given any reason to believe that any form of 2FA offers me improved real-world security over what I get more conveniently from long, unique, randomly generated passwords held inside a KeePass database file and refusing to run any of the popular proprietary operating systems on any of my personal computers.

As for the idea of involving my phone in any process requiring actual security: nope. Just nope.
posted by flabdablet at 12:24 PM on September 18, 2017 [2 favorites]

Just when I thought I was out, they pulled me back in. Fairly major development in the EFX Saga - according to Bloomberg there was earlier breach in March. Equifax Suffered a Hack Almost Five Months Earlier Than the Date It Disclosed. EFX still hasn't admitted this one publicly yet but they did quietly warn some banks about it; a memo has surfaced & Bloomberg has a copy. Also, no word yet on the hole they used. Relatedly, firm(er) confirmation that one of the Onion sites selling access to exfilled PII was legit:

This person said a large Canadian bank has determined that hackers claiming to sell celebrity profiles from Equifax on the dark web -- information that appears to be fraudulent, or recycled from other breaches -- did in fact steal the username and password for an application programming interface, or API, linking the bank’s back-end servers to Equifax.

This story has more moving parts then a Rube Goldberg machine.
posted by scalefree at 4:47 PM on September 18, 2017 [6 favorites]

So here's my new prospective timeline.

Early March - First hack
Mid(?) March - EFX detects hack & calls in Mandiant
Late May - Mandiant closes investigation
Later May - Second hack
Late July - EFX detects hack & calls Mandiant back

It's not forensic proof but it's at least suggestive that there was one group behind both breaches who just waited for Mandiant to pull out then went right back in, this time succeeding at least somewhat.
posted by scalefree at 5:00 PM on September 18, 2017 [1 favorite]

I've still never been given any reason to believe that any form of 2FA offers me improved real-world security over what I get more conveniently from long, unique, randomly generated passwords held inside a KeePass database file and refusing to run any of the popular proprietary operating systems on any of my personal computers.

Then you haven't looked at YubiKey. Affordable, easy to configure & drop-dead simple to use 2FA to protect your online life - Google, Facebook, Salesforce, Dropbox, GitHub, Docker all have YubiKey 2FA options. It even works with KeePass. And you can use it to help secure your own computers; YubiKey can be enabled as 2FA for logging into Windows, macOS & most Linuxes.

Keep all the rest of your setup, mine's similar. Just add a YubiKey to make it much, much harder for anyone to access your stuff who isn't you.
posted by scalefree at 5:32 PM on September 18, 2017 [2 favorites]

The first time any one of my online accounts is breached and causes me any level of inconvenience, I'll consider it; I quite like the look of the FIDO U2F public key version, which seems to me to be the first time anything like a universal second factor has ever been implemented in a way that makes it actually worth bothering with.

My banking is currently secured by a dedicated TOTP hardware dongle (they offered the option of SMS codes instead, but as I said before, nope). I've just sent the bank a message asking if they have any plans to support FIDO U2F any time soon. If they do, I'll probably grab one.

Unless and until they do, though, I'm pretty convinced that KeePass on its own is enough to render all my accounts as uncrackable as they're ever going to get, leaving aside the kind of stupid mistakes on my part that I'd also be quite capable of making even with 2FA. The only way I can see this not being true is if one of the services I use is actually storing passwords in plaintext instead of hashing them, and any service dopey enough to do that is clearly not going to get 2FA right either.

The main thing I have against 2FA is the assumption it encourages that having it set up means that security is all done and dusted. That kind of complacency, it seems to me, could easily tip the balance of a risk already rendered unquantifiably small by KeePass in the bad guys' favour.

It also seems to me that the risk that some service I use will simply fuck its security up by accident or carelessness, a la Equifax, is already many orders of magnitude higher than the risk that any of my KeePass-generated passwords will be exfiltrated and cracked.
posted by flabdablet at 8:48 AM on September 19, 2017 [1 favorite]

"[...] higher than the risk that any of my KeePass-generated passwords will be exfiltrated and cracked."

While the passwords generated by tools such as KeePass and, in my case, LastPass, are as safe as passwords can be, you are still limited by the risks forced on you by the companies you have accounts with. I have accounts with several financial institutions that limit me to 20 character passwords. Not an impossible crack with modern GPUs. Some accounts you can of course opt out of but not all. Old accounts are valuable for credit scores and you're kinda stuck when your mortgage gets sold by one institution to another. One gross offender has always been American Express. They limited users to 8 character passwords up until around 2010!!! Today they still limit you to 20. Same with a credit union I have an account with.
To limit the impact of such idiotic restrictions TFA is definitely useful.
Plus the logic of wanting to be less safe to be more vigilant seems rather odd and flawed. Do you not wear seatbelts in cars so you drive more safely? It doesn't take into account things you can't control or even be aware of.
posted by Hairy Lobster at 12:58 PM on September 19, 2017 [2 favorites]

The main thing I have against 2FA is the assumption it encourages that having it set up means that security is all done and dusted. That kind of complacency, it seems to me, could easily tip the balance of a risk already rendered unquantifiably small by KeePass in the bad guys' favour.

I'm a professional paranoid, it's literally part of my job description & it extends into my personal life too. I'm never going to be complacent about security & I don't think you are either. But what I can have is freedom from worry, peace of mind that the myriad projections of my persona online are as well protected as I can make them.

The primary threat model for 2FA isn't someone stealing your password datastore & cracking it open, it's someone triggering an account change for one of my online services & fooling the service into thinking I authorized it. Keep your KeePass in a faraday cage if you like, I'll just change your password or email address, lock you out & make your password useless. 2FA like a YubiKey stops that kind of attack dead in its tracks. It also makes that copy of your datastore I swiped useless to me without your YubiKey but that's a secondary benefit.
posted by scalefree at 7:25 PM on September 19, 2017 [1 favorite]

20 character passwords. Not an impossible crack with modern GPUs

Even assuming a conservative 64 possibilities per character, a randomly generated 20 character password is 120 bits of key space. Average complexity of a successful brute force crack is therefore 119 bits. And that's a pretty bloody large number.

Let's forget about GPUs and give the job to a hypothetical massive ASIC farm capable of checking one billion keys per nanosecond.

To chew through 119 bits of key space at a billion keys per nanosecond would take 2¹¹⁹ keys / 1,000,000,000 keys per nanosecond / 1,000,000,000 nanoseconds per second / 3,600 seconds per hour / 24 hours per day / 366 days per year = about 21 billion years.

I think 20 characters will be enough for a while.

the logic of wanting to be less safe to be more vigilant seems rather odd and flawed. Do you not wear seatbelts in cars so you drive more safely?

The seatbelts analogy doesn't really work because the risk scale is wrong. The point I'm trying to make is that using KeePass has already reduced the risk that I'll experience any security disaster with a technical cause to completely negligible proportions compared to the risk of human error. Any security breach I suffer at this point is going to happen because the thieves have talked me into inviting them to poke around inside my opened wall safe while I go and make them a cup of tea, not because the lock on the safe was too weak. Adding an extra padlock to the outside amounts to fixing a problem that's already been fixed.

The primary threat model for 2FA isn't someone stealing your password datastore & cracking it open, it's someone triggering an account change for one of my online services & fooling the service into thinking I authorized it.

2FA isn't going to make that failure mode any less likely unless physical loss of your 2FA token also results in absolutely irretrievable loss of access to the accounts it was protecting. If it doesn't, that means there exists an account recovery process that doesn't require your token, and that's going to be just as exploitable as any recovery process built to deal with lost passwords.
posted by flabdablet at 2:14 AM on September 20, 2017

what I can have is freedom from worry, peace of mind that the myriad projections of my persona online are as well protected as I can make them.

I absolutely sympathise with the desire, but it seems to me that the chance that I or some call centre drone in the Philippines will personally intervene to screw up a perfectly good security system is maybe one in several tens of thousands, while the chance that KeePass will fail me is maybe one in several billions of billions.

Making my accounts as well protected as I can involves making me more scam-resistant. Hardening already completely adequate technical measures by a few more orders of magnitude doesn't actually change anything.
posted by flabdablet at 2:18 AM on September 20, 2017

Some accounts you can of course opt out of but not all. Old accounts are valuable for credit scores and you're kinda stuck when your mortgage gets sold by one institution to another. One gross offender has always been American Express. They limited users to 8 character passwords up until around 2010!!! Today they still limit you to 20. Same with a credit union I have an account with.

I am fortunate enough to live in a country where the banking and credit regulation systems have actually managed to drag themselves out of the nineteenth century, and I do have the freedom to limit my financial dealings to organizations that show every sign of being worthy of the trust I place in them.
posted by flabdablet at 2:26 AM on September 20, 2017

2FA isn't going to make that failure mode any less likely unless physical loss of your 2FA token also results in absolutely irretrievable loss of access to the accounts it was protecting. If it doesn't, that means there exists an account recovery process that doesn't require your token, and that's going to be just as exploitable as any recovery process built to deal with lost passwords.

The recommendation is to get two, authorize both, make one a backup.
posted by idiopath at 7:41 AM on September 20, 2017 [1 favorite]

Sure, you could do that.

But the chance that somebody might break the encryption on my KeePass database is, by my best estimate, many orders of magnitude lower than the chance that somebody might break into my bank's safety deposit box and steal my spare YubiKey; and the chance of some server-side security failure mode that makes breaking KeePass encryption unnecessary looks about the same as the chance of one that would make my YubiKey unnecessary.

It really comes down to a balance of trust. Now that all my passwords are unique and unguessable, I trust myself not to screw up my own security much less than I trust the technical access controls protecting my accounts.

So yes, I drive with a seatbelt, but I can't see the point of installing two inch thick bulletproof glass all round.
posted by flabdablet at 1:54 PM on September 22, 2017

MetaFilter's own Jessamyn West has sued Equifax in small claims court.
posted by metaquarry at 9:12 AM on September 23, 2017 [14 favorites]

The IRS Just Hired Equifax To Safeguard Taxpayer Data   lol
posted by jeffburdges at 1:41 PM on October 4, 2017 [5 favorites]

Because somebody at the IRS has enough IT industry experience to understand perfectly well that the sole reason it was Equifax, rather than any of its competitors, that experienced this breach is pure dumb luck. None of these fuckers is any good.

Security is only as good as the weakest spot in the armour, and competition causes cost-cutting. I can think of no systemic feature capable of ensuring that any large commercial IT outfit pays more than lip service to the security of its livestock, as opposed to that of its customers.
posted by flabdablet at 3:33 AM on October 5, 2017 [1 favorite]

I think EquiFax' incompetence level sounds worse than others, but maybe they'd address that, or maybe not. It's a no bid contract so really they won because they had promised lucrative future jobs to whatever IRS higher ups assigned the winner.

Just noticed : IRS deliberately targeted innocents for civil forfeiture program that stole millions from Americans
posted by jeffburdges at 4:37 AM on October 5, 2017 [1 favorite]

Just remember, Citizen: if you have nothing to hide, that's reason to suspect you.
posted by flabdablet at 5:02 AM on October 5, 2017 [1 favorite]

And their competitors' admin passwords will be 123456 and pa55w0rd.
posted by flabdablet at 9:17 AM on October 5, 2017 [2 favorites]