www. O S N E W S .com
Data of 143 million Americans stolen from Equifax
By Thom Holwerda on 2017-09-07 23:45:22

Equifax Inc. today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company's investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax's core consumer or commercial credit reporting databases.

Names, social security numbers, birthdays, addresses, driver's license numbers, credit card numbers - this is a very big breach.

Interestingly enough, three executives of the credit reporting agency sold their shares in the company days after the breach was discovered.

.
RE[5]: Public social security numbers
By bryanv on 2017-09-08 18:07:09
Because their friends who pay them to 'represent you and me' (har har har!) can't make money off _fixing_ the problem. They make more money by _prolonging_ it.

Also, if you legislated _fixing_ something, then you wouldn't be able to keep legislating around it, and that keeps you from being able to sneak more legislation in as pork on top of it.

The incentives all around for the US legislation system are to:

* prolong all problems, rather than actually deal with root causes.
* Transfer money from taxpayers to private accounts through legislation of non-solutions for both real and imaginary threats.

There really is no incentive or positive reinforcement for an elected official in the US to actually do the moral and ethical thing.
Permalink - Score: 1
.
RE: Comment by XKCD
By Sidux on 2017-09-08 19:38:12
That's mostly for managers and those with decision power. The ones that usually suffer are the end users.
Most of them hardly understand the idea that their data is stored on someone else's computer or care enough about it.
Permalink - Score: 1
.
RE[2]: Comment by XKCD
By leech on 2017-09-08 22:23:05
The real problem with this one is that it's completely out of the hands of the 'normals'. Pretty sure not a single damn one of us really is happy with the credit reporting agencies having our information, it's just the way it works. How these places can be for profit though...
Permalink - Score: 2
.
RE[4]: Public social security numbers
By Doc Pain on 2017-09-09 03:33:38
> In France you can vote, have insurance, open bank accounts without giving a number that is your single unique identifier.
>
> There is a number on your ID card that nobody ever asks. Another number on your passport if you have one (only necessary if you travel out of Europe). You are not legally obliged to get any of these documents.

It's a little bit different in Germany: You are forced to "buy" an ID card ("Personalausweis", personal identification) for a relatively high price (compared to the actual costs of creating the ID card), and it has a built-in expiration date. If you do not have one, you'll be facing a quite heavy fine. After expiration, you may not keep the (invalidated) ID card. It also contains "online functionality" which doesn't actually work and is also insecure.

A passport ("Reisepaß", travel passport) is fully optional. It is more expensive than the ID card. In many cases, it can substitute the regular ID card, but often requires that you also have a registration card ("Meldebescheinigung", certificate of residence) because the passport doesn't contain your postal address. This additional document of course also costs some money.

However, revealing the identification numbers of those documents (which identify the document, not the person!) is typically not needed. Data protection and privacy laws provide strong regulations about what may be obtained and stored by private companies.

> Another number for social security.

Correct, and it usually won't be used for anything else.

In Germany, also add a tax identification number which will be a "life-long companion" to any person. Again, this number will only be relevant for matters of taxes.
Permalink - Score: 3
.
RE[2]: Comment by PJBonoVox
By daveak on 2017-09-09 10:54:09
removed as I didn't read the parent

Edited 2017-09-09 10:54 UTC
Permalink - Score: 2
.
RE[3]: Public social security numbers
By daveak on 2017-09-09 11:15:20
> IMHO the federal government is doing the correct thing by assigning everyone a unique number.

While the intention is to be unique, they are not.

https://www.nbcnews.com/technolog...

and a quick google will find many more articles.
Permalink - Score: 2
.
RE[4]: Public social security numbers
By Alfman on 2017-09-09 16:19:14
daveak,

> While the intention is to be unique, they are not.
>
> https://www.nbcnews.com/technolog......
>
> and a quick google will find many more articles.

The report is talking strictly about fraud. I'm not denying that's a problem, but it's not a problem that has to do with unique numbers in principle.

Consider someone at a hotel staying in room #214 who asks the restaurant to charge dinner to their room. This isn't uncommon in resorts. However if staff fails to take measures to prevent fraud, then liars could clearly cause a problem by merely claiming to be in room #214, which is someone else's. One might conclude that unique room numbers are the problem, but that's silly right? The real problem is not that rooms have unique numbers, but that the number by itself does not prove occupancy.

As I keep maintaining, abstract numbers are great for unique keys, but laughably insecure as proof and it is essential for claimants to provide proof of ownership, otherwise liars can exploit the system. Proof can be something tangible, such as a physical card or cryptographic device, which ideally is cheap for an authentic original but difficult/expensive to clone (i.e. holograms/PKI).

Even with very strong proof, there remains a risk that a legitimate key can be stolen from the real owner. So in the PKI world we have two different solutions for that, key expiration dates, and key revocation.

Edited 2017-09-09 16:26 UTC
Permalink - Score: 3
.
RE[5]: Public social security numbers
By daveak on 2017-09-09 16:27:13
Nope, not just about fraud. The research is http://www.idanalytics.com/blog/... and states mainly data entry errors that do genuinely result in multiple people being assigned the same number.

http://www.wptv.com/money/id-ana... mentions a non fraud example. Similar name, same birth date, ended up entered as the same number.

While conceptually SSN supposedly being a unique number suggests it is great for a unique key, in practice it isn't, whether that be fraud, or the most likely, as concluded by the research mentioned, simple human error.
Permalink - Score: 3
.
RE[6]: Public social security numbers
By Alfman on 2017-09-09 17:23:08
daveak,
> Nope, not just about fraud. The research is http://www.idanalytics.com/blog/...... and states mainly data entry errors that do genuinely result in multiple people being assigned the same number.

This comes from the same source cited in the previous article. Look, I'm not claiming using the wrong number isn't a problem...it obviously is a problem. However you are missing my point completely, the problem is not with having unique numbers but with the lack of proof.

I still think the hotel room is very illustrative. People can give the wrong room number either accidentally or intentionally resulting in fraudulent charges to one's room, but that could be rectified by supplementing the unique room number with actual proof, like scanning the room card.


> http://www.wptv.com/money/id-ana...... mentions a non fraud example. Similar name, same birth date, ended up entered as the same number.

> The government gave both babies the same Social Security number.
>
> There are honest mistakes where Social Security numbers get mixed up in data systems.
>
> The Social Security Administration said it was a mistake made in 1990 by the hospitals that created the Social Security record for two babies with similar first names, the same last name, and same date of birth.
>
> The acknowledgement by the Social Security Administration finally ends a 25-year mystery.

That's a great example actually of how everybody makes mistakes, even the social security administration. They deserve criticism when they do. Still 1) it's nowhere near the "One in 7" statistic caused by people submitting fraudulent/incorrect id numbers cited in your previous links. 2) it's fixable in that new numbers can be assigned to the duplicate entities that were mistakenly given the same number.


> While conceptually SSN supposedly being a unique number suggests it is great for a unique key, in practice it isn't, whether that be fraud, or the most likely, as concluded by the research mentioned, simple human error.

Any application that accepts an ID without requiring some kind of proof of ownership is fundamentally insecure. I feel like I'm reiterating the same point over and over again, but the problem isn't with the unique ids themselves, but with how they are being used.

Edited 2017-09-09 17:26 UTC
Permalink - Score: 3
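
The distinction argued in this thread, identifier as lookup key versus proof of ownership with expiration and revocation, shown as an added example that is not part of any poster's comment or of the original page. An HMAC over a one-time challenge stands in here for the card or PKI device mentioned above; `Registry`, `respond`, `demo`, `ROOM` and the integer clock are hypothetical names and constructed values.

```python
import hashlib
import hmac
import secrets

ROOM = "room-214"  # constructed sample identifier (the hotel room above)
class Registry:
    """Verifier: the identifier is a lookup key, never proof by itself."""
    def __init__(self):
        self.creds = {}       # identifier -> (secret, expires_at)
        self.revoked = set()  # identifiers whose credential was reported stolen
        self.pending = {}     # identifier -> outstanding one-time challenge

    def enroll(self, ident, expires_at):
        secret = secrets.token_bytes(32)  # lives on the holder's card/device
        self.creds[ident] = (secret, expires_at)
        return secret

    def challenge(self, ident):
        self.pending[ident] = secrets.token_bytes(16)
        return self.pending[ident]

    def verify(self, ident, response, now):
        nonce = self.pending.pop(ident, None)  # single use, so replays fail
        if nonce is None or ident not in self.creds:
            return "rejected: no challenge"
        if ident in self.revoked:
            return "rejected: revoked"
        secret, expires_at = self.creds[ident]
        if now >= expires_at:
            return "rejected: expired"
        ok = hmac.compare_digest(respond(secret, nonce), response)
        return "accepted" if ok else "rejected: bad proof"

def respond(secret, nonce):
    """Holder: prove possession of the secret without revealing it."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()

def demo():
    reg = Registry()
    secret = reg.enroll(ROOM, expires_at=1000)
    reg.challenge(ROOM)
    bare = reg.verify(ROOM, ROOM.encode(), now=10)    # knows only the number
    answer = respond(secret, reg.challenge(ROOM))
    good = reg.verify(ROOM, answer, now=10)           # holds the secret
    replay = reg.verify(ROOM, answer, now=10)         # captured answer reused
    late = reg.verify(ROOM, respond(secret, reg.challenge(ROOM)), now=2000)
    reg.revoked.add(ROOM)                             # reported stolen
    stolen = reg.verify(ROOM, respond(secret, reg.challenge(ROOM)), now=10)
    return [bare, good, replay, late, stolen]
```

Calling `demo()` returns one verdict per attempt, in the order: number only, valid holder, replayed answer, expired credential, revoked credential.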
.
RE[7]: Public social security numbers
By daveak on 2017-09-09 17:26:05
You are missing the point. SSN are supposed to be unique. They are not. End of story. There is no problem in having a unique number. They just need to actually bloody be unique.
Permalink - Score: 1
