
Ask Slashdot: What's a Practical Response To the Equifax Breach? 217

In response to the massive Equifax cybersecurity incident impacting approximately 143 million U.S. consumers -- making it possibly the worst leak of personal info ever -- Slashdot reader AdamStarks asks: What steps can the average Joe take to protect their identity? Accepting Equifax's help forfeits your right to sue; it's the same with applying for protection at TransUnion (not sure about Experian). Extra services at those companies also cost money, but that's putting even more of your data in their hands, and it's not clear whether the protection/help they provide is worth it (leaving aside not wanting to reward bad behavior).
  • Two Words.... (Score:4, Insightful)

    by Steve Jackson ( 4687763 ) on Friday September 08, 2017 @07:06PM (#55162059)
    CLASS ACTION!
    • Re:Two Words.... (Score:4, Insightful)

      by acvh ( 120205 ) <geek@msci[ ]s.com ['gar' in gap]> on Friday September 08, 2017 @07:22PM (#55162129) Homepage

      Why? So a handful of law firms can score big dollars while you and I get a check for $15 and 2 years of free credit monitoring? Class action suits rarely (never?) help the actual victims.

      • Re:Two Words.... (Score:5, Insightful)

        by Steve Jackson ( 4687763 ) on Friday September 08, 2017 @07:26PM (#55162163)
        No, but that several billion dollar judgement hit sure hurts The Credit Mongers! They HATE to lose money. Maybe a couple billion in THEIR losses, might make them a bit more cautious about not caring about OUR losses when they allow BS like this to happen.... Hmmm? Maybe? :-P
      • Re:Two Words.... (Score:4, Insightful)

        by Ritz_Just_Ritz ( 883997 ) on Friday September 08, 2017 @08:06PM (#55162333)

        Actually, if you agree to their free credit monitoring, you get it for a year...and then you're on the hook to pay for it if you don't cancel. One would almost think this was engineered to boost subscriptions to their credit monitoring service....nah....

        https://www.cnbc.com/2017/09/0... [cnbc.com]

        And it's not like you have the option to tell creditors to NOT share your data with these asshats.

        Pay cash for everything and leave these jackals twisting in the wind.

      • Class action suits rarely (never?) help the actual victims.

        Sure, and locking drunk drivers up rarely (never?) brings back people killed by drunk drivers.

        Stop thinking of class action lawsuits as something the individuals "win" to make things all better.

        Class action lawsuits ARE an effective tool in preventing otherwise omnipotent mega-corporations from trampling all over consumers, and they're one of the very few that don't depend on bribable politicians or idiotic voters.

        Don't think they're effective in instilling fear in corporations? Then explain to me [washingtonpost.com]

      • If it made Experian go out of business, and the other two invest heavily in security to prevent another event (or even if they don't and are subsequently put out of business), that's fine. I'd like to be made whole, but since that's not going to happen, let some lawyer take the cash.

        • Since the breach happened at Equifax, it would be utterly bizarre if a lawsuit made Experian go out of business.
        • by pthisis ( 27352 )

          If it made Experian go out of business, and the other two invest heavily in security to prevent another event

          I assume that's a thinko for Equifax (not experian)

          There are 4 other credit bureaus, not 2; Experian, Innovis, PRBC, Transunion. Though PRBC is weird.

    • Two other words (Score:5, Informative)

      by El Cubano ( 631386 ) on Friday September 08, 2017 @07:24PM (#55162153)

      CREDIT FREEZE

      What steps can the average Joe take to protect their identity? Accepting Equifax's help forfeits your right to sue; it's the same with applying for protection at TransUnion (not sure about Experian). Extra services at those companies also cost money, but that's putting even more of your data in their hands, and it's not clear whether the protection/help they provide is worth it (leaving aside not wanting to reward bad behavior).

      Here is a good guide on freezing your credit: http://clark.com/personal-fina... [clark.com]

      There is no reason for the vast majority of people to leave their credit open. Seriously, most people apply for new credit maybe once every few years, if that. Leaving your credit open is simply asking for trouble.

      As they say, an ounce of prevention is worth a pound of cure (or their SI equivalents if you don't like conventional weights and measures).

      • PROJECT MAYHEM

        Burn the company to the ground, tar-and-feather all the executives, secure-erase all their data. Nobody deserves the kind of power they have, and obviously can't control.

      • A credit freeze just freezes your credit reports, not the actual credit. Since all your info is leaked, this is probably pretty useless.

        • It will prevent thieves from opening new credit cards or taking new loans out. I don't know if it would stop someone from buying a new cell phone with your info and running up a large bill, or stop someone from getting a drivers license with your name.

          I froze my credit several years ago. I needed to unlock it twice this year. I don't see myself unlocking it again for 10 years or so. Yes, it costs a little money for the initial lock and then for every unlock, but $12/unlock is cheaper than a monthly fee for

      • by pthisis ( 27352 )

        Clark only has 3 of the 5 major credit bureaus listed at that link; PRBC is a little wonky, but if you're freezing your credit you'll want to freeze it with Equifax, Experian, Innovis, and TransUnion. http://krebsonsecurity.com/201... [krebsonsecurity.com] has all 4, or use Clark's links and add https://www.innovis.com/person... [innovis.com]

      • by Afty0r ( 263037 )
        As a non-USian who might move there soon, is my credit "open" by default? And with how many agencies?
    • Won't accomplish a thing.

      A simple command is better: killall -q

    • Two Words:

      Torches, pitchforks...

  • by Anonymous Coward

    Then I say they forfeit their right to live. Off with their heads!

  • Bend over (Score:3, Insightful)

    by Anonymous Coward on Friday September 08, 2017 @07:16PM (#55162101)

    The average person is not an Equifax top exec that was able to cash out before the news got out.

  • by Anonymous Coward

    Class-action will only transfer additional costs on to the consumers.

    I vote to shut it down, have the FTC or somebody step in, and force a direct payout to the consumers, bypassing all the fucking lawyers.

  • Per Brian Krebs... (Score:5, Informative)

    by jddj ( 1085169 ) on Friday September 08, 2017 @07:17PM (#55162111) Journal

    Don't waste your time or money on their monitoring "services", which don't do much. Instead, freeze your credit with each of the agencies.

    Krebs' "Dumpster Fire" post on the Equifax debacle is worth reading.

    https://krebsonsecurity.com/20... [krebsonsecurity.com]

    • Don't waste your time or money on their monitoring "services", which don't do much.

      Um, here's Brian Krebs's takeaway from the end of the article you linked:

      My advice: Sign up for credit monitoring if you can (and you’re not holding out for a puny class action windfall) and then freeze your credit files at the major credit bureaus (it is generally not possible to sign up for credit monitoring services after a freeze is in place).

      • by sconeu ( 64226 )

        I can't! I'm in the middle of a refi!

        Yes, he does, and I thought it was a little contradictory to the earlier passage where he says:

        "I have repeatedly urged readers to consider putting a security freeze on their accounts in lieu of or in addition to accepting these free credit monitoring offers, noting that credit monitoring services don't protect you against identity theft (the most you can hope for is they alert you when ID thieves do steal your identity), while security freezes can prevent thieves from taking out new lines of credi

    • Their site is even worse than Krebs points out. I followed a link in a CNN article to the Equifax site [equifaxsecurity2017.com]. If I enter certain personal info, it purports to tell me if I'm affected by the hack and says it will give me the option to sign up for TrustedID Premier.

      I put in my last name, a few digits of my SSN, and passed the captcha. It took me directly to a page thanking me for signing up for TrustedID Premier. It never told me if I was affected. Since others are getting the site to (sorta) work, I'm not
      • To have a legally-enforceable 'click-wrap' contract, they have to have given you a 'meaningful opportunity to review the terms' (this per the ABA Cyberlaw working group a few years ago). That may be as little as a link to the terms and conditions page.

        You should (per recent news stories) have 30 days to opt out of arbitration in writing, so get on that.

  • by sandbagger ( 654585 ) on Friday September 08, 2017 @07:18PM (#55162113)

    The security freeze prevents anyone, even you, from opening a credit account or getting a loan in your name, including yourself, until you lift the freeze.

    You never know about an identity theft until after the fact and weird bills start coming in. Basically you agree to a PIN number. No new loans can take place in your name unless the applicant knows the number.

    It's close to free but there may be a few $10 fees depending on where you do it: https://www.transunion.com/cre... [transunion.com]

    The credit reputation agencies don't offer it by default because their business model is to sell you fraud alert monitoring services. Logically, if there's a freeze, there's nothing for them to monitor. This is the cheapest and best solution.

    Second, stop giving Equifax your money.
    Third, class action suit.

    PS: Krebs on Security has a great piece that's now a few years old but shows why credit freezes are good and the other crap sold by Equifax and their peers are more or less useless in comparison: Transition and Experian promote have little value: https://krebsonsecurity.com/20... [krebsonsecurity.com]

    • by Anonymous Coward on Friday September 08, 2017 @07:57PM (#55162291)

      And how exactly does a freeze help, if the next credit bureau hack obtains all those freeze PINs?

      There's nothing you can realistically do to protect yourself against these attacks. The entire business model of storing a bunch of sensitive information about literally everyone in a single place is fundamentally fucked from the beginning. Especially when they have very little incentive to safeguard data about us peasants.

      • And how exactly does a freeze help, if the next credit bureau hack obtains all those freeze PINs?

        SSN's you can use in bulk. But even knowing a freeze PIN you still have to pay real money - either to unlock it temporarily, or for good. That makes it less likely attackers would make use of it.

        • still have to pay real money

          If that's the case thieves would never buy stolen ID information. And yet they do.

          • Yes but if you've ever undone a credit freeze it takes some effort in addition to the money... and there are so many accounts leaked why would you bother to unfreeze an account even for $20 when you could simply move on to the next one which likely is not frozen??? Defense in depth means that any one point of defense being weak does not matter in the big picture because the layers make it more secure overall and thieves (being lazy) will not bother.

      • by nnet ( 20306 )

        And how exactly does a freeze help, if the next credit bureau hack obtains all those freeze PINs?

        Four different bureaus, four different PINs. What said a single bureau has the PINs of other bureaus? For that matter, what said THIS breach has any PIN info?

        • by Pyramid ( 57001 )

          FIVE Credit Bureaus!

          Equifax
          Trans Union
          Experian
          Innovis
          PRBC ---I'm currently fighting with these chuckleheads. They have no online freeze method or even instructions. The "form" they emailed me was for a dispute. When I questioned how I'm supposed to use this to freeze my information with them, per state law, I was directed to *snail mail* or call them for instructions.

      • And how exactly does a freeze help, if the next credit bureau hack obtains all those freeze PINs?

        You don't seem to realize what you're asking, since you're basically questioning the value of setting up passwords (PINs) for accounts that currently don't have them, and you're suggesting that there's no point in bothering with passwords in the first place since subsequent attacks may suck them up.

        Never mind that freezing your accounts (i.e. locking it behind a password):
        1) Makes the currently leaked data useless to bad actors until and unless they succeed in capturing your PIN via a hypothetical second ha

    • The fraudster just calls up and says they forgot the PIN. The credit agency then asks him/her information which only you should know to confirm identity, then lifts the freeze or resets the PIN. Still, it is (or was) the best way to protect your credit. Unfortunately, the information they use to confirm your identity is probably what's been stolen in this hack. So whoever stole it can lift any freeze you put on your credit.
  • What not to do... (Score:5, Insightful)

    by BenJeremy ( 181303 ) on Friday September 08, 2017 @07:19PM (#55162121)

    ...don't respond to the breach by forcing users to go to a phishy-sounding "equifaxsecurity2017.com" web site (I've actually had phishing e-mails directing me to go to "paypal2017.com" and such). Worse, don't direct them to a THIRD site that doesn't even have a valid certificate, causing Chrome, Firefox and other browsers to scream "Dangerous and Deceptive Site!!!!" with a big red warning screen.

    Lastly, don't force them to join your crappy credit monitoring site in order to find out if they are part of the breach... and thereby forcing them to renounce their ability to sue you.

    The clueless executives need to be fired, and probably anybody on their IT staff with "security" in their title or job requirements.

    • It appears that Equifax's primary response to the breach wasn't centered around the consumers whose information they gave up - it was an attempt to cover their butts and try to somehow distance themselves from the damage, if possible. Note that their initial statement didn't apologize for losing people's data to thieves... it apologized for the "anxiety" people might be feeling.

      So from their viewpoint, it would make sense for them to shuffle all of this over to a completely different domain, keeping it off

  • by Osgeld ( 1900440 ) on Friday September 08, 2017 @07:22PM (#55162135)

    Seriously, besides the waiving the right to participate in a class action lawsuit, which might net you a fucking nickel in a decade, you are fucked, and what's the response, sign up for security?

    cause security obviously works

    how bout you actually watch and keep up with your shit, like you should be doing anyway ... I dunno about you, but I am not so filthy rich that I don't keep track of what I buy, and check on the card (yes card not cards) at least once a week to make sure everything is as it should be

    • What if they don't charge it against your checking account or CC number? What if they only use your name and SSN, tying it to your credit score, and leaving it between you, the big three, and the debt collector to sort out who is on the hook for the debt.
    • by nnet ( 20306 )
      it's good you check on the card you know about.
    • by Swave An deBwoner ( 907414 ) on Friday September 08, 2017 @08:23PM (#55162401)
      When I experienced identity theft it wasn't through bogus charges on my credit card (which my bank normally picks up on right away) but through about a dozen newly-opened store-specific credit card purchases and utility bills in places between 1,000 and 4,000 miles away from where I live.

      That's not something I could have easily monitored by just checking my bank's website.

      In my case the perpetrator was caught by police in another state within a day or two of my first learning about the first bogus account. Not everybody is so lucky.
  • Political change (Score:5, Insightful)

    by manu0601 ( 2221348 ) on Friday September 08, 2017 @07:23PM (#55162139)

    That sad story could be used to ask for political change.

    There are countries where knowing someone's SSN is not enough to get a credit on his behalf, why could US residents not enjoy similar protection by law?

  • by Anonymous Coward

    Time to end the three credit reporting cartels and while we are at it end fico.

  • by netsavior ( 627338 ) on Friday September 08, 2017 @07:26PM (#55162165)
    basically everyone with a bank account or water bill is affected. This is an industry altering breach. There is no reason to believe you have any ability to do anything about it.

    I am not being defeatist, this will cause necessary change in the entire industry.
    • by Anonymous Coward

      No. It probably won't cause any change whatsoever.

    • I am not being defeatist, this will cause necessary change in the entire industry.

      Right. Just like how in 2008 the narrow miss of a global economic meltdown has caused necessary change in the entire industry...

    • Everyone was affected by the 2008 Mortgage Fraud recession, but it was not industry altering, other than minor legislation that has been chipped away to nothing. Banks are too big to fail. Look at the continuing fraud from Wells Fargo, Citi, and B of A. Organized criminal organizations.

      Equifax may not have that kind of clout. We'll see.

  • Heavy fines from the FCC for such breaches no matter the cause, and/or impose standard operating procedures based on best practices.

    • Won't happen. The FCC is too hell bent on killing net neutrality so the communications oligarchy can enrich themselves further.
      To even suggest this FCC has any concerns for consumer protections is laughable. The only way to fix this is campaign finance reform. Get real in the oval office and as our elected "representatives" who care about voters and citizens over the current Plutocracy.
  • by Anonymous Coward

    A good response would be for laws that make companies that collect data financially responsible for misuse of that data. Either internal misuse or misuse through the information being leaked or stolen.
    Then the companies would have a decision to make: either collect the data and take effort to secure it, or don't collect the data.

  • There's absolutely no excuse that credit freezing / thawing should cost anything. Some states allow for fees while others don't.

    Interesting how some things are under federal law and yet often those that can hurt consumers aren't. For example, many credit card issuers get around state usury laws by incorporating in South Dakota and doing business across state lines. For example, in Pennsylvania, a person can't charge more than 18% annual interest (may be lower). Yet, a credit card company that operates from

    • If one wants more immediate compensation, they could max out their credit cards, not pay, and then work out a settlement for 25% - 50% or so off. One's credit scores will tank for awhile, but is a little way to get back at the system.

      That only works if you have no assets for them to seize or put a lien on, and if the stuff you bought with the credit cards is un-repo-able. No material goods, only consumables and services.

      I mean, if you've got nothing to lose, why not? Most people have just enough to lose that they're afraid of losing it. That's exactly where the powers that be want us. Teetering on the edge forever. If they push too far, we revolt. If they don't push far enough, then there's MONEY that they don't have, and that's ju

  • The government should issue everyone a new Social Security Number. And when they do so, they should add a digit so that we don't run out anytime soon (or start using a mix of letters and numbers). This is a great time to think about what a good replacement would be. For example, there could be a short form of the number that is sufficient for tax reporting, with four random additional digits that are used when applying for credit. If there is ever evidence of fraud, you would receive a new random four d

    • The SSN is not meant to be used as an identifier for things like credit. It is being misused.
      • Your Social Security card says right on it that it's not legal to use it for ANY purpose than social security.

      • Worse than that, it's also used as a secret password.

    • Yeah... with the number of social security numbers that were exposed, a complete social security number reset for everyone in the US is the only practical option.

      The fine for this breach also needs to be in the 10 billion range for it to actually make a difference. Basically, you need to make securing your systems LESS expensive than the fine for not doing so before CEO's will start taking security seriously.

      • by crow ( 16139 )

        Well, Equifax's market cap before this was about $20B, so that's the number I would look at.

    • by AHuxley ( 892839 )
      That would fix so many issues. All the old numbers that still get used would be found.
      All the created numbers that get used stop working.
      All eligible US citizens would get a new number by showing some real citizenship ID. Any old numbers or fake numbers still being used would be detected and investigated.
  • Nuke them from orbit. It's the only way to be sure.
  • by williamyf ( 227051 ) on Friday September 08, 2017 @07:58PM (#55162303)

    The SSN, passport number, or, for all practical intents and purposes any government issued number is NOT a secret. There are ways to get those numbers, be it through breaches like this one, or other means.

    The SSN is not a Secret. It is just a number issued by the government to identify you more easily to the Social Security.

    Again, the SSN is not a secret. Nurses, Doctors, Clerks see the number as a matter of routine...
    Your passport number is not a secret. Clerks, security guards and border patrol agents, both in your country and abroad see it on a regular basis.
    Driver license numbers are not a secret.....
    ID Numbers (for countries which issue ID Cards) are not a secret....
    You get the drift....

    Maybe, just maybe, the Governments and companies will stop treating these numbers (be it the SSN in the USoA, the Cedula or DNI, or what have you) as a "Secret", and recognize that these are just ID numbers, not secrets, and we move towards a real secret when needed, in the form of, perhaps PIN+SmartCard, or some other mechanism.

    I know, it is a loooooong shot, but dreaming is free....

    • My military serial number is my SSN. (It shouldn't be, and didn't USED to be, and it's illegal, but it's the government and who's going to prosecute them?) For years, in order to write a check at the Base Exchange, we were REQUIRED to have our serial numbers - our SSNs - printed or written on the check.

      For all those companies that want to use the last 4 of your SSN as a security code - you can demand that they assign you a different number.

  • Let me delete my data... can't keep it safe, you can't keep it at all.

    Once they lose 30% of their data they might start being a little more careful about their cash stream. I lied, I will let them keep one bit of data:
    USER DELETED DATA DUE TO 9/7/whatever breach and make it non-derogatory in the FICO scores.
  • The best defense to the Equifax breach, as it is to all the other data breaches, is to:

    1. NEVER EVER click on a link in an email. Type in the web address yourself.
    2. Check your credit card statements religiously.
    3. Keep your antivirus and anti-malware software up to date.

    Really, aside from the fact that it's Equifax being penetrated, what's the big deal? I get free credit monitoring because my wireless provider T-Mobile was hacked. I get free credit monitoring from somebody else because the U.S. Office

  • In my dream world I would have Congress make a law to have the credit reporting agencies, financial institutions, or any business holding certain types of information by default to place a freeze on exporting/sharing that information.

    Something like this:
    For example, if a company collects social security numbers or driver's licenses numbers, then that company must by law place a freeze by default on all accounts and ANY information in that file can only be revealed by the owner of the SSN giving specific per

  • Accepting Equifax's help forfeits your right to sue;

    Nope [snopes.com]. New York's attorney general demanded they clarify the wording [twitter.com] on this.

  • When the class action suit is settled you may have to prove you used them, not them hunting you down.

    I have the results from Equifax I got from annualcreditreport.com as PDF's.

  • " Your loan application has been approved"

  • Almost everyone says "freeze your credit". As though new credit lines are the only problem. Yes, it is atrocious fraudsters can use simple public info to steal identities. But this breach is worse.

    Fraudsters can assemble so much of data, call the bank, ask for password reset and hijack an existing account. Before you can call back and fix the issue the money would be gone.

  • The magic formula is L = 1,260 / W.

  • >> Accepting Equifax's help forfeits your right to sue

    I can't believe that this is true. It may say that in the agreement but I seriously doubt that it's actually legal.

  • This question is key to resolving this and other issues with personal data hoarders.

    If personal data is owned by the person, then maybe it is copyrightable.

    If you own the copyright on your personal data, then you could conceivably issue a DMCA "Takedown Notice" to all the credit reporting agencies.

    This would wipe your credit file (Which has distinct disadvantages as you would no longer have a credit record). If you avoid financing things, then maybe this would work out just fine.

  • If Equifax was holding toxic waste, and they failed to keep it secure and some of it leaked into the environment, what would our response be?

    If they can't responsibly hold information secure, then take that information away from them.
    Force them to delete all data which was "breached" so they can't lose it again.
    If they're unsure what data was lost, then allow anyone to have "their" data deleted.

    Monitor the company to ensure compliance.

  • "Identity theft" is a complete sham. When some third party convinces someone to loan them money in your name, they have committed fraud and whoever handed them bags of cash without making sure they knew who they were dealing with is an idiot who cannot be trusted.

    Any attempt to collect the money from you is a second fraud since there exists no evidence you took the loan (because you didn't). If any credit agency accepts a negative statement about your credit worthiness from such an untrustworthy idiot a
