Ask Slashdot: What's a Practical Response To the Equifax Breach?
Date: 2017-09-08
In response to the massive Equifax cybersecurity incident impacting approximately 143 million U.S. consumers -- making it possibly the worst leak of personal info ever -- Slashdot reader AdamStarks asks: What steps can the average Joe take to protect their identity? Accepting Equifax's help forfeits your right to sue; it's the same with applying for protection at TransUnion (not sure about Experian). Extra services at those companies also cost money, but that's putting even more of your data in their hands, and it's not clear whether the protection/help they provide is worth it (leaving aside not wanting to reward bad behavior).
Why? So a handful of law firms can score big dollars while you and I get a check for $15 and 2 years of free credit monitoring? Class action suits rarely (never?) help the actual victims.
Actually, if you agree to their free credit monitoring, you get it for a year...and then you're on the hook to pay for it if you don't cancel. One would almost think this was engineered to boost subscriptions to their credit monitoring service....nah....
https://www.cnbc.com/2017/09/0... [cnbc.com]
And it's not like you have the option to tell creditors to NOT share your data with these asshats.
Pay cash for everything and leave these jackals twisting in the wind.
Two other words (Score:5, Informative)
CREDIT FREEZE
Here is a good guide on freezing your credit: http://clark.com/personal-fina... [clark.com]
There is no reason for the vast majority of people to leave their credit open. Seriously, most people apply for new credit maybe once every few years, if that. Leaving your credit open is simply asking for trouble.
As they say, an ounce of prevention is worth a pound of cure (or their SI equivalents if you don't like conventional weights and measures).
The problem with freezing your credit is that you have to pay for the privilege of not being spied on and exploited. And you have to pay this fee to each reporting agency. Then you have to pay again if you need to unfreeze it. For example to change insurance companies or buy something expensive. Since Obama Care, insurance changes are a yearly thing now. Then you pay again to freeze it afterwards. Pay, pay, pay!
Uhhh... I just finished freezing all 3 credit agencies and it cost me $6 and about 10 minutes of time. As far as Security Bang For Buck goes, I don't know if it gets any better than that. They give you a pin number so, in a few years, if I need to unfreeze, it should take about 10 minutes and, if it again costs me $6, I'm definitely OK with that.
I agree that it should have been free but, a stable adult rarely needs to do anything related to credit checks. Even beyond that, I am 100% willing to give up convenience for palpable online security. I've never had my identity stolen, never had a virus on my computer, never had a website password breach compromise another account, etc. And the reason for that is that I'm cautious and willing to inconvenience myself to avoid a threat. As soon as I read about credit freezes (on this website!) I decided t
Quit job, close accounts, change name, leave country.
The chance to fight this has long passed. You all asked for this. You all begged for it. Now, you've got it.
Forfeit your right to sue? (Score:1)
The average person is not an Equifax top exec that was able to cash out before the news got out.
Shut it down and fine the executives! (Score:1)
Class-action will only transfer additional costs on to the consumers.
I vote to shut it down, have the FTC or somebody step in, and force a direct payout to the consumers, bypassing all the fucking lawyers.
Per Brian Krebs... (Score:5, Informative)
Don't waste your time or money on their monitoring "services", which don't do much. Instead, freeze your credit with each of the agencies.
Krebs' "Dumpster Fire" post on the Equifax debacle is worth reading.
https://krebsonsecurity.com/20... [krebsonsecurity.com]
Don't waste your time or money on their monitoring "services", which don't do much.
Um, here's Brian Krebs's takeaway from the end of the article you linked:
My advice: Sign up for credit monitoring if you can (and you’re not holding out for a puny class action windfall) and then freeze your credit files at the major credit bureaus (it is generally not possible to sign up for credit monitoring services after a freeze is in place).
I can't! I'm in the middle of a refi!
First thing: request a credit freeze (Score:5, Informative)
The security freeze prevents anyone, even you, from opening a credit account or getting a loan in your name, including yourself, until you lift the freeze.
You never know about an identity theft until after the fact and weird bills start coming in. Basically you agree to a PIN number. No new loans can take place in your name unless the applicant knows the number.
It's close to free but there may be a few $10 fees depending on where you do it: https://www.transunion.com/cre... [transunion.com]
The credit reputation agencies don't offer it by default because their business model is to sell you fraud alert monitoring services. Logically, if there's a freeze, there's nothing for them to monitor. This is the cheapest and best solution.
Second, stop giving Equifax your money.
Third, class action suit.
PS: Krebs on Security has a great piece that's now a few years old but shows why credit freezes are good and the other crap sold by Equifax and their peers are more or less useless in comparison: Transition and Experien promote have little value: https://krebsonsecurity.com/20... [krebsonsecurity.com]
And how exactly does a freeze help, if the next credit bureau hack obtains all those freeze PINs?
There's nothing you can realistically do to protect yourself against these attacks. The entire business model of storing a bunch of sensitive information about literally everyone in a single place is fundamentally fucked from the beginning. Especially when they have very little incentive to safeguard data about us peasants.
Because money is involved to unlock (Score:2)
And how exactly does a freeze help, if the next credit bureau hack obtains all those freeze PINs?
SSN's you can use in bulk. But even knowing a freeze PIN you still have to pay real money - either to unlock it temporarily, or for good. That makes it less likely attackers would make use of it.
And how exactly does a freeze help, if the next credit bureau hack obtains all those freeze PINs?
Four different bureaus, four different PINs. What said a single bureau has the PINs of other bureaus? For that matter, what said THIS breach has any PIN info?
What not to do... (Score:4)
...don't respond to the breach by forcing users to go to a phishy-sounding "equifaxsecurity2017.com" web site (I've actually had phishing e-mails directing me to go to "paypal2017.com" and such). Worse, don't direct them to a THIRD site that doesn't even have a valid certificate, causing Chrome, Firefox and other browsers to scream "Dangerous and Deceptive Site!!!!" with a big red warning screen.
Lastly, don't force them to join your crappy credit monitoring site in order to find out if they are part of the breach... and thereby forcing them to renounce their ability to sue you.
The clueless executives need to be fired, and probably anybody on their IT staff with "security" in their title or job requirements.
Right, because Bitcoin is SUCH a safe alternative. How many Bitcoin exchanges have been shut down at this point because of embezzlement or money laundering schemes? I've lost count. At least your bank account is FDIC insured in the US... with Bitcoin you're basically screwed because it's largely unregulated.
Oh, and there is nothing wrong with the blockchain technology itself. It's a great idea, but many of the developers building on it seemed to have built some pretty half assed and insecure solutions so far.
panic, you are fucked (Score:2)
Seriously, besides waiving the right to participate in a class action lawsuit, which might net you a fucking nickel in a decade, you are fucked, and what's the response, sign up for security?
cause security obviously works
how bout you actually watch and keep up with your shit, like you should be doing anyway
... I dunno about you, but I am not so filthy rich that I don't keep track of what I buy, and check on the card (yes card not cards) at least once a week to make sure everything is as it should be
That's not something I could have easily monitored by just checking my bank's website.
In my case the perpetrator was caught by police in another state within a day or two of my first learning about the first bogus acc
Political change (Score:4, Insightful)
That sad story could be used to ask for political change.
There are countries where knowing someone's SSN is not enough to get credit on his behalf; why could US residents not enjoy similar protection by law?
nice idea. you go ahead and try to get a data broker to actually delete stuff and not maintain a record on you. good luck with that.
Change your name to a base64 representation of some child porn, then send the feds after them?
LOL, on what grounds? The DMCA?
Torches and pitchforks. (Score:1)
Time to end the three credit reporting cartels and while we are at it end fico.
Basically everyone is affected (Score:4, Insightful)
I am not being defeatist, this will cause necessary change in the entire industry.
No. It probably won't cause any change whatsoever.
I am not being defeatist, this will cause necessary change in the entire industry.
Right. Just like how in 2008 the narrow miss of a global economic meltdown has caused necessary change in the entire industry...
You mean this LifeLock [google.ca]?
I'm not a security guard. I'm a security monitor. I let people know when there's a robbery.
There's a robbery.
Heavy fines from FCC and/or mandatory SoP (Score:2)
Heavy fines from the FCC for such breaches no matter the cause, and/or impose standard operating procedures based on best practices.
laws, strong laws for liability (Score:1)
A good response would be for laws that make companies that collect data financially responsible for misuse of that data. Either internal misuse or misuse through the information being leaked or stolen.
Then the companies would have a decision to make either collect the data and take effort to secure it, or don't collect the data.
U.S. Government is Corrupt Like Most Others (Score:1)
There's absolutely no excuse that credit freezing / thawing should cost anything. Some states allow for fees while others don't.
Interesting how some things are under federal law and yet often those that can hurt consumers aren't. For example, many credit card issuers get around state usury laws by incorporating in South Dakota and doing business across state lines. For example, in Pennsylvania, a person can't charge more than 18% annual interest (may be lower). Yet, a credit card company that operates from
If one wants more immediate compensation, they could max out their credit cards, not pay, and then work out a settlement for 25% - 50% or so off. One's credit scores will tank for awhile, but is a little way to get back at the system.
That only works if you have no assets for them to seize or put a lien on, and if the stuff you bought with the credit cards is un-repo-able. No material goods, only consumables and services.
I mean, if you've got nothing to lose, why not? Most people have just enough to lose that they're afraid of losing it. That's exactly where the powers that be want us. Teetering on the edge forever. If they push too far, we revolt. If they don't push far enough, then there's MONEY that they don't have, and that's ju
Issue New SSNs (Score:1)
The government should issue everyone a new Social Security Number. And when they do so, they should add a digit so that we don't run out anytime soon (or start using a mix of letters and numbers). This is a great time to think about what a good replacement would be. For example, there could be a short form of the number that is sufficient for tax reporting, with four random additional digits that are used when applying for credit. If there is ever evidence of fraud, you would receive a new random four d
Your Social Security card says right on it that it's not legal to use it for ANY purpose than social security.
Right, let's get rid of social security (or let me opt out of paying AND receiving), as well!
Yeah... with the number of social security numbers that were exposed, a complete social security number reset for everyone in the US is the only practical option.
The fine for this breach also needs to be in the 10 billion range for it to actually make a difference. Basically, you need to make securing your systems LESS expensive than the fine for not doing so before CEO's will start taking security seriously.
You don't freeze your cards, you freeze your credit at the 3 major shitholes - Trannyunion, Equifux, and Suxperian.
Ripley (Score:2)
Corps and Govt stop treating the SSN as a Secret (Score:3)
The SSN, passport number, or, for all practical intents and purposes any government issued number is NOT a secret. There are ways to get those numbers, be it through breaches like this one, or other means.
The SSN is not a Secret. It is just a number issued by the government to identify you more easily to the Social Security.
Again, the SSN is not a secret. Nurses, Doctors, Clerks see the number as a matter of routine...
Your passport number is not a secret. Clerks, security guards and border patrol agents, both in your country and abroad see it on a regular basis.
Driver license numbers are not a secret.....
ID Numbers (for countries which issue ID Cards) are not a secret....
You get the drift....
Maybe, just maybe, the Governments and companies will stop treating these numbers (be it the SSN in the USoA, the Cedula or DNI, or what have you) as a "Secret", and recognize that these are just ID numbers, not secrets, and we move towards a real secret when needed, in the form of, perhaps PIN+SmartCard, or some other mechanism.
I know, it's a loooooong shot, but dreaming is free....
My military serial number is my SSN. (It shouldn't be, and didn't USED to be, and it's illegal, but it's the government and who's going to prosecute them?) For years, in order to write a check at the Base Exchange, we were REQUIRED to have our serial numbers - our SSNs - printed or written on the check.
For all those companies that want to use the last 4 of your SSN as a security code - you can demand that they assign you a different number.
This is actually hilarious. Someone please try this and let us know the results.
1) Freeze all three agencies
Or just freeze Equifax. If enough people do this, banks and lenders will have to take their business elsewhere.
delete.. (Score:2)
Once they lose 30% of their data they might start being a little more careful about their cash stream. I lied, I will let them keep one bit of data:
USER DELETED DATA DUE TO 9/7/whatever breach and make it non-derogatory in the FICO scores.
Best Defense.... (Score:2)
The best defense to the Equifax breach, as it is to all the other data breaches, is to:
1. NEVER EVER click on a link in an email. Type in the web address yourself.
2. Check your credit card statements religiously.
3. Keep your antivirus and anti-malware software up to date.
Really, aside from the fact that it's Equifax being penetrated, what's the big deal? I get free credit monitoring because my wireless provider T-Mobile was hacked. I get free credit monitoring from somebody else because the U.S. Office
Mob violence (Score:2)
And public lynching.
Make a law (Score:2)
In my dream world I would have Congress make a law to have the credit reporting agencies, financial institutions, or any business holding certain types of information by default to place a freeze on exporting/sharing that information.
Something like this:
