Discussion Topic
This thread has been locked
Messages 1 - 52 of total 52 in this topic
zBrown
Ice climber
Topic Author's Original Post - Sep 7, 2017 - 05:49pm PT
When did Equifax find out about the hack?
Equifax learned about the hack on July 29, according to an FAQ. September 7, however, was the first day the company publicly announced the hack.
How can I find out if I was affected?
Equifax has set up its own program to help people find out if they were one of the millions affected in the hack. The program isn't exactly straightforward, however -- it requires a multi-step process that takes place over the course of at least one week.
Here's an overview of the process: ...
https://www.cnet.com/how-to/equifax-hack-find-out-if-you-were-one-of-143-million-hacked/
Sure, why not?
zBrown
Ice climber
Topic Author's Reply - Sep 7, 2017 - 06:08pm PT
Bill of Rights - RIGHT ON!
They want to "fix" the problem by offering a "free" subscription to their system? For one year.
This doesn't even come close to addressing the issues.
I am not optimistic, but these companies and many others need to be accountable for the economic damages (and some whopping big punitive damages on top) they cause.
zBrown
Ice climber
Topic Author's Reply - Sep 7, 2017 - 07:21pm PT
The credit reporting agency Equifax said Thursday that hackers gained access to sensitive personal data — Social Security numbers, birth dates and home addresses — for up to 143 million Americans, a major cybersecurity breach at a firm that serves as one of the three major clearinghouses for Americans’ credit histories.
Equifax said the breach began in May and continued until it was discovered in late July. It said hackers exploited a “website application vulnerability” and obtained personal data about British and Canadian consumers as well as Americans. Social Security numbers and birth dates are particularly sensitive data, giving those who possess them the ingredients for identity fraud and other crimes.
143 million Americans
Went on from May till July
"Announced" to public September (7 ?)
Who developed the website application exhibiting this vulnerability?
Dapper Dan
Trad climber
Redwood City
143 million people affected. I wonder if having a stronger credit score increases your chances of having your information used?
dirtbag
climber
According to equifux, i might have been affected.
I signed up for the one year free protection--whoopee.
We're all gonna get boned.
Moof
Big Wall climber
Orygun
Sounds like signing up for their "free" credit monitoring requires agreeing not to sue them. Seems sleazy.
zBrown
Ice climber
Topic Author's Reply - Sep 7, 2017 - 09:37pm PT
Good catch Moof
SA - lockemup
dirtbag
climber
Well--really--what can ya do?
A 143,000,000 strong class action means that (after a potential bankruptcy), equifax will shell out $.12 to each class member.
Better off shoring up your info defenses and blunting any potential damages from this mess.
couchmaster
climber
There will be plenty of litigation to go around. Add securities fraud as well since it's reported that 3 of the executives sold stock after learning of the fraud but before they had announced it to the public. I was affected, but am unable to sign up for their "free" one year monitoring.
"Free" gets quotations as Moof noted upthread: you have to waive your right to sue them to obtain their "free" offer. https://www.equifaxsecurity2017.com/
They give you a date, when that date comes you need to go back and then sign up. Interesting as my date which I requested this am is 5 days away. Sooooo, until that time......
Free credit report here: https://www.annualcreditreport.com/index.action but they must be inundated as it's not working currently.
paganmonkeyboy
climber
mars...it's near nevada...
Can we buy some Congressional Credentials? Maybe something in an AG?
Jan
Mountain climber
Colorado & Nepal
Better to change your passwords and security questions than bother with trying to see if you were hacked.
Meanwhile, 14 million military, civil service and government contractors were hacked a couple years ago by the Chinese who got all of our security clearance info including our fingerprints. If security clearances aren't secure, then nothing is.
And here's the final burn, the government gave all of us two years of free credit monitoring from of course - Equifax.
ec
climber
ca
fear
Ice climber
hartford, ct
...I am not optimistic, but these companies and many others need to be accountable for the economic damages (and some whopping big punitive damages on top) they cause....
Maybe it's too much covefe... but I'm laughing really hard at that one...
Laws are for little people not in the club. And if you make any progress fighting that, the club kills you.
Rock!...oopsie.
Trad climber
the pitch above you
Equifax updates user agreement at prodding of New York Attorney General
Well gee, thanks Equif*#ks... that's mighty generous of you. Here's hoping your whole board of directors has the privilege of living out their days in cardboard boxes on the streets.
Ed Hartouni
Trad climber
Livermore, CA
Sep 10, 2017 - 10:09am PT
interesting thread which begs the question about the existence of credit agencies, which have been around since credit started to become commercially important for doing business.
A transaction is certainly an act between at least two parties, and tracking the outcome of those transactions is what the credit agencies have done... the information regarding the transaction's outcome is "owned" by all the parties to the transaction.
The agency can collect that information from any of them.
With the expansion of the credit market to consumers, think credit cards, mortgages, car loans, etc, the credit agencies have expanded their data collection to include individuals, you and me, and sell the information regarding the outcomes of our transactions, and with sufficient information to identify us uniquely, so that they can be sure to provide the "correct" information to other parties interested in engaging us in transactions.
Now most of us do not provide the information of our transactions to the credit agencies, but the "other party" in the transaction does, the banks, etc...
...and we allow this because it makes the ability to obtain "easy" credit.
We are complicit in this aggregation of information because we find it convenient to have access to easy credit. But also because we hadn't noticed it happening, the expansion of credit, and the evolution of the credit providing industry, has changed, expanding greatly in just a few decades. Most likely we have all agreed to this information sharing in the contracts we enter into, though most of us aren't aware that we have explicitly consented to it.
Couple that with the possibility of producing large revenues in the credit business, and thus the industry's resistance to governmental oversight, and the ability of other actors to use that information for illicit economic gain, and we get to where we are now.
Jon Beck
Trad climber
Oceanside
Sep 10, 2017 - 10:32am PT
That waiver of the right to file a class action was not enforceable. Duress anyone?
zBrown
Ice climber
Topic Author's Reply - Sep 10, 2017 - 01:26pm PT
There is a very lopsided relationship between the financial "businesses" and individuals.
This is brought to you courtesy of our elected officials who for the (very) most part are bought and paid for by the "businesses".
Like the tax code problems, this situation will likely never be rectified.
Ed Hartouni
Trad climber
Livermore, CA
Sep 10, 2017 - 01:55pm PT
not sure it will "never" be rectified...
For instance, say that 143 million tax returns are submitted with the data taken from the hack, that would essentially bring down the government, unable to raise revenue, or at least having been dealt a severe blow to one of the important functions of government.
Faced with that sort of attack, the government has an interest in strengthening the security of the data the credit agencies have aggregated.
Rock!...oopsie.
Trad climber
the pitch above you
Sep 10, 2017 - 02:21pm PT
Faced with that sort of attack, the government has an interest in strengthening the security of the data the credit agencies have aggregated.
The best time to address an issue is after it has already created crippling problems ;-)
Studly
Trad climber
WA
Sep 10, 2017 - 03:12pm PT
Who is to say that this is an attack? It seems to me more likely that it was an inside job. Just follow the money trail and see where it leads.
zBrown
Ice climber
Topic Author's Reply - Sep 10, 2017 - 07:08pm PT
Yes indeed, Doc H., the government will address the data security issue since the companies will not.
I predict it will not be nearly sufficient, but it will help.
Just like software companies are continually releasing more patches rather than addressing the fundamental underlying flaws in their software, a similar process will occur.
The lopsidedness will persist IMO unfortunately.
zBrown
Ice climber
Topic Author's Reply - Sep 11, 2017 - 10:49am PT
LITTLE BROTHER IS WATCHING YOU EQUIFAX
WASHINGTON ― The credit monitoring company that compromised the personal information of nearly half the U.S. population said Monday it won’t ask people for credit card info if they sign up for its “free” service.
Last week, Equifax Inc. announced that it had been hacked by criminals who obtained personal details about 143 million Americans, including names, addresses and Social Security numbers. To make up for its massive cybersecurity failure, the firm said it would give victims a free one-year subscription to its credit monitoring service.
There was a catch: the supposedly free service required credit card information up front and would begin charging the card after the free trial ended unless users proactively canceled, according to terms of use for the product dated Sept. 6.
Equifax quietly deleted the information about fees from its website over the weekend, and on Monday, the firm announced it wouldn’t ask for credit cards when people sign up for the service, which is called TrustedID Premier.
Amanda Werner of the consumer advocacy group Public Citizen said Equifax changed its policy in the face of public pressure.
“This is what happens when someone’s watching,” Werner said. “Equifax got caught trying to profit from a massive security breach and the outrage from consumers and advocates made them reverse their position.”
http://www.huffingtonpost.com/entry/equifax-hack-credit-monitoring-service_us_59b69ca7e4b036fd85cc9220
Winemaker
Sport climber
Yakima, WA
Sep 15, 2017 - 04:37pm PT
zBrown, you nailed it. That's exactly why I don't use facebook, twitter, snapchat, or a google email address (except for throwaway addresses) or any of a myriad of other information sucks. Still, it's impossible to remain anonymous. I froze credit at all three reporting companies and got my daughter to do the same. Highly recommended.
zBrown
Ice climber
Topic Author's Reply - Sep 15, 2017 - 05:09pm PT
Ain't it just like the night to play tricks when we're [sic] trying to be so quiet
-Dylan (1966) Seems Like a Freeze Out
I will say more later, but I don't think that a credit freeze will do that much for you.
Eternal vigilance is the price we are all going to have to pay for all this wonderful technology.
Get used to keeping tabs on things.
I'm considering one of those "insurance" plans that help you clean up your credit when your ID gets hacked, which there is a good chance it will.
You'll still have to find it yourself.
Here's what we're facing, my doctor has on his computer system:
Copy of my driver's license (with photo and copy of my signature)
Photo of me
Copies of my insurance cards
My social security number
address, phone etc
My credit card number
How safe is this info?
Not very.
Any one of many employees with access could just take all that info and provide it to his/her friendly ID hacker associate.
Then add on that the system probably has very minimal network protections.
And finally, nobody knows how many other systems this info has been "uploaded" to.
YIKES
Winemaker
Sport climber
Yakima, WA
Sep 15, 2017 - 09:22pm PT
@ zBrown. So what do you suggest we do? Honest question.
zBrown
Ice climber
Topic Author's Reply - Sep 15, 2017 - 10:40pm PT
I'm in the process of identifying all the places where my info resides.
I'm just building a spreadsheet with all the places I can think of and what's known to be there.
I'm not going all the way back in time to closed accounts, doctors visited in college etc.
Then I'll set up a schedule for monitoring them as best I can.
I'm also considering those ID protection services, one of whom claims to provide the protection for about $10/month. As I recall, the guy hiking the PCT trail in segments has had a good experience with it.
Finally*, though it's a pain in the ass, set up strong passwords and change them regularly. Password strength checkers abound and it was disconcerting to find out how weak mine were (and how old).
Sheeit does happen. Michele, who I live with, has had two notices from banks which declined charges on her accounts in about the last six months. Thank Gawd or MIT for AI TECHNIQUES. One was noted in a phone call, the other when she attempted to use a card and found it frozen.
In each case the best course is to have the institution issue a new card, which can be a headache if the card is on file to accommodate recurring charges. Hence the spreadsheet, which allows you to know where it is used.
Not long after the failed card usages her email account was locked for too many failed login attempts. So once they get something they try to get more.
I will keep my spreadsheet and passwords offline on a pristine USB disc that I'll keep out at Dylan's house at Point Dume. It's very guarded. Townes van Zandt couldn't even get in to jump on his coffee table!
*IMO (et Alia) this gives you the best return on investment.
BTW I pay about $70/month for Internet, so another $10 doesn't seem bad.
Winemaker
Sport climber
Yakima, WA
Sep 16, 2017 - 07:30am PT
I read an interesting article about password strength recently (sorry, no link) where the author contended the strongest password was simply a string of words. For example, springtopounderweardog, as opposed to the now seemingly mandatory *9Tg? components. Also, a lot easier to remember. It makes a lot of sense, as any hacker will assume you are using all the keys, but the combinations with a 20 letter password using only lower case letters is 26^20, a quite large number.
zBrown
Ice climber
Topic Author's Reply - Sep 16, 2017 - 08:35am PT
I agree longer is better. Including caps and special characters dramatically increases the number of combinations though.
Use a computation or algorithm for getting a numeric string that you can then embed in a mnemonically easier to remember string. This is what I'm doing. For example:
Ihavealist@633746youfoolz.
Also check your three "free" credit reports each year. Space them out over the course of the year, rather than all at once.
Once you semi-automate these processes it's not as time consuming as I expected.
Still, all this having been said, it can be a major hassle to track down and straighten out the problem once it has occurred, so I still think one of the insurance type programs is the way to go.
READ THE CONTRACT CAREFULLY.
Winemaker
Sport climber
Yakima, WA
Sep 16, 2017 - 11:07am PT
Yeah, other characters increase the combinations, but if the hacker assumes you are using the other characters, which they must, he/she has to include those in any attempt to hack; not using them in your password doesn't change the strength of the password. For example, including upper and lower case, as well as number and number shift characters gives 72 possible characters for a hacker to deal with, so a 20 character password has 72^20 potential combinations the hacker has to try; whether you include those extra characters or not makes no difference to your strength as long as you don't use a common phrase. The hacker also doesn't know the length of your password, making it more exhaustive to break.
zBrown
Ice climber
Topic Author's Reply - Sep 16, 2017 - 12:09pm PT
Well we have forgotten to define our terms.
What is the strength measure? I'll use time and effort to hack.
So:
"26^20, a quite large number" and 72^20 is even larger. Therefore, to exhaustively run out the combinations would take longer.
But like the midwest farmer said in the old joke "time? What's time to a pig?".
A Canonical Password Strength Measure
Eugene Panferov
Abstract
We notice that the “password security” discourse is missing a fundamental notion of the “password strength”. We propose a canonical measure of password’s strength. We give formal definition of the “guessing attack”, and the “attacker’s strategy”. The measure is based on the assessment of the efficiency of the best possible guessing attack. Unlike naive password strength assessments our measure takes into account the attacker’s strategy. We argue strongly against widespread informal assumptions about “strong” and “weak” passwords, and advise to adopt formal metrics such as proposed one. This paper does NOT advise you to include “at least three capital letters”, seven underscores, and a number thirteen in your password.
https://www.t-dose.org/sites/t-dose.org/files/password.pdf
Encrypted strings in passwords? Sure, why not.
What you really need is symmetric cryptography, i.e., the algorithm uses the same key to encrypt and decrypt the data. There are many algorithms available which support symmetric cryptography, like DES and AES.
Have a look at this example: http://www.java2s.com/Code/Java/Security/EncryptionanddecryptionwithAESECBPKCS7Padding.htm
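Worked example of the strength measure the last few posts argue over, added here and not code from any poster or from the Panferov paper. It takes the paper's point literally: strength is the size of the search space under the cheapest strategy the attacker can apply, so a 22-letter password that is really four dictionary words is scored by a word-list search, not by 26^22. Winemaker's all-lowercase passphrase and zBrown's embedded-number scheme are both run through it. The dictionary size (7776 words), the guess rate (10^10 per second), and the stub word list (which includes "topo" so the thread's own example segments) are assumptions, not figures from the thread.

```python
"""Password search-space estimate under two attacker strategies.

Added example for the thread, not code from any poster. Assumptions (not from the
thread): the attacker's dictionary size, the guess rate, and the stub word list.
"""
import math
import string
from typing import Optional

WORDLIST_SIZE = 7776          # assumed size of a real attacker word list (diceware-sized)
GUESSES_PER_SECOND = 1e10     # assumed offline guess rate against a fast, unsalted hash

# Constructed stub of a word list: just enough to segment the thread's own examples.
# A real list is far larger; WORDLIST_SIZE stands in for that size in the arithmetic.
STUB_WORDS = {"spring", "top", "topo", "underwear", "dog", "i", "have", "a", "list",
              "you", "fools", "correct", "horse", "battery", "staple"}

# Alphabet size per character class (32 == len(string.punctuation)).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}
CLASS_SETS = {"lower": string.ascii_lowercase, "upper": string.ascii_uppercase,
              "digit": string.digits, "symbol": string.punctuation}


def classes_used(password: str) -> list:
    """Character classes present in the password; rejects characters outside the four classes."""
    if any(all(c not in chars for chars in CLASS_SETS.values()) for c in password):
        raise ValueError("password contains characters outside the modelled classes")
    return [name for name, chars in CLASS_SETS.items() if any(c in chars for c in password)]


def brute_force_bits(alphabet_size: int, length: int) -> float:
    """log2 of the search space for exhaustive search over alphabet_size ** length."""
    return length * math.log2(alphabet_size)


def wordlist_bits(word_count: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """log2 of the search space if the attacker guesses sequences of dictionary words."""
    return word_count * math.log2(wordlist_size)


def segment_into_words(text: str, words=STUB_WORDS) -> Optional[list]:
    """Fewest-words split of text into dictionary words (dynamic programming), or None."""
    best = [None] * (len(text) + 1)
    best[0] = []
    for end in range(1, len(text) + 1):
        for start in range(end):
            if best[start] is not None and text[start:end] in words:
                candidate = best[start] + [text[start:end]]
                if best[end] is None or len(candidate) < len(best[end]):
                    best[end] = candidate
    return best[len(text)]


def assess(password: str) -> dict:
    """Strength = search space of the cheapest strategy modelled here (brute force or word list)."""
    used = classes_used(password)
    alphabet = sum(CLASS_SIZES[name] for name in used)
    bf = brute_force_bits(alphabet, len(password))
    words = segment_into_words(password.lower())       # a word-list search ignores case first
    wl = wordlist_bits(len(words)) if words else None  # None: not a plain run of words
    effective = bf if wl is None else min(bf, wl)
    seconds = 2 ** effective / GUESSES_PER_SECOND
    return {
        "length": len(password),
        "classes": used,
        "brute_force_bits": round(bf, 1),
        "words": words,
        "wordlist_bits": None if wl is None else round(wl, 1),
        "effective_bits": round(effective, 1),
        "years_to_exhaust": seconds / (365.25 * 24 * 3600),
    }


if __name__ == "__main__":
    for pw in ("springtopounderweardog", "Ihavealist@633746youfoolz.", "xqzvbmtrkwpdlfhgncys"):
        print(pw, assess(pw))
```

The passphrase scores about 103 bits against pure brute force but only about 52 bits once the attacker tries word sequences, which is the "as long as you don't use a common phrase" caveat made concrete; the 20 random lowercase letters keep their full 94 bits because no word-list split exists. The embedded-number password is not a plain run of words, so only the brute-force figure applies here; the model does not include the mangling rules real cracking tools apply, so treat its number as an upper bound.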
Winemaker
Sport climber
Yakima, WA
Sep 16, 2017 - 12:51pm PT
If you want to make it REALLY tough to brute force crack a password, add some characters the hacker wouldn't even try. For example there are all the ASCII codes most people don't even know exist; press and hold Alt and then type the code number. Alt 214 = ±, Alt 248 = °, Alt 227 = π, Alt 228 = Σ, Alt 178 = ▓. There are all the Greek letters, mathematical symbols, plus lots of other stuff. That would throw a hacker off! Of course ASCII codes generate numbers and letters also; Alt 66 = B for example, so with the extended ASCII code there are 255 characters available.
DM88T
climber
Dave Tully, San Dimas, California
Sep 16, 2017 - 01:23pm PT
I found that sites that ask you to create a password have a very limited set of special characters that they will accept.
zBrown
Ice climber
Topic Author's Reply - Sep 16, 2017 - 06:23pm PT
I've had success with all three in the past in getting my credit report. I even got them to correct items which I disputed.
I have never had to s-mail anything in the past.
The last time I tried (can't remember which one) I was informed that I'd already gotten my report for the year (untrue). I was busy so I didn't follow up.
I will now.
Equifax, under duress, is supposed to be waiving fees for credit freezes.
But, who ya gonna call Ghostbusters?
The tale began on July 29, when the company’s security team detected suspicious network traffic associated with the software that ran its U.S. online-dispute portal. After blocking that traffic, the company saw additional “suspicious activity” and took the portal’s software offline.
At this point, Equifax’s retelling grows cloudy. The company said an internal review then “discovered” a flaw in an open-source software package called Apache Struts used in the dispute portal, which it then fixed with a software patch. It subsequently brought the portal back online.
But that vulnerability had been known publicly since early March 2017, and a fix was available shortly thereafter — facts that Equifax acknowledged in its Friday statement. The company did not say why the software used in the online-dispute portal hadn’t been patched earlier, although it claimed that its security organization was “aware” of the software flaw in March, and that it “took efforts” to locate and fix “any vulnerable systems in the company’s IT infrastructure.”
zBrown
Ice climber
Topic Author's Reply - Sep 18, 2017 - 08:19am PT
Ain' that some crap?
Hackers have successfully breached CCleaner’s security to inject malware into the app and distribute it to millions of users
...
CCleaner has been downloaded more than 2 billion times according to Avast, making it a popular target for hackers. Dubbed “crap cleaner,” it’s designed to wipe out cookies and offer some web privacy protections. 2.27 million users have been affected by the attack, and Avast Piriform believes it was able to prevent the breach harming customers. “Piriform believes that these users are safe now as its investigation indicates it was able to disarm the threat before it was able to do any harm,” says an Avast spokesperson.
zBrown
Ice climber
Topic Author's Reply - Sep 18, 2017 - 09:11am PT
The U.S. Justice Department has opened a criminal investigation into whether top officials at Equifax Inc. violated insider trading laws when they sold stock before the company disclosed that it had been hacked, according to people familiar with the investigation.
Reilly
Mountain climber
The Other Monrovia- CA
Sep 18, 2017 - 09:11am PT
My financials are behind my password, of course, but then if a 'puter other than one of our known ones tries to enter they will have to answer our security questions. And even on the odd occasion when I use my phone I have to answer the security questions, which are case sensitive. Sergei or Hung Way Short are only gonna get five cracks at getting in.
fear
Ice climber
hartford, ct
Sep 18, 2017 - 10:21am PT
The U.S. Justice Department has opened a criminal investigation into whether top officials at Equifax Inc. violated insider trading laws....
lol... right... I'm sure that'll go anywhere.
zBrown
Ice climber
Topic Author's Reply - Sep 18, 2017 - 03:11pm PT
What do u want for nothing - rubber biscuits?
Have we ever seen any big insider cases?
Well yeah, Mama Stewart. She got 5+5+23 months.
Others?
What were the penalties at Enron?
Skilling, though he had more than IT going on got 24 years (reduced to 14) and $40 million of his ill-gotten gains to be distributed to victims
Jon Beck
Trad climber
Oceanside
Sep 18, 2017 - 03:44pm PT
I like the security layer that requires you to receive a code on your phone and re-enter it on their website. Google and Wells Fargo use it.
Of course if the thief gets your phone?
NutAgain!
Trad climber
South Pasadena, CA
Sep 20, 2017 - 10:50am PT
Nice one DMT.
More info about the evolving clvsterfvuck of Equifax:
https://www.theverge.com/2017/9/20/16339612/equifax-tweet-wrong-website-phishing-identity-monitoring
In short, their systems are so screwed up that their recovery websites are associated with a different domain than the company, so you can't tell if you are dealing with hackers taking more advantage of the mess or the official company. In fact, Equifax support personnel have wrongly directed customers to a website set up as a hacker proof-of-concept website, showing how untrustworthy the whole shebang is.
In short, you are almost as well off not trying to freeze your account as you are to freeze it, if you can't verify you are giving your private details to an entity posing as Equifax.
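The check a cautious user can actually run on a link before typing Social Security numbers into it, added here as an example and not code from Equifax or from any poster. It answers one narrow question: is this host the expected organisation's domain or a subdomain of it? A separate registrable domain, which is what the post above describes, cannot be vouched for by this check at all, so it comes back "other-domain" rather than "ok". The expected domain equifax.com is an assumption standing in for "the company's own site", and the sample links are constructed to show the shapes worth catching (a different domain, the expected name used as a prefix or as user-info, and plain http).

```python
"""Is this link really under the domain I expect?

Added example, not code from Equifax or any poster. equifax.com as the expected
domain is an assumption; the sample links are constructed, not taken from the thread.
"""
from urllib.parse import urlsplit


def host_belongs_to(url: str, expected_domain: str) -> bool:
    """True only if the URL's host is expected_domain or one of its subdomains.

    Whole DNS labels are compared, so 'notequifax.com' and 'equifax.com.evil.example'
    fail, and 'https://www.equifax.com@evil.example/' fails because urlsplit()
    reports the real host (evil.example), not the user-info before the '@'.
    """
    host = urlsplit(url).hostname          # lower-cased; user-info and port stripped
    if host is None:
        return False
    host = host.rstrip(".")
    expected = expected_domain.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def check_link(url: str, expected_domain: str) -> str:
    """Classify a link as 'ok', 'other-domain' (cannot be vouched for) or 'not-https'."""
    if urlsplit(url).scheme != "https":
        return "not-https"
    return "ok" if host_belongs_to(url, expected_domain) else "other-domain"


# Constructed sample links: the company's assumed domain, the separate domain the
# thread's posters were sent to, and three look-alike shapes worth catching.
SAMPLE_LINKS = [
    "https://www.equifax.com/personal/",
    "https://www.equifaxsecurity2017.com/",
    "https://equifax.com.evil.example/",
    "https://www.equifax.com@evil.example/",
    "http://www.equifax.com/",
]


def triage(links=SAMPLE_LINKS, expected_domain: str = "equifax.com") -> dict:
    """Verdict per link, keyed by the link itself."""
    return {url: check_link(url, expected_domain) for url in links}


if __name__ == "__main__":
    for url, verdict in triage().items():
        print(f"{verdict:13} {url}")
```

"other-domain" is not an accusation: the separate site may well be legitimate, and in this case the company itself published it. The point is that a user has no way to confirm that from the link, which is exactly why the post above recommends holding off until you can.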
Lollie
Social climber
I'm Lolli.
Oct 19, 2017 - 02:35pm PT
"The GDPR also expands the definition of what personal data is, and brings additional requirements such as a right for consumers to see what information is held about them and have it deleted on request — so there are other big changes incoming."
This is not new. We've had that right for ages. There are excepted records of course, one cannot demand records of criminal acts removed, and such things.
I've used it against Facebook like maybe 10 years ago. Back then one wasn't allowed to have any other account but your real name account, so they closed my Lollipop account. But they kept all the photos, information etc, without me being able to remove anything. As I was pissed off, I threatened to take them to court as it was against the law in Sweden and Europe, and they - at least they said they did - backed down and erased all my material. (I didn't bother to actually drag them to court so they would have to prove that it was really deleted from their servers).
But this new variety of the law is tough. It affects almost everyone, businesses and authorities alike. And we better comply. But as most over here agree with the basic viewpoint, the right of the citizen, we just do it. No big deal. In the long run it ensures the freedom and protection for the individual.
As you maybe know, we do not consider corporations people, (extremely funny notion as I see it:-D) so therefore any individual EU citizen has greater civil rights than a corporation does, and therefore it will be no contest about who has the right to a higher degree of protection.