TFPU - EQUIFAX FAIL (YOU'RE WELCOME?)


Discussion Topic

This thread has been locked
Messages 21 - 40 of total 52 in this topic
Ed Hartouni

Trad climber
Livermore, CA
Sep 10, 2017 - 10:09am PT
interesting thread which begs the question about the existence of credit agencies, which have been around since credit started to become commercially important for doing business.

A transaction is certainly an act between at least two parties, and tracking the outcome of those transactions is what the credit agencies have done... the information regarding the transaction's outcome is "owned" by all the parties to the transaction.

The agency can collect that information from any of them.

With the expansion of the credit market to consumers, think credit cards, mortgages, car loans, etc, the credit agencies have expanded their data collection to include individuals, you and me, and sell the information regarding the outcomes of our transactions, and with sufficient information to identify us uniquely, so that they can be sure to provide the "correct" information to other parties interested in engaging us in transactions.

Now most of us do not provide the information of our transactions to the credit agencies, but the "other party" in the transaction does, the banks, etc...
...and we allow this because it gives us the ability to obtain "easy" credit.

We are complicit in this aggregation of information because we find it convenient to have access to easy credit. But also because we hadn't noticed it happening, the expansion of credit, and the evolution of the credit providing industry, has changed, expanding greatly in just a few decades. Most likely we have all agreed to this information sharing in the contracts we enter into, though most of us aren't aware that we have explicitly consented to it.

Couple that with the possibility of producing large revenues in the credit business, and thus the industry's resistance to governmental oversight, and the ability of other actors to use that information for illicit economic gain, and we get to where we are now.
Jon Beck

Trad climber
Oceanside
Sep 10, 2017 - 10:32am PT
That waiver of the right to file a class action was not enforceable. Duress anyone?
zBrown

Ice climber
Topic Author's Reply - Sep 10, 2017 - 01:26pm PT
There is a very lopsided relationship between the financial "businesses" and individuals.

This is brought to you courtesy of our elected officials who for the (very) most part are bought and paid for by the "businesses".

Like the tax code problems, this situation will likely never be rectified.

Ed Hartouni

Trad climber
Livermore, CA
Sep 10, 2017 - 01:55pm PT
not sure it will "never" be rectified...

For instance, say that 143 million tax returns are submitted with the data taken from the hack, that would essentially bring down the government, unable to raise revenue, or at least having been dealt a severe blow to one of the important functions of government.

Faced with that sort of attack, the government has an interest in strengthening the security of the data the credit agencies have aggregated.

Rock!...oopsie.

Trad climber
the pitch above you
Sep 10, 2017 - 02:21pm PT
Faced with that sort of attack, the government has an interest in strengthening the security of the data the credit agencies have aggregated.

The best time to address an issue is after it has already created crippling problems ;-)
Studly

Trad climber
WA
Sep 10, 2017 - 03:12pm PT
Who is to say that this is an attack? It seems to me more likely that it was an inside job. Just follow the money trail and see where it leads..
zBrown

Ice climber
Topic Author's Reply - Sep 10, 2017 - 07:08pm PT
Yes indeed, Doc H., the government will address the data security issue since the companies will not.

I predict it will not be nearly sufficient, but it will help.

Just like software companies are continually releasing more patches rather than addressing the fundamental underlying flaws in their software, a similar process will occur.

The lopsidedness will persist IMO unfortunately.

zBrown

Ice climber
Topic Author's Reply - Sep 11, 2017 - 10:49am PT

LITTLE BROTHER IS WATCHING YOU EQUIFAX

WASHINGTON ― The credit monitoring company that compromised the personal information of nearly half the U.S. population said Monday it won’t ask people for credit card info if they sign up for its “free” service.

Last week, Equifax Inc. announced that it had been hacked by criminals who obtained personal details about 143 million Americans, including names, addresses and Social Security numbers. To make up for its massive cybersecurity failure, the firm said it would give victims a free one-year subscription to its credit monitoring service.

There was a catch: the supposedly free service required credit card information up front and would begin charging the card after the free trial ended unless users proactively canceled, according to terms of use for the product dated Sept. 6.

Equifax quietly deleted the information about fees from its website over the weekend, and on Monday, the firm announced it wouldn’t ask for credit cards when people sign up for the service, which is called TrustedID Premier.

Amanda Werner of the consumer advocacy group Public Citizen said Equifax changed its policy in the face of public pressure.

“This is what happens when someone’s watching,” Werner said. “Equifax got caught trying to profit from a massive security breach and the outrage from consumers and advocates made them reverse their position.”

http://www.huffingtonpost.com/entry/equifax-hack-credit-monitoring-service_us_59b69ca7e4b036fd85cc9220
zBrown

Ice climber
Topic Author's Reply - Sep 11, 2017 - 12:24pm PT
One man gathers what another man steals [sic]

Forget Equifax. Facebook and Google Have the Data That Should Worry You


https://www.bloomberg.com/news/articles/2017-09-11/forget-equifax-facebook-and-google-have-the-data-that-should-worry-you


EDIT

Equifax faces at least 23 proposed class-action lawsuits since its disclosure that personal identifying information for 143 million U.S. consumers may have been compromised by a massive cyberbreach.

And additional cases are likely to come.
zBrown

Ice climber
Topic Author's Reply - Sep 12, 2017 - 09:57am PT
Maybe this thing should have been called "The All-Purpose Technology Run Amuck thread."


https://www.cnet.com/news/bluetooth-devices-vulnerable-to-hack-blueborne-armis-labs/


Billions of Bluetooth devices could get hit by this attack
More than 5 billion devices are vulnerable to a "highly infectious" malware attack. Go ahead, blame the internet of things.
kunlun_shan

Mountain climber
SF, CA
Sep 15, 2017 - 03:23pm PT
Equifax hired a music major as chief security officer and she has just retired.

Susan Mauldin, whose identity is being scrubbed from the internet, studied music composition

http://www.marketwatch.com/story/equifax-ceo-hired-a-music-major-as-the-companys-chief-security-officer-2017-09-15
Winemaker

Sport climber
Yakima, WA
Sep 15, 2017 - 04:37pm PT
zBrown, you nailed it. That's exactly why I don't use facebook, twitter, snapchat, or a google email address (except for throwaway addresses) or any of a myriad of other information sucks. Still, it's impossible to remain anonymous. I froze credit at all three reporting companies and got my daughter to do the same. Highly recommended.
zBrown

Ice climber
Topic Author's Reply - Sep 15, 2017 - 05:09pm PT
Ain't it just like the night to play tricks when we're [sic] trying to be so quiet
-Dylan (1966)

Seems Like a Freeze Out

I will say more later, but I don't think that a credit freeze will do that much for you.

Eternal vigilance is the price we are all going to have to pay for all this wonderful technology.

Get used to keeping tabs on things.

I'm considering one of those "insurance" plans that help you clean up your credit when your ID gets hacked, which there is a good chance it will.

You'll still have to find it yourself.

Here's what we're facing, my doctor has on his computer system:

Copy of my driver's license (with photo and copy of my signature)
Photo of me
Copies of my insurance cards
My social security number
address, phone etc
My credit card number

How safe is this info?

Not very.

Any one of many employees with access could just take all that info and provide it to his/her friendly ID hacker associate

Then add on that the system probably has very minimal network protections.

And finally, nobody knows how many other systems this info has been "uploaded" to.

YIKES

sheepdog

Trad climber
just over the hill
Sep 15, 2017 - 05:37pm PT
do those updates people

http://www.zdnet.com/article/equifax-confirms-apache-struts-flaw-it-failed-to-patch-was-to-blame-for-data-breach/
Winemaker

Sport climber
Yakima, WA
Sep 15, 2017 - 09:22pm PT
@ zBrown. So what do you suggest we do? Honest question.
zBrown

Ice climber
Topic Author's Reply - Sep 15, 2017 - 10:40pm PT
I'm in the process of identifying all the places where my info resides.

I'm just building a spreadsheet with all the places I can think of and what's known to be there.

I'm not going all the way back in time to closed accounts, doctors visited in college etc.

Then I'll set up a schedule for monitoring them as best I can.


I'm also considering those ID protection services, one of whom claims to provide the protection for about $10/month. As I recall, the guy hiking the PCT trail in segments has had a good experience with it.

Finally*, though it's a pain in the ass, set up strong passwords and change them regularly. Password strength checkers abound and it was disconcerting to find out how weak mine were (and how old).

Sheeit does happen. Michele, who I live with, has had two notices from banks which declined charges on her accounts in about the last six months. Thank Gawd or MIT for AI TECHNIQUES. One was noted in a phone call, the other when she attempted to use a card and found it frozen.

In each case the best course is to have the institution issue a new card, which can be a headache if the card is on file to accommodate recurring charges. Hence the spreadsheet which allows you to know where it is used.

Not long after the failed card usages her email account was locked for too many failed login attempts. So once they get something they try to get more.

I will keep my spreadsheet and passwords offline on a pristine USB disk that I'll keep out at Dylan's house at Point Dume. It's very guarded. Townes Van Zandt couldn't even get in to jump on his coffee table!



*IMO (et alia) this gives you the best return on investment.

BTW I pay about $70/month for Internet, so another $10 doesn't seem bad.
Winemaker

Sport climber
Yakima, WA
Sep 16, 2017 - 07:30am PT
I read an interesting article about password strength recently (sorry, no link) where the author contended the strongest password was simply a string of words. For example, springtopounderweardog, as opposed to the now seemingly mandatory *9Tg? components. Also, a lot easier to remember. It makes a lot of sense, as any hacker will assume you are using all the keys, but the combinations with a 20 letter password using only lower case letters is 26^20, a quite large number.
zBrown

Ice climber
Topic Author's Reply - Sep 16, 2017 - 08:35am PT
I agree longer is better. Including caps and special characters dramatically increases the number of combinations though.

Use a computation or algorithm for getting a numeric string that you can then embed in a mnemonically easier to remember string. This is what I'm doing. For example:

Ihavealist@633746youfoolz.



Also check your three "free" credit reports each year. Space them out over the course of the year, rather than all at once.

Once you semi-automate these processes it's not as time consuming as I expected.

Still, all this having been said, it can be a major hassle to track down and straighten out the problem once it has occurred, so I still think one of the insurance type programs is the way to go.

READ THE CONTRACT CAREFULLY.
Winemaker

Sport climber
Yakima, WA
Sep 16, 2017 - 11:07am PT
Yeah, other characters increase the combinations, but if the hacker assumes you are using the other characters, which they must, he/she has to include those in any attempt to hack; not using them in your password doesn't change the strength of the password. For example, including upper and lower case, as well as number and number shift characters gives 72 possible characters for a hacker to deal with, so a 20 character password has 72^20 potential combinations the hacker has to try; whether you include those extra characters or not makes no difference to your strength as long as you don't use a common phrase. The hacker also doesn't know the length of your password, making it more exhaustive to break.
zBrown

Ice climber
Topic Author's Reply - Sep 16, 2017 - 12:09pm PT
Well we have forgotten to define our terms.

What is the strength measure? I'll use time and effort to hack.

So:


"26^20, a quite large number" and 72^20 is even larger. Therefore, to exhaustively run out the combinations would take longer.

But like the midwest farmer said in the old joke "time? What's time to a pig?".

A Canonical Password Strength Measure
Eugene Panferov
Abstract
We notice that the “password security” discourse is missing a fundamental notion of the “password strength”.
We propose a canonical measure of password’s strength. We give formal definition of the “guessing attack”, and
the “attacker’s strategy”. The measure is based on the assessment of the efficiency of the best possible guessing
attack. Unlike naive password strength assessments our measure takes into account the attacker’s strategy. We
argue strongly against widespread informal assumptions about “strong” and “weak” passwords, and advise to
adopt formal metrics such as proposed one. This paper does NOT advise you to include “at least three capital
letters”, seven underscores, and a number thirteen in your password.

https://www.t-dose.org/sites/t-dose.org/files/password.pdf



Encrypted strings in passwords? Sure, why not.


What you really need is symmetric cryptography, i.e., the algorithm uses the same key to encrypt and decrypt the data. There are many algorithms available which support symmetric cryptography, such as DES and AES.

Have a look at this example: http://www.java2s.com/Code/Java/Security/EncryptionanddecryptionwithAESECBPKCS7Padding.htm
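The exchange above turns on what "strength" measures. The following is an added worked example, not code from any poster or from the Panferov paper, that puts numbers on the thread's own cases: 26^20 versus 72^20, how little the attacker gains or loses from not knowing the length, and what happens to the word-built passphrase (springtopounderweardog) and the word-plus-digits pattern (Ihavealist@633746youfoolz.) once the attacker's strategy is a dictionary of words rather than single characters. It goes a little beyond the thread by tokenizing mixed passwords into letter runs, digit runs and symbol runs. Assumptions, all labelled in the code: the 72-symbol alphabet counted in the thread, a 7776-word list (the Diceware convention), a 32-symbol punctuation set, a small constructed word list so the segmenter runs offline, and round guess rates of 10^10/s (fast unsalted hash on a GPU) and 10^4/s (a deliberately slow hash) for the time estimates.

```python
"""Guess-space estimates for the thread's password examples under different
attacker strategies. Added illustration; not any poster's code."""
import math
import re
from typing import Dict, List, Optional, Set

LOWER = 26            # a-z only
FULL = 72             # upper + lower + digits + shifted digits, as counted in the thread
DICEWARE_WORDS = 7776 # assumed attacker word list size (the Diceware list, 6**5)
SYMBOLS = 32          # assumed size of the punctuation set an attacker enumerates
SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed toy dictionary so the segmenter runs offline. A real attacker
# uses tens of thousands of words; "topo" is here because the thread's example
# passphrase contains it.
TOY_WORDS: Set[str] = {
    "spring", "topo", "top", "under", "wear", "underwear", "dog",
    "i", "have", "a", "list", "you", "fool", "foolz",
}


def char_model_bits(length: int, alphabet: int) -> float:
    """log2 of the search space when the attacker tries every string of this length."""
    return length * math.log2(alphabet)


def cumulative_bits(max_len: int, alphabet: int) -> float:
    """Same, but the attacker must also exhaust every shorter length first.

    sum(a**i, i=1..L) = a*(a**L - 1)/(a - 1), a constant factor above a**L,
    so an unknown length adds only a fraction of a bit to the attacker's work.
    """
    return math.log2(sum(alphabet ** i for i in range(1, max_len + 1)))


def segment_words(run: str, words: Set[str]) -> Optional[List[str]]:
    """Split a lowercase letter run into the fewest dictionary words, or None.

    Fewest words is the segmentation an attacker prefers: it is the cheapest.
    """
    best: List[Optional[List[str]]] = [None] * (len(run) + 1)
    best[0] = []
    for end in range(1, len(run) + 1):
        for start in range(end):
            prefix = best[start]
            if prefix is not None and run[start:end] in words:
                candidate = prefix + [run[start:end]]
                if best[end] is None or len(candidate) < len(best[end]):
                    best[end] = candidate
    return best[len(run)]


def pattern_model_bits(pw: str, words: Set[str] = TOY_WORDS) -> Optional[float]:
    """Cost of the strategy "dictionary words, digit runs and symbols in sequence".

    Every letter run must segment into words, otherwise this strategy does not
    apply and None is returned. Capitalisation is ignored (a slight undercount).
    """
    bits = 0.0
    for token in re.findall(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]+", pw):
        if token.isalpha():
            seg = segment_words(token.lower(), words)
            if seg is None:
                return None
            bits += len(seg) * math.log2(DICEWARE_WORDS)
        elif token.isdigit():
            bits += len(token) * math.log2(10)
        else:
            bits += len(token) * math.log2(SYMBOLS)
    return bits


def alphabet_for(pw: str) -> int:
    """The smaller of the thread's two alphabets that still covers the password."""
    return LOWER if pw.isalpha() and pw.islower() else FULL


def strength_bits(pw: str) -> float:
    """Strength as the cost of the cheapest strategy that applies (Panferov's framing)."""
    candidates = [char_model_bits(len(pw), alphabet_for(pw))]
    pattern = pattern_model_bits(pw)
    if pattern is not None:
        candidates.append(pattern)
    return min(candidates)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try the whole space at the given guess rate."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def report(pw: str) -> Dict[str, float]:
    """Character-model bits, strategy-aware bits, and years at the two assumed rates."""
    strength = strength_bits(pw)
    return {
        "char_bits": char_model_bits(len(pw), alphabet_for(pw)),
        "strength_bits": strength,
        "years_fast_hash": years_to_exhaust(strength, 1e10),
        "years_slow_hash": years_to_exhaust(strength, 1e4),
    }


if __name__ == "__main__":
    print(f"20 lowercase chars: {char_model_bits(20, LOWER):.1f} bits, "
          f"length unknown: {cumulative_bits(20, LOWER):.1f} bits")
    print(f"20 chars from 72:   {char_model_bits(20, FULL):.1f} bits")
    for example in ("springtopounderweardog", "Ihavealist@633746youfoolz."):
        r = report(example)
        print(f"{example}: char model {r['char_bits']:.1f} bits, "
              f"cheapest strategy {r['strength_bits']:.1f} bits, "
              f"{r['years_fast_hash']:.3f} y fast / {r['years_slow_hash']:.0f} y slow")
```

Under the character model the passphrase looks like 103 bits (26^22), but an attacker who guesses four words from a 7776-word list needs only 7776^4, about 52 bits: a few days at 10^10 guesses per second against a fast hash, or thousands of years against a slow one. The number that matters is the minimum over the strategies the attacker can actually run, which is what the abstract above means by taking the attacker's strategy into account; the hash the site uses matters as much as the password.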