Equifax Data Breach Was an Unconscionable Mistake
I’ve been waiting for someone else to post about Equifax so I could vent my wrath in a comment, but as I haven’t seen much yet, I can no longer contain myself. I cannot believe that a company charged with holding the most sensitive information about us — information that we neither asked for nor wanted to be held on our behalf — has been breached. The information of half of American adults may have been stolen. Bad enough, but they didn’t even bother to tell us about it for over a month. Never mind their executives selling nearly 2 million dollars in stock in the meanwhile. Never mind the anemic apology from their CEO:
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes.”
This is the type of apology we’ve become accustomed to when someone uses an incorrect gender pronoun, not when the lives of 148 million people are potentially wrecked. My cousin lived through identity theft and it is awful. No doubt Mr. Smith has an army of lawyers and admins who will clean up the mess should his identity be stolen. But for the rest of us, it is time taken away from work and family, hours on the phone, loss of the ability to travel and sometimes worse. I have already had to spend $20 freezing my credit. They’ve offered free credit monitoring for a year (did you hear that, identity thieves? You have to wait a year!), after which, no doubt, we’ll be stuck automatically with their $29.99 a month service. But even if it were free for the rest of my life, how can we trust their credit monitoring service? So that will be another $300 per year for the mess they created.
I hope Equifax goes down for this. The money will go to the law firms and not to the victims, but right now, I just want blood. God help me, I may even want Elizabeth Warren.
Thank you for letting me vent. It seems churlish to do so with Irma bearing down on Florida. My prayers to all of you in her path.
Then I suppose I should have the right to opt out entirely. No lazy tech needed for that.
Once you give your name, your date of birth, etc., how do you get that back? I suppose that’s the question that no-one wants to answer, because if we can all be anonymous then no-one gets any bank credit.
Don’t we need banks to know who we are, in order to give lines of credit? Would you like it if you were treated the same as a random stranger?
I give that information to the financial institution freely. Why is it I do not have a say on who they pass it off to? If I want to be anonymous and have no bank credit, then that is my decision. There needs to be more say by the individual and less deference given to the financial entities. If someone has no problem with the way things run now, then they can stay in the system. But as far as I know, I have no right to opt out of my information being sent to these agencies. Why not?
This is what has been posted on their site since this morning:
I’m just guessing here, but I’d bet you give them permission to share your information somewhere in the many pages of fine print (that no one ever reads) whenever you sign up for a new financial account.
I think the future solution will be blockchain technology like that used in BitCoin. What else is the BitCoin register but a record of financial transactions? Why not have a credit rating system that records all of your financial transactions with a blockchain registered to your personal cryptographic key? Every credit card transaction, every mortgage payment, every check you write will be recorded into the blockchain register for any company like Equifax to “distill” and generate a credit report. The credit agencies will still generate revenue by creating credit scores, but now they will do it by “proof of work” on the blockchain. However, then people’s credit will be secured as your credit is only tied to the public key. The private key, held by the individual, is just used to verify that you are the person that owns that public key.
That’s great, till it comes to authenticating the public key.
“Who’re you, mate?”
“Well, it’s me.”
“Who’re you?”
“Well, I own these bitcoin.”
“Oh right, mate. Sure you do.”
“Yeah, I’ve got this private key thing on my USB stick.”
“Well nobody could steal that, go on ahead old chap.”
It is a bit ridiculous that credit card companies and credit agencies are not already using blockchain technology to secure people’s credit. There is a real chance here of a start-up company to disrupt the whole financial system. This Equifax breach might be the catalyst that makes it happen.
You are missing the whole point of public key encryption. You can verify that you are the owner of both keys without revealing information about your private key. Now if someone physically beats your private key (i.e. your password or phrase which decrypts the private key) out of you then you have a problem.
Steal bitcoin? Why, that’s nearly impossible!
Aha! You do know something about public key encryption.
Exactly. Read the article, BitCoin can only be stolen if someone steals your private key. You need to keep your private key secure. Sure, if you are careless it can still be stolen, but it sure as hell is a lot better than writing it down on every form like we do now.
Blockchain makes it easier to steal absolutely massive amounts of money from stupid people.
No, I don’t think I’m missing any kind of point. My point is that your private key is vulnerable to all manner of attacks, including beating the sh** out of you.
If you want some better security you could build a double layer blockchain system that ties your “operating” keys to a set of “physically verified” keys where the secret private key is written down on a piece of paper and stored in a safe deposit box that you can only access by showing up and giving finger prints, a retina scan, and a DNA sample to match to a public database secured by a blockchain. Then if your “operating” private key is stolen you can dispute the theft by demonstrating that you and only you have access to the “physically verified” private key.
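The three comments above describe one mechanism: proving you hold a private key by signing something, without ever revealing the key, and (in the last comment) binding a day-to-day "operating" key to a "physically verified" key so that a stolen key can be disowned. The following is an added example written for this page, not code from any commenter or from Bitcoin. It uses Go's standard-library Ed25519 (Bitcoin itself uses secp256k1 ECDSA, so the curve is an assumption, not a match), and the names `Wallet`, `Verifier`, `Respond`, `NewChallenge`, the `"cert:"`/`"challenge:"`/`"revoke:"` purpose tags and the notion of a root-signed certificate are all hypothetical constructs for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Wallet is the individual's side: an offline root key (the comment's
// "physically verified" key) and a day-to-day operating key whose public
// half the root has countersigned (OpCert).
type Wallet struct {
	RootPub, OpPub   ed25519.PublicKey
	RootPriv, OpPriv ed25519.PrivateKey
	OpCert           []byte
}

// Every signature carries a purpose tag, so a certificate can never be
// replayed as a challenge response or a revocation, and vice versa.
func signDomain(priv ed25519.PrivateKey, domain string, msg []byte) []byte {
	return ed25519.Sign(priv, append([]byte(domain), msg...))
}

func verifyDomain(pub ed25519.PublicKey, domain string, msg, sig []byte) bool {
	return ed25519.Verify(pub, append([]byte(domain), msg...), sig)
}

func NewWallet() (*Wallet, error) {
	rootPub, rootPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	w := &Wallet{RootPub: rootPub, RootPriv: rootPriv}
	return w, w.RotateOperatingKey()
}

// RotateOperatingKey mints a fresh operating key certified by the root: what the owner does after the USB stick is stolen.
func (w *Wallet) RotateOperatingKey() error {
	opPub, opPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	w.OpPub, w.OpPriv = opPub, opPriv
	w.OpCert = signDomain(w.RootPriv, "cert:", opPub)
	return nil
}

// Respond proves possession of the operating key: the verifier gets a signature over its own nonce, never the key.
func Respond(opPriv ed25519.PrivateKey, nonce []byte) []byte {
	return signDomain(opPriv, "challenge:", nonce)
}

// RevokeOperatingKey is a root-signed statement that opPub is no longer trusted.
func RevokeOperatingKey(rootPriv ed25519.PrivateKey, opPub ed25519.PublicKey) []byte {
	return signDomain(rootPriv, "revoke:", opPub)
}

// Verifier is the relying party (a lender): it learned RootPub once, in person, and holds no private key.
type Verifier struct {
	RootPub ed25519.PublicKey
	revoked map[string]bool
}

// NewChallenge issues a fresh nonce; a response is good only for the nonce it answers, so it cannot be replayed.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// CheckResponse accepts only a certified, unrevoked operating key that signed this exact nonce.
// The length check matters: ed25519.Verify panics on a malformed public key, and this one arrives over the network.
func (v *Verifier) CheckResponse(opPub ed25519.PublicKey, cert, nonce, resp []byte) bool {
	if len(opPub) != ed25519.PublicKeySize || v.revoked[string(opPub)] {
		return false
	}
	return verifyDomain(v.RootPub, "cert:", opPub, cert) &&
		verifyDomain(opPub, "challenge:", nonce, resp)
}

// Revoke honours a revocation only if the root key signed it.
func (v *Verifier) Revoke(opPub ed25519.PublicKey, revSig []byte) bool {
	if !verifyDomain(v.RootPub, "revoke:", opPub, revSig) {
		return false
	}
	if v.revoked == nil {
		v.revoked = map[string]bool{}
	}
	v.revoked[string(opPub)] = true
	return true
}

func main() {
	w, _ := NewWallet()
	v := &Verifier{RootPub: w.RootPub}
	nonce, _ := NewChallenge()
	fmt.Println("owner accepted:", v.CheckResponse(w.OpPub, w.OpCert, nonce, Respond(w.OpPriv, nonce)))
	// The USB stick walks off: the root key revokes the operating key, and the thief's copy stops working.
	v.Revoke(w.OpPub, RevokeOperatingKey(w.RootPriv, w.OpPub))
	nonce, _ = NewChallenge()
	fmt.Println("thief accepted:", v.CheckResponse(w.OpPub, w.OpCert, nonce, Respond(w.OpPriv, nonce)))
}
```

What the verifier checks is exactly the objection raised in the "Who're you, mate?" exchange: a bare public key proves nothing about who is behind it, so the binding to the in-person-verified root key is what supplies identity, and the revocation path is what turns a stolen USB stick from a permanent loss into a key rotation. The caveat from the thread still stands: the root key is now the thing worth beating out of someone, and nothing in this code protects it.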
I understand @odysseus. But with great power comes great responsibility. You screw up, you own it and do what you can to mitigate the damage. Equifax did not handle this well.
I agree PKI is a much better technology, my point was that technology alone is not going to solve this problem. No solution is foolproof, and many end users are fools.
Also, there’s always a security vs. convenience trade-off. That’s why we’re still using so many low-security technologies: they are convenient. Even a minor shift like moving to credit card chips has people complaining about how it takes longer to read the chip than to swipe a card, even though the chips are clearly a more secure technology.
Wish we had a black ops hit squad that investigated and took out such criminals.
The hack evidently retrieved ‘in the clear’ personal identifying information. There is off-the-shelf technology to systematically encrypt such information when at rest, in transmission, and in some cases while being used for search and computation. That Equifax evidently did not employ such technology or did it incompetently is prima facie evidence of negligence.
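The comment above says the stolen data was "in the clear" and that off-the-shelf encryption at rest exists. As an added illustration (not the commenter's code, and not a description of what Equifax ran) here is field-level encryption of one record column with AES-256-GCM from Go's standard library. The record layout, the column names and the sample customer row are constructed for this example; the design choice being shown is that the record ID is bound into the ciphertext as associated data, so a dump of the table is useless without the key and a ciphertext cannot even be moved between rows.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Encryptor wraps the data-encryption key. The key belongs in a KMS or HSM
// and is fetched by the application at run time, never stored beside the
// table, so a dump of the database or its backups yields only ciphertext.
type Encryptor struct{ aead cipher.AEAD }

// NewRandomKey returns a 256-bit AES key.
func NewRandomKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func NewEncryptor(key []byte) (*Encryptor, error) {
	block, err := aes.NewCipher(key) // rejects anything but 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Encryptor{aead: aead}, nil
}

// Seal encrypts one field under a fresh random nonce. The record ID goes in
// as associated data: authenticated but not encrypted, so a ciphertext
// lifted from one row and pasted into another will not open.
func (e *Encryptor) Seal(recordID, plaintext string) (string, error) {
	nonce := make([]byte, e.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Stored layout: nonce || ciphertext || tag, hex-encoded for a text column.
	return hex.EncodeToString(e.aead.Seal(nonce, nonce, []byte(plaintext), []byte(recordID))), nil
}

// Open reverses Seal. Any failure (wrong key, wrong record, flipped bit)
// returns an error and no plaintext.
func (e *Encryptor) Open(recordID, stored string) (string, error) {
	raw, err := hex.DecodeString(stored)
	if err != nil {
		return "", err
	}
	ns := e.aead.NonceSize()
	if len(raw) < ns+e.aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := e.aead.Open(nil, raw[:ns], raw[ns:], []byte(recordID))
	if err != nil {
		return "", errors.New("authentication failed")
	}
	return string(pt), nil
}

// Record is what the database row holds: fields needed for lookup in the
// clear, the SSN only as ciphertext.
type Record struct {
	ID, Name, SSNEnc string
}

func StoreRecord(e *Encryptor, id, name, ssn string) (Record, error) {
	enc, err := e.Seal(id, ssn)
	if err != nil {
		return Record{}, err
	}
	return Record{ID: id, Name: name, SSNEnc: enc}, nil
}

func main() {
	key, _ := NewRandomKey()
	e, _ := NewEncryptor(key)
	r, _ := StoreRecord(e, "cust-0001", "A. Example", "123-45-6789") // constructed sample, not real PII
	fmt.Printf("row as stored: %+v\n", r)
	ssn, err := e.Open(r.ID, r.SSNEnc)
	fmt.Println("with the key:", ssn, err)
	_, err = e.Open("cust-0002", r.SSNEnc)
	fmt.Println("ciphertext moved to another record:", err)
	other, _ := NewEncryptor(make([]byte, 32))
	_, err = other.Open(r.ID, r.SSNEnc)
	fmt.Println("with a different key:", err)
}
```

Two practitioner caveats. GCM with random 96-bit nonces needs a cap on how many values are encrypted under one key (NIST SP 800-38D puts it at 2^32), so data keys have to be rotated, which is where a KMS with envelope encryption earns its keep. And an encrypted column cannot be searched directly; lookup by SSN needs a separate keyed blind index or the searchable-encryption techniques the comment alludes to, each of which leaks something and has to be threat-modelled on its own.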
Why not?
Not so sure it works this way @katrose. Credit, as you know, is not something owed to us. It is something we earn by our own personal financial behavior. If we ask some entity to give us credit, we most likely have to give up some of our privacy in return. They will need to know our history of financial transactions, our complete identity, and our current income level (ability to repay the debt), and probably other stuff. The only way to stay “off the grid” is to pay cash for everything…house, car, food, taxes, medical, etc. In other words, it’s nearly impossible. One thing that certainly should be the case is financial institutions are responsible for who they give access to your money. Before they cash checks, pay bills, or accept withdrawals, they should be forced to know for certain it is the owner of those funds who is asking for them.
The way to opt out is not to make deals with companies that send your information to the ratings agencies.
Of course that’s a tough way to live, since that excludes many services we take for granted as well as some we use rarely but consider necessary (car loan, mortgage, etc.). But it’s possible – I came pretty close to living that way for a few years.
But the reason this is such an unrealistic scenario is that most people want the convenience, savings, and access to credit that the credit rating system brings. But there’s no free lunch, just trade-offs – and the trade-off here is that easy and cheap credit comes at the expense of our data winding up in the hands of a company that is unaccountable to us. And yet most people still seem happy with that trade-off.
In fact, the big epiphany of the last decade, in my opinion, is how little we actually value our own data.
It’s easy to throw stones at Equifax and claim that they collect our data without our consent (which legally isn’t true). But nearly everyone knows that companies like Google and Facebook actively collect and analyze our personal data – yet we gleefully agree in exchange for free use of their services.
And even other big data breaches haven’t done much to change consumers’ behavior. For example, Target didn’t see much of a hit when it got hacked and its customers’ credit card data was stolen.
I would take the outrage over Equifax more seriously if more of the American public actually acted like it cared about the integrity of its personal data. But this seems like somebody leaving their valuables in their front yard and then complaining when something is missing the next day.
Well, if your encryption key is that valuable (i.e you’re filthy rich) then you’ll have the resources to provide yourself additional protection, including physical protection.
One of the advantages of this data compromise for the individual is that so many people were affected that you’re less likely to be targeted.
My plan is to sign up for a credit monitoring company. I base that on a WSJ recommendations. I will also consider putting a freeze on credit checks. That could end up being very inconvenient, so I’ll mull that one over.
A few years back my management team asked how we could fully secure our servers (including from internal resources) and guarantee that everything was completely locked down. I sent them a picture of a power strip with everything unplugged from it. (They were not amused.) That’s the unpalatable truth: there is no such thing as perfect security. Every system can be hacked somehow. Often the hacks are not technical, but use social engineering. (Basically tricking a person into compromising system security.) That doesn’t mean that security is useless. Even if it’s impossible to make some data 100% secure, you can make it really, really hard to get. The thing is, Equifax is in the business of sharing data, not securing data. They want the data to be easy to get… as long as you’re a paying customer. The problem from Equifax’s point of view is not that the data was breached, but that no one paid for it. So we’ll all end up paying for it one way or another. Either we pay in some small amount of time and money to monitor our credit better (or freeze it entirely), or we pay a lot when our identity is stolen. Such is the price of living in the modern world.
I am not explaining well what I am frustrated with. I realize all of this. The individual consumer at this time has no control and no say on what gets reported to the agencies and who has access to that information. It was all so convenient at the beginning but now we are realizing with this convenience comes risks that we have no means of ameliorating. We accept the rules created at the beginning of our financial life being available on the internet many years ago and I am saying some of those rules need to change. The risks are much greater now and I truly do not feel that all these large agencies or financial institutions give a crap about us and our information. They want it easier and easier and I want to make a few roadblocks is all. Make them jump through some hoops and bear some of the cost and consequence of screwing up.
Today I called my financial company and my bank. I spoke to both about their methods of securing my money/assets. I was quite satisfied with the answer from my financial guy and I was able to add an additional layer of password protection on my bank stuff. See Nick H. comment #87 @katrose. It can’t be perfect. I share your frustrations with our seeming impotence in data sharing, but we have to make some choices. If we wish to engage in online bill payment, it is a tremendous convenience. But it opens us up to greater risk. If you wish to use your smart phone to pay with a swipe or to do online bill paying, that also is less secure. It’s a lot to do with our own choices. And our own choices are about all we can control.
After hearing from several other sources that the credit locks were the way to go, I just finished doing that with all 3 companies on line. It was very simple and took about 10 minutes for all 3. Nobody asked for a fee. We are at a point in our lives when we aren’t asking for new credit very often, so we’ll just have to remember to unlock it when needed, which can also be done online. Seems like a no-brainer to me.