"Criminals gained access to certain files in the company’s system from mid-May to July by exploiting a weak point in a website application, according to an investigation by Equifax. The company said that it discovered the intrusion on July 29 and has since found no evidence of unauthorized activity on its main consumer or commercial credit reporting databases."
I thought we were paying Equifax to safeguard our data. (Damn Russians - those guys are really good.)
https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html
Comments
(Gives ya a lot of confidence in the bureaucrats who administer various government agencies and allow this to continue.)
Your SS number is plastered everywhere: former employers, schools attended, contractors who've worked on your home (and obtained permits in your name), dentists, doctors, other medical personnel, etc. etc.
The list is l-o-n-g. Not that those who have the number are necessarily dishonest. But such common usage makes the number easy to steal.
On the one hand, SSNs are used to uniquely identify you, so that for better or worse, your medical data can be matched ("joined") with your insurance information, your employment information, your credit score, whatever. Identifiers work well when they are public, or at least widely known - as hank noted, "plastered everywhere".
On the other hand, if SSNs are to be used for security, then they should be secret, like passwords. There's an inherent conflict here - a password or security scheme isn't useful if everyone knows it. SSNs are being used as identifiers, which is what makes them useless as security devices. Yet the world goes on pretending that they provide some level of security ("I'll give you your bank info over the phone if you'll just give me the last four digits of your SSN").
We need to acknowledge that using SSN for security is just for show, like taking off your shoes in the airport. It makes it look like TSA, or your local financial institution, is doing something to protect you. Meanwhile guns get through security, and computer systems are left weakly guarded.
Good points. I'm afraid we're often served-up the illusion of protection instead of the real thing.
Related: I recall that at one time just a SSN (in lieu of a password) was necessary to log into many online mutual fund accounts. Either by edict from some oversight agency (which I think) or voluntarily, fund companies ceased that practice 10-15 years ago and insisted users create a unique password.
After a semi-successful attempt to access some of my accounts a decade ago (We were made whole by PayPal and a local bank) I inquired about changing my SSN. I found that that is not allowed except in the most extreme cases. Essentially, the number you received at age 16 is still being used when you're 70 or 80. I filed a police report and contacted the credit bureaus who placed extra security on my credit files. (They require the police report before they will do so.)
Investigation found the hacking originated from Russia. My casual understanding is there's an affiliation over there between organized crime and government. If true, it helps explain the immense power and effectiveness of their cyber-warfare and cyber-criminal apparatus.
My morning rant!
Since that time, I completely changed my lifestyle. No more debt. Live within your means. Want new car? No. Buy old car, save for years, pay cash for new car.
I have not even pulled my credit report for over 20 years. The only reason I even know about my credit score is because of the financial institutions I deal with started offering it to me free every month. I keep getting emails about "your information may have been compromised" now and again with free credit monitoring offered for a year. Sometimes I feel it is a conspiracy to get you signed for credit monitoring and make money.
It is ironic I was thinking of pulling credit report for every adult in the family just yesterday, and now I see this post. I operate under the assumption everyone's identity is already stolen, but you only learn about it when something bad is done with it. Credit Monitoring is a scam, another form of insurance for something you shouldn't be paying for. At least not those who don't live on credit. If anyone has outstanding loan, charge $1 more a month to pay for credit monitoring. Leave everyone else alone.
We had no debt when our identity was stolen. The thieves succeeded in completely draining everything I had on deposit at one local bank (Imagine the surprise when I walked in to make a withdrawal and was told I had a "0" balance.) They also tried to borrow $100,000 from some online lender in my name, but were halted in the process. Third, they set up a phony account at PayPal in my name, using a phony email account in my name, and then started "selling" items to unsuspecting buyers. After several complaints from buyers who had been defrauded, PayPal contacted me.
Regards
Edit/Add: Were either credit cards or debit cards involved?
money.cnn.com/2017/09/08/investing/equifax-stock-insider-sales-hack-data-breach/index.html?iid=EL
To Hank's original post, how is it that Equifax could take SO long before informing everyone about the breach? That doesn't seem right at all. Scottrade did a similar thing awhile back waiting over 6-mo to inform their customers. Just nasty.
The entire Equifax thing acts just like a Phishing scam would act. If the initial check says you are eligible, then they know all that info. You aren't applying for credit. They initiated this. Turning monitoring on shouldn't need to fill out forms that look like phishing. People all over are scratching their head. Additionally, they have an agreement that must be signed that waives your right to be part of a class action and has also been reported to say that they aren't agreeing to help restore your credit and rating.
My info is coming from Internet chatter but, since they aren't explaining the process in detail, it's all there is.
Additionally, they have an agreement that must be signed that waives your right to be part of a class action and has also been reported to say that they aren't agreeing to help restore your credit and rating.
Do they, Equifax and Wells Fargo Bank, have any Board of Directors members serving both organizations?
'Course, one might consider that the lesser peeps of our grand society as it exists today; don't know or understand how badly they continue to be "trampled under foot", by the all powerful and controlling, eh?
Now, if you'all would just get those nose swabs in the mail so that "we" may indicate how many folks around the globe are related to you; the sooner the necessary data base will be in place.
Sincerely,
Catch
How many credit cards do you need? Answer = 1.
How many places do you use credit card? Only when you need to. Every time card leaves your line of sight it can be swiped into devices you don't see.
Sometimes it is better to change the game than playing it or trying to win it.
It all began more than 10 years ago and unfolded over a 3-5 year period. The bank account defrauded was a long standing checking account at an area Michigan based bank where both monthly Social Security & Pension payments were automatically deposited. The thief (thieves) apparently used the credit card feature of the bank-issued ATM card to empty the account over just a few days. Probably less than $1000 in the account at the time they hit it (got lucky). I don't remember what they purchased. But some were made at area merchants, but not in person. One was an "entertainment pass-book" (of coupons). This might well have been an early fishing expedition. I complained to the bank about the phony charges and they credited the funds back to me. We both figured it was a simple case of stolen account number. The bank changed the ATM card / account number, made me whole, and I pretty much forgot about it.
A couple years passed. Then over perhaps a 3-6 month period I received 2 different letters in the mail from an online lender (a legitimate company) requesting a written signature on a short enclosed form before they could "release the approved funds". The amount was very high - but whether it was to be in the form of a line-of-credit or outright cash payment - I don't remember. My assumption was that this was just an aggressive credit marketer. So, I sent off a couple nasty letters to their home office - the last one by certified mail, directing them to "cease and desist" and threatening legal action.
A year or so passed and then while opening a new checking account at an area credit union (where I had an existing relationship) the agent alluded to some type of negative remark on my credit file - which she'd accessed during our meeting. She printed the report (from one of the big 3 credit reporting agencies) and gave me a copy. It contained a negative remark (delinquent account) from a company I'd never done business with. The credit union helped me contact the credit reporting agency and file an "appeal" - seeking to have the negative remark removed. Several weeks later the credit reporting agency responded in writing that they had investigated and that complainant had "dropped" the complaint, and so they were "clearing" my credit report (good news). In hindsight, that episode (the negative remark) was likely caused by whomever had stolen my identity. But at the time I still was clueless.
Then about 6 months later I received an email from PayPal with whom I had a legitimate relationship. They stated that they had "frozen" my account and would no longer allow me to do business with them. The stated reason was that I had violated their policies by maintaining more than one account. I called PayPal (finding them incredibly easy to contact and communicate with). It didn't take long for us to conclude that someone had stolen my identity and had set-up the fake PayPal account. They had defrauded two or three people selling things in my name, collecting the funds thru PayPal, and not delivering the promised merchandise. I don't remember the amount - probably less than $1,000 total. I was told I'd be liable for that amount, but if I filed a police report and established it was a case of stolen identity, PayPal would likely cover the loss (which they did).
I researched credit protection agencies and found high marks for Identity Guard, which I continue to use. It's a small monthly fee, but they're most helpful whenever I call with questions and provide many other advantages. On their advice I filed a report with the local police both in writing and in person summarizing all of the above. They investigated for a month or so and determined that someone, operating from a Russia based server, had established a phony email account in my name which closely resembled my own - and with my own email provider. (They'd simply reversed a couple digits in a sequence of numbers). I'm guessing that by utilizing this remarkably similar email address they were able to dupe an unwitting individual somewhere into releasing sensitive credit information. And it was with this phony email address that the phony PayPal account was set up. Likely, it had been used in other fraudulent activity. I got the feeling the police get a lot of these cases and, while helpful, aren't going to invest a lot of time and $$ trying to track down / prosecute criminals operating from foreign countries.
If you provide a written police report the credit agencies (together) will impose a "verify the identity" restriction on your credit files. This means that someone cannot grant credit in your name or lend $$ based simply on a phone call or internet request. The lender must either actually see you in person or, at least, have tangible evidence (like a drivers license) in their possession before granting credit. Seems simple enough. I'm surprised it's not required of all credit applications. Lasts 7 years once you have it placed on your files. There's a more severe option - that of having your credit files "frozen." Didn't opt for that one. Too draconian IMHO.