Equifax Says Cyberattack May Have Affected 143 Million Customers

edited September 2017 in Off-Topic
"Criminals gained access to certain files in the company’s system from mid-May to July by exploiting a weak point in a website application, according to an investigation by Equifax. The company said that it discovered the intrusion on July 29 and has since found no evidence of unauthorized activity on its main consumer or commercial credit reporting databases."

I thought we were paying Equifax to safeguard our data. (Damn Russians - those guys are really good.)

https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html

Comments

  • But it seems that the social security numbers being accessed should be a big deal
  • Potentially adding to criticism of the company, three senior executives, including the company’s chief financial officer, John Gamble, sold shares worth almost $1.8 million in the days after the breach was discovered. The shares were not part of a sale planned in advance, Bloomberg reported.
    These 3 senior executives should be fired. They showed concern for themselves only.
    The company said that it discovered the intrusion on July 29
    Why does it take so long to inform the public? Maybe they were too busy putting their golden parachutes together.
  • The fact that we're still using an SSN as an identifier seems rather lazy. There should be a better way. And, with all of the breaches in the news within the last few years, why on earth would you have this data unmasked/unencrypted? Your average Joe has the ability to encrypt their home PC, and this company can't do the same? There should be a PCI equivalent for these agencies and better oversight to how they're doing business. These businesses stalk us our entire life, collecting data and creating profiles which they sell to other companies. Then they have the nerve to say, it's for your benefit because otherwise you wouldn't have the ability to purchase on credit. Well, the nasty little secret that has been exposed here, is they aren't very good at their fiduciary responsibilities. On second thought, do they have a fiduciary responsibility?
  • edited September 2017
    "The fact that we're still using an SSN as an identifier seems rather lazy." Exactly!
    (Gives ya a lot of confidence in the bureaucrats who administer various government agencies and allow this to continue.)

    Your SS number is plastered everywhere: former employers, schools attended, contractors who've worked on your home (and obtained permits in your name), dentists, doctors, other medical personnel, etc. etc.
    The list is l-o-n-g. Not that those who have the number are necessarily dishonest. But such common usage makes the number easy to steal.
  • Years ago I read (on Epic?) what seems like an obvious statement - the objectives of a number serving as a universally unique identifier and of ensuring security are conflicting.

    On the one hand, SSNs are used to uniquely identify you, so that for better or worse, your medical data can be matched ("joined") with your insurance information, your employment information, your credit score, whatever. Identifiers work well when they are public, or at least widely known - as hank noted, "plastered everywhere".

    On the other hand, if SSNs are to be used for security, then they should be secret, like passwords. There's an inherent conflict here - a password or security scheme isn't useful if everyone knows it. SSNs are being used as identifiers, which is what makes them useless as security devices. Yet the world goes on pretending that they provide some level of security ("I'll give you your bank info over the phone if you'll just give me the last four digits of your SSN").

    We need to acknowledge that using SSN for security is just for show, like taking off your shoes in the airport. It makes it look like TSA, or your local financial institution, is doing something to protect you. Meanwhile guns get through security, and computer systems are left weakly guarded.
  • edited September 2017
    @msf

    Good points. I'm afraid we're often served-up the illusion of protection instead of the real thing.

    Related: I recall that at one time just a SSN (in lieu of a password) was necessary to log into many online mutual fund accounts. Either by edict from some oversight agency (which I think) or voluntarily, fund companies ceased that practice 10-15 years ago and insisted users create a unique password.

    After a semi-successful attempt to access some of my accounts a decade ago (We were made whole by PayPal and a local bank) I inquired about changing my SSN. I found that that is not allowed except in the most extreme cases. Essentially, the number you received at age 16 is still being used when you're 70 or 80. I filed a police report and contacted the credit bureaus who placed extra security on my credit files. (They require the police report before they will do so.)

    Investigation found the hacking originated from Russia. My casual understanding is there's an affiliation over there between organized crime and government. If true, it helps explain the immense power and effectiveness of their cyber-warfare and cyber-criminal apparatus.

    My morning rant!
  • edited September 2017
    I have been a victim of identity theft. It was an inside job. Nothing I could have done to prevent it. It changed my entire way of thinking.

    Since that time, I completely changed my lifestyle. No more debt. Live within your means. Want new car? No. Buy old car, save for years, pay cash for new car.

    I have not even pulled my credit report for over 20 years. The only reason I even know about my credit score is because of the financial institutions I deal with started offering it to me free every month. I keep getting emails about "your information may have been compromised" now and again with free credit monitoring offered for a year. Sometimes I feel it is a conspiracy to get you signed for credit monitoring and make money.

    It is ironic I was thinking of pulling credit report for every adult in the family just yesterday, and now I see this post. I operate under the assumption everyone's identity is already stolen, but you only learn about it when something bad is done with it. Credit Monitoring is a scam, another form of insurance for something you shouldn't be paying for. At least not those who don't live on credit. If anyone has outstanding loan, charge $1 more a month to pay for credit monitoring. Leave everyone else alone.
  • @msf. It remains to be seen whether cyber threat or nuclear threat is more dangerous. Or imagine cyber attack on nuclear installations. We did it to the Iranians. Everyone watched "Zero Days" right?
  • edited September 2017
    @VF - I'm not aware that having "no more debt" has anything to do with identity theft. If anything, having no debt makes you a better target (more wealth to steal). But congratulations on eliminating your debt. Always a good idea.

    We had no debt when our identity was stolen. The thieves succeeded in completely draining everything I had on deposit at one local bank (Imagine the surprise when I walked in to make a withdrawal and was told I had a "0" balance.) They also tried to borrow $100,000 from some online lender in my name, but were halted in the process. Third, they set up a phony account at PayPal in my name, using a phony email account in my name, and then started "selling" items to unsuspecting buyers. After several complaints from buyers who had been defrauded, PayPal contacted me.

    Regards
  • Whether you use credit or not doesn't really matter. Your information is out there and gathered, packaged and sold. Each month, companies contact the credit bureaus with requirements such as: people within a certain zipcode, age, FICO score, etc. This is used to make sure only certain people are sent pre-approved offers. Doesn't really matter if you accept or not, the credit bureaus such as Equifax still get paid. And, if you happen to have a child named after you, good luck with that. Your record and theirs are almost guaranteed to be confused. Furthermore, all representatives at the credit bureau can look up your information for whatever reason. There are no checks in place to make sure the person looking up your information has a legitimate reason for doing so. All they need is your name, state or even better, SSN.
  • edited September 2017
    @hank- Wow. Did you ever discover the actual mechanism that they used? Was it a checking account or a savings account? Was the account set up for on-line access (bill-paying and such) or did they somehow get access directly to the bank?

    Edit/Add: Were either credit cards or debit cards involved?
  • edited September 2017
    The user and all related content has been deleted.
  • I registered there. They confirmed that my data may be compromised. They said that I should contact them again on Sept. 13 (my friend received the date Sept 12) to finalize the registration.
  • I feel like a schmuck. My credit card account was breached last March and I was referred to Equifax to set up credit monitoring. In my panic, I agreed to pay them 16.95 a month to "protect" me. Recently, I canceled that service as it gave me nothing worthwhile but I must be one of the customers adversely affected.
  • They confirmed that my data may be compromised also. They said that I should contact them again on/after Sept. 12.
  • The obvious answer is to assign everyone new SS numbers which will automatically be changed every thirty seconds so as to make it impossible for anyone to use them, including you.
  • edited September 2017
    Is that like pressing your nose against a window? I'd guess that everyone has a different noseprint.:)
  • We could have a password protection program such as Dashlane create an identity for each of us. The identity will be impossible to commit to memory, like a Dashlane password. Then we won't know who we are, who our friends are, or anything else. Who would then bother to steal our identity?
  • @BenWP - if they knew my friends they for sure wouldn't bother.

    To Hank's original post, how is it that Equifax could take SO long before informing everyone about the breach? That doesn't seem right at all. Scottrade did a similar thing awhile back waiting over 6-mo to inform their customers. Just nasty.
  • edited September 2017
    Guess what. As of now (I think the complaints might change this) when you do get to enroll you have to input your full name, full SS number, and current address. Then, if you do this, they send an email saying "It is time to take the final steps in enrolling in your free product, TrustedID Premier, by verifying your identity. To do this, you’ll need to answer some questions about yourself. Successfully completing this step will conclude your enrollment process and activate your product."

    The entire Equifax thing acts just like a phishing scam would act. If the initial check says you are eligible, then they know all that info. You aren't applying for credit. They initiated this. Turning monitoring on shouldn't need to fill out forms that look like phishing. People all over are scratching their heads. Additionally, they have an agreement that must be signed that waives your right to be part of a class action and has also been reported to say that they aren't agreeing to help restore your credit and rating.

    My info is coming from Internet chatter but, since they aren't explaining the process in detail, it's all there is.
  • @Anna made this point, which is apparently this case; based upon other reporting I have seen:
    Additionally, they have an agreement that must be signed that waives your right to be part of a class action and has also been reported to say that they aren't agreeing to help restore your credit and rating.
    Do they, Equifax and Wells Fargo Bank, have any Board of Directors members serving both organizations?
    'Course, one might consider that the lesser peeps of our grand society as it exists today; don't know or understand how badly they continue to be "trampled under foot", by the all powerful and controlling, eh?
    Now, if you'all would just get those nose swabs in the mail so that "we" may indicate how many folks around the globe are related to you; the sooner the necessary data base will be in place.:)
    Sincerely,
    Catch
  • edited September 2017
    @hank I didn't mean to imply having no debt had anything to do with identity theft. I was just mentioning how I handled it. When someone else shot my credit history and score, I decided to try and take it out of the equation. If I can live without borrowing, I don't need to worry about my credit score/history.

    How many credit cards do you need? Answer = 1.
    How many places do you use credit card? Only when you need to. Every time card leaves your line of sight it can be swiped into devices you don't see.

    Sometimes it is better to change the game than playing it or trying to win it.
  • edited September 2017
    In response to questions.

    It all began more than 10 years ago and unfolded over a 3-5 year period. The bank account defrauded was a long standing checking account at an area Michigan based bank where both monthly Social Security & Pension payments were automatically deposited. The thief (thieves) apparently used the credit card feature of the bank-issued ATM card to empty the account over just a few days. Probably less than $1000 in the account at the time they hit it (got lucky). I don't remember what they purchased. But some were made at area merchants, but not in person. One was an "entertainment pass-book" (of coupons). This might well have been an early fishing expedition. I complained to the bank about the phony charges and they credited the funds back to me. We both figured it was a simple case of stolen account number. The bank changed the ATM card / account number, made me whole, and I pretty much forgot about it.

    A couple years passed. Then over perhaps a 3-6 month period I received 2 different letters in the mail from an online lender (a legitimate company) requesting a written signature on a short enclosed form before they could "release the approved funds". The amount was very high - but whether it was to be in the form of a line-of-credit or outright cash payment - I don't remember. My assumption was that this was just an aggressive credit marketer. So, I sent off a couple nasty letters to their home office - the last one by certified mail, directing them to "cease and desist" and threatening legal action.

    A year or so passed and then while opening a new checking account at an area credit union (where I had an existing relationship) the agent alluded to some type of negative remark on my credit file - which she'd accessed during our meeting. She printed the report (from one of the big 3 credit reporting agencies) and gave me a copy. It contained a negative remark (delinquent account) from a company I'd never done business with. The credit union helped me contact the credit reporting agency and file an "appeal" - seeking to have the negative remark removed. Several weeks later the credit reporting agency responded in writing that they had investigated and that complainant had "dropped" the complaint, and so they were "clearing" my credit report (good news). In hindsight, that episode (the negative remark) was likely caused by whoever had stolen my identity. But at the time I still was clueless.

    Then about 6 months later I received an email from PayPal with whom I had a legitimate relationship. They stated that they had "frozen" my account and would no longer allow me to do business with them. The stated reason was that I had violated their policies by maintaining more than one account. I called PayPal (finding them incredibly easy to contact and communicate with). It didn't take long for us to conclude that someone had stolen my identity and had set-up the fake PayPal account. They had defrauded two or three people selling things in my name, collecting the funds thru PayPal, and not delivering the promised merchandise. I don't remember the amount - probably less than $1,000 total. I was told I'd be liable for that amount, but if I filed a police report and established it was a case of stolen identity, PayPal would likely cover the loss (which they did).

    I researched credit protection agencies and found high marks for Identity Guard, which I continue to use. It's a small monthly fee, but they're most helpful whenever I call with questions and provide many other advantages. On their advice I filed a report with the local police both in writing and in person summarizing all of the above. They investigated for a month or so and determined that someone, operating from a Russia based server, had established a phony email account in my name which closely resembled my own - and with my own email provider. (They'd simply reversed a couple digits in a sequence of numbers). I'm guessing that by utilizing this remarkably similar email address they were able to dupe an unwitting individual somewhere into releasing sensitive credit information. And it was with this phony email address that the phony PayPal account was set up. Likely, it had been used in other fraudulent activity. I got the feeling the police get a lot of these cases and, while helpful, aren't going to invest a lot of time and $$ trying to track down / prosecute criminals operating from foreign countries.

    If you provide a written police report the credit agencies (together) will impose a "verify the identity" restriction on your credit files. This means that someone cannot grant credit in your name or lend $$ based simply on a phone call or internet request. The lender must either actually see you in person or, at least, have tangible evidence (like a driver's license) in their possession before granting credit. Seems simple enough. I'm surprised it's not required of all credit applications. Lasts 7 years once you have it placed on your files. There's a more severe option - that of having your credit files "frozen." Didn't opt for that one. Too draconian IMHO.