Here's a statement of the obvious: The opinions expressed here are those of the participants, not those of the Mutual Fund Observer. We cannot vouch for the accuracy or appropriateness of any of it, though we do encourage civility and good humor.
Equifax Says Cyberattack May Have Affected 143 Million Customers
@hank; Had identity theft a few years back. About $700 or $800 involved. I filed police report & froze one of the 3 big credit agencies. Knock on wood, no problems so far. Derf
@Anna made this point, which is apparently this case; based upon other reporting I have seen: Additionally, they have an agreement that must be signed that waives your right to be part of a class action and has also been reported to say that they aren't agreeing to help restore your credit and rating.
Equifax also recommended signing up for a monitoring service. But the program initially required users to give away their rights to legal action and agree to use arbitration to settle disputes.
It immediately drew outrage, with Mr. Schneiderman, the New York attorney general, calling on Equifax to remove language that could deny victims the right to sue. Equifax has since changed the clause, giving consumers the ability to opt out.
@msf So just so I understand, if we take advantage of Equifax free monitoring, which I'm assuming would be for 1 year, then we give away the right to sue. If we opt-out, then we don't get free monitoring.
Sorry if I see conspiracies all over the place. Some companies are going to make money off this from fear-mongering.
I just typed 'test' (as my name) and '654321' (as my partial SSN) into the Equifax 'are you affected' website.
It says I may have been impacted. Oh really?
Other random BS variations inputted were either "affected" or "not affected." What kind of first-year computer science random algo generator are they using? Clearly amateur-land response in many ways, as many of us in the industry have been discussing this past 36 hours or so. The more I think about it, that site feels more like a bait-and-switch attempt to get folks worried, enroll, and then unwittingly sign away their right to sue.
BTW there is a 30-day opt-out provision they threw into their ToS mid-day yesterday after the public outcry regarding the arbitration clause. You need to send a snail-mail letter to Equifax in Atlanta, though.
For those looking to freeze their credit reporting data this weekend, you may find it pathetically interesting to note that the scheme Equifax uses to generate the PIN for you to thaw the freeze is, I kid you not, the date and time your freeze request transaction was processed: IE, MMDDYYHHMM.
From a security perspective, you can't make this stuff up.
At the end of one year, consumers who signed up for the Equifax (TrustedID) identity protection product will begin being charged an unspecified amount unless they cancel by calling the company. Lax security to force more people into their identity protection service?
For those looking to freeze their credit reporting data this weekend, you may find it pathetically interesting to note that the scheme Equifax uses to generate the PIN for you to thaw the freeze is, I kid you not, the date and time your freeze request transaction was processed: IE, MMDDYYHHMM.
From a security perspective, you can't make this stuff up.
Like I have told my wife many times, I am in the wrong profession. Should have signed up for Mars flight.
Some things are too vital to a society to be left in the hands of for-profit corporations with limited resources and conflicted interests that align them more with their shareholders/owners than public consumers. The military and our courts system are two. Identity/credit card/Internet security should be a third. Equifax doesn't have the financial resources or the inclination to do an adequate job.
We can't sue a farmer for the size of strawberries he grows. That's understandable. However how can this be allowed? Government Auditors should be all over these guys. I mean .jsp ?!?!?! Even in 19th century they wouldn't do this shit.
We got Bitcoin right? How about an alternate credit score? Call it BitScore.
Hey now, whoever is going to come up with BlockChain solution please don't forget to send royalty checks to yours truly every month.
Some things are too vital to a society to be left in the hands of for-profit corporations with limited resources and conflicted interests that align them more with their shareholders/owners than public consumers. The military and our courts system are two. Identity/credit card/Internet security should be a third. Equifax doesn't have the financial resources or the inclination to do an adequate job.
There's no conflict of interest. CRAs' (consumer reporting agencies) sole interest is in making profit - in aggregating (manufacturing) information and selling it to eager customers. They have no concern about the subjects of that information.
This is why, absent regulatory laws, they didn't care about the accuracy of the data and didn't even let you see what information they have about you. It's only since the advent of the Fair Credit Reporting Act (FCRA) and amendments that they've had to pay the least bit of attention to the public. It wasn't until 2003 that they had to conduct a "reasonable" investigation into data you contested. Even now, they don't have to remove data in dispute, though you can have them add a note to your file for whatever good that will do.
The risks of identity theft, invasion of privacy, and misuse have grown much larger as more and more data has been concentrated in a few CRAs (as well as freely passed around by businesses). As much of a problem as it may appear now, concentrating and expanding that data in a single place, whether that is a private company or the federal government would further aggravate the situation. This is why privacy and civil rights organizations have long opposed national IDs.
This is not a new problem. It's over a century in the making - the first major CRA, the Retail Credit Company, started in 1899 and gradually evolved into Equifax. (See Epic link below.) Nor is this the first time, even in recent history, that there's been a CRA breach of millions of records with SSNs (Experian 15M in 2015).
It seems to be only when large numbers of people are simultaneously put at actual risk that anyone takes notice. No suggested solutions here, just observing how a century of inattention by the public is only occasionally interrupted by short periods of concern.
So, with this wake-up call and all the posters here who have given first hand experiences with identity theft, what are people's plans on what to do in the future? Free service from Equifax seems like placing a finger in a leaking dam. Your information is out there forever. They should be giving monitoring service for the rest of your life. I personally don't want the free service from Equifax. I'll jump on any lawsuit that holds them responsible for the safety of our info.
Does anyone know of an insurance policy or monitoring agency that can insure your life savings? And if your savings are stolen, can you be insured from total loss? I think I would buy that insurance.
mfs states,
It seems to be only when large numbers of people are simultaneously put at actual risk that anyone takes notice. No suggested solutions here, just observing how a century of inattention by the public is only occasionally interrupted by short periods of concern.
Suggested path forward, anyone? The government insures savings accounts (FDIC). Can/should they also insure individuals from the loss of their retirement savings?
Just my own personal perspective from having been victimized (although no money was lost).
1) I think it's unfortunate that the "Big 3" (Experian, Equifax, TransUnion) won't let you put the "verify identity first" restriction on your credit files until after you've been a victim of identity theft and filed a written police report. Our 7-year time limit is approaching. I know that the initial 7-year window can be extended a number of additional years. But I'm not sure how easy it is to do so. I'll certainly try. (BTW - Having that restriction hasn't in any way hampered my ability to open new accounts or receive new credit lines.)
2) I simply assume that all my data (SS#, DOB, previous employers, etc.) is out there somewhere in cyberspace. So constant awareness is the best safeguard. As my experience probably suggested, I'm kind of "lax" when it comes to regularly monitoring my credit files (which of course isn't hard to do). But there's also a time-lag (probably a month or more) between the time someone opens a new account in your name or makes an inquiry and the time it shows up in your file. So, I'm willing to pay Identity Guard a monthly fee to do for me what I could probably do for free myself. Anytime a new account is opened in my name or a credit inquiry made thru one of the credit rating agencies (known in banking as a hard hit) they email me within days to alert me. Logging into their system or calling on the phone brings up the details. Early on I tried to downgrade their level of service to a more economical plan. They counter-offered with a very attractive rate for their best plan - so I stayed with it. Whenever I call, their reps answer promptly. All seem to speak good English. It's pretty clear they'd like to retain my business.
There are other cheaper ways to monitor your credit records. I don't mean to plug my provider. Just telling you what I've done.
@hank: Thanks for the suggestion about Identity Guard. The $20 per month plan seems to fit our needs, so I signed up. I just hope it does not result in gremlins popping up on my browser screen asking about more coverage, or virus protection, etc. My former employer's gMail system, which I'm allowed to keep, constantly asks us to upgrade Adobe Flashplayer. Unfortunately, pop-ups for McAfee products are included.
@hank- Thanks much for your detailed description of what happened to you and how it happened. Much food for thought. I'm now thinking that we keep way too much cash in vulnerable checking accounts, and that we should keep better track of that and move much of it to savings accounts, which should be less vulnerable by their very nature.
FWIW, a company called Intersections, Inc (INTX) owns IdentityGuard. While the stock is up about 8% over the last couple of days, this company could best be called a "distressed small-cap value" issue. They haven't made money, but they certainly ought to be well-positioned given the Equifax fiasco.
Guys, if these are the "stewards" of our credit history, I firmly believe all our information is public. Credit Protection / Monitoring is a scam. IF someone uses your information you know about it, else you don't. There are so many fish in the sea.
I've started telling my family members to ask for receipt and then keep it and give it to me. You never know if 1 of the 8 charges on your credit card @ walmart is legit or not. Unless you have receipts.
I think people are smart enough to play the long game and pay themselves a "salary" rather than steal big and catch attention.
Now if only I can make my family ask and keep those dang receipts.
145 MM X $10 for freezing credit report at each of the 3. Nice. Look for this game to be played in round robin fashion as breaches occur every few years at each Credit Reporting Agency in turn.
I'm afraid that I still don't understand the concept of being required to pay someone else to prevent harm being done to me. This differs from mafia "protection" exactly how?
By some cosmic coincidence, I just went window shopping at an online medical supply store -- and then I checked out the account registration page, which proudly displays an "Equifax Secure Site" mini-banner. I hope they're re-evaluating their security plan.
Comments
https://www.nytimes.com/2017/09/08/business/equifax.html
https://techcrunch.com/2017/09/08/equifax-says-it-wont-bar-consumers-from-joining-breach-related-lawsuits/
OH. MY. GAWDS.
For those looking to freeze their credit reporting data this weekend, you may find it pathetically interesting to note that the scheme Equifax uses to generate the PIN for you to thaw the freeze is, I kid you not, the date and time your freeze request transaction was processed: IE, MMDDYYHHMM.
From a security perspective, you can't make this stuff up.
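Added illustration (not code from the thread or from Equifax): a short Python audit of why a PIN laid out as MMDDYYHHMM carries far less uncertainty than a random 10-digit number. The function names, the sample PINs and the assumption that the freeze time is known to within some window are constructed for this example.

```python
import math
from datetime import datetime, timedelta

PIN_FORMAT = "%m%d%y%H%M"      # MMDDYYHHMM, the layout described in the post
RANDOM_SPACE = 10 ** 10        # a uniformly random 10-digit PIN


def looks_like_timestamp_pin(pin: str) -> bool:
    """True if a 10-digit PIN parses as a valid MMDDYYHHMM date and time."""
    if len(pin) != 10 or not pin.isdigit():
        return False
    try:
        datetime.strptime(pin, PIN_FORMAT)
    except ValueError:          # month 13, Feb 30, hour 25, and so on
        return False
    return True


def timestamp_pin_space(window: timedelta) -> int:
    """Distinct PINs possible when the issue time is known to within `window`.

    The PIN has one-minute resolution, so the space is the number of minutes.
    """
    return max(1, int(window.total_seconds() // 60))


def audit(pin: str, window: timedelta) -> dict:
    """Report the effective search space and entropy for one PIN.

    `window` is an assumption: how precisely someone else could know when
    the freeze was requested (for example, "the week after the breach news").
    """
    derived = looks_like_timestamp_pin(pin)
    space = timestamp_pin_space(window) if derived else RANDOM_SPACE
    return {
        "timestamp_like": derived,
        "space": space,
        "bits": round(math.log2(space), 1),
    }


if __name__ == "__main__":
    # Constructed sample values, not real PINs.
    for sample in ("0908171532", "4827193605"):
        print(sample, audit(sample, timedelta(days=7)))
```

A PIN issued from a cryptographically secure random source keeps the full 10-digit space regardless of what is known about when the freeze was placed.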
The URL ends in .jsp aka JavaServerPages. Which idiot makes it obvious to hackers the underlying technology behind a website ???
EPIC, The Fair Credit Reporting Act (FCRA) and the Privacy of Your Credit Report
ACLU, https://www.aclu.org/other/5-problems-national-id-cards (See #3, regarding a national database)
Thank you for your efforts with the "name, SSN and pin number" experiment at Equifax and alerting us to the bogus situation.
Regards,
Catch
Regards- OJ
https://www.yahoo.com/finance/news/new-website-lets-automatically-sue-equifax-click-214730288.html
Derf
I didn't know about this "freeze". I think I will freeze credit access to my report tomorrow with all 3 agencies. Money well spent I think.
@hank, thanks for your thoughts and sharing of your experiences.
Does anyone understand the difference between their monitoring products?
Thanks
the insanity continues......
Equifax had 'admin' as login and password in Argentina
http://www.bbc.com/news/technology-41257576