Equifax hack

sophie
Executive Member
Posts: 2431
Joined: Mon Apr 23, 2012 7:15 pm

Re: Equifax hack

Postby sophie » Thu Sep 21, 2017 2:29 am

technovelist wrote:
Maddy wrote:Speaking of two-factor authentication, it seems that they're now hijacking cell phones to get around those protections--and doing it with greater ease and success than through ordinary hacking. https://mobile.nytimes.com/2017/08/21/b ... 19&referer


Right. Don't use your cell phone for the second factor, if you have a choice. Use your email address, which is harder to take over.


Are you sure about that??

It might depend on where you have your email address. A university or small company's email server would probably be less safe than a cell phone. Gmail probably pretty good, but who knows. If you used to think that Yahoo was safe, you must have gotten quite a surprise a while back.
ochotona
Executive Member
Posts: 1451
Joined: Fri Jan 30, 2015 5:54 am

Re: Equifax hack

Postby ochotona » Thu Sep 21, 2017 5:25 am

Charles Schwab gave me a token which has a six-digit PIN for account access. The code changes every 30 seconds or so. I feel much safer than otherwise, though I'm sure some criminal knows the algo used to generate the codes. Nothing is perfectly safe. They have a hacking guarantee anyway, they will restore theft from hacking.
Mountaineer
Executive Member
Posts: 3502
Joined: Tue Feb 07, 2012 10:54 am

Re: Equifax hack

Postby Mountaineer » Thu Sep 21, 2017 6:39 am

This is my experience with Equifax after the hack. I decided to see if my wife and I were affected by the Equifax hack on their website. We were. I then decided to enroll in the "free" TrustedID Premier service they were offering. I filled out the online form and submitted. Was told on the online site I would receive an email in a couple of days to verify my information and complete the signup process. I received that email after 3 or 4 days, and tried to complete the enrollment - got an error message that I would need to call their customer care number to complete the enrollment as it could not be done on line. Over the next two days, after being on hold for extended periods each time, I spoke with three different customer care agents. The first two did not speak English as a first language, I could not understand much of what they said; they gave up and said to call back later (with the excuse their computers were out of service temporarily). The third agent I spoke with had very good diction in English but clearly did not have an understanding of the language. He kept transposing digits when repeating them back to me. He asked me the same questions three or four times. There were several other mistakes on his part. I came to the conclusion he had no comprehension of English or what he was doing so I asked to speak to his supervisor. Finally, he agreed and put me on hold ... then the call was disconnected. All in all, I probably spent three plus hours trying to enroll.

My conclusion: Buyer beware!!!!!!!! I would no more trust Equifax to perform well with their "TrustedID Premier" service than I would trust a used car salesman to sell me a slightly used Yugo. It seemed to me that both their computer systems and their people are incompetent, at least those that I dealt with. I have little confidence that the credit freeze I placed with Equifax will actually work. The credit freezes I established at the other agencies went smoothly.
For the time is coming when people will not endure sound teaching, but having itching ears they will accumulate for themselves teachers to suit their own passions, and will turn away from listening to the truth and wander off into myths. Left untreated, the itching ears syndrome is spiritually fatal.
Xan
Administrator
Posts: 1790
Joined: Tue Mar 13, 2012 1:51 pm

Re: Equifax hack

Postby Xan » Thu Sep 21, 2017 11:08 am

sophie wrote:Are you sure about that??

It might depend on where you have your email address. A university or small company's email server would probably be less safe than a cell phone. Gmail probably pretty good, but who knows. If you used to think that Yahoo was safe, you must have gotten quite a surprise a while back.


Sophie, you and I seem to have different instincts on things like this. Like the other day, when your presumption was that open-source software is less secure than closed-source.

From my perspective, I would think that your email at a university or small company would be much LESS hackable than a big provider like Google. If nothing else, because Google has a "forgot my password" feature, and the small company or university probably requires you to go talk to an admin. Google is a big target with known procedures, and every university or small company has a different setup.

But I do this kind of thing for a living, so it makes sense that my perspective might be different. What's weird is that I hadn't considered that anybody would think otherwise on either of those two questions.

So now I'm REALLY wondering what kind of medical ideas I might have in my head which you'd think are totally bonkers!
sophie
Executive Member
Posts: 2431
Joined: Mon Apr 23, 2012 7:15 pm

Re: Equifax hack

Postby sophie » Fri Sep 22, 2017 2:27 am

Well, open source software is not intended to be super-secure. It's meant to give people a free, self-maintained option which is great for, say, a small business. Somehow that doesn't translate to a company that should have security standards far higher than your average Silicon Valley startup, or higher even than a chain retailer like Target or Home Depot. So I'd always assumed that banks, for example, have tightly managed closed systems.

My experience with university accounts is that they're EXTREMELY hackable. Every university account I've ever held has been hacked at one time or another, and a lot of my colleagues have experienced the same. I've also had my SSN spilled several times by university IT depts, so the Equifax hack doesn't make a bit of difference to me. This isn't really surprising. University IT depts are typically underpaid, underfunded, and understaffed. I assume the same is true of most ISPs, which is the only other source of email accounts for most people.

Gmail seems a much safer alternative to me. Ironic given that the shabby university security is supposed to be safeguarding medical information, and this is the reason why they won't use the Lion/Gmail option.

BTW I can attest that credit freezes, at least in general, work. I tried to create an SSA account after freezing my accounts, and discovered I couldn't. Have to go in person to the nearest SS office.
Xan
Administrator
Posts: 1790
Joined: Tue Mar 13, 2012 1:51 pm

Re: Equifax hack

Postby Xan » Fri Sep 22, 2017 8:50 am

I'll cede your point on university systems. You have more experience in that realm than I do.

Well, open source software is not intended to be super-secure. It's meant to give people a free, self-maintained option which is great for, say, a small business. Somehow that doesn't translate to a company that should have security standards far higher than your average Silicon Valley startup, or higher even than a chain retailer like Target or Home Depot. So I'd always assumed that banks, for example, have tightly managed closed systems.


The development methodology of the software doesn't necessarily have anything to do with how secure it is. It all depends on the priorities of the developers. I would submit that unless the user of the software can see and examine the code themselves, then it is less secure than any other option, because they don't even really know what it's doing.

Open source gives you that from the start. It may be that the code for secretly-developed software could be examined by a customer if they were big enough and paid enough money.

Regardless, a "tightly managed" system will be fine, but that has nothing to do with whether or not the code is open. You can have a well-managed open-source based setup, or a poorly-managed closed-source setup, or vice-versa.

Any security advantage of being closed-source per se is simply security-through-obscurity, which has long been recognized to not work. The holes will be found. And when they are, you're at the mercy of the vendor to fix them; nobody else can.
technovelist
Executive Member
Posts: 4214
Joined: Wed Sep 15, 2010 11:20 pm

Re: Equifax hack

Postby technovelist » Fri Sep 22, 2017 10:53 am

Xan wrote:I'll cede your point on university systems. You have more experience in that realm than I do.

Well, open source software is not intended to be super-secure. It's meant to give people a free, self-maintained option which is great for, say, a small business. Somehow that doesn't translate to a company that should have security standards far higher than your average Silicon Valley startup, or higher even than a chain retailer like Target or Home Depot. So I'd always assumed that banks, for example, have tightly managed closed systems.


The development methodology of the software doesn't necessarily have anything to do with how secure it is. It all depends on the priorities of the developers. I would submit that unless the user of the software can see and examine the code themselves, then it is less secure than any other option, because they don't even really know what it's doing.

Open source gives you that from the start. It may be that the code for secretly-developed software could be examined by a customer if they were big enough and paid enough money.

Regardless, a "tightly managed" system will be fine, but that has nothing to do with whether or not the code is open. You can have a well-managed open-source based setup, or a poorly-managed closed-source setup, or vice-versa.

Any security advantage of being closed-source per se is simply security-through-obscurity, which has long been recognized to not work. The holes will be found. And when they are, you're at the mercy of the vendor to fix them; nobody else can.


All of this is correct.

(BTW, I'm pretty sure that there are a few Microsoft customers who have source-code access to Windows.)
Maddy
Executive Member
Posts: 563
Joined: Sun Jun 21, 2015 8:43 am

Re: Equifax hack

Postby Maddy » Sat Sep 23, 2017 8:25 am

If you're relying upon the "freezing" of your credit report to protect you, consider this: The "unfreezing" of a credit report requires no verification of identity other than knowledge of the very same information that was released in the security breach. https://krebsonsecurity.com/2017/09/exp ... reeze-pin/
technovelist
Executive Member
Posts: 4214
Joined: Wed Sep 15, 2010 11:20 pm

Re: Equifax hack

Postby technovelist » Sat Sep 23, 2017 4:33 pm

Maddy wrote:If you're relying upon the "freezing" of your credit report to protect you, consider this: The "unfreezing" of a credit report requires no verification of identity other than knowledge of the very same information that was released in the security breach. https://krebsonsecurity.com/2017/09/exp ... reeze-pin/


So you're saying it's really secure then? :P
Maddy
Executive Member
Posts: 563
Joined: Sun Jun 21, 2015 8:43 am

Re: Equifax hack

Postby Maddy » Sat Sep 23, 2017 7:23 pm

technovelist wrote:
Maddy wrote:If you're relying upon the "freezing" of your credit report to protect you, consider this: The "unfreezing" of a credit report requires no verification of identity other than knowledge of the very same information that was released in the security breach. https://krebsonsecurity.com/2017/09/exp ... reeze-pin/


So you're saying it's really secure then? :P


No, I'm saying that the same bad guys who have your credit file probably have your PIN (or whatever personal information the agency uses to verify your identity) as well. If your credit report is frozen, they can simply unfreeze it. What a mess.
technovelist
Executive Member
Posts: 4214
Joined: Wed Sep 15, 2010 11:20 pm

Re: Equifax hack

Postby technovelist » Sat Sep 23, 2017 8:07 pm

Maddy wrote:
technovelist wrote:
Maddy wrote:If you're relying upon the "freezing" of your credit report to protect you, consider this: The "unfreezing" of a credit report requires no verification of identity other than knowledge of the very same information that was released in the security breach. https://krebsonsecurity.com/2017/09/exp ... reeze-pin/


So you're saying it's really secure then? :P


No, I'm saying that the same bad guys who have your credit file probably have your PIN (or whatever personal information the agency uses to verify your identity) as well. If your credit report is frozen, they can simply unfreeze it. What a mess.


Yes, I was being sarcastic, thus the :P .
farjean2
Executive Member
Posts: 221
Joined: Thu Feb 23, 2017 12:51 am

Re: Equifax hack

Postby farjean2 » Thu Oct 12, 2017 3:25 pm

They've been hacked again....

https://www.cnbc.com/2017/10/12/equifax-says-it-might-have-been-breached-again.html

Apparently, one of their web pages was hacked to download malware, which makes me feel not so paranoid about thinking their whole Trusted ID thing was just another hack.
