Equifax hack

Other discussions not related to the Permanent Portfolio

Moderator: Global Moderator

User avatar
Maddy
Executive Member
Executive Member
Posts: 1694
Joined: Sun Jun 21, 2015 8:43 am

Re: Equifax hack

Post by Maddy » Sun Sep 10, 2017 7:49 am

ochotona wrote:
Maddy wrote:
Kriegsspiel wrote:On the subject of freezing credit... If I don't plan on opening any new credit cards or getting a mortgage or using my "credit" in any way... is there any reason not to freeze my credit?
None that I know of. Mine's been frozen for about ten years, and the only time it's ever became an inconvenience (albeit only a very slight one) was when I applied for a mortgage loan. In that instance, all that was required (to the best that I can recall) was a phone call to unfreeze for 48 hours and a second phone call to put the freeze back on.
How many bureaus did you have to unfreeze?
I don't recall whether it was the major three (TransUnion, Equifax, and Experian) or just the one that the lender intended to use. It certainly was no more than that.
gizmo_rat
Executive Member
Executive Member
Posts: 302
Joined: Mon Jan 17, 2011 5:25 am

Re: Equifax hack

Post by gizmo_rat » Mon Sep 11, 2017 10:22 am

I'm surprised this news doesn't seem to be getting a lot of attention. The theft of enough personal information to facilitate the ID theft of 140 million people sounds like the potential death of ez-credit as a policy to me.

At the personal level here's a guide to protect yourself in the short term.

https://arstechnica.com/information-tec ... -now-what/
User avatar
ochotona
Executive Member
Executive Member
Posts: 3353
Joined: Fri Jan 30, 2015 5:54 am

Re: Equifax hack

Post by ochotona » Mon Sep 11, 2017 10:10 pm

IRS Form 14039 - Affidavit of Identity Theft. This may be needed to prevent tax refund theft in the future. I've got a call out to my tax people about this form, whether I should send it in in order to get a PIN assigned to me.
WiseOne
Executive Member
Executive Member
Posts: 2692
Joined: Wed Feb 16, 2022 11:08 am

Re: Equifax hack

Post by WiseOne » Tue Sep 12, 2017 8:29 am

I just checked on Experian's Equifax's website, and yes, my account was one of those compromised.

I thought it would be useful to start a list of forms of identity theft and the easiest preventive measures. Since apparently the responsibility for this is entirely on us. Thus the PP forum's Guide to Identity Theft. Please add/edit at will!

1. Your credit card or bank account number is stolen and someone starts shopping on your nickel

As a YNAB "classic" user, I reconcile credit card and bank accounts every month. I've caught several fraudulent charges that I might otherwise have missed, average 1-2x/year. The credit card companies in question made it very easy to deal with, but the catch is that most require you to report fraudulent charges within 30 days. In some obvious cases (like the huge charge at a restaurant in Vietnam) the company caught the fraudulent charge before I saw it and notified me.

2. Someone breaks into your bank accounts online or via ATM, and starts draining money

Never happened to me, and frankly I don't know what to do about this, other than strong passwords & two factor authentication where available. Plus monthly monitoring.

3. Someone with your SSN and other info starts opening credit accounts in your name

I froze my credit last year. Be sure to get all loans & credit cards you're interested in first, and don't lose the PINS. Also, creating accounts on government websites requires a credit check - I know for sure about Social Security and MyEVerify, not sure about Treasury Direct. Do those things first.

4. Someone with your name and SSN applies for a job in your name

If the employer does a credit check, the freeze should prevent this issue. If they don't do that but do use EVerify, you should detect it on MyEVerify - not sure how often that's the case though. I imagine most dodgy employers taking on someone with an illegally obtained SSN probably do neither, in which case the first you'll hear of it is a tax notice from the IRS about the reported wages.

5. Someone with your SSN files a paper tax return in your name, claiming and getting refunds

This is why I file taxes at the earliest possible date every year: "He who files first, files best." The main limitation is waiting for all tax info from employers etc, which usually takes until about middle to late February. The risk of doing this: 1) tax software company discovers and fixes a bug late in the tax season, after you've already filed, and you only find out two years later when you get a tax notice from the IRS; 2) you get an amended tax document, which happens 2-3x each year for me.
User avatar
I Shrugged
Executive Member
Executive Member
Posts: 2062
Joined: Tue Dec 18, 2012 6:35 pm

Re: Equifax hack

Post by I Shrugged » Tue Sep 12, 2017 9:17 am

I bet in several years we will look back at this and laugh about how weak and vulnerable the electronic transaction system was. The various financial entities wanted to make it painless for consumers, but that is now backfiring. In the future we will have to have some sort of physical verification. Voice, a key thingy, fingerprint, retina, something.

I see a parallel in all of the stolen emails over the past few years. Why don't organizations implement encryption???? Because it's too inconvenient? Probably. Because it looks suspicious? Maybe. Or is it otherwise not effective in a large organization and their outside contacts?
Jack Jones
Executive Member
Executive Member
Posts: 521
Joined: Mon Aug 24, 2015 3:12 pm

Re: Equifax hack

Post by Jack Jones » Tue Sep 12, 2017 10:16 am

Anyone considering or have experience with taking this sort of thing to small claims court?
User avatar
Xan
Administrator
Administrator
Posts: 4392
Joined: Tue Mar 13, 2012 1:51 pm

Re: Equifax hack

Post by Xan » Tue Sep 12, 2017 10:19 am

I Shrugged wrote:I bet in several years we will look back at this and laugh about how weak and vulnerable the electronic transaction system was. The various financial entities wanted to make it painless for consumers, but that is now backfiring. In the future we will have to have some sort of physical verification. Voice, a key thingy, fingerprint, retina, something.

I see a parallel in all of the stolen emails over the past few years. Why don't organizations implement encryption???? Because it's too inconvenient? Probably. Because it looks suspicious? Maybe. Or is it otherwise not effective in a large organization and their outside contacts?
Biometrics are dangerous. Once compromised, they can't be changed. Also it gives incentives for death and/or mutilation. Not only all that, but you leave your authenticators behind you everywhere you go: fingerprints, your voice, pictures of you. Really they're not very good at all.
farjean2
Executive Member
Executive Member
Posts: 284
Joined: Thu Feb 23, 2017 12:51 am

Re: Equifax hack

Post by farjean2 » Tue Sep 12, 2017 12:21 pm

I was one of the hacked IDs according to the Equifax website - so I enrolled in the Trusted ID Premier program.

Wasn't sure I wanted to at first. They say the hack occurred through the website. So now they have a link to a new program where you give them all your information on the website.

Say what?

How do I know that's not part of the hack of their website. I think it's called cross-site-scripting or page hijacking or something like that. I used to do this kind of stuff for a living but already forgot everything I know after being retired for a year.

The fact that somebody was able to steal 140 million IDs through the website tells you how insecure their system is. That's right through the front door.
User avatar
ochotona
Executive Member
Executive Member
Posts: 3353
Joined: Fri Jan 30, 2015 5:54 am

Re: Equifax hack

Post by ochotona » Tue Sep 12, 2017 12:23 pm

EF says they will waive credit freeze fees for 30 days
farjean2
Executive Member
Executive Member
Posts: 284
Joined: Thu Feb 23, 2017 12:51 am

Re: Equifax hack

Post by farjean2 » Tue Sep 12, 2017 6:15 pm

ochotona wrote:EF says they will waive credit freeze fees for 30 days
How generous of them.

Nice windfall for Experian and TransUnion who aren't waving fees.
WiseOne
Executive Member
Executive Member
Posts: 2692
Joined: Wed Feb 16, 2022 11:08 am

Re: Equifax hack

Post by WiseOne » Wed Sep 13, 2017 7:18 am

farjean2 wrote:
ochotona wrote:EF says they will waive credit freeze fees for 30 days
How generous of them.

Nice windfall for Experian and TransUnion who aren't waving fees.
My sister just checked the Equifax site and had some excellent questions. Her entire family including her two kids, who have no credit history at all not to mention that the family live in Canada, came up as potentially compromised. My sister pointed out that searching a database of 143 million SSNs should take a while, whereas the site instantly comes back with the answer "yes".

In other words, they're not checking anything. They just have a website that makes it look like they are, and then they say yes to everything.

And then consider this: Multiply the credit freeze fees times 143 million people...that's a nice chunk of change. And then there's the one year signup for the ID protection deal. At the end of the year, let's say just 10% decide to pay up and keep the service. Also a nice bit of extra income.

Anyone see where this is going??

The honorable thing would be for all 3 credit bureaus to offer free credit freezes for the next year. YEAR. Not 30 days.
flyingpylon
Executive Member
Executive Member
Posts: 1102
Joined: Fri Jan 06, 2012 9:04 am

Re: Equifax hack

Post by flyingpylon » Wed Sep 13, 2017 9:09 am

WiseOne wrote: My sister just checked the Equifax site and had some excellent questions. Her entire family including her two kids, who have no credit history at all not to mention that the family live in Canada, came up as potentially compromised. My sister pointed out that searching a database of 143 million SSNs should take a while, whereas the site instantly comes back with the answer "yes".

In other words, they're not checking anything. They just have a website that makes it look like they are, and then they say yes to everything.
Not disagreeing here at all, but have you noticed how long it takes Google to return results for a search? (not long)
User avatar
drumminj
Executive Member
Executive Member
Posts: 319
Joined: Wed Jul 22, 2015 9:16 pm

Re: Equifax hack

Post by drumminj » Wed Sep 13, 2017 9:12 am

WiseOne wrote:
farjean2 wrote: The honorable thing would be for all 3 credit bureaus to offer free credit freezes for the next year. YEAR. Not 30 days.
Absolutely agree with this. I've not frozen through Equifax yet because honestly I don't want to give them any money for their own f-up. But they absolutely should foot the bill for anyone to freeze their credit across all bureaus.

I suppose one could take them to small claims court for that, but for $30 (my cost at least) it's just not worth the time/effort.
farjean2
Executive Member
Executive Member
Posts: 284
Joined: Thu Feb 23, 2017 12:51 am

Re: Equifax hack

Post by farjean2 » Wed Sep 13, 2017 9:58 am

WiseOne wrote:My sister just checked the Equifax site and had some excellent questions. Her entire family including her two kids, who have no credit history at all not to mention that the family live in Canada, came up as potentially compromised. My sister pointed out that searching a database of 143 million SSNs should take a while, whereas the site instantly comes back with the answer "yes".
It wouldn't have to search 143 million SSNs. It could be that fast using just the two key search.

But....

I thought about this too so I checked it with my first wife's SSN and got a positive hit. She's been dead for 16 years.

So I just started making up bogus names and SSN's. Sure enough every one of them came up positive.

So one of my former employers is run by a bunch of crooks.

Or....

This is making me think even more that the enrollment procedure might be part of the hack to get more personal information than the hackers already have, and maybe I shouldn't have done it. Equifax already had all of that information but now whoever is getting it has my mobile phone number too.
WiseOne
Executive Member
Executive Member
Posts: 2692
Joined: Wed Feb 16, 2022 11:08 am

Re: Equifax hack

Post by WiseOne » Wed Sep 13, 2017 11:49 am

farjean2 wrote:I thought about this too so I checked it with my first wife's SSN and got a positive hit. She's been dead for 16 years.

So I just started making up bogus names and SSN's. Sure enough every one of them came up positive.

So one of my former employers is run by a bunch of crooks.

Or....

This is making me think even more that the enrollment procedure might be part of the hack to get more personal information than the hackers already have, and maybe I shouldn't have done it. Equifax already had all of that information but now whoever is getting it has my mobile phone number too.
Outstanding.

Hopefully, farjean, that site isn't part of the hack - doubt it.

I am very thankful that I froze my credit well before all this went down. But I don't know what to tell my sister. She views the whole thing as just one step away from extortion, and she's not wrong. Something like two-factor authentication should be in place for all credit transactions, and that should have happened a long time ago.
User avatar
Maddy
Executive Member
Executive Member
Posts: 1694
Joined: Sun Jun 21, 2015 8:43 am

Re: Equifax hack

Post by Maddy » Wed Sep 13, 2017 12:48 pm

Speaking of two-factor authentication, it seems that they're now hijacking cell phones to get around those protections--and doing it with greater ease and success than through ordinary hacking. https://mobile.nytimes.com/2017/08/21/b ... 19&referer
User avatar
I Shrugged
Executive Member
Executive Member
Posts: 2062
Joined: Tue Dec 18, 2012 6:35 pm

Re: Equifax hack

Post by I Shrugged » Wed Sep 13, 2017 4:46 pm

edited, I may have erred.
Last edited by I Shrugged on Wed Sep 13, 2017 4:57 pm, edited 1 time in total.
stuper1
Executive Member
Executive Member
Posts: 1365
Joined: Sun Mar 03, 2013 7:18 pm

Re: Equifax hack

Post by stuper1 » Wed Sep 13, 2017 4:54 pm

For whatever it's worth:

When I checked my name and SSN yesterday, it said potentially affected.

When I checked my wife's name and SSN, it said not potentially affected.
WiseOne
Executive Member
Executive Member
Posts: 2692
Joined: Wed Feb 16, 2022 11:08 am

Re: Equifax hack

Post by WiseOne » Wed Sep 13, 2017 6:22 pm

Maddy wrote:Speaking of two-factor authentication, it seems that they're now hijacking cell phones to get around those protections--and doing it with greater ease and success than through ordinary hacking. https://mobile.nytimes.com/2017/08/21/b ... 19&referer
Maddy, thank you for posting that! This is one scary article, and incidentally it points to a major downside of owning Bitcoins.

It makes me wonder about what would happen if hackers broke into any of my online accounts and stole money or assets out of it. For Fidelity or Vanguard, there is SIPC insurance...not quite sure what that covers.

But what about the Perth Mint, or any of the online gold holding companies? I figured Perth Mint would want to defend its reputation as a safe haven, but they don't promise any restitution of assets if a hacking occurs. They do make it very difficult to switch accounts, though.
User avatar
ochotona
Executive Member
Executive Member
Posts: 3353
Joined: Fri Jan 30, 2015 5:54 am

Re: Equifax hack

Post by ochotona » Wed Sep 13, 2017 9:53 pm

WiseOne wrote:
Maddy wrote:Speaking of two-factor authentication, it seems that they're now hijacking cell phones to get around those protections--and doing it with greater ease and success than through ordinary hacking. https://mobile.nytimes.com/2017/08/21/b ... 19&referer
I called my cell phone provider and asked them to impose a six-digit PIN of my choosing. They were happy to.
farjean2
Executive Member
Executive Member
Posts: 284
Joined: Thu Feb 23, 2017 12:51 am

Re: Equifax hack

Post by farjean2 » Fri Sep 15, 2017 3:01 pm

An interesting article with some technical details of the hack if any IT folks are interested....

https://arstechnica.com/information-tec ... h-old-bug/

Apparently a vulnerability was discovered in some open source software (Apache Struts) and a patch was distributed for it but Equifax had not yet installed it two months later when the breach occurred. Anybody who finds that hard to believe has never worked in an IT department in a large company like Equifax. I was once an employee of Equifax but at the time of my retirement I was working at a spin-off company, then bought by an even larger company, and I would seriously doubt whether they applied the patch within two months either. A project would have to have been initiated, approved, and prioritized and that process all by itself can take months. Try telling a company bureaucrat that your request is "urgent". They will laugh in your face (more likely they will just ignore you because you can't even see their face). Before I was forcibly retired I made a very minor change to a program to fix a security flaw and it took me six weeks just to get it implemented. I had to submit a "ticket" which had to be approved by 8 different departments, most of whom I had no idea who they were or where in the world they were even located or why their approval was needed.

As I understand it, according to the article, applying this patch involved rebuilding all of the programs that used the open source software in question. The actual work of doing that may or may not have been a big deal, assuming there was even anybody on staff who could do it, but all of those programs would have to have been tested and put through all kinds of quality controls even before they got to my 6 week implementation nightmare.

This is why I've never regretted being forced to retire for even a moment. Let younger folks pull out their hair.
User avatar
ochotona
Executive Member
Executive Member
Posts: 3353
Joined: Fri Jan 30, 2015 5:54 am

Re: Equifax hack

Post by ochotona » Fri Sep 15, 2017 6:06 pm

WiseOne
Executive Member
Executive Member
Posts: 2692
Joined: Wed Feb 16, 2022 11:08 am

Re: Equifax hack

Post by WiseOne » Fri Sep 15, 2017 9:57 pm

Is it common for institutions with reams of highly sensitive data to use open source software???

Given what they're holding, Equifax's security should be more like the NSA, the Pentagon, and major banks like Chase. It shouldn't be run like a video game company. I'm a little shocked that they were using open source software, and still more shocked that the lawyers who should be crawling around all over the place allowed such a thing. Because, you know, there has to be someone to sue when something goes wrong.
farjean2
Executive Member
Executive Member
Posts: 284
Joined: Thu Feb 23, 2017 12:51 am

Re: Equifax hack

Post by farjean2 » Sat Sep 16, 2017 4:14 am

WiseOne wrote:Is it common for institutions with reams of highly sensitive data to use open source software???

Given what they're holding, Equifax's security should be more like the NSA, the Pentagon, and major banks like Chase. It shouldn't be run like a video game company. I'm a little shocked that they were using open source software, and still more shocked that the lawyers who should be crawling around all over the place allowed such a thing. Because, you know, there has to be someone to sue when something goes wrong.
About 75% of the WWW uses open source software. If you want proprietary you can always go with Microsoft but as everyone knows you can still end up with the same vulnerability problems. Even proprietary products we got from IBM were built using open source software if you looked close enough under the covers.
User avatar
Maddy
Executive Member
Executive Member
Posts: 1694
Joined: Sun Jun 21, 2015 8:43 am

Re: Equifax hack

Post by Maddy » Sat Sep 16, 2017 6:14 am

You all know my biases, but I can't help but wonder why people continue to embrace technology as they do. Seems like the majority of my day--every day--is spent troubleshooting computer problems (mine or somebody else's), dealing with tech-dominated bureaucracies that can't solve a simple problem if it's not pre-programmed into their "system," or taking defensive action against computer-driven intrusions into my personal life and privacy. And I've disconnected myself from all but the most basic technologies.

I wonder whether today's young people even remember a time when life didn't involve a constant barrage of technology-related stresses. Are they even aware of how much their "toys" are costing them in terms of quality of life?
Post Reply