Equifax hack

farjean2
Executive Member
Posts: 284
Joined: Thu Feb 23, 2017 12:51 am

Re: Equifax hack

Post by farjean2 » Wed Sep 13, 2017 9:58 am

WiseOne wrote:My sister just checked the Equifax site and had some excellent questions. Her entire family including her two kids, who have no credit history at all not to mention that the family live in Canada, came up as potentially compromised. My sister pointed out that searching a database of 143 million SSNs should take a while, whereas the site instantly comes back with the answer "yes".
It wouldn't have to search 143 million SSNs. It could be that fast using just the two key search.

But....

I thought about this too so I checked it with my first wife's SSN and got a positive hit. She's been dead for 16 years.

So I just started making up bogus names and SSN's. Sure enough every one of them came up positive.

So one of my former employers is run by a bunch of crooks.

Or....

This is making me think even more that the enrollment procedure might be part of the hack to get more personal information than the hackers already have, and maybe I shouldn't have done it. Equifax already had all of that information but now whoever is getting it has my mobile phone number too.
WiseOne
Executive Member
Posts: 2692
Joined: Wed Feb 16, 2022 11:08 am

Re: Equifax hack

Post by WiseOne » Wed Sep 13, 2017 11:49 am

farjean2 wrote:I thought about this too so I checked it with my first wife's SSN and got a positive hit. She's been dead for 16 years.

So I just started making up bogus names and SSN's. Sure enough every one of them came up positive.

So one of my former employers is run by a bunch of crooks.

Or....

This is making me think even more that the enrollment procedure might be part of the hack to get more personal information than the hackers already have, and maybe I shouldn't have done it. Equifax already had all of that information but now whoever is getting it has my mobile phone number too.
Outstanding.

Hopefully, farjean, that site isn't part of the hack - doubt it.

I am very thankful that I froze my credit well before all this went down. But I don't know what to tell my sister. She views the whole thing as just one step away from extortion, and she's not wrong. Something like two-factor authentication should be in place for all credit transactions, and that should have happened a long time ago.
Maddy
Executive Member
Posts: 1694
Joined: Sun Jun 21, 2015 8:43 am

Re: Equifax hack

Post by Maddy » Wed Sep 13, 2017 12:48 pm

Speaking of two-factor authentication, it seems that they're now hijacking cell phones to get around those protections--and doing it with greater ease and success than through ordinary hacking. https://mobile.nytimes.com/2017/08/21/b ... 19&referer
I Shrugged
Executive Member
Posts: 2062
Joined: Tue Dec 18, 2012 6:35 pm

Re: Equifax hack

Post by I Shrugged » Wed Sep 13, 2017 4:46 pm

edited, I may have erred.
Last edited by I Shrugged on Wed Sep 13, 2017 4:57 pm, edited 1 time in total.
stuper1
Executive Member
Posts: 1365
Joined: Sun Mar 03, 2013 7:18 pm

Re: Equifax hack

Post by stuper1 » Wed Sep 13, 2017 4:54 pm

For whatever it's worth:

When I checked my name and SSN yesterday, it said potentially affected.

When I checked my wife's name and SSN, it said not potentially affected.
WiseOne
Executive Member
Posts: 2692
Joined: Wed Feb 16, 2022 11:08 am

Re: Equifax hack

Post by WiseOne » Wed Sep 13, 2017 6:22 pm

Maddy wrote:Speaking of two-factor authentication, it seems that they're now hijacking cell phones to get around those protections--and doing it with greater ease and success than through ordinary hacking. https://mobile.nytimes.com/2017/08/21/b ... 19&referer
Maddy, thank you for posting that! This is one scary article, and incidentally it points to a major downside of owning Bitcoins.

It makes me wonder about what would happen if hackers broke into any of my online accounts and stole money or assets out of it. For Fidelity or Vanguard, there is SIPC insurance...not quite sure what that covers.

But what about the Perth Mint, or any of the online gold holding companies? I figured Perth Mint would want to defend its reputation as a safe haven, but they don't promise any restitution of assets if a hacking occurs. They do make it very difficult to switch accounts, though.
ochotona
Executive Member
Posts: 3353
Joined: Fri Jan 30, 2015 5:54 am

Re: Equifax hack

Post by ochotona » Wed Sep 13, 2017 9:53 pm

WiseOne wrote:
Maddy wrote:Speaking of two-factor authentication, it seems that they're now hijacking cell phones to get around those protections--and doing it with greater ease and success than through ordinary hacking. https://mobile.nytimes.com/2017/08/21/b ... 19&referer
I called my cell phone provider and asked them to impose a six-digit PIN of my choosing. They were happy to.
farjean2
Executive Member
Posts: 284
Joined: Thu Feb 23, 2017 12:51 am

Re: Equifax hack

Post by farjean2 » Fri Sep 15, 2017 3:01 pm

An interesting article with some technical details of the hack if any IT folks are interested....

https://arstechnica.com/information-tec ... h-old-bug/

Apparently a vulnerability was discovered in some open source software (Apache Struts) and a patch was distributed for it but Equifax had not yet installed it two months later when the breach occurred. Anybody who finds that hard to believe has never worked in an IT department in a large company like Equifax. I was once an employee of Equifax but at the time of my retirement I was working at a spin-off company, then bought by an even larger company, and I would seriously doubt whether they applied the patch within two months either. A project would have to have been initiated, approved, and prioritized and that process all by itself can take months. Try telling a company bureaucrat that your request is "urgent". They will laugh in your face (more likely they will just ignore you because you can't even see their face). Before I was forcibly retired I made a very minor change to a program to fix a security flaw and it took me six weeks just to get it implemented. I had to submit a "ticket" which had to be approved by 8 different departments, most of whom I had no idea who they were or where in the world they were even located or why their approval was needed.

As I understand it, according to the article, applying this patch involved rebuilding all of the programs that used the open source software in question. The actual work of doing that may or may not have been a big deal, assuming there was even anybody on staff who could do it, but all of those programs would have to have been tested and put through all kinds of quality controls even before they got to my 6 week implementation nightmare.

This is why I've never regretted being forced to retire for even a moment. Let younger folks pull out their hair.
ochotona
Executive Member
Posts: 3353
Joined: Fri Jan 30, 2015 5:54 am

Re: Equifax hack

Post by ochotona » Fri Sep 15, 2017 6:06 pm

WiseOne
Executive Member
Posts: 2692
Joined: Wed Feb 16, 2022 11:08 am

Re: Equifax hack

Post by WiseOne » Fri Sep 15, 2017 9:57 pm

Is it common for institutions with reams of highly sensitive data to use open source software???

Given what they're holding, Equifax's security should be more like the NSA, the Pentagon, and major banks like Chase. It shouldn't be run like a video game company. I'm a little shocked that they were using open source software, and still more shocked that the lawyers who should be crawling around all over the place allowed such a thing. Because, you know, there has to be someone to sue when something goes wrong.
farjean2
Executive Member
Posts: 284
Joined: Thu Feb 23, 2017 12:51 am

Re: Equifax hack

Post by farjean2 » Sat Sep 16, 2017 4:14 am

WiseOne wrote:Is it common for institutions with reams of highly sensitive data to use open source software???

Given what they're holding, Equifax's security should be more like the NSA, the Pentagon, and major banks like Chase. It shouldn't be run like a video game company. I'm a little shocked that they were using open source software, and still more shocked that the lawyers who should be crawling around all over the place allowed such a thing. Because, you know, there has to be someone to sue when something goes wrong.
About 75% of the WWW uses open source software. If you want proprietary you can always go with Microsoft but as everyone knows you can still end up with the same vulnerability problems. Even proprietary products we got from IBM were built using open source software if you looked close enough under the covers.
Maddy
Executive Member
Posts: 1694
Joined: Sun Jun 21, 2015 8:43 am

Re: Equifax hack

Post by Maddy » Sat Sep 16, 2017 6:14 am

You all know my biases, but I can't help but wonder why people continue to embrace technology as they do. Seems like the majority of my day--every day--is spent troubleshooting computer problems (mine or somebody else's), dealing with tech-dominated bureaucracies that can't solve a simple problem if it's not pre-programmed into their "system," or taking defensive action against computer-driven intrusions into my personal life and privacy. And I've disconnected myself from all but the most basic technologies.

I wonder whether today's young people even remember a time when life didn't involve a constant barrage of technology-related stresses. Are they even aware of how much their "toys" are costing them in terms of quality of life?
Xan
Administrator
Posts: 4392
Joined: Tue Mar 13, 2012 1:51 pm

Re: Equifax hack

Post by Xan » Sat Sep 16, 2017 3:07 pm

There's nothing inherently insecure about collaboratively-developed software. Equifax could have developed their own everything, I suppose, but it would have been enormously expensive and it's a virtual certainty it would be much, much worse security-wise than anything from the Apache project.
Libertarian666
Executive Member
Posts: 5994
Joined: Wed Dec 31, 1969 6:00 pm

Re: Equifax hack

Post by Libertarian666 » Sun Sep 17, 2017 12:13 pm

WiseOne wrote:
farjean2 wrote:
ochotona wrote:EF says they will waive credit freeze fees for 30 days
How generous of them.

Nice windfall for Experian and TransUnion who aren't waiving fees.
My sister just checked the Equifax site and had some excellent questions. Her entire family including her two kids, who have no credit history at all not to mention that the family live in Canada, came up as potentially compromised. My sister pointed out that searching a database of 143 million SSNs should take a while, whereas the site instantly comes back with the answer "yes".
A lookup just to see if an SSN is in a database should take a few disk accesses, totaling considerably less than a second. And that's if they aren't using SSDs, which would make it much faster.

Of course the fastest way is to use a bit map, which would take 125 MB of RAM (a pittance these days) and could return the answer within a few CPU clock cycles (each of which takes less than a nanosecond).
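
Added example, not part of Libertarian666's post: a sketch of the bitmap lookup described above, with one bit per possible 9-digit SSN, so 10^9 bits occupy 125,000,000 bytes. The class name and the sample numbers are constructed for illustration; the samples use area 000, which is never issued.

```python
import re

SSN_SPACE = 10 ** 9  # every 9-digit value, 000000000 through 999999999
SSN_RE = re.compile(r"(\d{3})-?(\d{2})-?(\d{4})", re.ASCII)


class SSNBitmap:
    """Membership set for 9-digit numbers: bit i is 1 if number i is present.

    Hypothetical illustration class, not any real system's code.
    """

    def __init__(self):
        # 10^9 bits / 8 bits per byte = 125,000,000 bytes (the "125 MB").
        self.bits = bytearray(SSN_SPACE // 8)

    @staticmethod
    def _index(ssn: str) -> int:
        # Accept "123456789" or "123-45-6789"; reject anything else so that
        # malformed input can never be reported as a hit.
        m = SSN_RE.fullmatch(ssn.strip())
        if m is None:
            raise ValueError("expected 9 digits, optionally as NNN-NN-NNNN")
        return int("".join(m.groups()))

    def add(self, ssn: str) -> None:
        i = self._index(ssn)
        self.bits[i >> 3] |= 1 << (i & 7)

    def __contains__(self, ssn: str) -> bool:
        # One byte read and one mask test: constant time regardless of how
        # many numbers are stored.
        i = self._index(ssn)
        return bool(self.bits[i >> 3] & (1 << (i & 7)))


if __name__ == "__main__":
    affected = SSNBitmap()
    # Constructed sample entries (area 000 is never assigned).
    for sample in ("000-12-3456", "000000001"):
        affected.add(sample)
    for query in ("000-12-3456", "000-12-3457", "000-00-0001"):
        print(query, "->", query in affected)
```

A lookup built this way is instant but still answers "no" for numbers that were never loaded, unlike a checker that returns a hit for every input.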
Libertarian666
Executive Member
Posts: 5994
Joined: Wed Dec 31, 1969 6:00 pm

Re: Equifax hack

Post by Libertarian666 » Sun Sep 17, 2017 1:18 pm

WiseOne wrote:Is it common for institutions with reams of highly sensitive data to use open source software???

Given what they're holding, Equifax's security should be more like the NSA, the Pentagon, and major banks like Chase. It shouldn't be run like a video game company. I'm a little shocked that they were using open source software, and still more shocked that the lawyers who should be crawling around all over the place allowed such a thing. Because, you know, there has to be someone to sue when something goes wrong.
Open source is no less secure than proprietary code.

It might be more secure because more people can look for and fix bugs.

"Security through obscurity" doesn't work, for code at least.
Libertarian666
Executive Member
Posts: 5994
Joined: Wed Dec 31, 1969 6:00 pm

Re: Equifax hack

Post by Libertarian666 » Sun Sep 17, 2017 1:19 pm

So does that mean that the music stopped?
Libertarian666
Executive Member
Posts: 5994
Joined: Wed Dec 31, 1969 6:00 pm

Re: Equifax hack

Post by Libertarian666 » Sun Sep 17, 2017 1:20 pm

Maddy wrote:You all know my biases, but I can't help but wonder why people continue to embrace technology as they do. Seems like the majority of my day--every day--is spent troubleshooting computer problems (mine or somebody else's), dealing with tech-dominated bureaucracies that can't solve a simple problem if it's not pre-programmed into their "system," or taking defensive action against computer-driven intrusions into my personal life and privacy. And I've disconnected myself from all but the most basic technologies.
So are you using Morse code or smoke signals to post here?
Libertarian666
Executive Member
Posts: 5994
Joined: Wed Dec 31, 1969 6:00 pm

Re: Equifax hack

Post by Libertarian666 » Sun Sep 17, 2017 1:28 pm

Maddy wrote:Speaking of two-factor authentication, it seems that they're now hijacking cell phones to get around those protections--and doing it with greater ease and success than through ordinary hacking. https://mobile.nytimes.com/2017/08/21/b ... 19&referer
Right. Don't use your cell phone for the second factor, if you have a choice. Use your email address, which is harder to take over.
Maddy
Executive Member
Posts: 1694
Joined: Sun Jun 21, 2015 8:43 am

Re: Equifax hack

Post by Maddy » Sun Sep 17, 2017 1:44 pm

Libertarian666 wrote:
Maddy wrote:You all know my biases, but I can't help but wonder why people continue to embrace technology as they do. Seems like the majority of my day--every day--is spent troubleshooting computer problems (mine or somebody else's), dealing with tech-dominated bureaucracies that can't solve a simple problem if it's not pre-programmed into their "system," or taking defensive action against computer-driven intrusions into my personal life and privacy. And I've disconnected myself from all but the most basic technologies.
So are you using Morse code or smoke signals to post here?
Compared to most of you, a slow satellite internet connection that works about half the time is pretty basic. But for the fact that telephone service here is frequently down and there's no cell phone reception, having internet service at least part of the time provides at least some assurance that in the event of an emergency (wild fire, for example) I'd have some way of knowing what's going on. Were it not for that need, I'd disconnect entirely. In fact, I'm getting into ham radio, which makes much more sense all the way around.

I never claimed to be a purist. In my case, it's not about ideology, but rather a practical choice to do without the stress and aggravation.
Libertarian666
Executive Member
Posts: 5994
Joined: Wed Dec 31, 1969 6:00 pm

Re: Equifax hack

Post by Libertarian666 » Sun Sep 17, 2017 1:58 pm

Maddy wrote:
Libertarian666 wrote:
Maddy wrote:You all know my biases, but I can't help but wonder why people continue to embrace technology as they do. Seems like the majority of my day--every day--is spent troubleshooting computer problems (mine or somebody else's), dealing with tech-dominated bureaucracies that can't solve a simple problem if it's not pre-programmed into their "system," or taking defensive action against computer-driven intrusions into my personal life and privacy. And I've disconnected myself from all but the most basic technologies.
So are you using Morse code or smoke signals to post here?
Compared to most of you, a slow satellite internet connection that works about half the time is pretty basic. But for the fact that telephone service here is frequently down and there's no cell phone reception, having internet service at least part of the time provides at least some assurance that in the event of an emergency (wild fire, for example) I'd have some way of knowing what's going on. Were it not for that need, I'd disconnect entirely. In fact, I'm getting into ham radio, which makes much more sense all the way around.

I never claimed to be a purist. In my case, it's not about ideology, but rather a practical choice to do without the stress and aggravation.
Ham radio makes a lot of sense for emergency conditions. That's why I set up a station for Y2K, although I haven't participated in the last 10 years or so.

And for the rest, I was pulling your leg.
Maddy
Executive Member
Posts: 1694
Joined: Sun Jun 21, 2015 8:43 am

Re: Equifax hack

Post by Maddy » Sun Sep 17, 2017 4:42 pm

Libertarian666 wrote: I was pulling your leg.
Oh good. :)
WiseOne
Executive Member
Posts: 2692
Joined: Wed Feb 16, 2022 11:08 am

Re: Equifax hack

Post by WiseOne » Thu Sep 21, 2017 2:29 am

Libertarian666 wrote:
Maddy wrote:Speaking of two-factor authentication, it seems that they're now hijacking cell phones to get around those protections--and doing it with greater ease and success than through ordinary hacking. https://mobile.nytimes.com/2017/08/21/b ... 19&referer
Right. Don't use your cell phone for the second factor, if you have a choice. Use your email address, which is harder to take over.
Are you sure about that??

It might depend on where you have your email address. A university or small company's email server would probably be less safe than a cell phone. Gmail probably pretty good, but who knows. If you used to think that Yahoo was safe, you must have gotten quite a surprise a while back.
ochotona
Executive Member
Posts: 3353
Joined: Fri Jan 30, 2015 5:54 am

Re: Equifax hack

Post by ochotona » Thu Sep 21, 2017 5:25 am

Charles Schwab gave me a token which has a six digit PIN for account access. The code changes every 30 seconds or so. I feel much safer than otherwise, though I'm sure some criminal knows the algo used to generate the codes. Nothing is perfectly safe. They have a hacking guarantee anyway, they will restore theft from hacking.
Mountaineer
Executive Member
Posts: 4959
Joined: Tue Feb 07, 2012 10:54 am

Re: Equifax hack

Post by Mountaineer » Thu Sep 21, 2017 6:39 am

This is my experience with Equifax after the hack. I decided to see if my wife and I were affected by the Equifax hack on their website. We were. I then decided to enroll in the "free" TrustedID Premier service they were offering. I filled out the online form and submitted. Was told on the online site I would receive an email in a couple of days to verify my information and complete the signup process. I received that email after 3 or 4 days, and tried to complete the enrollment - got an error message that I would need to call their customer care number to complete the enrollment as it could not be done on line. Over the next two days, after being on hold for extended periods each time, I spoke with three different customer care agents. The first two did not speak English as a first language, I could not understand much of what they said; they gave up and said to call back later (with the excuse their computers were out of service temporarily). The third agent I spoke with had very good diction in English but clearly did not have an understanding of the language. He kept transposing digits when repeating them back to me. He asked me the same questions three or four times. There were several other mistakes on his part. I came to the conclusion he had no comprehension of English or what he was doing so I asked to speak to his supervisor. Finally, he agreed and put me on hold ... then the call was disconnected. All in all, I probably spent three plus hours trying to enroll.

My conclusion: Buyer beware!!!!!!!! I would no more trust Equifax to perform well with their "TrustedID Premier" service than I would trust a used car salesman to sell me a slightly used Yugo. It seemed to me that both their computer systems and their people are incompetent, at least those that I dealt with. I have little confidence that the credit freeze I placed with Equifax will actually work. The credit freezes I established at the other agencies went smoothly.
DNA has its own language (code), and language requires intelligence. There is no known mechanism by which matter can give birth to information, let alone language. It is unreasonable to believe the world could have happened by chance.
Xan
Administrator
Posts: 4392
Joined: Tue Mar 13, 2012 1:51 pm

Re: Equifax hack

Post by Xan » Thu Sep 21, 2017 11:08 am

WiseOne wrote:Are you sure about that??

It might depend on where you have your email address. A university or small company's email server would probably be less safe than a cell phone. Gmail probably pretty good, but who knows. If you used to think that Yahoo was safe, you must have gotten quite a surprise a while back.
WiseOne, you and I seem to have different instincts on things like this. Like the other day, when your presumption was that open-source software is less secure than closed-source.

From my perspective, I would think that your email at a university or small company would be much LESS hackable than a big provider like Google. If nothing else, because Google has a "forgot my password" feature, and the small company or university probably requires you to go talk to an admin. Google is a big target with known procedures, and every university or small company has a different setup.

But I do this kind of thing for a living, so it makes sense that my perspective might be different. What's weird is that I hadn't considered that anybody would think otherwise on either of those two questions.

So now I'm REALLY wondering what kind of medical ideas I might have in my head which you'd think are totally bonkers!