Equifax Data Breach

   / Equifax Data Breach #31  
Companies cannot do credit checks when your account is frozen. You have to temporarily unfreeze.

Thanks that is exactly what I had hoped the answer was. The freeze keeps this company from doing an unauthorized hard check on my credit.

As an aside my employer did credit checks on employees several years ago with the claim that the military contract required them to do so. Those were not authorized either. These were separate from security background investigations.
 
   / Equifax Data Breach #32  
Congress will hold hearings and act shocked, then when the cameras are off, back slap each other, take Equifax money, fly Equifax private jets to country clubs to play.

mark
 
   / Equifax Data Breach #33  
What password manager do you use?

I use one that I wrote for my personal use. LastPass was one that I would have recommended but there was a serious flaw discovered not long ago. They patched it quickly but it's the kind of thing that shouldn't have been possible. They're probably still one of the better ones. And using a password manager, even one that's a little flawed, but with good strong passwords is still better than using weak passwords. But I can't give an unqualified recommendation.
 
   / Equifax Data Breach #35  
I use LastPass
 
   / Equifax Data Breach
  • Thread Starter
#36  
I've been working in data security and encryption for 20 years. At one point Equifax was using one of the encryption products I designed.

According to news stories, they didn't bother to encrypt Social Security Numbers... a big no-no


Congress will hold hearings and act shocked, then when the cameras are off, back slap each other, take Equifax money, fly Equifax private jets to country clubs to play.

mark

Cynical but true, a made-for-TV dog and pony show resulting in no action.


How about KeePass?

Aaron Z

I've been using KeePass for a few years. Its biggest plus is that your data is stored locally. Biggest minus is its flexibility/complexity make it user-unfriendly for non-technical folks.
 
   / Equifax Data Breach #37  
I've been happy with Dashlane. I suppose I'm fixin to hear that it is crap;-)
 
   / Equifax Data Breach #38  
According to news stories, they didn't bother to encrypt Social Security Numbers... a big no-no

From what I can find, the attackers got SSNs. (i.e. see https://krebsonsecurity.com/2017/09/the-equifax-breach-what-you-should-know/).
That doesn't mean that the SSNs were not encrypted. Most solutions that companies use to encrypt data in the database rely on some authentication to determine if the data should be decrypted by the requester. Often there's a lot of requesters that are not humans but are other computers. For example it's common for both internal and external facing portals to have some sort of server (like a web server) which receives the request and in turn asks one or more databases for data. The usual setup is for the web server to authenticate the client making the request from it, and then to use a different set of credentials to authenticate to the database. Often there's only one set. Which means that if an attacker can penetrate the web server, she can use those credentials to do whatever the web server could do to the database.

The database may be storing the data encrypted but will decrypt it for an authenticated user. And indeed what happened in this case was the attackers broke into webservers via a flaw in Struts.

There's ways to set up a system that has authentication from client to back end DB but hardly any company does it. Only when they are building a new system from scratch and have security people on staff. I've only seen one company do this in 12 years in this part of the security business. Everyone else glues encryption into an existing system and does it poorly.
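
The point made in post #38, modelled as an added example that is not part of the original thread or any real product: rows are encrypted at rest, yet one shared web-tier credential gets every row decrypted, while a design that also requires a per-user token at the database does not. All names, the SHAKE-256 stand-in cipher, the non-expiring token format and the sample SSNs are assumptions made for illustration.

```python
import hashlib, hmac, secrets

def _xor(key: bytes, data: bytes) -> bytes:
    # Stand-in cipher (SHAKE-256 keystream), stdlib only; not for production use.
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def issue_token(token_key: bytes, user: str) -> str:
    # Run by the login service after the end user authenticates (hypothetical).
    return hmac.new(token_key, user.encode(), hashlib.sha256).hexdigest()

class Database:
    """Stores SSNs encrypted at rest and decides per request whether to decrypt."""
    def __init__(self, service_password: str, token_key: bytes):
        self._storage_key = secrets.token_bytes(32)
        self._service_password = service_password
        self._token_key = token_key   # shared with the login service, not the web tier
        self._rows = {}

    def insert(self, owner: str, ssn: str) -> None:
        self._rows[owner] = _xor(self._storage_key + owner.encode(), ssn.encode())

    def read_shared_credential(self, service_password: str, owner: str) -> str:
        # Usual setup: the single web-tier credential unlocks every row.
        if not hmac.compare_digest(service_password.encode(), self._service_password.encode()):
            raise PermissionError("bad service credential")
        return _xor(self._storage_key + owner.encode(), self._rows[owner]).decode()

    def read_end_to_end(self, service_password: str, owner: str, user_token: str) -> str:
        # Client-to-database authentication: the row owner's token must verify too.
        expected = issue_token(self._token_key, owner)
        if not hmac.compare_digest(user_token.encode(), expected.encode()):
            raise PermissionError("no valid end-user token for this row")
        return self.read_shared_credential(service_password, owner)

def demo():
    token_key = secrets.token_bytes(32)
    db = Database("web-tier-secret", token_key)
    db.insert("alice", "000-00-0001")   # constructed sample values
    db.insert("bob", "000-00-0002")
    stolen = "web-tier-secret"          # all that a compromised web server holds
    leaked = [db.read_shared_credential(stolen, u) for u in ("alice", "bob")]
    blocked = 0
    for u in ("alice", "bob"):
        try:
            db.read_end_to_end(stolen, u, user_token="")
        except PermissionError:
            blocked += 1
    alice_ok = db.read_end_to_end(stolen, "alice", issue_token(token_key, "alice"))
    return leaked, blocked, alice_ok
```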
 
   / Equifax Data Breach
  • Thread Starter
#40  
According to news stories, they didn't bother to encrypt Social Security Numbers... a big no-no

From what I can find, the attackers got SSNs. (i.e. see The Equifax Breach: What You Should Know — Krebs on Security).
That doesn't mean that the SSNs were not encrypted.

I tried to find the answer but at the present time it is unclear if the Social Security Numbers and other data were stored and/or stolen as text or encrypted. It's hard to get accurate info about this incident since every Tom-Dick-Harry "expert" is writing speculative articles about it and those articles are inconsistent. Hopefully Congress will have hearings with the Equifax execs under oath and details will be disclosed.
 
