Equifax Data Breach

/ Equifax Data Breach #21  
Please do your due diligence before visiting that site.
1. The credit monitoring service is only monitoring not protection.
2. In the fine print when you accept the free credit monitoring, you waive the right to participate in a class action lawsuit involving this matter.
3. If you do sign up, it will automatically renew and you will be charged after the one year free period is completed.
Oh crap
 
/ Equifax Data Breach #22  
Seems some of this has been updated including the class action thing. Also, on #3 how can they renew something that you do not give a credit card number for?
 
/ Equifax Data Breach #25  
I'm a retired financial advisor, and a few years ago I went to a workshop on identity theft that was run by a guy who did work for the NSA. The bottom line is that if you want to protect your identity the best way possible, change your usernames and passwords regularly, and especially now, after Equifax "gave" all your info (more than you think) to the hackers. Start with all your financial accts first (banks, cc's, investments).

Worst case scenario...it can't hurt to change them.
 
/ Equifax Data Breach
  • Thread Starter
#26  
Please do your due diligence before visiting that site.
1. The credit monitoring service is only monitoring not protection. -> True
2. In the fine print when you accept the free credit monitoring, you waive the right to participate in a class action lawsuit involving this matter. -> Was True but now False
3. If you do sign up, it will automatically renew and you will be charged after the one year free period is completed. -> Was True but now False

Cybersecurity Incident & Important Consumer Information | Equifax

I really HATE dealing with the credit bureaus :censored: but guess due to the seriousness of this breach it is prudent. :banghead: Got so-called "enrollment date" from them and will sign up for TrustedID Premier this week. Of course nothing with them is easy, have to do everything twice, me and again for wife. :thumbdown:
 
/ Equifax Data Breach #27  
I've been working in data security and encryption for 20 years. At one point Equifax was using one of the encryption products I designed.

The more up to date recommendation is rather than changing passwords often, just use good ones. Good passwords are long strings of random characters. Or long passphrases. The former are impossible to remember, so you need a password manager. The latter can be remembered but are difficult to type. See the new NIST password recommendations: NIST’s new password rules – what you need to know – Naked Security

Even better is to use two factor auth. A problem with that is that you need your phone to be working and with you. There are attacks on two factor auth (for example it's possible for attackers to intercept or redirect SMS/MMS messages) so it's not perfect but it's better than even the best passwords.

The Equifax data that was leaked won't include authentication information for your bank etc. accounts. Changing passwords or turning on two factor auth will make it harder for attackers to get into those accounts but won't prevent identity theft. That data is kept in many places (like Equifax) that are not associated with your accounts.
 
/ Equifax Data Breach #28  
I've been working in data security and encryption for 20 years. At one point Equifax was using one of the encryption products I designed.

The more up to date recommendation is rather than changing passwords often, just use good ones. Good passwords are long strings of random characters. Or long passphrases. The former are impossible to remember, so you need a password manager. The latter can be remembered but are difficult to type. See the new NIST password recommendations: NIST’s new password rules – what you need to know – Naked Security

Even better is to use two factor auth. A problem with that is that you need your phone to be working and with you. There are attacks on two factor auth (for example it's possible for attackers to intercept or redirect SMS/MMS messages) so it's not perfect but it's better than even the best passwords.

The Equifax data that was leaked won't include authentication information for your bank etc. accounts. Changing passwords or turning on two factor auth will make it harder for attackers to get into those accounts but won't prevent identity theft. That data is kept in many places (like Equifax) that are not associated with your accounts.
Thank you for good information!

What password manager do you use?
 
/ Equifax Data Breach #29  
Does anyone know if doing a credit freeze prevents a company from doing a credit check or does it only prevent an account for credit being created?

I ask as one company routinely does a credit check on me that I did a one time authorization for many years ago and they still randomly do one without permission. My understanding is a credit check authorization is a one time event not a running permanent authorization.

If I freeze the credit will it prevent them from doing it again?
 
/ Equifax Data Breach
  • Thread Starter
#30  
Does anyone know if doing a credit freeze prevents a company from doing a credit check or does it only prevent an account for credit being created?

I ask as one company routinely does a credit check on me that I did a one time authorization for many years ago and they still randomly do one without permission. My understanding is a credit check authorization is a one time event not a running permanent authorization.

If I freeze the credit will it prevent them from doing it again?

Companies can not do credit checks when your account is frozen. You have to temporarily unfreeze. The process is a PITA but in recent years it's been made easier. Now when you unfreeze it you can specify a number of days then it will be automatically refrozen without your intervention. The main thing to remember is that when you initially freeze the account you will be given a PIN number. Be sure to remember and/or store that number for future use. Without the PIN number you will essentially be locked out of your account and you won't be able to unfreeze it without getting a new PIN (I assume an enormous amount of hassle/time).
 
/ Equifax Data Breach #31  
Companies can not do credit checks when your account is frozen. You have to temporarily unfreeze.

Thanks that is exactly what I had hoped the answer was. The freeze keeps this company from doing an unauthorized hard check on my credit.

As an aside my employer did credit checks on employees several years ago with the claim that the military contract required them to do so. Those were not authorized either. These were separate from security background investigations.
 
/ Equifax Data Breach #32  
Congress will hold hearings and act shocked, then when the cameras are off, back slap each other, take Equifax money, fly Equifax private jets to country clubs to play.

mark
 
/ Equifax Data Breach #33  
What password manager do you use?

I use one that I wrote for my personal use. LastPass was one that I would have recommended but there was a serious flaw discovered not long ago. They patched it quickly but it's the kind of thing that shouldn't have been possible. They're probably still one of the better ones. And using a password manager, even one that's a little flawed, but with good strong passwords is still better than using weak passwords. But I can't give an unqualified recommendation.
 
/ Equifax Data Breach #35  
I use LastPass
 
/ Equifax Data Breach
  • Thread Starter
#36  
I've been working in data security and encryption for 20 years. At one point Equifax was using one of the encryption products I designed.

According to news stories, they didn't bother to encrypt Social Security Numbers... a big no-no


Congress will hold hearings and act shocked, then when the cameras are off, back slap each other, take Equifax money, fly Equifax private jets to country clubs to play.

mark

Cynical but true, a made-for-TV dog and pony show resulting in no action.


How about KeePass?

Aaron Z

I've been using KeePass for a few years. Its biggest plus is that your data is stored locally. Biggest minus is its flexibility/complexity make it user-unfriendly for non-technical folks.
 
/ Equifax Data Breach #37  
I've been happy with Dashlane. I suppose I'm fixin to hear that it is crap;-)
 
/ Equifax Data Breach #38  
According to news stories, they didn't bother to encrypt Social Security Numbers... a big no-no

From what I can find, the attackers got SSNs. (i.e. see https://krebsonsecurity.com/2017/09/the-equifax-breach-what-you-should-know/).
That doesn't mean that the SSNs were not encrypted. Most solutions that companies use to encrypt data in the database rely on some authentication to determine if the data should be decrypted by the requester. Often there's a lot of requesters that are not humans but are other computers. For example it's common for both internal and external facing portals to have some sort of server (like a web server) which receives the request and in turn asks one or more databases for data. The usual setup is for the web server to authenticate the client making the request from it, and then to use a different set of credentials to authenticate to the database. Often there's only one set. Which means that if an attacker can penetrate the web server, she can use those credentials to do whatever the web server could do to the database.

The database may be storing the data encrypted but will decrypt it for an authenticated user. And indeed what happened in this case was the attackers broke into webservers via a flaw in Struts.

There's ways to set up a system that has authentication from client to back end DB but hardly any company does it. Only when they are building a new system from scratch and have security people on staff. I've only seen one company do this in 12 years in this part of the security business. Everyone else glues encryption into an existing system and does it poorly.
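
Added example (not part of the original post, and not code from any system mentioned in the thread): a small Python model of the two setups post #38 describes, one where the database decrypts for whoever presents the web server's single credential, and one where the database itself checks the end user's identity. All keys, credentials, rows and function names are constructed for illustration, and the XOR routine is a toy stand-in for real at-rest encryption.

```python
import hashlib
import hmac

DB_KEY = b"constructed-at-rest-key"       # constructed; held by the database tier
IDP_KEY = b"constructed-idp-signing-key"  # constructed; known to identity provider and DB only
SERVICE_CRED = "web-svc-password"         # constructed; the one credential the web server holds

def _xor(data: bytes, key: bytes) -> bytes:
    # Toy keystream cipher standing in for real at-rest encryption (not secure).
    stream = hashlib.sha256(key).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))

# Constructed sample rows: the SSN column is stored encrypted.
ROWS = {"alice": _xor(b"000-00-0001", DB_KEY), "bob": _xor(b"000-00-0002", DB_KEY)}

def issue_token(user: str) -> str:
    # The identity provider signs the end user's identity after login.
    return hmac.new(IDP_KEY, user.encode(), hashlib.sha256).hexdigest()

def db_shared_credential(cred: str, user: str):
    # Usual setup: the DB decrypts for whoever presents the web server's credential.
    if cred != SERVICE_CRED:
        return None
    return _xor(ROWS[user], DB_KEY).decode()

def db_end_to_end(user: str, token: str):
    # Client-to-back-end authentication: the DB verifies the end user's token
    # itself and decrypts only that user's row.
    if user not in ROWS or not hmac.compare_digest(token, issue_token(user)):
        return None
    return _xor(ROWS[user], DB_KEY).decode()

def readable_with_shared_credential():
    # Everything readable by a party that holds only the web server's credential.
    return {u: db_shared_credential(SERVICE_CRED, u) for u in ROWS}

def readable_with_one_user_token(user: str):
    # Everything readable by a party that holds one logged-in user's token.
    token = issue_token(user)
    return {u: db_end_to_end(u, token) for u in ROWS}

if __name__ == "__main__":
    print(readable_with_shared_credential())
    print(readable_with_one_user_token("alice"))
```

In the first setup, encryption at rest changes nothing for whoever holds the service credential; in the second, exposure is limited to the rows of users whose tokens are held.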
 
/ Equifax Data Breach
  • Thread Starter
#40  
According to news stories, they didn't bother to encrypt Social Security Numbers... a big no-no

From what I can find, the attackers got SSNs. (i.e. see The Equifax Breach: What You Should Know — Krebs on Security).
That doesn't mean that the SSNs were not encrypted.

I tried to find the answer but at the present time it is unclear if the Social Security Numbers and other data were stored and/or stolen as text or encrypted. It's hard to get accurate info about this incident since every Tom-Dick-Harry "expert" is writing speculative articles about it and those articles are inconsistent. Hopefully Congress will have hearings with the Equifax execs under oath and details will be disclosed.
 
