Porsche-O-Phile
Another exposure of this company's utter lack of giving a damn (my editorial comments in red below...)

- - - - -

https://www.nytimes.com/2017/09/10/your-money/identity-theft/equifax-breach-credit-freeze.html

- - - - -

After Equifax Breach, Here’s Your Next Worry: Weak PINs

Your Money
By RON LIEBER SEPT. 10, 2017

When Helene Muller-Landau first heard the news about the Equifax security breach, she set about freezing her credit files and those of her husband and mother.

Very quickly, however, Ms. Muller-Landau, a Smithsonian research scientist, noticed something strange: The personal identification numbers that Equifax was assigning her family members (to use for eventually lifting the freezes) were awfully similar.

At first, she thought it was a mistake. Maybe it had to do with the fact that she was in Panama, or that her web browsers were acting up. But no: The Equifax PINs are based on the date and time that you set up your freeze.

“The whole point of a 10-digit PIN is that it’s supposed to be hard to guess,” she said. “And then, they have this totally transparent algorithm for assigning them.”

This is among the worst of the facts that have emerged in the wake of the company’s announcement on Thursday that thieves may have stolen up to 143 million Social Security numbers, dates of birth, names and addresses from its credit files. Armed with that information, thieves, blackmailers and enemies can make a lot of mischief. A credit freeze can prevent thieves from using your information to open new accounts, since lenders want to see a credit report before doing business with you.

On Saturday, many readers sent me tales of outrage and woe. They could not believe that Equifax and the other credit reporting firms, Experian and TransUnion, charge fees to freeze the credit files that they had not asked the companies to set up in the first place. Besides, isn’t keeping that information safe their most important job? [nope, making money for themselves is apparently their most important job! Just look at their priorities in handling this to date!]

Nevertheless, consumers persisted. But when they pulled up the websites of Equifax, Experian and TransUnion, they often found crashed sites (because everyone else was persisting, too) or requests from the companies to write in or call instead. (For a variety of reasons — some of them security-related — the bureaus sometimes refuse online requests for freezes. Just be glad you don’t have to make the request via registered mail as I did back in the old days.) [I simply LOVE the inconsistency here... On the one hand they're saying "mail in your requests" (presumably because it's more secure) while they're simultaneously directing everyone to their breach web site... because it's secure. LOL! For the record, I tried three times and was denied three times for a freeze last night - all three major bureaus defaulted to "mail in your request", almost like it's automatic or something (they wouldn't do that hoping that most people would just eventually give up and go away now, would they? Naaaaah.)]

Candy Sagon, in Reston, Va., had a typical experience. Equifax’s system worked fine. “Including the $10 charge they don’t deserve,” she said. But Experian’s site to set up an online freeze didn’t work at first, then kicked her to the snail mail option because she didn’t put in the amount of her monthly mortgage payment correctly when the site attempted to identify her. Then, TransUnion’s phone system disconnected her four times.

Dan Harrison, a Los Angeles media executive who is also a lawyer, said he already had a credit freeze, one that he’d set up after a previous breach involving another company. When he heard about the Equifax breach, his immediate instinct was to contact Equifax to change his PINs. His logic was this: Why assume that those were safe, given the circumstances?

But when he called the company, a representative said that he did not even know what a PIN was and that there were no supervisors with whom Mr. Harrison could speak. The story changed once Mr. Harrison educated the Equifax representative on basic freeze facts. A supervisor did exist, but the one who got on the phone with Mr. Harrison said that it was not possible to change the PIN. He would not answer additional questions, referring Mr. Harrison to the company’s breach site instead.

In an interview on Saturday, Mr. Harrison said that he wouldn’t trust someone swearing on a stack of Bibles that his PIN was safe. [LOL!!! The same thing I'm sure they said about the data and their web site(s) that they keep sending people to in a circular, avoid-the-issue fashion...] “They are going to have to change my PIN,” he said, adding that it is the safety net of last resort for him and every other person who has had their personal information stolen. “I’m going to force them.”

On Sunday afternoon, in an emailed statement, an Equifax spokesman, Wyatt Jefferies, said that no PINs had been compromised in the breach and that the company would soon be changing the PIN generation and reset request process.

“While we have confidence in the current system [that makes one of us!], we understand and appreciate that consumers have questions about how PINs are currently generated,” he wrote. “We are engaged in a process that will provide consumers a randomly generated PIN. We expect this change to be effective within 24 hours.” [we'll see if this becomes effective today or not. My money is on "not". Why can't I just pick my own damn PIN like I can everywhere else?]

Meanwhile, Mr. Harrison said he longed for a legislative or regulatory solution, even if it means the sort of piecemeal, drip-by-drip state actions that have forced the credit bureaus to provide more information and protection to consumers.

A memo to state legislatures: Maybe start with giving everyone access to their credit reports whenever they want to see them, free, at all three bureaus, as the Stanford professor Jeffrey Pfeffer suggested over the weekend in a LinkedIn article. (Currently, you get only one free look at each report each year via annualcreditreport.com.)

Then we could require the bureaus to provide free, top-of-the-line monitoring forever, including free freezes and thaws, whenever a breach occurs at one of their own websites.

Several readers also suggested that freezes simply become the default. Would Equifax fight such an effort? [crystal ball says "yes"] “This is a very complicated issue and we expect to engage with regulators and legislators on this topic in the future,” Mr. Jefferies wrote.

Credit should be hard to get, readers noted. That might also help reduce impulse buys at pushy retailers that hand over store cards with 29.9 percent interest rates, while pretending that the 10 percent off they give you for that day’s purchases somehow makes up for the usurious interest rates. [While I generally don't like laws that exist solely to protect stupid people from themselves (I'm a big believer that life should be harder on dumb people as it makes us stronger as a society a la Darwin) I think the ends would justify the means here... As we saw in 2008, if you get enough stupid people doing the same stupid thing together, it jeopardizes the stability of the system for EVERYONE - including the ones who do nothing wrong and haven't been stupid in their choices / actions, so it's worth pushing the legislative route and insisting that just enough be done to protect the system from the unintended consequences of these sorts of actions by the indiscriminate or stupid... Then again, in an age of chest-thumping "'merica baby!" bravado, a feckless Republican congress shamelessly beholden to big banks, Wall Street and insurance companies and the glorification of excess and boorish, vapid behavior these days, I won't be holding my breath...]

Even if any of these things happen — and I’m not holding my breath — it will take many months, at a minimum. In the meantime, we’re on our own, per usual, to protect ourselves.

So keep freezing your credit files. Keep crashing the company’s websites. Every freeze puts a stick in the spoke of the wheel of credit data that has spun far out of control for far too long. [I agree. After being told on three different web sites "you need to mail in your request" I'm only all too happy to do it, knowing that it's much more labor-intensive to process requests that way and it'll end up costing them more, AND to keep re-trying their lousy web sites in the meantime. I was able to get fraud alert set up and that buys me 90 days of SOMETHING until I can get the actual freezes in place everywhere. Good luck to everyone!]

- - - - -

100% agree with this!!!
__________________
A car, a 911, a motorbike and a few surfboards

Black Cars Matter
09-11-2017, 06:02 AM
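
The weakness the quoted article describes (freeze PINs derived from the date and time of the request), shown as an audit of PIN-generator output next to a CSPRNG-based replacement. This is an added example, not part of the original post or the article; the MMDDYYHHMM layout and all function names are assumptions, since the article says only that PINs are "based on the date and time".

```python
import math
import os
import secrets
from datetime import datetime, timedelta

# ASSUMPTION: the article says only that PINs are "based on the date and time"
# of the freeze. The MMDDYYHHMM layout used here is a hypothetical stand-in.
def timestamp_pin(when: datetime) -> str:
    """Weak scheme: the PIN is the request time at minute resolution."""
    return when.strftime("%m%d%y%H%M")

def random_pin(digits: int = 10) -> str:
    """Hardened scheme: each digit comes from the OS CSPRNG."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))

def parses_as_timestamp(pin: str) -> bool:
    """True if the PIN decodes as a real date and time under the assumed layout."""
    if len(pin) != 10 or not pin.isdigit():
        return False
    mm, dd, yy, hh, mi = (int(pin[i:i + 2]) for i in range(0, 10, 2))
    try:
        datetime(2000 + yy, mm, dd, hh, mi)
        return True
    except ValueError:
        return False

def timestamp_fraction(pins: list[str]) -> float:
    """Share of a batch of issued PINs that decode as timestamps."""
    return sum(parses_as_timestamp(p) for p in pins) / len(pins)

def shared_prefix(a: str, b: str) -> int:
    """Number of leading digits two PINs have in common."""
    return len(os.path.commonprefix([a, b]))

def effective_bits(window_days: int) -> float:
    """Entropy of a minute-resolution PIN when the freeze date is known to
    fall within window_days; a uniform 10-digit PIN has log2(10**10) bits."""
    return math.log2(window_days * 24 * 60)

if __name__ == "__main__":
    # Constructed sample: three family freezes set up minutes apart.
    start = datetime(2017, 9, 9, 14, 5)
    family = [timestamp_pin(start + timedelta(minutes=4 * i)) for i in range(3)]
    print(family, shared_prefix(family[0], family[1]), timestamp_fraction(family))
    batch = [random_pin() for _ in range(500)]
    print(timestamp_fraction(batch), effective_bits(7), math.log2(10**10))
```

A generator whose output decodes as timestamps for every PIN in a batch fails the audit; uniformly random 10-digit PINs decode that way only about 0.5% of the time.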