Posts Tagged ‘Equifax breach’

Credit freeze vs Credit lock – which is best?

Posted: October 4, 2017 by IntentionalPrivacy in Equifax, EquiMess, Security Breach, Vulnerabilities
Tags: , , , , , ,

Equifax and the other credit bureaus are trying to convince consumers to put “credit locks” on their credit files instead of credit freezes. Credit locks are – I think – a really bad, bad idea. Why?

  1. Why would you trust anything a company tells you that did not encrypt a database with 145 MILLION records in it? Former Equifax CEO Smith testified yesterday at the House of Representatives that Equifax has a poor record of encrypting data. To read the latest about the EquiMess, click on Wired‘s “6 Fresh Horrors From the Equifax CEO’s Congressional Hearing.” Talk about dancing on the head of a pin!
  2. The credit bureaus claim a lock is “free” and simple to use through an app on your phone … the problem is that nothing is free, and again, why would anyone trust them? They’re selling your information somehow to pay for that lock.
  3. What’s the difference between a lock and a freeze? Well, nobody seems to know. While credit freezes have a cost to set up and remove (which varies from state to state), they’re regulated by state and federal law. When you sign up for a freeze, you do not have to agree to arbitrary credit bureau terms and conditions (such as giving up your right to sue or participate in class-action law suits).

More on credit freezes vs credit locks: “Myths vs. facts: Sorting out confusion surrounding Equifax breach, credit freezes.”

Equifax Happened: What Are We Going to Do About It?

Posted: October 3, 2017 by IntentionalPrivacy in Financial vulnerabilities, Security Breach
Tags: , ,

I have been doing a lot of thinking about Equifax. You can point fingers and say … well, you can say all kinds of things. Equifax should have patched faster, they should have notified faster, they should have been more organized about their response, they should have spent more money on security … While every one of those statements are true, they do not resolve the problem of breach response. They will not prevent future breaches. They do not make us safer.

What is  going to make us safer?

What have we learned from all these breaches? What will keep our information safe going forward? That is what really matters. What happened in the past only matters if we learned something from it (unless you are an attorney running a class-action lawsuit or, God forbid, your identity was stolen).

Regulations

Should the US implement regulations like the European Union’s General Data Protection Regulation (GDPR)? Will more regulation make us safer?

There’s no doubt we need better regulations and oversight, especially on data brokers. There are more than 2500 data brokers in this country; your information is their product. For the most part, you cannot opt out and you cannot control what data brokers do with it. And if your file contains errors, chances are you will not be able to correct those errors. For an interesting overview of data brokers, read Privacy Rights Clearinghouse’s article “Data Brokers and ‘People Search’ Sites.”

Won’t automation or lots of expensive tools keep us safer?

Part of the problem is that big companies in particular want to throw technological solutions at data security. Maybe technological solutions make the board feel safer. Maybe they cannot find personnel. Maybe it is because people are expensive.

Layers of security

When an organization gets breached because they did not patch or no one was paying attention to alerts, management may be surprised because they thought spending money on expensive tools would save them from breaches.  The vendors say it was not their fault because the tools were not correctly implemented. The staff says they did not get training or they were testing it or it does not work the way it is supposed to or there were too many extraneous alerts.

Organizations need tools, but their focus should be on the basics. Organizations should know how their data flows: how it comes in, where it goes internally, and when and where it leaves. Private personal information (PPI) should be encrypted whether it is moving or at rest. Organizations should know what and where their assets are. They should understand that employees are going to make mistakes and plan for them. Back up, disaster recovery, and redundant systems are necessary. Flat networks are a disaster waiting to happen: put things in security zones and implement authorization and authentication practices. Enact user training. Be careful who has administrative privileges. Practice safe passwords. Implement policies and procedures and physical security.

Security people know these layers; management should know and understand them also.

Equifax breach: UPDATE

Posted: September 9, 2017 by IntentionalPrivacy in Financial vulnerabilities, Identity theft, Privacy, Security Breach, Vulnerabilities
Tags: , , , , , , ,

The newest large breach, potentially affecting 143 million people in the US, was announced Thursday by Equifax at https://investor.equifax.com/news-and-events/news/2017/09-07-2017-213000628 . It also affected a small number of consumers in Great Britain and Canada. According to the Equifax PR statement, “Criminals exploited a U.S. website application vulnerability to gain access to certain files.”

There’s been at least one potential class-action suit already filed. The New York State Attorney General, Eric T. Schneiderman, has also opened an investigation.

Based on US Senator Al Franken’s Facebook post on Equifax, it might be a good idea to wait to sign up for Equifax credit monitoring until Equifax clarifies that you are not trading your rights to sue them or join a class-action suit in return for accepting their credit monitoring service. However, you should still visit the Equifax site (http://www.equifaxsecurity2017.com/) to find out if you are one of the affected parties. If your information was not affected (although I would not trust that completely), the site will continue on to give you the date when you will be allowed to sign up for credit monitoring if you should decide to do so. Make sure you note the date, because you will receive no other notice.

Since I cannot sign up for the TrustedID service yet, I have not personally read the agreements that Equifax has put in place.

Furthermore, credit monitoring usually just alerts you to an event that has already happened. It is not always accurate or even timely. Although good to know that something has happened, taking preventive action is better.

What should you do?

Act as if your information was stolen and move to block access to your credit and financial accounts. Yes, it’s painful, but far less painful, expensive, and time-consuming than dealing with identity theft. We need better oversight of credit bureaus, but in the meantime protect yourself. Your personal information is important for credit and insurance availability and costs, getting a job, and even renting an apartment or buying a home.

Brian Krebs has an article about credit freezes and credit monitoring at How I Learned to Stop Worrying and Embrace the Security Freeze. The FTC article on credit freezes is good, but Kreb’s article is more thorough and he explains about his personal experience with credit monitoring services. Here are the actions he recommends:

Update: Unfortunately, the pin that Equifax automatically assigns starts with the date you call you to start the credit freeze (i.e, 090917xxxx). The automatic pin is not random. To change it, you have to call 888-298-0045; the line is only available Monday – Friday 9 am to 5 pm (and the message doesn’t even tell you which time zone). You cannot change the pin on their website.

While Fraud Alerts are free, they have to be updated again every 90 days.

NPR.org is reporting that three Equifax executives sold small amounts of stock shortly after the breach was discovered. You can look at the SEC filings here; open the Beneficial filings to see what the stock sales were. Even though all 3 only sold a small portion of their holdings, it is still a lot of money – about $1.8 million. I find it hard to believe that the CFO was not alerted to a breach of the company. The stock price was $145.09 on July  28, 2017, before the breach (discovered on July 29, 2017); yesterday the stock closed at $123.23.