Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Privacy United States

Equifax Breach Provokes Calls For Serious Data Protection Reforms (wired.com) 193

Equifax's data breach was colossal -- but what should happen next? The Guardian writes: The problem is that companies like Equifax are able to accumulate -- essentially, without limit -- as much sensitive, personal data as they can get their hands on. There is an urgent need for strict regulations on what types of data companies can collect and how much data a company can possess, both in aggregate and about individuals. At the very least, this will lessen the severity and size of (inevitable) data breaches... Without putting hard limits on the data capitalists who extract and exploit our personal information, they will continue to reap the benefit while we bear the risks.
Marc Rotenberg, president of the Electronic Privacy Information Center, adds, "we need to penalize companies that collect SSNs but can't protect [them]." Wired reports: Experts across numerous privacy and security fields agree that the solution to the over-collection and over-use of SSNs isn't one particular replacement, but a diverse array of authentications like individual codes (similar to passwords), biometrics, and even physical tokens to create more variation in the ID process. Some also argue that the government likely won't be the driving force behind the shift. "We have a government that works at a glacial pace in the best of times," says Brenda Sharton, who chairs the Privacy & Cybersecurity practice at the Goodwin law firm, which has worked on data privacy breach investigations since the early 2000s. "There will reach a point where SSN [exposure] becomes untenable. And it may push us in the direction of having companies require multi-factor authentication."
Meanwhile TechCrunch argues, "This crass, callow, and lazy treatment of our digital data cannot stand...": We must create new, secure methods for cryptographically securing our data... These old organizations -- Equifax was founded in 1899 and hasn't changed much since inception -- must die, to be replaced by solutions that (and I shudder to say this) are blockchain-based.
This discussion has been archived. No new comments can be posted.

Equifax Breach Provokes Calls For Serious Data Protection Reforms

Comments Filter:
  • by Anonymous Coward on Sunday September 10, 2017 @06:44PM (#55171401)

    An SSN is a good primary key in a database because each SSN should correspond to a unique person. It's a terrible way, however, for proof of identity. We essentially use it as a username, but also as a password, and a password that you're unable to change. Furthermore, by law, you have to provide it to banks and some other institutions to use their services. You need to share your SSN with your employer in order to get paid for your job. And you have to trust that none of these entities will mishandle your SSN.

    How about using the SSN for the primary key it is and doing away with it altogether for proof of identity. Mandate that financial institutions use other proof of identity such as one time use passwords and public key encryption. Devalue the SSN and, at the same time, replace it with a secure means to prove identity. The government does have a role, because they can and do regulate entities like financial institutions.

    • by ls671 ( 1122017 ) on Sunday September 10, 2017 @06:57PM (#55171467) Homepage

      Sure. make SSN a unique key but using it has a primary key is always a bad idea. Use meaningless Object IDs as primary keys which in turn will be used as a foreign key in other tables instead of the SSN.

      You can even put the SSN in a different table or database with added security features/restrictions.

    • by Gim Tom ( 716904 ) on Sunday September 10, 2017 @07:09PM (#55171517)
      The card says it is not to be used for identification. Which is now a joke. Maybe they should just publish everyone's SSN and loose the dogs of war er Law on those that do use it for ID.

      Being an old codger going back to the days of big iron and wide green bar printouts I can remember when old printouts with full SSN, NAME, ADDRESS and other information that is now considered sensitive was freely available for anyone to take home for their kids to color on. We even used the back at work to sketch out program and process flows. Some lawyer should be able to milk the use of SSN's for granting credit for some number of gigabucks to discourage such use.
    • An SSN is a good primary key in a database because each SSN should correspond to a unique person.

      It should, but it doesn't. The converse isn't true either.

    • by ccguy ( 1116865 ) on Sunday September 10, 2017 @07:47PM (#55171647) Homepage

      How about using the SSN for the primary key it is and doing away with it altogether for proof of identity.

      It's not. Any value that can be NULL sucks. Not everyone has a SSN number. Even fact, not everyone lives in a country where such a thing exists. Equifax is a global company. So any solution that mentions SSN is a bad start.

      At some point we'll have to get used to the fact that in order to be safe we'll have to have laws that demand our physical presence somewhere for certain important things in like. Ordering a credit card is one of these things. Would it really kill us to get out of the house, go somewhere, have your identify physically validated (showing documents or hardware that then come home with us and of which no copy is made) ?

      During the process we could create some jobs, too.

    • The government does have a role, because they can and do regulate entities like financial institutions.

      You're wagging the dog. Financial institutions regulate the government.

    • by Reverend Green ( 4973045 ) on Sunday September 10, 2017 @10:46PM (#55172217)

      Naw bro, use a synthetic primary key. Although quite rare, people do occasionally change SSN.

    • by bradley13 ( 1118935 ) on Monday September 11, 2017 @05:23AM (#55173031) Homepage

      This. The SSN offers zero security. So many institutions have it that it just as well be public information. Plus, even after a data breach, you cannot change it.

      There are so many things wrong with the US credit (and banking) system. Basically anyone can write checks on your account, if only they know your routing and account numbers. SSNs as proof of identity. Etc.. It's all a "good faith" system, with zero security.

      Then these three corporations managing everyone's credit information: Consumers are not their customers, so they have little incentive to ensure that your data is correct, or to respond to problems. The consumers are, at best, sheep for them to fleece for a bit of extra money, with their so-called "trust' programs.

    • by Applehu Akbar ( 2968043 ) on Monday September 11, 2017 @06:18AM (#55173139)

      SSN can't be a primary key because not everybody has one.

    • by bluefoxlucid ( 723572 ) on Monday September 11, 2017 @08:37AM (#55173635) Homepage Journal

      The correct answer [slashdot.org] is to use UAF or U2F. The U2F keys all have UAF capability.

      You walk into a bank, present your ID (driver's license, etc.), and they can see it's you. Online, you tell them what car you had in 1999, where you lived 6 years ago, and which bank holds a current loan. One of these is stronger than the other.

      So what you do, you walk into a bank, present your ID, and then you take a brand-new, personally-owned, $20 security key to their terminal. You plug it in or wave it at the NFC, and it sends separate keys to Equifax, TransUnion, etc. Done. You now have an established trust with the credit reporting agency.

      When you open a new credit account, the bank checks the CRA for your history. If you have a hold on your credit, the CRA tells them no loans. Same deal: when the bank talks to the CRA, the CRA sends a challenge; you use your security key to digitally sign the response, proving your physical possession of the correct key, thus your identity. Generally this is RSA or elliptical curve; and the devices are non-cloneable.

      Lost your key? Call your bank and tell them. They'll put your trusts on hold with the CRA. You show up with ID and your key to re-establish trust. In the mean time, it's impossible to open a new loan account.

      People can't hack the CRA or the bank and steal your identity to open new loans in your name if there's no shared secret to steal. You have the only secret; you can prove you have that secret; and you can prove it without revealing the secret. An adversary can only steal the secret by stealing a physical device; and they use secure hardware that resists physical and logical attack, so cloning is destructive at best, and destructive attacks tend to completely-fail on these devices.

      That's the solution. It's the cheapest, most-effective, simplest option available today.

  • by geekpowa ( 916089 ) on Sunday September 10, 2017 @06:44PM (#55171403)

    These old organizations -- Equifax was founded in 1899 and hasn't changed much since inception -- must die, to be replaced by solutions that (and I shudder to say this) are blockchain-based.

    About as insightful as the apper guy. Blockchain magic fixes everything. Also since when did the age of a company was a good predictor of an internal cowboy culture?

  • by supernova87a ( 532540 ) <kepler1.hotmail@com> on Sunday September 10, 2017 @06:46PM (#55171409)
    I have a very simple solution for policymakers to implement:

    - Name + phone hacked = $2 penalty
    - Name + address hacked = $3 penalty
    - Name + SSN hacked = $5 penalty
    - etc., and combinations of the above, just multiply.

    Things would get fixed right quick.
    • by Ryanrule ( 1657199 ) on Sunday September 10, 2017 @07:37PM (#55171619)
      You need about 6-7 more zeros, and you need to apply the fines to the personal assets of the board and c suite. Worldwide.
    • by ccguy ( 1116865 ) on Sunday September 10, 2017 @07:42PM (#55171629) Homepage
      I'd say

      - Any of those things hacked: Your company, and not the affected individual, has to prove innocence if anything happens. Someone managed to open a $20,000 credit line to the name of someone affected by the Equifax fiasco? Equifax pays those $20,000.

      No statue of limitation here. As long as the breached data can be used for identity theft, Equifax is responsible.

      Of course they are free to lobby for a major reform so that no stolen data can be useful for more than one year or so for _anything_ related to money.
    • by west ( 39918 ) on Sunday September 10, 2017 @07:56PM (#55171687)

      At least until they start implementing real security measures that start affecting voters. What do you mean there's an extra $50 on the loan or vehicle processing charge. What do you mean that they need an extra week to verify my identity? I need that money *now*!

      In every single case outside of "they stole my credit card last week", I've never seen more than a tiny minority of North American consumers opt for security over convenience. Every single time.

      As a businesses, you don't want to be in the bottom 10th percentile of security. But dear God will your customers crucify you if your product costs more, or even worse, is less convenient, than your competitors. It's got the point that I feel security improvements beyond the minimal only come if you have a monopoly and can inflict better security against your customers will.

      (Latest example - why does EMV in the States mostly use signature rather than PIN? Because there's enough competition in the US that consumer's preferences for less security couldn't be ignored, unlike, for example, Canada that has better security now only because the ATM cartel (Interac) made sure they had no choice.)

    • by evanh ( 627108 ) on Sunday September 10, 2017 @09:48PM (#55172047)

      Fines or not, imposing arbitrary rules is not a free market.

      The free market only has one outcome - monopoly, and its resultant abuses. It's the ultimate corrupt system.

    • by Reverend Green ( 4973045 ) on Sunday September 10, 2017 @10:53PM (#55172243)

      Check out the liability for spilled Protected Health Information in the Massachusetts Data Security act. IIRC it's $1000 per PHI *record* - not per patient. So you spill a database with a million rows, you're liable for 1 billion dollars. Believe me, that kind of liability will put the fear of God into even the biggest company.

      Source: years ago, while working on medical research software, I was legal custodian for the PHI of about a million patients in Massachusetts.

  • by sgage ( 109086 ) on Sunday September 10, 2017 @06:46PM (#55171413)

    ... horse escapes from wide-open barn! Farmer encouraged to shut the f-ing door!

    Bright godz, what a mess...

    • by Anonymous Coward on Sunday September 10, 2017 @06:56PM (#55171459)
      A large number of horses escape from a rented stable where the door was left wide open. To determine if your horse was lost, you must place another horse in the stable and agree to a binding arbitration clause regarding the loss of the new + original horse.
  • by 140Mandak262Jamuna ( 970587 ) on Sunday September 10, 2017 @06:54PM (#55171447) Journal

    Regulatory filings show the three Equifax executives — Chief Financial Officer John Gamble, U.S. Information Solutions President Joseph Loughran and Workforce Solutions President Rodolfo Ploder — completed stock sales on Aug. 1 and 2.

    Wait, that guy is named John Gamble? and he is the damned CEO?

  • by IonOtter ( 629215 ) on Sunday September 10, 2017 @06:55PM (#55171449) Homepage

    Right now, it's in the best interests of the corporation to allow the details to be stolen.

    Assuming the customer even catches the theft, they're still responsible for the first $50 dollars. And if the company chooses to dispute the customer's claim, they might get more than that.

    The seller and processor all file claims with their insurance company, and get their money back.

    In short, everyone but the victim wins.

    Until that changes, this will continue to happen.

  • by at10u8 ( 179705 ) on Sunday September 10, 2017 @06:56PM (#55171451)
    Penalties are aiming in the wrong direction because leaks will continue to happen. Better to change finance law so that the victim is presumed innocent until proven guilty. A victim should not be penalized. Rather, the lender who fails to perform due diligence and verify identity before extending credit should lose. That would be a powerful motivation for the finance industry to adopt new techniques that minimize their risk of losing.
  • by 140Mandak262Jamuna ( 970587 ) on Sunday September 10, 2017 @06:56PM (#55171461) Journal
    Freezing credit lines does squat to stop the identity thieves from hijacking your accounts. They got social security number, driver license number and dates of birth.

    In no place this should be considered "credentials". But the US financial institutions pretend these are secret passwords.

  • by sit1963nz ( 934837 ) on Sunday September 10, 2017 @06:57PM (#55171469)
    The current system is designed so that when a breach happens US citizens can band together for a class action suit.
    This means that a law firm will make millions or tens of millions of dollars and the REAL victims will get $1.23 (less taxes).

    And all up, this costs the corporation less money than doing the job properly.

    The system is working exactly as it was intended to.

    God, some people think rich people are just made of money, do you not know how much a Ferrari costs these days
    • by lucm ( 889690 ) on Sunday September 10, 2017 @10:56PM (#55172251)

      You forget the trickle-down economy. When the lawyers make millions suing companies for losses experienced by someone else, they can afford to hire pool boy to clean the pubic hair and soiled condoms from their infinity pool filters. Then the pool boy can afford to buy a $5 iTune gift card for that special someone who's gonna spend it on Kanye West albums. In turn, Kanye West can use that money to buy more drugs and create more scandals at the MTV music awards, which attracts advertisers and viewers.

      Lawyers are the linchpin of our economy.

  • by shanen ( 462549 ) on Sunday September 10, 2017 @07:11PM (#55171523) Homepage Journal

    (1) We should have control over our personal information, and no one should be allowed to collect it, sell it, and most importantly, use it against us or to manipulate us without our knowledge. I think that must start with the right to control WHERE that personal knowledge is stored (because possession is still 9 points of the law).

    (2) Those parts of our personal information that have become public should be visible to ALL of the public. As it might apply in an improved Slashdot, I would thus be able use that public information to save time by ignoring people with low reputations. No insult intended [to the authors of rather mindless comments on today's Slashdot?], but I'd prefer to spend as much time as possible consorting with people who are nicer and smarter than I am and zero time (or less) being distracted by trolls.

    (3) I'd be willing to help pay for such systems, both in terms of development and ongoing costs.

    Feeling like a broken record stuck on an old joke, but lots of detailed suggestions available upon polite request. Even nicer if you have some better ideas, but if you have nothing to say, then why don't you say nothing?

  • by Snotnose ( 212196 ) on Sunday September 10, 2017 @07:24PM (#55171567)
    A) Equifax gets sued out of existence
    B) The Equifax Security Cxx is held personally liable, and faces serious prison time
    C) The other Cxx's are held personally liable, and get to eat based on how many cans they can dig out of trash dumpsters.

    Until something like this happens you and I are fucked, while the 1% glide along with no problem.
    • by uncqual ( 836337 ) on Sunday September 10, 2017 @09:07PM (#55171909)

      What criminal law do you think the "Equifax Security Cxx" broke?

      "The other Cxx's are held personally liable, and get to eat based on how many cans they can dig out of trash dumpsters." -- if it turns out to have been the result of an oversight in administration or a programming bug, shouldn't the IT staff that failed to do their job and/or the programmer that caused the bug (or chose to use open source software which had the bug) also be be held personally liable? They are the subject matter experts. Depending on circumstances (which hopefully some Senate and House hearings get to the bottom of), what you are proposing may be like holding the CEO of GM personally responsible for an accident caused by an improperly tightened brake line because a line worker failed to tighten it properly.

      "Equifax gets sued out of existence" - that would be a nice outcome but I'm not holding my breath.

      • by antifoidulus ( 807088 ) on Sunday September 10, 2017 @11:09PM (#55172283) Homepage Journal
        Because if the CEO wants to take the lion share of the profits when things go good they better be willing to put their neck on the line when things go bad. Otherwise they are just thieves. I might be more willing to have sympathy for the CEO if they weren't making hundreds of times what the average worker wants.

        TL;DR don't take the reward if you aren't willing to accept the risk.
      • by Cederic ( 9623 ) on Monday September 11, 2017 @10:14AM (#55174207) Journal

        What criminal law do you think the "Equifax Security Cxx" broke?

        Well, potentially the UK DPA for a start.

        But why do you think people are calling for serious data protection reforms? Right now US data protection is largely absent, health data is about the only consumer data with legal constraints.

        Equifax may get sued senseless here but unless there are clear corporate governance failures it's unlikely there'll be criminal charges in relation to the breach.

        (Rather more likely in relation to the post-breach sale of shares though)

  • by Ryanrule ( 1657199 ) on Sunday September 10, 2017 @07:36PM (#55171613)
    Take all the assets of the board and c suite. Everything they have, everything their immediate family has. Put them on the street.
  • by manu0601 ( 2221348 ) on Sunday September 10, 2017 @07:38PM (#55171623)

    It is weird to see proposal to introduce high tech solutions to fix the reliance on SSN: cryptography, biometry... All that solutions will have flaws

    Another option could be to look at the numerous other countries in the world, where knowing your SSN has never been enough to get a credit on your behalf, or to sell your house.

  • Solution (Score:5, Informative)

    by thisisauniqueid ( 825395 ) on Sunday September 10, 2017 @07:42PM (#55171633)
    SSNs, birthdates and associated names should all be considered public knowledge, since none of them are revokable (or realistically revokable, in the case of SSNs and names). Relying on an SSN and/or birthdate as a password is madness.
    • Re:Solution (Score:5, Informative)

      by AtomicSymphonic ( 2570041 ) on Sunday September 10, 2017 @07:56PM (#55171689)

      Until our country's people come around to the idea of a secure National ID card, SSNs and passwords are all American industries are gonna get.

      It's still politically toxic for the American right-wing to even consider national ID. The solution is political. No amount of superior "wizz-bang" super-duper innovations in security such as blockchain will get these people off their seats. They're perfectly content extracting money from the corporation that lost their data and not much else.

      They don't want "big brother" to know who they are, except they already have a passport and a birth certificate...

  • by scdeimos ( 632778 ) on Sunday September 10, 2017 @07:49PM (#55171657)

    "We have a government that works at a glacial pace in the best of times," says Brenda Sharton, who chairs the Privacy & Cybersecurity practice at the Goodwin law firm, which has worked on data privacy breach investigations since the early 2000s. "There will reach a point where SSN [exposure] becomes untenable. And it may push us in the direction of having companies require multi-factor authentication."

    How the heck does MFA help this situation? MFA guards the login portal, sure, but doesn't do anything to stop companies creating SQL injection attacks or just storing customer data on public S3 buckets (which is how a lot of these breaches are enabled).

  • by Ol Olsoc ( 1175323 ) on Sunday September 10, 2017 @07:51PM (#55171671)
    This will cost money - fail. This will require people who collect a salary - huge fail.

    People need to understand that the internet is not their friend. Places like Equifax identify more with the people who hack them than their customers.

  • by Tora ( 65882 ) on Sunday September 10, 2017 @07:56PM (#55171691)

    Regulation can be dangerous, but it seems this is a situation where it is called for: when a citizen's liberty is being trampled; and the Equifax breach will trample on people's liberty for decades to come – yet they are offering a pittance of one year's credit monitoring as if this will help for a lifetime of damage. Perhaps the EU's GDPR takes things a bit too far for the USA, but it can be used as a reference point, and we need something in our citizen's rights to their own identity in this modern world.

    There are many technical solutions available, but out the gate, it seems like we should be seeking some greater level of culpability on behalf of those holding this data, perhaps even considering the GDPR in context. We can at least ask that of our government. A petition has been started [change.org] to at least raise visibility of this to congress. Start the dialog at the right levels, and hope it will not get steamrolled by lobbyists.

    • by jmccue ( 834797 ) on Sunday September 10, 2017 @09:34PM (#55172005) Homepage

      A petition has been started [change.org] to at least raise visibility of this to congress. Start the dialog at the right levels, and hope it will not get steamrolled by lobbyists.

      Well since I suspect many congress people's and their relations personal information was in the breach, maybe we will finally see some real action taken. But the cynic in me thinks there will be two regulations, one for the powerful and another for the peons

    • by Uberbah ( 647458 ) on Sunday September 10, 2017 @11:29PM (#55172337)

      Regulation can be dangerous

      Mmm, sounds like a libertarian tautology. Regulation is no more dangerous than any other human construct, like business contracts or deeds. The lack of regulation, though, has caused plenty of harm including deaths, though: the people who died on the Deep Horizon rig during Katrina, the dozens to hundreds of people who burned up in that London highrise because better materials would have cost a few thousand pounds, those chemical plants in Texas that have leaked or blown up, who's owners argued for lax regulations....

  • by sandbagger ( 654585 ) on Sunday September 10, 2017 @08:05PM (#55171713)

    Industry will somehow, with a straight face, claim that the answer will be getting government out of the way. The *only* reason this could have possibly happened is because of onerous, confusing regulations.

    Why?

    Memories are short.

  • by hwstar ( 35834 ) on Sunday September 10, 2017 @08:06PM (#55171721)

    Nothing will happen at the federal level right away because of this.

    The banks are too powerful. These are the same guys who pushed binding arbitration in consumer contracts of adhesion.

    States will need to take the initiative first. Let's hope that the banks don't have the power to pass a federal law to preempt the flurry of state laws which will come out of this.

    Death by a thousand cuts at the state level might prompt a 'watered down' federal update to the Federal Credit Reporting Act, but it will end up pre-empting any state laws with a decent set of teeth.

    Sometimes I worry about the rule of law and equal protection under the law in the US. It the banking cartel can rip off everyone by sidestepping the rule of law with binding arbitration, why can't a sniper take out a banker or two?

  • by Rick Zeman ( 15628 ) on Sunday September 10, 2017 @08:39PM (#55171803)

    ...is to be be financially responsible for any breaches where the cost of non-compliance far, far outweighs the cost of compliance.

  • by Opportunist ( 166417 ) on Sunday September 10, 2017 @08:52PM (#55171857)

    You want to store personally identifiable information of ANY kind? No problem. We'll create security guidelines that you have to implement, you get audited once a year (at your expense) and if you fail, you pay 1% of your annual gross revenue per day in fines until your security is up to par.

    Don't like it? Don't store the information. Easy solution.

  • by evanh ( 627108 ) on Sunday September 10, 2017 @09:02PM (#55171891)

    Imposing fines for arbitrary rules is not a free market.

    The free market only has one outcome - monopoly, and its resultant abuses. It's the ultimate corrupt system.

  • by sabbede ( 2678435 ) on Monday September 11, 2017 @11:44AM (#55174853)
    My info was compromised, so was my special lady's. I'm not happy about it or how pitiful EF's offered remedy is. I'll happily accept regulating them out of existence.

Heard that the next Space Shuttle is supposed to carry several Guernsey cows? It's gonna be the herd shot 'round the world.

Working...