Equifax Breach Provokes Calls For Serious Data Protection Reforms (wired.com)

Equifax's data breach was colossal -- but what should happen next? The Guardian writes: The problem is that companies like Equifax are able to accumulate -- essentially, without limit -- as much sensitive, personal data as they can get their hands on. There is an urgent need for strict regulations on what types of data companies can collect and how much data a company can possess, both in aggregate and about individuals. At the very least, this will lessen the severity and size of (inevitable) data breaches... Without putting hard limits on the data capitalists who extract and exploit our personal information, they will continue to reap the benefit while we bear the risks.
Marc Rotenberg, president of the Electronic Privacy Information Center, adds, "we need to penalize companies that collect SSNs but can't protect [them]." Wired reports: Experts across numerous privacy and security fields agree that the solution to the over-collection and over-use of SSNs isn't one particular replacement, but a diverse array of authentications like individual codes (similar to passwords), biometrics, and even physical tokens to create more variation in the ID process. Some also argue that the government likely won't be the driving force behind the shift. "We have a government that works at a glacial pace in the best of times," says Brenda Sharton, who chairs the Privacy & Cybersecurity practice at the Goodwin law firm, which has worked on data privacy breach investigations since the early 2000s. "There will reach a point where SSN [exposure] becomes untenable. And it may push us in the direction of having companies require multi-factor authentication."
Meanwhile TechCrunch argues, "This crass, callow, and lazy treatment of our digital data cannot stand...": We must create new, secure methods for cryptographically securing our data... These old organizations -- Equifax was founded in 1899 and hasn't changed much since inception -- must die, to be replaced by solutions that (and I shudder to say this) are blockchain-based.
  • by Anonymous Coward on Sunday September 10, 2017 @06:44PM (#55171401)

    An SSN is a good primary key in a database because each SSN should correspond to a unique person. It's a terrible way, however, for proof of identity. We essentially use it as a username, but also as a password, and a password that you're unable to change. Furthermore, by law, you have to provide it to banks and some other institutions to use their services. You need to share your SSN with your employer in order to get paid for your job. And you have to trust that none of these entities will mishandle your SSN.

    How about using the SSN for the primary key it is and doing away with it altogether for proof of identity. Mandate that financial institutions use other proof of identity such as one time use passwords and public key encryption. Devalue the SSN and, at the same time, replace it with a secure means to prove identity. The government does have a role, because they can and do regulate entities like financial institutions.

    • by ls671 ( 1122017 )

      Sure, make SSN a unique key, but using it as a primary key is always a bad idea. Use meaningless Object IDs as primary keys, which in turn will be used as foreign keys in other tables instead of the SSN.

      You can even put the SSN in a different table or database with added security features/restrictions.

      • Nobody will remember the actual primary key, but everybody has to remember their SSN. So for looking up a record, it is the primary field to locate that record. Given it is as unique as the primary key, it is essentially the human readable version/alternative for the primary key.
        • by ls671 ( 1122017 )

          And that's the problem; it is human readable and meaningful. Granted, you will have to look up the primary key given a SSN in the protected table or database:

          SSN -> primary key

          Primary key is something like: bd3b546d7136432218858eff

          Then search for that primary key (foreign key) in other tables.

          That's exactly what we have to do in our applications. It is a little less convenient but security sometimes conflicts with "human readable".

          Bonus: developers that have access to prod data do not need access to the S

          • You could also use an easily-remembered hash of the primary key, like your "record locator number" for an airline reservation. This combined with some other elementary personal data would be unique.

      • by msauve ( 701917 )
        "Sure, make SSN a unique key, but using it as a primary key is always a bad idea."

        It's a perfectly fine key - for the US Social Security system. The issue is all the lazy-ass leeches who want to use it for anything else. Credit and medical industries being major violators.

        I haven't given my SSN to anyone who's not deducting SS from a payroll payment for about 30 years. On very rare occasion, I'll use the "last 4" for some things, but unless I'm being paid and they're adding to my SS account, that's all th
        • by ls671 ( 1122017 )

          I haven't given my SSN to anyone who's not deducting SS from a payroll payment for about 30 years.

          You've got that right. This is actually the only use case for it. Where I live, corporations don't even want to know it if you try to give it to them for other purposes. Shit, even the nice police officer didn't want to know the other day!

          We just went a quantum leap further than what was the topic of this subthread so far, but then again: How would the developers using a fixed SSN-like field everywhere in their database (primary client key, foreign keys) cope with your behavior?

          Those who do that might e

          • by msauve ( 701917 )

            even the nice police officer didn't want to know the other day!

            Strange thing, last time I opened a bank account, they wanted my Driver's License number. WTF? Since when do you have to drive to have a bank account?

            How would the developers using a fixed SSN-like field everywhere in their database (primary client key, foreign keys) cope with your behavior? Those who do that might even have a stored proc to validate the SSN field, I have seen it

            I can help with that [fakena.me]. Or use 457-55-5462 (Lifelock CEO) or

            • by ls671 ( 1122017 )

              Strange thing, last time I opened a bank account, they wanted my Driver's License number. WTF?

              Yep, driver license is still commonly asked since SSN is no more politically correct to ask for, passport works also...

            • by ls671 ( 1122017 )

              I can help with that [fakena.me]. Or use 457-55-5462 (Lifelock CEO) or 078-05-1120 or 219-09-9999 [ssa.gov]

              Yep, the formula to validate SSN is no big secret although it is not published at large.

      • by Z00L00K ( 682162 )

        There's no point in protecting the SSN, it's a good unique key that should be indexed so that you use it to bring up necessary biometric data to identify a person.

        SSNs can be generated by a computer and then simply tried out to see how well they work, and if they work they are good enough for some illegals. Trying to keep a SSN from getting into the wrong hands is futile.

        • by ls671 ( 1122017 )

          You are an older schooler than I am!

          Hint: we are now in 2017 and any sensitive information should be protected as well as your certificate authority (CA) although I am exaggerating just a tiny little bit...

          Seriously, what you are suggesting just makes leaking much more probable, since we have to hide the SSN and other sensitive info repeated all over the database with obfuscating scripts for people who don't need access for testing, and if we forget only one spot the whole exercise is pointless.
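The surrogate-key layout ls671 sketches above (SSN -> opaque primary key kept in a separately protected table, every other table keyed only by the surrogate), together with the SSN structure check that comes up in the msauve/ls671 exchange, as an added Go example. This is not code from any commenter, from Equifax, or from any library; the names (Vault, AppDB, Enroll, Lookup, RevealSSN), the choice of HMAC-SHA256 for the lookup index and AES-GCM for storage, and the sample number 123-45-6789 are the editor's assumptions. The structural rules in ValidateSSN are the SSA's published ones (area 000, 666 and 900-999, group 00 and serial 0000 are never issued); the two denylisted numbers are the ones quoted in the thread.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
)

var ssnPattern = regexp.MustCompile(`^(\d{3})-(\d{2})-(\d{4})$`) // area-group-serial

// ValidateSSN applies only the SSA's published structural rules (area 000, 666 and
// 900-999, group 00 and serial 0000 are never issued) plus the two numbers quoted in
// the thread that the SSA says will never be assigned. It cannot tell whether a
// well-formed number belongs to a real person.
func ValidateSSN(ssn string) bool {
	m := ssnPattern.FindStringSubmatch(ssn)
	if m == nil || ssn == "078-05-1120" || ssn == "219-09-9999" {
		return false
	}
	area, group, serial := m[1], m[2], m[3]
	return area != "000" && area != "666" && area[0] != '9' && group != "00" && serial != "0000"
}

// Vault is the separately protected table, the only place an SSN exists. Rows are
// indexed by HMAC(SSN) so a leaked index is useless without the key, and the SSN is
// stored AES-GCM encrypted for the one legitimate use (payroll/tax reporting).
type Vault struct {
	indexKey []byte
	aead     cipher.AEAD
	rows     map[string]vaultRow // hex(HMAC(ssn)) -> row
}

type vaultRow struct {
	surrogateID string // the foreign key every other table uses
	sealedSSN   []byte // nonce || AES-GCM ciphertext, index bound in as AAD
}

func NewVault(indexKey, encKey []byte) (*Vault, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{indexKey, aead, map[string]vaultRow{}}, nil
}

func (v *Vault) index(ssn string) string {
	mac := hmac.New(sha256.New, v.indexKey)
	mac.Write([]byte(ssn))
	return hex.EncodeToString(mac.Sum(nil))
}

// Enroll stores an SSN and returns a meaningless surrogate key: 12 random bytes as
// 24 hex chars, the shape shown in the thread. The same SSN always yields the same
// surrogate, so it still behaves as a unique key without being the primary key.
func (v *Vault) Enroll(ssn string) (string, error) {
	if !ValidateSSN(ssn) {
		return "", fmt.Errorf("structurally invalid SSN")
	}
	idx := v.index(ssn)
	if row, ok := v.rows[idx]; ok {
		return row.surrogateID, nil
	}
	buf := make([]byte, 12+v.aead.NonceSize())
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	id, nonce := hex.EncodeToString(buf[:12]), buf[12:]
	v.rows[idx] = vaultRow{id, v.aead.Seal(nonce, nonce, []byte(ssn), []byte(idx))}
	return id, nil
}

// Lookup is the "SSN -> primary key" step from the thread; it never decrypts anything.
func (v *Vault) Lookup(ssn string) (string, bool) {
	row, ok := v.rows[v.index(ssn)]
	return row.surrogateID, ok
}

// RevealSSN is the rare privileged path (payroll filing) and the only decrypting call.
func (v *Vault) RevealSSN(surrogateID string) (string, error) {
	for idx, row := range v.rows {
		if row.surrogateID == surrogateID {
			ns := v.aead.NonceSize()
			pt, err := v.aead.Open(nil, row.sealedSSN[:ns], row.sealedSSN[ns:], []byte(idx))
			return string(pt), err
		}
	}
	return "", fmt.Errorf("unknown customer %s", surrogateID)
}

// AppDB stands for the ordinary tables that developers, test copies and backups see:
// an account references its customer only through the surrogate key.
type AppDB map[string][]string // surrogateID -> products

// Dump renders the application tables; what matters is what is absent from them.
func (db AppDB) Dump() string { return fmt.Sprintf("%v", db) }
```

The point of the split is the one ls671 makes: a dump of AppDB contains 24-hex surrogates and nothing else about the person, a dump of the vault's index column contains HMAC values that only the index key turns back into lookups, and the two keys live with the vault service rather than with the application database. Because the SSN exists in exactly one column of one table, there is only one spot to protect, which is the failure mode the comment above warns about when the number is copied everywhere.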

    • by Gim Tom ( 716904 )
      The card says it is not to be used for identification. Which is now a joke. Maybe they should just publish everyone's SSN and loose the dogs of war er Law on those that do use it for ID.

      Being an old codger going back to the days of big iron and wide green bar printouts, I can remember when old printouts with full SSN, NAME, ADDRESS and other information that is now considered sensitive were freely available for anyone to take home for their kids to color on. We even used the back at work to sketch out p
    • An SSN is a good primary key in a database because each SSN should correspond to a unique person.

      It should, but it doesn't. The converse isn't true either.

    • by ccguy ( 1116865 )

      How about using the SSN for the primary key it is and doing away with it altogether for proof of identity.

      It's not. Any value that can be NULL sucks. Not everyone has a SSN number. In fact, not everyone lives in a country where such a thing exists. Equifax is a global company. So any solution that mentions SSN is a bad start.

      At some point we'll have to get used to the fact that in order to be safe we'll have to have laws that demand our physical presence somewhere for certain important things in life. Ordering a credit card is one of these things. Would it really kill us to get out of the house, go somewhe

    • The government does have a role, because they can and do regulate entities like financial institutions.

      You're wagging the dog. Financial institutions regulate the government.

    • Naw bro, use a synthetic primary key. Although quite rare, people do occasionally change SSN.

    • This. The SSN offers zero security. So many institutions have it that it might just as well be public information. Plus, even after a data breach, you cannot change it.

      There are so many things wrong with the US credit (and banking) system. Basically anyone can write checks on your account, if only they know your routing and account numbers. SSNs as proof of identity. Etc.. It's all a "good faith" system, with zero security.

      Then these three corporations managing everyone's credit information: Consumers are not the

    • SSN can't be a primary key because not everybody has one.

    • by bluefoxlucid ( 723572 ) on Monday September 11, 2017 @08:37AM (#55173635) Homepage Journal

      The correct answer [slashdot.org] is to use UAF or U2F. The U2F keys all have UAF capability.

      You walk into a bank, present your ID (driver's license, etc.), and they can see it's you. Online, you tell them what car you had in 1999, where you lived 6 years ago, and which bank holds a current loan. One of these is stronger than the other.

      So what you do, you walk into a bank, present your ID, and then you take a brand-new, personally-owned, $20 security key to their terminal. You plug it in or wave it at the NFC, and it sends separate keys to Equifax, TransUnion, etc. Done. You now have an established trust with the credit reporting agency.

      When you open a new credit account, the bank checks the CRA for your history. If you have a hold on your credit, the CRA tells them no loans. Same deal: when the bank talks to the CRA, the CRA sends a challenge; you use your security key to digitally sign the response, proving your physical possession of the correct key, thus your identity. Generally this is RSA or elliptic curve; and the devices are non-cloneable.

      Lost your key? Call your bank and tell them. They'll put your trusts on hold with the CRA. You show up with ID and your key to re-establish trust. In the meantime, it's impossible to open a new loan account.

      People can't hack the CRA or the bank and steal your identity to open new loans in your name if there's no shared secret to steal. You have the only secret; you can prove you have that secret; and you can prove it without revealing the secret. An adversary can only steal the secret by stealing a physical device; and they use secure hardware that resists physical and logical attack, so cloning is destructive at best, and destructive attacks tend to completely fail on these devices.

      That's the solution. It's the cheapest, most-effective, simplest option available today.
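The challenge-response flow bluefoxlucid describes above (enrol a personal security key at the bank, the CRA keeps only a public key, the CRA issues a challenge that the key signs, a reported-lost key puts credit on hold), as an added Go example. It is not code from the commenter, from any FIDO/U2F library, or from a CRA. The token is simulated in software, so "the private key never leaves the device" holds here only by construction; P-256 ECDSA is one of the algorithm families the comment names; the relying-party IDs, consumer names, per-relying-party key pairs and single-use challenge bookkeeping are the editor's assumptions, and the real U2F wire format (key handles, counters, attestation) is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// SecurityKey stands in for the $20 hardware token: private keys are generated
// inside it and never exported; callers only ever receive signatures.
type SecurityKey struct {
	keys map[string]*ecdsa.PrivateKey // one key pair per relying party, as U2F does
}

func NewSecurityKey() *SecurityKey { return &SecurityKey{keys: map[string]*ecdsa.PrivateKey{}} }

// Register is the enrolment step at the bank terminal: the token mints a fresh
// P-256 key pair for this relying party and hands back only the public half.
func (k *SecurityKey) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	k.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// Sign answers a challenge. The relying-party ID is hashed in with the challenge so
// a signature obtained for one CRA cannot be presented to another.
func (k *SecurityKey) Sign(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := k.keys[rpID]
	if !ok {
		return nil, errors.New("token was never registered with this relying party")
	}
	digest := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// CRA is the credit reporting agency. It stores public keys only: nothing in this
// struct lets someone who dumps it impersonate a consumer.
type CRA struct {
	ID      string
	pubKeys map[string]*ecdsa.PublicKey // consumer -> registered public key
	onHold  map[string]bool             // consumer reported the key lost
	pending map[string][]byte           // consumer -> outstanding single-use challenge
}

func NewCRA(id string) *CRA {
	return &CRA{id, map[string]*ecdsa.PublicKey{}, map[string]bool{}, map[string][]byte{}}
}

func (c *CRA) Enroll(consumer string, pub *ecdsa.PublicKey) { c.pubKeys[consumer] = pub }
func (c *CRA) ReportLost(consumer string)                   { c.onHold[consumer] = true }

// Challenge is what the CRA sends when a lender asks to open a new credit account.
func (c *CRA) Challenge(consumer string) ([]byte, error) {
	if _, ok := c.pubKeys[consumer]; !ok {
		return nil, errors.New("no key on file for consumer")
	}
	if c.onHold[consumer] {
		return nil, errors.New("credit on hold: consumer reported key lost")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	c.pending[consumer] = nonce
	return nonce, nil
}

// Authorize verifies the signed challenge. The challenge is consumed whether or not
// the check passes, so a captured signature cannot be replayed later.
func (c *CRA) Authorize(consumer string, sig []byte) bool {
	nonce, ok := c.pending[consumer]
	delete(c.pending, consumer)
	if !ok || c.onHold[consumer] {
		return false
	}
	digest := sha256.Sum256(append([]byte(c.ID+"|"), nonce...))
	return ecdsa.VerifyASN1(c.pubKeys[consumer], digest[:], sig)
}
```

Two properties carry the argument in the comment: a breach of the CRA yields public keys and consumed nonces, neither of which answers the next challenge, and a lender that only ever sees a signature over a fresh nonce has nothing it could reuse or sell. The hold is enforced on the CRA side, so a stolen token is useless once reported, and re-enrolment simply replaces the stored public key.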

  • by geekpowa ( 916089 ) on Sunday September 10, 2017 @06:44PM (#55171403)

    These old organizations -- Equifax was founded in 1899 and hasn't changed much since inception -- must die, to be replaced by solutions that (and I shudder to say this) are blockchain-based.

    About as insightful as the apper guy. Blockchain magic fixes everything. Also, since when was the age of a company a good predictor of an internal cowboy culture?

    • I also heard that blockchain will stop global warming, cure cancer, and find Jimmy Hoffa!
    • by MSG ( 12810 )

      My thoughts exactly. Blockchain credit history? Great! Now every fraudulent entry is there permanently, and can't be removed! Brilliant!

  • by supernova87a ( 532540 ) <(kepler1) (at) (hotmail.com)> on Sunday September 10, 2017 @06:46PM (#55171409)
    I have a very simple solution for policymakers to implement:

    - Name + phone hacked = $2 penalty
    - Name + address hacked = $3 penalty
    - Name + SSN hacked = $5 penalty
    - etc., and combinations of the above, just multiply.

    Things would get fixed right quick.
    • You need about 6-7 more zeros, and you need to apply the fines to the personal assets of the board and c suite. Worldwide.
      • and you need to apply the fines to the personal assets of the board and c suite

        Pretty much impossible legally. That's why they're Limited Liability Corporations, after all.

        In fact, that's the whole point of a Corporation - to make the corporation liable, and not its employees (like, you know, the CEO)....

    • by ccguy ( 1116865 )
      I'd say

      - Any of those things hacked: Your company, and not the affected individual, has to prove innocence if anything happens. Someone managed to open a $20,000 credit line to the name of someone affected by the Equifax fiasco? Equifax pays those $20,000.

      No statute of limitations here. As long as the breached data can be used for identity theft, Equifax is responsible.

      Of course they are free to lobby for a major reform so that no stolen data can be useful for more than one year or so for _anything_ rel
      • That's a good idea, but it will never happen. It makes too much sense.
        • It makes too much sense.

          Actually, it doesn't make sense at all. Equifax had a profit of about $600M last year. That is about $2 per American. They can't possibly afford millions of $20k payouts. The money just isn't there.

          The solution is to fix the idiotic system that allows "identity theft" by knowing a name, SSN and DOB. Equifax did not create that system, so why should they be penalized for it?

          • by Cederic ( 9623 )

            Wait? A company offering ID&V products isn't responsible for market acceptance of adequate ID&V?

            It's possible to say, "That's insufficient information to identify the individual" and refuse to ID&V an individual; of course, that would reduce revenue so fuck consumers?

    • by west ( 39918 )

      At least until they start implementing real security measures that start affecting voters. What do you mean there's an extra $50 on the loan or vehicle processing charge. What do you mean that they need an extra week to verify my identity? I need that money *now*!

      In every single case outside of "they stole my credit card last week", I've never seen more than a tiny minority of North American consumers opt for security over convenience. Every single time.

      As a business, you don't want to be in the botto

    • Fines or not, imposing arbitrary rules is not a free market.

      The free market only has one outcome - monopoly, and its resultant abuses. It's the ultimate corrupt system.

    • Check out the liability for spilled Protected Health Information in the Massachusetts Data Security act. IIRC it's $1000 per PHI *record* - not per patient. So you spill a database with a million rows, you're liable for 1 billion dollars. Believe me, that kind of liability will put the fear of God into even the biggest company.

      Source: years ago, while working on medical research software, I was legal custodian for the PHI of about a million patients in Massachusetts.

  • by sgage ( 109086 ) on Sunday September 10, 2017 @06:46PM (#55171413)

    ... horse escapes from wide-open barn! Farmer encouraged to shut the f-ing door!

    Bright godz, what a mess...

    • by Anonymous Coward on Sunday September 10, 2017 @06:56PM (#55171459)
      A large number of horses escape from a rented stable where the door was left wide open. To determine if your horse was lost, you must place another horse in the stable and agree to a binding arbitration clause regarding the loss of the new + original horse.
  • by 140Mandak262Jamuna ( 970587 ) on Sunday September 10, 2017 @06:54PM (#55171447) Journal

    Regulatory filings show the three Equifax executives — Chief Financial Officer John Gamble, U.S. Information Solutions President Joseph Loughran and Workforce Solutions President Rodolfo Ploder — completed stock sales on Aug. 1 and 2.

    Wait, that guy is named John Gamble? and he is the damned CEO?

    • We obviously need someone who can provide checks and oversight on his leadership. Someone so strongly invested in such a process [wikipedia.org] that it would similarly be reflected in their own last name.

  • by IonOtter ( 629215 ) on Sunday September 10, 2017 @06:55PM (#55171449) Homepage

    Right now, it's in the best interests of the corporation to allow the details to be stolen.

    Assuming the customer even catches the theft, they're still responsible for the first $50. And if the company chooses to dispute the customer's claim, they might get more than that.

    The seller and processor all file claims with their insurance company, and get their money back.

    In short, everyone but the victim wins.

    Until that changes, this will continue to happen.

    • Really? The insurance company just pays out all the time and never denies a claim coming from a seller or processor? And they never raise the rates on the policy? Does the insurance company have a magic goose out back or something?
  • by at10u8 ( 179705 ) on Sunday September 10, 2017 @06:56PM (#55171451)
    Penalties are aiming in the wrong direction because leaks will continue to happen. Better to change finance law so that the victim is presumed innocent until proven guilty. A victim should not be penalized. Rather, the lender who fails to perform due diligence and verify identity before extending credit should lose. That would be a powerful motivation for the finance industry to adopt new techniques that minimize their risk of losing.
  • by 140Mandak262Jamuna ( 970587 ) on Sunday September 10, 2017 @06:56PM (#55171461) Journal
    Freezing credit lines does squat to stop the identity thieves from hijacking your accounts. They got social security number, driver license number and dates of birth.

    In no place should this be considered "credentials". But the US financial institutions pretend these are secret passwords.

  • The current system is designed so that when a breach happens US citizens can band together for a class action suit.
    This means that a law firm will make millions or tens of millions of dollars and the REAL victims will get $1.23 (less taxes).

    And all up, this costs the corporation less money than doing the job properly.

    The system is working exactly as it was intended to.

    God, some people think rich people are just made of money, do you not know how much a Ferrari costs these days
    • by lucm ( 889690 )

      You forget the trickle-down economy. When the lawyers make millions suing companies for losses experienced by someone else, they can afford to hire a pool boy to clean the pubic hair and soiled condoms from their infinity pool filters. Then the pool boy can afford to buy a $5 iTunes gift card for that special someone who's gonna spend it on Kanye West albums. In turn, Kanye West can use that money to buy more drugs and create more scandals at the MTV music awards, which attracts advertisers and viewers.

      Lawyers

  • by shanen ( 462549 ) on Sunday September 10, 2017 @07:11PM (#55171523) Homepage Journal

    (1) We should have control over our personal information, and no one should be allowed to collect it, sell it, and most importantly, use it against us or to manipulate us without our knowledge. I think that must start with the right to control WHERE that personal knowledge is stored (because possession is still 9 points of the law).

    (2) Those parts of our personal information that have become public should be visible to ALL of the public. As it might apply in an improved Slashdot, I would thus be able use that public information to save time by ignoring people with low reputations. No insult intended [to the authors of rather mindless comments on today's Slashdot?], but I'd prefer to spend as much time as possible consorting with people who are nicer and smarter than I am and zero time (or less) being distracted by trolls.

    (3) I'd be willing to help pay for such systems, both in terms of development and ongoing costs.

    Feeling like a broken record stuck on an old joke, but lots of detailed suggestions available upon polite request. Even nicer if you have some better ideas, but if you have nothing to say, then why don't you say nothing?

  • by Snotnose ( 212196 ) on Sunday September 10, 2017 @07:24PM (#55171567)
    A) Equifax gets sued out of existence
    B) The Equifax Security Cxx is held personally liable, and faces serious prison time
    C) The other Cxx's are held personally liable, and get to eat based on how many cans they can dig out of trash dumpsters.

    Until something like this happens you and I are fucked, while the 1% glide along with no problem.
    • by uncqual ( 836337 )

      What criminal law do you think the "Equifax Security Cxx" broke?

      "The other Cxx's are held personally liable, and get to eat based on how many cans they can dig out of trash dumpsters." -- if it turns out to have been the result of an oversight in administration or a programming bug, shouldn't the IT staff that failed to do their job and/or the programmer that caused the bug (or chose to use open source software which had the bug) also be held personally liable? They are the subject matter experts. Depend

        • Because if the CEO wants to take the lion's share of the profits when things go good they better be willing to put their neck on the line when things go bad. Otherwise they are just thieves. I might be more willing to have sympathy for the CEO if they weren't making hundreds of times what the average worker wants.

        TL;DR don't take the reward if you aren't willing to accept the risk.
      • by Cederic ( 9623 )

        What criminal law do you think the "Equifax Security Cxx" broke?

        Well, potentially the UK DPA for a start.

        But why do you think people are calling for serious data protection reforms? Right now US data protection is largely absent, health data is about the only consumer data with legal constraints.

        Equifax may get sued senseless here but unless there are clear corporate governance failures it's unlikely there'll be criminal charges in relation to the breach.

        (Rather more likely in relation to the post-breach sale of shares though)

  • Take all the assets of the board and c suite. Everything they have, everything their immediate family has. Put them on the street.
    • by Cederic ( 9623 )

      Under which law? Doesn't the US have a law specifically against this? Technically two, I think you're suggesting breaking the 4th and 8th amendments.

  • by manu0601 ( 2221348 ) on Sunday September 10, 2017 @07:38PM (#55171623)

    It is weird to see proposals to introduce high-tech solutions to fix the reliance on SSN: cryptography, biometrics... All those solutions will have flaws.

    Another option could be to look at the numerous other countries in the world, where knowing your SSN has never been enough to get a credit on your behalf, or to sell your house.

    • by houghi ( 78078 )

      Belgium is such a country. You have a National Number YYYYMMDD-XXX-ZZ
      Date backward, counter. The last two are gender and a control number. So the first baby born on 20170911 will get 20170911-001-12 (Or something similar). Well, not born, but officially mentioned, so that could be somebody who comes to Belgium at the age of 60. He will not be number 001 for that day, but 857 or whatever.

      If that number is abused, they could give you a new number. However that national number by itself means nothing. You also

  • Solution (Score:5, Informative)

    by thisisauniqueid ( 825395 ) on Sunday September 10, 2017 @07:42PM (#55171633)
    SSNs, birthdates and associated names should all be considered public knowledge, since none of them are revokable (or realistically revokable, in the case of SSNs and names). Relying on an SSN and/or birthdate as a password is madness.
    • Re:Solution (Score:5, Informative)

      by AtomicSymphonic ( 2570041 ) on Sunday September 10, 2017 @07:56PM (#55171689)

      Until our country's people come around to the idea of a secure National ID card, SSNs and passwords are all American industries are gonna get.

      It's still politically toxic for the American right-wing to even consider national ID. The solution is political. No amount of superior "wizz-bang" super-duper innovations in security such as blockchain will get these people off their seats. They're perfectly content extracting money from the corporation that lost their data and not much else.

      They don't want "big brother" to know who they are, except they already have a passport and a birth certificate...

  • "We have a government that works at a glacial pace in the best of times," says Brenda Sharton, who chairs the Privacy & Cybersecurity practice at the Goodwin law firm, which has worked on data privacy breach investigations since the early 2000s. "There will reach a point where SSN [exposure] becomes untenable. And it may push us in the direction of having companies require multi-factor authentication."

    How the heck does MFA help this situation? MFA guards the login portal, sure, but doesn't do anything to stop companies creating SQL injection attacks or just storing customer data on public S3 buckets (which is how a lot of these breaches are enabled).

  • This will cost money - fail. This will require people who collect a salary - huge fail.

    People need to understand that the internet is not their friend. Places like Equifax identify more with the people who hack them than their customers.

  • by Tora ( 65882 ) on Sunday September 10, 2017 @07:56PM (#55171691)

    Regulation can be dangerous, but it seems this is a situation where it is called for: when a citizen's liberty is being trampled; and the Equifax breach will trample on people's liberty for decades to come – yet they are offering a pittance of one year's credit monitoring as if this will help for a lifetime of damage. Perhaps the EU's GDPR takes things a bit too far for the USA, but it can be used as a reference point, and we need something in our citizen's rights to their own identity in this modern world.

    There are many technical solutions available, but out the gate, it seems like we should be seeking some greater level of culpability on behalf of those holding this data, perhaps even considering the GDPR in context. We can at least ask that of our government. A petition has been started [change.org] to at least raise visibility of this to congress. Start the dialog at the right levels, and hope it will not get steamrolled by lobbyists.

    • by jmccue ( 834797 )

      A petition has been started [change.org] to at least raise visibility of this to congress. Start the dialog at the right levels, and hope it will not get steamrolled by lobbyists.

      Well, since I suspect many congresspeople's and their relations' personal information was in the breach, maybe we will finally see some real action taken. But the cynic in me thinks there will be two regulations, one for the powerful and another for the peons

    • by Uberbah ( 647458 )

      Regulation can be dangerous

      Mmm, sounds like a libertarian tautology. Regulation is no more dangerous than any other human construct, like business contracts or deeds. The lack of regulation, though, has caused plenty of harm including deaths: the people who died on the Deep Horizon rig during Katrina, the dozens to hundreds of people who burned up in that London highrise because better materials would have cost a few thousand pounds, those chemical plants in Texas that have leaked or blown up, who

  • Industry will somehow, with a straight face, claim that the answer will be getting government out of the way. The *only* reason this could have possibly happened is because of onerous, confusing regulations.

    Why?

    Memories are short.

  • by hwstar ( 35834 ) on Sunday September 10, 2017 @08:06PM (#55171721)

    Nothing will happen at the federal level right away because of this.

    The banks are too powerful. These are the same guys who pushed binding arbitration in consumer contracts of adhesion.

    States will need to take the initiative first. Let's hope that the banks don't have the power to pass a federal law to preempt the flurry of state laws which will come out of this.

    Death by a thousand cuts at the state level might prompt a 'watered down' federal update to the Federal Credit Reporting Act, but it will end up pre-empting any state laws with a decent set of teeth.

    Sometimes I worry about the rule of law and equal protection under the law in the US. If the banking cartel can rip off everyone by sidestepping the rule of law with binding arbitration, why can't a sniper take out a banker or two?

  • ...is to be financially responsible for any breaches where the cost of non-compliance far, far outweighs the cost of compliance.

  • You want to store personally identifiable information of ANY kind? No problem. We'll create security guidelines that you have to implement, you get audited once a year (at your expense) and if you fail, you pay 1% of your annual gross revenue per day in fines until your security is up to par.

    Don't like it? Don't store the information. Easy solution.

  • Imposing fines for arbitrary rules is not a free market.

    The free market only has one outcome - monopoly, and its resultant abuses. It's the ultimate corrupt system.

  • My info was compromised, so was my special lady's. I'm not happy about it or how pitiful EF's offered remedy is. I'll happily accept regulating them out of existence.