Equifax Breach Provokes Calls For Serious Data Protection Reforms (wired.com)
Date: 2017-09-10
Equifax's data breach was colossal -- but what should happen next? The Guardian writes: The problem is that companies like Equifax are able to accumulate -- essentially, without limit -- as much sensitive, personal data as they can get their hands on. There is an urgent need for strict regulations on what types of data companies can collect and how much data a company can possess, both in aggregate and about individuals. At the very least, this will lessen the severity and size of (inevitable) data breaches... Without putting hard limits on the data capitalists who extract and exploit our personal information, they will continue to reap the benefit while we bear the risks.
Marc Rotenberg, president of the Electronic Privacy Information Center, adds, "we need to penalize companies that collect SSNs but can't protect [them]." Wired reports: Experts across numerous privacy and security fields agree that the solution to the over-collection and over-use of SSNs isn't one particular replacement, but a diverse array of authentications like individual codes (similar to passwords), biometrics, and even physical tokens to create more variation in the ID process. Some also argue that the government likely won't be the driving force behind the shift. "We have a government that works at a glacial pace in the best of times," says Brenda Sharton, who chairs the Privacy & Cybersecurity practice at the Goodwin law firm, which has worked on data privacy breach investigations since the early 2000s. "There will reach a point where SSN [exposure] becomes untenable. And it may push us in the direction of having companies require multi-factor authentication."
Meanwhile TechCrunch argues, "This crass, callow, and lazy treatment of our digital data cannot stand...": We must create new, secure methods for cryptographically securing our data... These old organizations -- Equifax was founded in 1899 and hasn't changed much since inception -- must die, to be replaced by solutions that (and I shudder to say this) are blockchain-based.
Re: (Score:2)
I'll believe that corporations are people when I see one executed. As the saying goes.
Big targets, big money, relentless attackers (Score:1)
Mandate that SSNs are not proof of identity (Score:5, Insightful)
An SSN is a good primary key in a database because each SSN should correspond to a unique person. It's a terrible way, however, for proof of identity. We essentially use it as a username, but also as a password, and a password that you're unable to change. Furthermore, by law, you have to provide it to banks and some other institutions to use their services. You need to share your SSN with your employer in order to get paid for your job. And you have to trust that none of these entities will mishandle your SSN.
How about using the SSN for the primary key it is and doing away with it altogether for proof of identity. Mandate that financial institutions use other proof of identity such as one time use passwords and public key encryption. Devalue the SSN and, at the same time, replace it with a secure means to prove identity. The government does have a role, because they can and do regulate entities like financial institutions.
Re: (Score:1)
Re: (Score:2)
Sure, make SSN a unique key, but using it as a primary key is always a bad idea. Use meaningless Object IDs as primary keys, which in turn will be used as a foreign key in other tables instead of the SSN.
You can even put the SSN in a different table or database with added security features/restrictions.
Re: Mandate that SSNs are not proof of identity (Score:2)
Re: (Score:2)
And that's the problem; it is human readable and meaningful. Granted, you will have to look up the primary key given an SSN in the protected table or database:
SSN -> primary key
Primary key is something like: bd3b546d7136432218858eff
Then search for that primary key (foreign key) in other tables.
That's exactly what we have to do in our applications. It is a little less convenient but security sometimes conflicts with "human readable".
Bonus: developers that have access to prod data do not need access to the S
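The surrogate-key layout the two comments above describe, written out as an added example by the editor (it is not code from the thread or from any of the parties named on the page). Two SQLite in-memory databases stand in for the "protected" store and the ordinary application store; the table names, the sample person and the SSN-shaped string are all constructed for the demonstration, and the 12-byte hex key simply matches the shape of the commenter's sample key.

```python
import secrets
import sqlite3

# Added example, not from the thread: SSN lives only in a separate restricted
# store ("vault"); every application table keys on a meaningless surrogate id.


def new_surrogate_key() -> str:
    # 24 hex characters, the same shape as the commenter's bd3b546d7136432218858eff
    return secrets.token_hex(12)


def open_stores():
    # Two separate connections model "a different table or database with added
    # security features/restrictions". The app database never contains an SSN.
    vault = sqlite3.connect(":memory:")
    vault.execute(
        "CREATE TABLE ssn_map (ssn TEXT PRIMARY KEY, person_id TEXT UNIQUE NOT NULL)"
    )
    app = sqlite3.connect(":memory:")
    app.execute("PRAGMA foreign_keys = ON")
    app.execute("CREATE TABLE person (person_id TEXT PRIMARY KEY, name TEXT NOT NULL)")
    app.execute(
        "CREATE TABLE account ("
        "account_no TEXT PRIMARY KEY, "
        "person_id TEXT NOT NULL REFERENCES person(person_id), "
        "balance_cents INTEGER NOT NULL)"
    )
    return vault, app


def enroll(vault, app, ssn: str, name: str) -> str:
    # Mint the surrogate once; the SSN -> key mapping is written only to the vault.
    pid = new_surrogate_key()
    vault.execute("INSERT INTO ssn_map VALUES (?, ?)", (ssn, pid))
    app.execute("INSERT INTO person VALUES (?, ?)", (pid, name))
    return pid


def lookup_person_id(vault, ssn: str):
    # The single place where an SSN is used: "SSN -> primary key".
    row = vault.execute("SELECT person_id FROM ssn_map WHERE ssn = ?", (ssn,)).fetchone()
    return row[0] if row else None


def accounts_for(app, person_id: str):
    # Everything downstream of the vault lookup joins on the foreign key only.
    return list(
        app.execute(
            "SELECT account_no, balance_cents FROM account "
            "WHERE person_id = ? ORDER BY account_no",
            (person_id,),
        )
    )


def app_db_contains(app, needle: str) -> bool:
    # Sanity check for the "bonus": no column of any app table holds the SSN,
    # so a developer with prod access to this database never sees one.
    for table in ("person", "account"):
        for row in app.execute(f"SELECT * FROM {table}"):  # fixed, trusted names
            if any(str(value) == needle for value in row):
                return True
    return False


def demo() -> dict:
    vault, app = open_stores()
    ssn = "000-00-0001"  # constructed placeholder; 000- prefixes are never issued
    pid = enroll(vault, app, ssn, "Jane Sample")
    app.execute("INSERT INTO account VALUES (?, ?, ?)", ("ACCT-1", pid, 12500))
    app.execute("INSERT INTO account VALUES (?, ?, ?)", ("ACCT-2", pid, 300))
    found = lookup_person_id(vault, ssn)
    return {
        "key_len": len(pid),
        "lookup_matches": found == pid,
        "accounts": accounts_for(app, found),
        "ssn_in_app_db": app_db_contains(app, ssn),
        "unknown_ssn": lookup_person_id(vault, "000-00-0002"),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that `lookup_person_id` is the only function that ever takes an SSN as a parameter, so access control (a separate credential, a separate host, audit logging) can be applied to that one store without touching the rest of the schema.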
Re: (Score:2)
Being an old codger going back to the days of big iron and wide green bar printouts I can remember when old printouts with full SSN, NAME, ADDRESS and other information that is now considered sensitive was freely available for anyone to take home for their kids to color on. We even used the back at work to sketch out p
Re: (Score:1)
The card says it is not to be used for identification. Which is now a joke.
Your social security number is not supposed to be used for identification. But there is a very simple reason why everyone uses it for exactly that purpose -- it is the only unique identifier that exists.
Re: (Score:3)
Using an SSN (or other nationally valid identifier) for "identity" is one thing; using it as *proof* of identity (i.e., as an authenticator) is another. Any business using an SSN as an authenticator and trying to hang a debt around the neck of the person identified by the SSN should be laughed out of court.
The burden should not be on the shoulders of the "identity theft" victim to prove the negative (that they did not get the goods/services the creditor is claiming that they got), but rather on the should
Re: Mandate that SSNs are not proof of identity (Score:1)
Re: (Score:2)
It should, but it doesn't. The converse isn't true either.
Re: (Score:2)
How about using the SSN for the primary key it is and doing away with it altogether for proof of identity.
It's not. Any value that can be NULL sucks. Not everyone has an SSN. In fact, not everyone lives in a country where such a thing exists. Equifax is a global company. So any solution that mentions SSN is a bad start.
At some point we'll have to get used to the fact that in order to be safe we'll have to have laws that demand our physical presence somewhere for certain important things in like. Ordering a credit card is one of these things. Would it really kill us to get out of the house, go somewhe
Re: (Score:1)
National ID cards are a non-starter for ultra-conservatives/wingnuts that want no extra regulation on their lives. Let alone the fact that most people already have passports.
As much as it sucks to say this, but the solution is political, it isn't blockchain-based or creating some new security. Until those wingnuts are affected by such data breaches in a personal way, they will not come around to supporting national ID laws.
Bad tech journalism must die (Score:5, Insightful)
These old organizations -- Equifax was founded in 1899 and hasn't changed much since inception -- must die, to be replaced by solutions that (and I shudder to say this) are blockchain-based.
About as insightful as the apper guy. Blockchain magic fixes everything. Also, since when was the age of a company a good predictor of an internal cowboy culture?
Re: (Score:2)
as they say, "let the free market decide" (Score:4, Interesting)
- Name + phone hacked = $2 penalty
- Name + address hacked = $3 penalty
- Name + SSN hacked = $5 penalty
- etc., and combinations of the above, just multiply.
Things would get fixed right quick.
Re: as they say, "let the free market decide" (Score:2)
The free market has decided that since losing your PII to hackers effectively costs them nothing, they're going to keep cutting costs on data security.
The free market does not prioritize the best interests of customers. It prioritizes profits. If repeatedly fucking over customers or allowing others to do so is profitable - and right now it is - then customers are going to need copious lube and ice for their buttholes for the indeterminate future.
Re: (Score:2)
Re: (Score:1)
Apparently you don't do math. Combine those for $30 per violation, and 143 million violations, and we're into the billions on penalties.
Also - fining an individual for the actions or mistakes of others would be egregious and not within the law. In other words I hope your kids don't make mistakes, because in your worldview we would find a way to make you pay big time.
Re: (Score:2)
- Any of those things hacked: Your company, and not the affected individual, has to prove innocence if anything happens. Someone managed to open a $20,000 credit line to the name of someone affected by the Equifax fiasco? Equifax pays those $20,000.
No statute of limitations here. As long as the breached data can be used for identity theft, Equifax is responsible.
Of course they are free to lobby for a major reform so that no stolen data can be useful for more than one year or so for _anything_ rel
Re: (Score:2)
At least until they start implementing real security measures that start affecting voters. What do you mean there's an extra $50 on the loan or vehicle processing charge. What do you mean that they need an extra week to verify my identity? I need that money *now*!
In every single case outside of "they stole my credit card last week", I've never seen more than a tiny minority of North American consumers opt for security over convenience. Every single time.
As a businesses, you don't want to be in the botto
In other news... (Score:5, Funny)
... horse escapes from wide-open barn! Farmer encouraged to shut the f-ing door!
Bright godz, what a mess...
Re: In other news... (Score:1)
Re: Time for a replaceable social security number (Score:1)
Three executives dump shares (Score:2)
Regulatory filings show the three Equifax executives — Chief Financial Officer John Gamble, U.S. Information Solutions President Joseph Loughran and Workforce Solutions President Rodolfo Ploder — completed stock sales on Aug. 1 and 2.
Wait, that guy is named John Gamble? and he is the damned CEO?
Re: (Score:2)
We obviously need someone who can provide checks and oversight on his leadership. Someone so strongly invested in such a process [wikipedia.org] that it would similarly be reflected in their own last name.
Cost to Profit Ratio Too Low (Score:2)
Right now, it's in the best interests of the corporation to allow the details to be stolen.
Assuming the customer even catches the theft, they're still responsible for the first $50 dollars. And if the company chooses to dispute the customer's claim, they might get more than that.
The seller and processor all file claims with their insurance company, and get their money back.
In short, everyone but the victim wins.
Until that changes, this will continue to happen.
Re: (Score:2)
innocent until proven guilty (Score:5, Interesting)
Re: innocent until proven guilty (Score:1)
Account hijack is a bigger threat (Score:5, Insightful)
Nowhere should this be considered "credentials". But the US financial institutions pretend these are secret passwords.
WRONG (Score:2)
This means that a law firm will make millions or tens of millions of dollars and the REAL victims will get $1.23 (less taxes).
And all up, this costs the corporation less money than doing the job properly.
The system is working exactly as it was intended to.
God, some people think rich people are just made of money, do you not know how much a Ferrari costs these days
Fundamental principles of personal data (Score:3)
(1) We should have control over our personal information, and no one should be allowed to collect it, sell it, and most importantly, use it against us or to manipulate us without our knowledge. I think that must start with the right to control WHERE that personal knowledge is stored (because possession is still 9 points of the law).
(2) Those parts of our personal information that have become public should be visible to ALL of the public. As it might apply in an improved Slashdot, I would thus be able use that public information to save time by ignoring people with low reputations. No insult intended [to the authors of rather mindless comments on today's Slashdot?], but I'd prefer to spend as much time as possible consorting with people who are nicer and smarter than I am and zero time (or less) being distracted by trolls.
(3) I'd be willing to help pay for such systems, both in terms of development and ongoing costs.
Feeling like a broken record stuck on an old joke, but lots of detailed suggestions available upon polite request. Even nicer if you have some better ideas, but if you have nothing to say, then why don't you say nothing?
From the No Shit Sherlock Institution (Score:3)
B) The Equifax Security Cxx is held personally liable, and faces serious prison time
C) The other Cxx's are held personally liable, and get to eat based on how many cans they can dig out of trash dumpsters.
Until something like this happens you and I are fucked, while the 1% glide along with no problem.
Another idea (Score:1)
Simple (Score:2)
High tech solutions (Score:4, Insightful)
It is weird to see proposals to introduce high tech solutions to fix the reliance on SSN: cryptography, biometrics... All of those solutions will have flaws
Another option could be to look at the numerous other countries in the world, where knowing your SSN has never been enough to get a credit on your behalf, or to sell your house.
Solution (Score:3)
Re: (Score:1)
Until our country's people come around to the idea of a secure National ID card, SSNs and passwords are all American industries are gonna get.
It's still politically toxic for the American right-wing to even consider national ID. The solution is political. No amount of superior "wizz-bang" super-duper innovations in security such as blockchain will get these people off their seats. They're perfectly content extracting money from the corporation that lost their data and not much else.
They don't want "big brot
MFA? What? (Score:2)
"We have a government that works at a glacial pace in the best of times," says Brenda Sharton, who chairs the Privacy & Cybersecurity practice at the Goodwin law firm, which has worked on data privacy breach investigations since the early 2000s. "There will reach a point where SSN [exposure] becomes untenable. And it may push us in the direction of having companies require multi-factor authentication."
How the heck does MFA help this situation? MFA guards the login portal, sure, but doesn't do anything to stop companies creating SQL injection attacks or just storing customer data on public S3 buckets (which is how a lot of these breaches are enabled).
Stop it with the blockchain nonsense (Score:1)
Blockchain:
- Unclear accountability (the real reason for popularity)
- You're putting data on lots of computers, in different jurisdictions.
- Can't really delete anything (privacy nightmare)
- Not really anonymous.
- Encryption will be broken in time.
- Power not really distributed, just obfuscated (lies with devs).
- Slow and overly complex.
Sources:
http://estsjournal.org/article... [estsjournal.org]
https://medium.com/enspiral-ta... [medium.com]
https://www.forbes.com/sites/j... [forbes.com]
https://www.theatlantic.com/te... [theatlantic.com]
https://blog.ethereum.org/201 [ethereum.org]
Not going to happen (Score:2)
People need to understand that the internet is not their friend. Places like Equifax identify more with the people who hack them than their customers.
Newsflash! (Score:1)
Encourage Simple Gov Regulation (Score:2)
Regulation can be dangerous, but it seems this is a situation where it is called for: when a citizen's liberty is being trampled; and the Equifax breach will trample on people's liberty for decades to come – yet they are offering a pittance of one year's credit monitoring as if this will help for a lifetime of damage. Perhaps the EU's GDPR takes things a bit too far for the USA, but it can be used as a reference point, and we need something in our citizen's rights to their own identity in this modern
This will get co-opted by deregulators (Score:2)
Industry will somehow, with a straight face, claim that the answer will be getting government out of the way. The *only* reason this could have possibly happened is because of onerous, confusing regulations.
Why?
Memories are short.
Witness the power of this fully functional lobby (Score:3)
Nothing will happen at the federal level right away because of this.
The banks are too powerful. These are the same guys who pushed binding arbitration in consumer contracts of adhesion.
States will need to take the initiative first. Let's hope that the banks don't have the power to pass a federal law to preempt the flurry of state laws which will come out of this.
Death by a thousand cuts at the state level might prompt a 'watered down' federal update to the Federal Credit Reporting Act, but it will end up pre-empting any state laws with a decent set of teeth.
Sometimes I worry about the rule of law and equal protection under the law in the US. If the banking cartel can rip off everyone by sidestepping the rule of law with binding arbitration, why can't a sniper take out a banker or two?