The Great Equifax Pant ****ting of 2017

09-16-2017 , 04:28 PM
Quote:
Originally Posted by OmgGlutten!
why don't they just add two factor authentication to your ss number?
Probably makes too much sense and/or would inhibit their ability to make money
09-16-2017 , 07:31 PM
Quote:
Originally Posted by Noodle Wazlib
I work for a security company, and VPNed in after a recent critical patch was supposed to be available. I kept mashing the "check for updates" button, but was told the server could not be contacted.

I know the struts vuln was fairly recent, but to get this much data on 140+ million accounts, it seems like it would take quite a while to do without being noticed, ya know? I haven't seen how much total data was removed, but i gotta assume it was in the terabytes. If that kind of traffic is being exfilled I have a hard time believing it would go unnoticed by even a semi-competent security staff. Makes me wonder if them claiming struts hit them is just a lie.
I work in the Vulnerability Management software space. It is completely unsurprising that a critical vulnerability on a middleware component went unpatched for up to four months after discovery (it's possible the vulnerability didn't actually show up on a scan until the end of April depending on their scan frequency so it might have been just 90 days old.) By unsurprising I don't mean "Not Bad" I mean that this is pretty much the standard in organizations with fairly mature Vuln Management processes. As Josh Marshall points out, the credit reporting agencies are unique in that their customers aren't the public so all of the risk of the breach falls on the public and in the long run doesn't affect their core business.
09-16-2017 , 07:32 PM
Quote:
Originally Posted by goofyballer
Probably makes too much sense and/or would inhibit their ability to make money
I mean, they could make you subscribe to a device for $5/mo or whatever.
09-16-2017 , 08:36 PM
Quote:
Originally Posted by Ineedaride2
Well I was going to look her up, but being that she's listed as Susan M., that's going to take some figuring out.

(I know I could google it but that's just funny to me.)
Protip: you can find her on LinkedIn by just searching for "chief security officer equifax"
09-17-2017 , 02:18 PM
Quote:
Originally Posted by Trolly McTrollson
A+ idea; signing up now, can't believe this isn't standard.
Lol credit freezing should be free. Anyone giving equifax credit card info to lock their credit is silly.
09-17-2017 , 05:13 PM
Quote:
Originally Posted by OmgGlutten!
why don't they just add two factor authentication to your ss number?
That's a cost. Even implementing a feature they can charge for is an up-front cost. They would have to decide if making the investment will eventually lead to a payoff.

Also, what happens if they lose your ****? Are they very negatively impacted? Can you stop being their customer somehow? Not afaik. They might get a small slap on the wrist fine, but companies that get hacked tend to do okay after the fact. I'm sure how they handle the response matters, but hell, Target finished up after their breach. Only took like three months or so iirc.
09-17-2017 , 07:17 PM
Quote:
Originally Posted by markksman
Lol credit freezing should be free. Anyone giving equifax credit card info to lock their credit is silly.
People who think the second sentence logically follows from the first are silly.
09-17-2017 , 07:21 PM
Well Equifax never sent me the email for the free credit monitoring. *******s.

I ended up freezing all 3 major credit places plus 2 other ones that were recommended to freeze on the boglehead forum. Cost me $20. (3 were free and 2 were $10 each.)
09-18-2017 , 09:11 PM
Quote:
Originally Posted by Noodle Wazlib
So we're all ****ed, right? They lost EVERYTHING. For half the country.

I'm sure Donald trump will handle this crisis though.

Can the company pay for credit monitoring for 140 million people or whatever? And what happens now that half the country has had their SSN, credit cards, contact info, etc lost in a hack?

Does the country need to move, as a whole, in another direction, one that doesn't rely on SSNs? How do we recover from this?
Social Security numbers were never meant to be used as they are now. The only real fix would be to assign everyone a new social security number and pass a law prohibiting the use of social security numbers for everything except taxes. This will never happen and there will be a lot of identity theft over the next few decades.
09-18-2017 , 09:25 PM
Quote:
Originally Posted by iron81
The hack was ongoing for a couple months before it was discovered. The majority of people affected still won't have money stolen from them simply because there aren't enough people out there committing credit card fraud.
For now. This hack will have ramifications for decades.
09-19-2017 , 12:59 AM
So it should be super trivial to sort for famous people with this supposed data.
09-19-2017 , 08:09 AM
Is A Nation-State Responsible For Equifax Breach?

I have read speculation (elsewhere) that the hacker(s) in this case may not be run-of-the-mill cybercriminals looking to steal identities and siphon money from credit card accounts. What about the possibility of this being a nation-state actor who might have a motivation for striking at the United States via a sudden massive disruption of our financial system?

Right off the bat, I can think of [at least] one nation that might have such a motivation, that nation being North Korea. Remember what happened to Sony Pictures after the studio released that Seth Rogen picture featuring an assassination plot against North Korea's leader? Prior to the release of that film, Kim Jong Un's government was adamant about not wanting that movie released, but Sony went ahead and did it anyway. We all know what the end result of that was ... Sony was hacked and their two top Hollywood executives wound up either losing their jobs or resigning. According to articles I read at the time, the FBI and various intelligence agencies pointed the finger of suspicion at NK, although other sources disputed this so who really knows?

It occurs to me that North Korea would have a strong motivation to try and disrupt our financial system, especially in the event that they are [militarily] attacked - or believe they're about to be attacked. North Korea, if they are in fact the hacker, might be tempted to go ahead and unleash chaos in our financial system if they fear a U.S. attack. It would be a form of preemptive attack that might be preferable to launching missiles and artillery shells into Seoul - an action that would guarantee North Korea's immediate destruction. Launching a cyber attack, on the other hand, might be a more effective means of striking back at the U.S. as it would create chaos and it wouldn't immediately be obvious as to the source of the disruption.

After the latest news concerning Equifax, (i.e. that the first breach was back in February or March and this latest breach was sometime in the May-July timeframe), I'm not aware of a major uptick in [reported] identity theft. I'm no expert on identity theft and cyber crime, but it occurs to me that if this breach was committed by computer nerds living in their parents' basement, (i.e. small time crooks), shouldn't we be seeing attempts to exploit the stolen data for profit? If the data thieves are non-state actors, why wouldn't they be attempting to open new credit card accounts and otherwise using all that information to steal money?
09-19-2017 , 10:25 AM
There is zero reason to believe a nation-state was behind this. Is it possible, sure. Is there any evidence, no, not one bit.

This was NOT a super-sophisticated hack. People just assume that because it was a huge pile of very valuable info that was stolen that it must have required massive resources to undertake, but that's simply not the case. This was well within the abilities of moderately decent solo hackers.
09-19-2017 , 11:11 AM
Use an open source vulnerability scanner that has definitions for struts, sort by the lazy *******s who haven't patched struts, profit.
09-20-2017 , 10:36 AM
Quote:
Originally Posted by jman220
Social Security numbers were never meant to be used as they are now. The only real fix would be to assign everyone a new social security number and pass a law prohibiting the use of social security numbers for everything except taxes. This will never happen and there will be a lot of identity theft over the next few decades.
The other fix is for lending institutions to do some basic diligence on their borrowers before giving them money. The current calculation is that eating fraud losses on identity theft accounts is cheaper than preventing identity theft. That calculation could change if the tools to commit identity theft become dramatically more widespread.

I was trying to book an airbnb the other day, and they had me go through some crazy process where I had to take a picture of my ID and then go through a facial recognition process, just to book a one-night stay somewhere. You don't see banks doing anything like that now, but they could.
09-20-2017 , 11:39 AM
Quote:
Originally Posted by bobman0330
The other fix is for lending institutions to do some basic diligence on their borrowers before giving them money. The current calculation is that eating fraud losses on identity theft accounts is cheaper than preventing identity theft. That calculation could change if the tools to commit identity theft become dramatically more widespread.

I was trying to book an airbnb the other day, and they had me go through some crazy process where I had to take a picture of my ID and then go through a facial recognition process, just to book a one-night stay somewhere. You don't see banks doing anything like that now, but they could.
That's kind of bad for business, though, right? I'm not saying it's a bad idea. And I think you understand intuitively what I'm about to say. But I think your suggestion just restates the problem: yeah, we could make transactions safer, and consumers wouldn't like it.

For instance, anyone who has had to relocate for a short or even a long period of time to northern Europe (e.g., Sweden, Denmark, Finland) knows that it's very hard to do a bunch of very simple transactions without a bank account. But getting a Swedish bank account, for instance, is basically impossible unless you're a Swede and have a personnummer -- basically, their equivalent of a SSN. Minor transactions like subscribing to magazines become huge hassles, bordering on impossible. The choke-point/bottleneck is the inability for people to get bank accounts.

So obviously our financial systems COULD erect a bunch of barriers that increase data safety but that would almost surely come at the cost of efficiency. I think it culturally 'works' in northern Europe because (glibly, but with lots of experience in the business culture there) they are pretty insular and they sort of perceive they are making enough money that they don't need to cater to outsiders or people who struggle integrating with their banking systems. I think Americans have different perceptions both about privacy but also how simple transactions can and should be (e.g., your editorial comment that airbnb put you through a 'crazy' process).
09-20-2017 , 01:57 PM
Quote:
Originally Posted by DVaut1
That's kind of bad for business, though, right? I'm not saying it's a bad idea. And I think you understand intuitively what I'm about to say. But I think your suggestion just restates the problem: yeah, we could make transactions safer, and consumers wouldn't like it.

For instance, anyone who has had to relocate for a short or even a long period of time to northern Europe (e.g., Sweden, Denmark, Finland) knows that it's very hard to do a bunch of very simple transactions without a bank account. But getting a Swedish bank account, for instance, is basically impossible unless you're a Swede and have a personnummer -- basically, their equivalent of a SSN. Minor transactions like subscribing to magazines become huge hassles, bordering on impossible. The choke-point/bottleneck is the inability for people to get bank accounts.

So obviously our financial systems COULD erect a bunch of barriers that increase data safety but that would almost surely come at the cost of efficiency. I think it culturally 'works' in northern Europe because (glibly, but with lots of experience in the business culture there) they are pretty insular and they sort of perceive they are making enough money that they don't need to cater to outsiders or people who struggle integrating with their banking systems. I think Americans have different perceptions both about privacy but also how simple transactions can and should be (e.g., your editorial comment that airbnb put you through a 'crazy' process).
Where I disagree is that I think a big driver of how secure systems are against identity theft is how much money banks actually end up losing due to insecurity. (As opposed to consumer preferences, cultural attitudes, even the regulatory environment.) Currently, banks just accept that they open a certain number of fraudulent accounts that they have to just write off. That's the cost of making it easy to open up credit card accounts, get more business, and make money from real customers. If, on the other hand, there are lots of Russian hackers running around with infinite Equifax data to open accounts with, the banks might conclude that the fraud losses are too much and they need to change their approach.

The fact that you can currently open a credit card account with a SSN and three pieces of biographical information about a person is just a business decision by banks.
09-20-2017 , 03:43 PM
Anyone successfully signed up for Equifax's identity theft protection? I signed up a week ago, on the day they told me to sign up when the breach first happened, and the signup process said I should get an email in a few days. Since then, nothing.
09-20-2017 , 06:09 PM
Quote:
Originally Posted by Noodle Wazlib
Sue Equifax, without all the hassle:

https://www.theverge.com/2017/9/11/1...ecurity-breach
Robin Hood ID theft: buy 10000 sets of stolen details and open 10000 claims on behalf of the real person
09-20-2017 , 08:48 PM
Quote:
Originally Posted by goofyballer
Anyone successfully signed up for Equifax's identity theft protection? I signed up a week ago, on the day they told me to sign up when the breach first happened, and the signup process said I should get an email in a few days. Since then, nothing.
Never got the email. Ended up just freezing my credit instead.

I read on bogleheads forum that people who didn't get the email had to sign up again before they finally got it.
09-20-2017 , 08:49 PM
In case you thought this couldn't get worse:

Quote:
Equifax Has Been Sending Consumers to a Fake Phishing Site for Almost Two Weeks
https://gizmodo.com/equifax-has-been...g-s-1818588764

Note: semi-click baity title
09-20-2017 , 09:46 PM
Lol equifax.

Ars Technica has story on that too.

https://arstechnica.com/information-...fication-site/
09-20-2017 , 10:23 PM
Quote:
Originally Posted by DVaut1
Minor transactions like subscribing to magazines become huge hassles, bordering on impossible. The choke-point/bottleneck is the inability for people to get bank accounts.
Sure, but applying for a loan or credit card isn't quite an everyday transaction like buying a magazine subscription, right? Like, I think consumers would understand jumping through a few extra hoops when they're getting a car loan or a student loan if it means increased id theft protection. As an everyday consumer, it seems bonkers that getting a credit card requires fewer hoops to jump through than withdrawing my McGregor money from an online bookie.
09-21-2017 , 03:41 AM
The last company I worked for was a mail order retailer that would open credit accounts by phone with the customer needing to verify nothing but the last four of their social.
09-21-2017 , 04:37 AM
Quote:
Originally Posted by bobman0330
Where I disagree is that I think a big driver of how secure systems are against identity theft is how much money banks actually end up losing due to insecurity. (As opposed to consumer preferences, cultural attitudes, even the regulatory environment.) Currently, banks just accept that they open a certain number of fraudulent accounts that they have to just write off. That's the cost of making it easy to open up credit card accounts, get more business, and make money from real customers. If, on the other hand, there are lots of Russian hackers running around with infinite Equifax data to open accounts with, the banks might conclude that the fraud losses are too much and they need to change their approach.

The fact that you can currently open a credit card account with a SSN and three pieces of biographical information about a person is just a business decision by banks.
Quote:
Originally Posted by Trolly McTrollson
Sure, but applying for a loan or credit card isn't quite an everyday transaction like buying a magazine subscription, right? Like, I think consumers would understand jumping through a few extra hoops when they're getting a car loan or a student loan if it means increased id theft protection. As an everyday consumer, it seems bonkers that getting a credit card requires fewer hoops to jump through than withdrawing my McGregor money from an online bookie.
I probably didn't articulate my point well, but I think you both underestimate the difficulty a lot of consumers would have meeting more stringent requirements. Or maybe you don't, but just see that as justifiable: some people will lose access to credit that they have now, thems the breaks.

My point about Sweden and northern Europe was that they make it very hard to get integrated with their banking system(s) and get access to credit. Which is analogous to the direction that I think you guys want to move. But the result is that without access to credit and banking, being a consumer can be very miserable and businesses do suffer. That you can probably imagine without the reminder, but firms inevitably lose some amount of revenue since they can't sell to the cash poor (as I noted about the business culture, they just seemingly deal with that). And it's not a HUGE deal because it's a relatively wealthy culture without that many poor people, or immigrants, they all intuitively understand forms, the Swedish tax number system thing is generally well organized, the country only has 9 million people or whatever instead of 300 million, etc. I'm not convinced it would be received the same way in the US: I think consumers would revolt once the consequences became clear and I think commerce would suffer. That's been the apprehension from implementing more strident security measures all along. It's the core of the problem: jumping through extra hoops makes consumers and businesses suffer.

I think somewhere in the "well, just make getting credit really hard to access, erect all the barriers there" we assume all consumers will either find some way to meet the revised barriers or buy what they need without access to credit and banking.

But I don't think that's true. Ultimately, I think your suggestions are regressive. We can and should understandably be wary and critical of some aspects to cheap and easy access to credit and banking instruments but it's not all bad, it serves an important function, it's a function of America being highly stratified but having a robust consumption economy nonetheless. I think it's sort of like the voting ID debates: it borders on cavalier to assume everyone will just go through the process of filling out the extra paperwork and have the necessary backup documentation, etc. to satisfy more robust checks. A lot of poorer Americans are already under-banked and credit starved. But relative to other countries that have large, diverse populations and relatively high economic stratification (e.g., say India or Brazil) our banking and credit for middle class and below is like a wonderland of options and ease of access. It's a long way of saying we have a sophisticated finance/banking system. I think that's a curse and a blessing, but one blessing (when it's not predatory) is that America's poorer people can get relatively easy access to consumer credit instruments without needing huge overhead.

I'm not saying we shouldn't move in the direction you guys are describing but I don't think it's an obvious choice either. Erecting a bunch of barriers to access credit/banking will necessarily leave a lot of people out of the system. Places that are closer to what you're describing have that phenomenon but different cultural and economic contexts make it acceptable. I'm not convinced America isn't exceptional here; I think we are.

Last edited by DVaut1; 09-21-2017 at 04:50 AM.
