The Equifax Hack Didn't Have to Be This Bad

186 points by gbarc888 over 7 years ago

13 comments

snomad over 7 years ago
The hack isn't just SSNs - it includes address history, date of birth, drivers license number - everything reasonably necessary to establish identity. Not sure why the focus is SSNs, any solution needs to be even higher. This is about companies stockpiling our personal information and us having little say in the matter.
jessaustin over 7 years ago
*In 2008, the Federal Trade Commission created the Red Flags Rule, which required businesses and organizations to collect personally identifying information from their customers, even if not necessary for service. This put Social Security numbers into the hands of utility companies, telecom providers, doctors and countless other unreliable custodians.*

This is the first I've heard of this, and it's a different characterization than what one finds on e.g. Wikipedia (excepting the last section of that page). Still, I believe TFA. It's remarkable how often the impetus to "do something" leads to precisely the wrong thing being done.
guelo over 7 years ago
Consumers don't use the credit reporting database, we have very little access to it besides restricted annual or paid-for reports. The real users are the B2C companies like retail banks, cell phone companies, apartments, background checkers, etc. These B2Cs use the db in both read and write modes with little verification. The main incentive of the reporting agencies is to make it very easy for B2Cs to read and write to their db. Any strong encryption scheme would have to take into account the needs of the B2Cs. Nothing is going to happen unless Congress demands it because there is no market incentive to secure it. The data is already known to be frequently inaccurate but businesses don't care, they'd rather have a bunch of false positives than one deadbeat customer.
avid-infovore over 7 years ago
*The Republic of Estonia uses such a system to identify members of its e-Residency program, even with no physical presence. Each e-resident has a public numerical key that serves as a unique identifier, and a corresponding private key that is never revealed.*

So an example to emulate then!

Except: *Estonia suffered an embarrassing blow to its much-vaunted ID cards that underpin everything from electronic voting to online banking [...] a security risk that affects almost 750,000 ID cards and that would enable a hacker to steal a person’s identity.*

https://www.ft.com/content/874359dc-925b-11e7-a9e6-11d2f0ebb7f0
beebmam over 7 years ago
It's something that people don't talk about much, but just the allowed existence of credit agencies violates human/civil rights.

These companies earn revenue by selling access to a database of all humans, which ranks each of us as to how valuable/risky we are to profit off of.

Many companies are starting to make hiring decisions based on this data, and obviously whether or not you are worthy of a loan has been much of the purpose of a credit rating (and these loans are necessary for nearly everyone in the US, unless you're exceptionally wealthy).

Disputing an unfair or illegal mark against your credit is an absurd process with very little recourse.

This is far worse than what the NSA has done, in my opinion, and it continues without much criticism.

Obviously this giant hack of Equifax is a very serious issue. But why should these credit companies be allowed to keep this kind of data about us anyway?
zentiggr over 7 years ago
So since anyone who has access to the breached info can impersonate nearly anyone in the country...

1) Are we about to see the end of "Name, DoB, last four" as an authentication? (Damn well should if anybody can be me now)

2) Are the credit reporting agencies discredited as a business model? The other two are likely either hacked already or about to be, and given this standard of reporting we wouldn't know till months from now anyway.

Can't trust em, don't use em, don't trust anybody that does.

Oh joy.
shmerl over 7 years ago
Indeed. This pervasive usage of SSNs should be dropped.
AngeloAnolin over 7 years ago
"The only thing Social Security numbers should be used for is to pay our taxes, which identity thieves are welcome to do."

Likely they may not be paying taxes, but have already found a way to circumvent the system such that they collect something (aid, EI, etc).
jdhzzz over 7 years ago
*Before the digital age, a stash of nine-digit numbers could be kept reasonably secure in a locked filing cabinet behind closed doors. So long as consumers volunteered the numbers judiciously, most people could make it through life without ever suffering a theft of identity.*

Old guy here. The reason I know my SSN by heart is that it was my student ID number in college and had to be given at the beginning of each semester to get my course list, later for grades, etc.

I had a credit union account from the 80's and as of the 90's my SSN was printed on each monthly statement.

Both were before the "digital age" and neither could be considered "in a locked filing cabinet" nor under my control.
tbrock over 7 years ago
I'm very worried about this.

I've done a lot to try and build my credit and protect my identity by restricting the information I give out. Now I can do nothing to protect it besides hope someone doesn't target me.

Anyone have ideas on how to ensure an identity is not stolen?
iblaine over 7 years ago
SWIM used to have access to Equifax data from home. In the early 90s, you could log into Equifax, type in a stranger's address, and get their credit history, social, bills, and prior addresses among other things. Access was through tymnet using an <account_id>+<password>. That is it. The account_id was a ~16 digit number. The password was a 1 alpha + 1 alphanumeric. In those days it was security through obscurity, so I presume. Get an account number and after 936, you are in. Given this recent breach has nothing to do with how Equifax/CBI was run years ago, it does make me cringe a bit.
otakucode over 7 years ago
Well of course it didn't have to be this bad. But when criminal negligence for corporations remains unpunished in an industry for 40+ years, you're not going to have corporations that dedicate the time, let alone the money, to do things right.
ErikVandeWater over 7 years ago
Title not supported by article.