Thursday, September 07, 2017

Equifax lays an egg

One of the three main U.S. credit reporting agencies, Equifax, is reporting a hack that could expose 140 million people to identity theft. The exposed information includes social security numbers, birth dates, and home addresses (which conceivably could be used for targeting by foreign agents, although there is some safety in the mere size of the hack). Milo Yiannopoulos has his own story on this.

It’s unclear whether hackers who print credit cards in the victims’ names would really get anywhere. Equifax will have to recognize illegitimate transactions in the subject’s name that the subject will never know about or see a bill for. Equifax says that no credit reports or scores were compromised. Does it know? Can Equifax make the same search of the Dark Web that Experian offers (and that’s even part of “online reputation”)?

It’s rather amazing, though, to see mortgages and car loans taken out on stolen identities and not get caught by normal due diligence. But, then again, the 2007 subprime scandal was shocking.

Maybe it would be interesting to “own” a house you don’t know exists.  Enough movie stars own multiple condos that someone could slip one by, and even keep it rented on Airbnb. 

Update:  Sept. 9

Craig Timberg has a speculative article on p. A11 of the Washington Post Saturday morning, in which he says overseas hackers could use stolen identities to commit crimes not even imagined. Presumably he refers to child pornography, sex trafficking, and terror recruiting or money laundering with fake accounts (probably on the Dark Web) using targets' PII.

One is reminded of risks discussed before, of a computer being infected with a virus depositing c.p. and being discovered by repairmen, a risk covered on these blogs back in the summer of 2013. In most cases, it's probably pretty easy to prove that a fake account is not yours. (That's been pretty easy with Facebook and social media so far, because fake accounts pop up and get reported and taken down; Facebook is getting good at automatic detection of these.) But there is always the remote risk of having to defend yourself against litigation or prosecution, which could increase when traveling abroad, as well as of job termination. I have some defense in that I don't have or use P2P (although that would have changed had I hosted anyone like an asylum seeker). In the end, you are responsible for your own reputation, no matter what.

Update: Sept. 10

Consumer Reports offers this advice. Note the possible risk to 401(k)s, which should be closely watched. But larger companies usually have medallion signature and verification policies.
