Identity theft monitoring services always scare me. It seems like you are dumping a huge amount of information into a single system and just hoping the vendor is secure. I have access to one but refuse to put much information in. Is this mindset incorrect?
It reminds me of the recent Crowdstrike fiasco: apparently kernel level access was needed for their anti-malware to be able to properly work (because that way their net can cover the entire OS basically), but that high level of access meant that when CrowdStrike fucked up with an update, people’s computers were useless. (Disclaimer, I am not a cybersecurity person and am not offering judgement either way on whether Crowdstrike’s claim about kernel level access was bullshit or not)
In a similar way, in order for identity theft monitoring services to work, they surely will need to hold a heckton of data about you. This is fine if they can be trusted to hold that data securely, but otherwise… ¯\_ (ツ)_/¯
I share your unease, though I don’t feel able to comment on the correctness of your mindset. Though I will say that on an individual level, keeping an eye on your credit reports in general (from the major credit agencies) will go a long way to helping there (rather than paying for serviced that give you a score and other fancy “features”, you can request either free or v. low cost report which just has the important stuff you need to know.)
I also know that if you want to be extra cautious, you can manually freeze your credit so basically no new lines of credit can be opened in your name. This is most useful for people who have already been a victim of fraud, or they expect to be at risk (such as by shitty family, or a data breach). I don’t know how one sets this up, but I know that if you did want to set up a new line of credit, you can call to unfreeze your credit, and then freeze it again when your application for the new credit is all done. I have a friend who has had this as their default for years now because of shitty family.
Go ahead, steal my identity. See if you have any better luck with it.
I keep all my credit reports frozen. These days, everyone should.
Keep in mind there are 4 providers now, not 3!
Oh? Who’s the new one?
There are actually more than 3 providers and you should put a freeze on everything you can. You only need unfrozen credit for applying for new lines of credit (loans, credit cards, etc), and unfreezing is a quick process (15 minutes or so).
Here’s a pretty comprehensive guide for protecting yourself: https://old.reddit.com/r/IdentityTheft/comments/uvv3ij/psa_freezing_your_three_main_credit_reports_is/
It’s better to take these steps before you get your identity stolen rather than after. These steps can prevent your leaked information from being used against you.
Nope, I’m serious. https://innovis.com/
They’ve grown enough to require locking. There’s also https://www.chexsystems.com/ which many banks use for opening checking accounts. They’re unique because they handle stuff that doesn’t show up in a credit report.
“Please enter your full name, address and SSN to check if you were exposed!”
Oh well I feel at this point every man woman and child already had this done to them in United States and our government not doing shit about it.
I get a mailer probably every quarter
This one is way more than just the US.
2 billion social security numbers? What’s the population of the US?
Alrighty, brainstorming time people. If you could write some practical laws, what protections do we need to stop these from happening.
I’m thinking 3 categories: Reporting, oversight, and accountability.
Reporting: all entities holding personally identifiable information (PII) must reach out once every 12 months. This hopefully unveils seedy brokers relying on obscurity. Maybe a policy to postpone notification up to 5 years (something like that) may be available as opt-in.
Oversight: targets of PII have oversight of what is collected/used. Sensitive information may be purged permanently upon request.
Accountability: set minimum fines for types of data stored. This monetary risk can then be calculated and factored into business operations. Unnecessary data would be a liability and worth purging.
PII data at rest (i.e. in a database) must be encrypted.
If the DB is running, it’s not at rest. Clients side encrypted data would be the way.
I think my definition is pretty standard: https://en.m.wikipedia.org/wiki/Data_at_rest
How about a government-sponsored, non-profit authentication service? That is, it should be impossible to get a loan, open a line of credit, or anything else in somebody’s name, without the lending institution verifying that it’s actually on behalf of the named individual. Eliminate the security-through-obscurity technique of using bits of easily-leaked personal information as a poor substitute for actual authentication.
I mean, (as a comparative example) I have to go through an OAuth2 consent dialog to connect a third-party app to my email account, yet somebody can saddle me with huge debts based on knowing a 9-digit number that just about everybody knows? It’s the system that’s broken, tightening up the laws on PII is just a band-aid.
The US system is broken. I have a tax file number in Australia, which is the broad equivalent of a US SSN, and you know what someone can do with it if they also have my name and DOB? Fuck-all, except file my taxes for me, because you can’t use it as an identifier anywhere else than the Australian tax office.
If I want a loan or a credit card or to open a bank account or any number of things , I need enough verifiable documents including photo ID to satisfy the other party that I am really them. Basically it’s a points system where any form of government photo ID gives you about 80 points and any other item of identifiable data gives you 10-20 points and usually you have to clear 100 points to be “identified”.
So my passport plus my driver’s licence is enough. My driver’s licence plus my non photo ID government Medicare card or my official original copy of my birth certificate is enough. My driver’s licence and two bank or credit cards is enough. About 5 or 6 things like my birth certificate, electricity bills in my name or local government rates notices and bank cards is sometimes enough, although photo ID from somewhere is usually required, or you need a statutory declaration from someone in good standing saying that you are who you say you are.
This kind of thing, while slightly more inconvenient, requires a number of physical items that can’t be easily stolen en-masse. I carry enough of them in my wallet that I can do anything I need to do, as my driver’s licence provides photo ID. People who don’t drive or have a passport can scrape together enough bits and pieces to usually get by.
So it’s time for a change. But it doesn’t have to involve technology or a huge shift in the way of doing things. It just requires a points system similar to what I describe. Whether the US can effect that change now with the millions of systems that rely on a SSN for a trivial key in a database in some small retailer somewhere, I don’t know.
That’s basically how it works in the US too. For example, for a form I-9, Employment Eligibility Verification, you need a passport, OR both proof of identity and proof of citizenship: https://www.uscis.gov/i-9-central/form-i-9-acceptable-documents
It’s similar for stuff like state drivers’ licenses.
The thing is, a federal domestic ID is all but prohibited. We have to have passports for international travel, but too many people are against federal ID because of “muh privacy”, even though it means we just end up misusing SSNs and companies like this one compensate by collecting multiple data points on each person.
This so much. In fact, go a step further and have a few competing auth services, with some regulatory oversight for managing that much pii.
Oversight: I would add a mandatory security audit annually, that they have to pay for, and which occurs during a given quarter at random (so you can’t “put on your best face” for a single day).
The security audit cost is partially subsidized if they agree to a second audit 6-9 months after the first (tax funded).
Accountability: I would add Prison time as a minimum penalty for the CEO and CIO, and the punitive damages must be a percentage of their profits (no flat rates), which is in addition to any compensatory damages awarded to plaintiffs. The penalty shall be used to help pay for future audits.
Is this why I got the latest scam email saying I need to pay $4k in bitcoin else a video of me wanking would be leaked.
Oh shit sorry. I must have accidentally sent that email to the wrong person. I meant to send that to my dad.
How about you send it to me instead and I’ll pay you the 4k
Good god. Thats like, every person that has ever used a computer probably. Fuck.
I like how my social security card explicitly says not to be for identification and tax purposes only. But I need for absolutely fucking everything and to identify I’m a citizen. Can hardly sign up for a new email without a SSN. (Exaggerating of course about the email)
to identify I’m a citizen.
It’s kinda worse than that — it’s used to authenticate yourself as a citizen.
My SSN should at most be an ID, no different from a name. I can identify myself as Darth Vader or 4200-69-1337, but that shouldn’t matter, because I should never be able to authenticate myself as either of those.
I think you miss typed a number, that one doesnt seem to be working
Any company accumulating, aggregating, and centralizing every piece of private and public under the sun about people is a ticking time bomb (and that is a lot of companies these days).
We need harsher penalties for these assholes, and a privacy amendment so that we actually have some rights when dealing with them.
Also, from a national security perspective we need to make sure this isn’t a slow attack to make westerners more vulnerable than other places that aren’t liberal democracies.
How did this company leak 2.9 billion people’s info, including SSNs, when the population of the US is only ~350M?
Is “National Public Data” collecting info on everyone internationally? So many questions…
Read the article? Your questions are answered there.
When applying to a US government position with a certain security clearance, they will do background checks of you, your family and extended family, if need be.
And I’m sure that can be the case for any employer who needs background checks. That being said, I also suspect some of these people in the database are dead.
I just assume ssn is for a us audience and its worlwide with equivalent numbers but who knows. I mean there are only 8 bil on the planet so thats like everyone except maybe china, india, and africa
the U.S. and other countries “around the world”
meaning, for those of us living on other planets, we are completely safe … such a relief ! /s
It’s best to say around the world just so who ever is reading it doesn’t think it region specific.
For example, they could say “the U.S. and other countries in the western hemisphere.”
How do you like : “worldwide (including self centered U.S.A.)” 🤣 ?
The other way works better since National Public Data is based in Florida and because of the name of the company. If it said “International” instead of “National” the readers would assume it is international data.
Based on the location, name of the company, and the breach mentioning social security numbers, stating the US first is the most logical.
This is why I don’t go to the National House of Pancakes.
The personal data of 2.9 billion people, which includes full names, former and complete addresses going back 30 years, Social Security Numbers, and more, was stolen from National Public Data by a cybercriminal group that goes by the name USDoD. The complaint goes on to explain that the hackers then tried to sell this huge collection of personal data on the dark web to the tune of $3.5 million. It’s worth noting that due to the sheer number of people affected, this data likely comes from both the U.S. and other countries around the world.
What makes the way National Public Data did this more concerning is that the firm scraped personally identifiable information (PII) of billions of people from non-public sources. As a result, many of the people who are now involved in the class action lawsuit did not provide their data to the company willingly.
What exactly makes this company so different from the hacking group that breached them? Why should they be treated differently?
Same with the big three credit reporting bureaus Equifax and whoever the fuck. Did anyone ever give them permission to horde all of their personal info? I don’t think so.
All depends on the terms of use from those that provide the data to them that they scraped from. I bet they never expected a customer to do it.
A complaint submitted to the US District Court for the Southern District of Florida claims the exposed personal data belongs to a public records data provider named National Public Data, which specializes in background checks and fraud prevention.
What’s with these companies nobody has heard of causing massive fuck ups?
It’s capitalism. Do you hate America or something?
Worth noting looks like this breach was first reported at the start of June
There is a small silver lining, according to the VX team: “The database DOES NOT contain information from individuals who use data opt-out services. Every person who used some sort of data opt-out service was not present.” So, we guess this is a good lesson in opting out.
Wonder what the best opt-out service is.
