by snomad 3208 days ago
The hack isn't just SSNs - it includes address history, date of birth, driver's license number - everything reasonably necessary to establish identity. Not sure why the focus is SSNs, any solution needs to be even higher. This is about companies stockpiling our personal information and us having little say in the matter.
4 comments

In particular, I've observed reliance on address history, recently. I had a forced pension cash-out, from a place I last worked years ago, and that has since been sold to / merged (and perhaps remerged) into a different entity.

In short, the pension cash-out was handed over to a third party. And a primary factor that party used in establishing that I was indeed the beneficiary, when I called to discuss the details, was to ask me questions about my address history.

In fact, where did they get these details? From an outfit like Equifax, or from the same set of data brokers from whom Equifax acquired them.

The mitigations against such a breach are so obvious -- technical "lockdown" aside. Data rate/query limits. Ongoing auditing that targets anomalous data flows and data rates for mandated attention. Etc. Etc.

You don't have to have "perfect" technology. In fact, you should expect and plan for never having perfect technology.

It shouldn't have been too hard to pick up such a sweeping outflow of records; it should have become apparent that the request channel was (systematically, once you analyse and determine the specific system being used) working its way through the U.S. population.

As for Equifax, if I had my druthers, this would be a corporate death sentence. They've demonstrated a fundamental breach of trust and a fundamental incompetence.

Criminal investigators should squeeze them like hell, flipping smaller fish to fully determine the chain of command and responsibility that decided upon and implemented this catastrophic neglect.

As for the shareholders? Well, ultimately they bet on a company that has demonstrated itself a complete failure. They were happy to take the profits, including the greater profits made by not paying for proper systems and staffing. If their investment now evaporates -- well, I'm getting to the point of simply saying, "So be it."

A few shareholder "disasters", like this, and there will be a lot less pressure for laissez faire short-term profit maximizing, and a lot more for oversight -- internal and external -- and regulation that prevents them from being screwed by incompetently or corruptly negligent management.
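
An added example, not part of the thread or any commenter's own code: one way to express the "data rate/query limits" and outflow auditing mentioned in the comment above is to count how many distinct records each client reads inside a sliding window, which separates a busy client rereading a few records from one walking through the whole data set. The log format, client names, window and threshold are assumptions made for illustration.

```python
from collections import Counter, defaultdict, deque

# Constructed query log: "<unix_ts> <client_id> <record_id>". All names are made up.
SAMPLE_LOG = (
    [f"{t} partner-a S{t % 3}" for t in range(0, 120, 2)]      # busy, but only 3 records
    + [f"{1000 + 3 * i} svc-x S{500 + i}" for i in range(40)]  # a new record every 3 s
    + [f"{t} teller-7 S{t}" for t in (10, 400, 900)]           # occasional lookups
)

def parse(line):
    ts, client, record = line.split()
    return int(ts), client, record

def flag_bulk_readers(lines, window_s=60, max_distinct=5):
    """Return {client: peak distinct records seen in any window_s-second window}
    for every client whose peak exceeds max_distinct."""
    window = defaultdict(deque)    # client -> (ts, record) pairs still in the window
    in_win = defaultdict(Counter)  # client -> record -> hits still in the window
    peak = {}
    for ts, client, record in sorted(map(parse, lines)):
        win, cnt = window[client], in_win[client]
        win.append((ts, record))
        cnt[record] += 1
        # Evict entries that have aged out of the sliding window.
        while win[0][0] <= ts - window_s:
            _, old = win.popleft()
            cnt[old] -= 1
            if cnt[old] == 0:
                del cnt[old]
        peak[client] = max(peak.get(client, 0), len(cnt))
    return {c: p for c, p in peak.items() if p > max_distinct}

if __name__ == "__main__":
    for client, distinct in flag_bulk_readers(SAMPLE_LOG).items():
        print(f"ALERT {client}: {distinct} distinct records within 60 s")
```

A plain requests-per-minute limit would flag partner-a here and miss svc-x, which is the slower client but the only one that never rereads a record.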

I can't wait until the credit verification questions get even harder.

"What check number did you use to pay the 13,753rd dollar of your car loan in 2001?"

"In 2014, you signed up for an American Express Gold card. Which version of Firefox did you use to complete the application?"

When the Musk Mesh is in place, this will be a captcha: "To submit this form, think about the ex you still have feelings for"
The reason the focus is on the SSN is because it enables credit. Privacy is important, but so is protecting your finances.
Date of birth and address history (in addition to SSN of course) are often used by financial organizations to verify user identity online and on the phone.

Recently I called to report a lost credit card, for instance, and the operator read through a list of 10 addresses. I had to confirm which ones I'd lived at at some point in my life, in order to verify my identity.

I have had previous addresses also used as an identity check. Fortunately I knew the one that I have never lived at that is on my credit reports. Trying to fix the mistake was not worth the time to me. Hopefully that does not bite me in the ass someday. Maybe the credit bureaus could check your credit rating and, if it is high enough, let you correct your credit report without much hassle. :)
Wouldn't it have been simpler and more secure to ask you for the address? I can rattle off all the addresses I've stayed at in the last 15 years with ease.
I couldn't. I am a city dweller living in a climate where almost like clockwork a post-two-year rent hike makes me decide to move. Not only that, being on a grid system, every address tends to be some 4-digit combination of numbers, all very similar. Was that 1124 or 1421 10 years ago? I'd have to sit and picture the cross streets to figure it all out.
When applying for credit, especially online, have you not been asked to verify some current loans from a list, or to pick out a past address from a list of addresses? I know I have. That data also enables credit.
And any central database of this information is vulnerable to a one-time leak. One period of vulnerability and potentially this information is out there forever. Once that happens, automated identity verification becomes much less reliable/convenient and there will potentially be a need for a more Turing-complete and/or hardware-dependent process.