Kongar@lemmy.dbzer0.com
on 30 Mar 2024 19:41
This crap is the new norm. Companies compile your data, don’t secure it, and the whole world becomes victims of identity theft. Then they get free credit monitoring from the companies that screwed them.
Use a strong password manager with unique complicated passwords.
Freeze your credit.
Assume someone is trying to impersonate you and open credit cards in your name at all times.
Sad state of affairs today.
linearchaos@lemmy.world
on 30 Mar 2024 23:38
Freezing/unfreezing credit needs to be free and easy.
saltesc@lemmy.world
on 31 Mar 2024 00:01
American banks charge you for this?
<img alt="" src="https://lemmy.world/pictrs/image/29b6e619-d720-4839-be06-2d4272226c50.png">
linearchaos@lemmy.world
on 31 Mar 2024 00:04
Talking about freezing credit checks, not card usage.
saltesc@lemmy.world
on 31 Mar 2024 04:56
Ooooh.
NoRodent@lemmy.world
on 31 Mar 2024 10:22
What does that mean?
linearchaos@lemmy.world
on 31 Mar 2024 17:37
With your Social Security number, first and last name, and some public record information you can apply for credit cards, loans, you name it. For the process to kick off, a credit check is performed. The company that is offering to give you the money will check one or all of the major credit bureaus to get your creditworthiness.
You can write a letter to the three credit bureaus and ask them to lock your credit status so if anyone checks them they will get nothing back. This is a free service as long as you’ve got plenty of time to wait. You can sign up for any one of a dozen different “credit monitoring” services for about $30 a month, and they’ll let you turn your credit check on or off at will.
I think the credit bureau should be forced to provide you a portal to authenticate and turn your credit status on and off at will.
NoRodent@lemmy.world
on 31 Mar 2024 19:33
Ah, thanks for the explanation.
Over here, when you’re applying for a loan, you’re the one who has to bring the proof of your creditworthiness - typically your employment contract, bank statement etc. - they can’t have it automatically without your consent. Also you have to prove your identity with your ID (either the physical card which is mandatory to have, or I guess nowadays a secured electronic identification if you were to do it remotely somehow). So I was genuinely lost in this comment thread, not knowing what the exact process was in America.
linearchaos@lemmy.world
on 02 Apr 2024 03:39
Yeah, we’re heavily leaning toward making borrowing easy to the point that any security breach puts us at risk. It’s trivial with just a little private data to take out a loan or buy a car in someone else’s name. It really sucks.
Imgonnatrythis@sh.itjust.works
on 31 Mar 2024 00:50
I’ve found it very easy. I just didn’t know to do it until a couple years ago. I think it should be frozen by default.
Substance_P@lemmy.world
on 30 Mar 2024 19:47
“it’s not known whether the leak came from within the company or one of its vendors.”
Isn’t it time that big tech companies and their sale of private data get regulated? I see a giant class-action lawsuit in the making here.
Lodra@programming.dev
on 30 Mar 2024 20:22
This is regulated. And there are penalties for violating those regulations. But it’s just not enough. Even a class action lawsuit won’t help the victims. Most of that money goes to lawyers.
Honestly, I don’t expect any of it to change until the penalties are so severe that major companies go under. Aka a corporate death penalty (which the US used to have). But even then, good software security is extremely hard. Almost everyone screws up something.
rottingleaf@lemmy.zip
on 31 Mar 2024 05:46
Aka a corporate death penalty (which the US used to have). But even then, good software security is extremely hard. Almost everyone screws up something.
So corps would be regularly “executed” for not getting it right at some point and that leading to such events.
What’s bad about that?
Companies are market entities, they are supposed to live for some time and die, so that evolutionary process would work.
Right now it’s like titans eating their children, they should die from regulator’s axe, ideally at the very moment when mistakes stop being sufficient to kill them.
coolmojo@lemmy.world
on 30 Mar 2024 22:00
It is.
The third-party doctrine is a United States legal doctrine that holds that people who voluntarily give information to third parties—such as banks, phone companies, internet service providers (ISPs), and e-mail servers—have “no reasonable expectation of privacy” in that information.
Source
Social Security numbers should really not be considered secret data. Too many places have leaked them.
Maybe – maybe – they’re okay for uniquely-identifying someone, but they’re a really bad way to authenticate someone.
I mean, this breach alone – if these are Americans – is something like 20% of the US population.
You can’t rely on something as authentication data if 20% of the population has irrevocable credentials that are floating around.
cybersandwich@lemmy.world
on 31 Mar 2024 01:49
I heard a security researcher say something like that a couple decades ago I think. The solution isn’t to “safeguard SSNs”, it’s to make them pointless to have. Make it so you can’t do anything with them.
Like you point out: this one breach alone could be 1/4 of the US population.
For serious, emergency recovery, what I’d kind of like is some kind of service that performs physical validation of identity. Like, okay, say I lose my credentials to get into a bank account. So the bank gives me a recovery number, and I go down to the police station or something like that, and they do an identity check as part of that and sign off that you’re who you say you are. Then if you’re an identity thief, you’re liable to get arrested right there. Charge a fee to cover the costs. Have a federal government server have to cryptographically sign that they’re doing an identity validation so that the local cops can’t silently sign off on someone else as being you. That should only come up if you’ve lost your credentials to something serious and need to get access again.
As an intermediate form of access, I suppose 2FA, though I’m not totally thrilled about having my keystore on a device that’s network-connected, like a phone or computer, and has software getting put on it. Would rather have a physical USB-C dongle acting as a keystore with a small screen to identify the contents of a transaction being performed, and a physical “approve” button on the dongle. Plug that into a computer or smartphone or whatever. Maybe have different dongles for more- and less-sensitive stuff – one for credit card payments that you carry around, one for insurance or something that you don’t. Use pubkey authentication, not this shared-secret SSN stuff, so that if someone gets a company’s database, it’s useless in terms of letting them authenticate as you.
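The contrast drawn in the comment above, between a database that stores the shared secret (the SSN) and one that stores only a public key for a signing dongle, as an added example that is not part of the thread or of any poster’s own code. It is a Go sketch using Ed25519 from the standard library; the names, the transaction text and the placeholder SSN are constructed values, and the “dongle” is modelled as a function that only signs after an approve flag is set. The point it demonstrates: an attacker who copies the shared-secret table can authenticate as the victim, while an attacker who copies the public-key table cannot, and a genuine signature cannot be replayed on a different transaction because the screen text and a fresh nonce are part of what gets signed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// SharedSecretRecord is what a breached company database typically holds:
// whoever reads the record now holds the credential itself.
type SharedSecretRecord struct {
	Name string
	SSN  string // doubles as identifier and secret, and cannot be rotated
}

// AuthSharedSecret: "prove you are you" reduces to knowing the number.
func AuthSharedSecret(rec SharedSecretRecord, presented string) bool {
	return subtle.ConstantTimeCompare([]byte(rec.SSN), []byte(presented)) == 1
}

// PubKeyRecord stores only the public half of the user's keypair; the
// private key never leaves the dongle.
type PubKeyRecord struct {
	Name string
	Pub  ed25519.PublicKey
}

// NewChallenge is what the server asks the dongle to sign: the human-readable
// transaction text (what the dongle screen shows) plus a fresh random nonce.
func NewChallenge(txn string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append([]byte(txn+"\n"), nonce...), nil
}

// DongleSign models the dongle: it signs only after the user has read the
// transaction text and pressed the physical approve button.
func DongleSign(priv ed25519.PrivateKey, challenge []byte, approved bool) ([]byte, bool) {
	if !approved {
		return nil, false
	}
	return ed25519.Sign(priv, challenge), true
}

// AuthPubKey verifies the response using nothing but the stored public key.
func AuthPubKey(rec PubKeyRecord, challenge, sig []byte) bool {
	return ed25519.Verify(rec.Pub, challenge, sig)
}

// BreachOutcome records what an attacker holding a full copy of each database can do.
type BreachOutcome struct {
	SharedSecretAttackerWins bool // leaked SSN authenticates as the victim
	PubKeyAttackerWins       bool // leaked public key lets the attacker sign
	ReplayWins               bool // victim's old signature reused on a new transaction
	LegitUserWins            bool // the real dongle still works
}

// SimulateBreach runs both schemes on a constructed record (placeholder values,
// not real data) against an attacker who has exfiltrated everything stored.
func SimulateBreach() (BreachOutcome, error) {
	var out BreachOutcome
	// Shared-secret scheme: the leaked record IS the credential.
	ss := SharedSecretRecord{Name: "Jane Example", SSN: "000-00-0000"}
	out.SharedSecretAttackerWins = AuthSharedSecret(ss, ss.SSN)
	// Public-key scheme: only pub is written to the company database.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	pk := PubKeyRecord{Name: "Jane Example", Pub: pub}
	// Attacker holds the leaked record (pub only) and must use a key of their own.
	chal, err := NewChallenge("Open credit line: $5000")
	if err != nil {
		return out, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	forged, _ := DongleSign(attackerPriv, chal, true)
	out.PubKeyAttackerWins = AuthPubKey(pk, chal, forged)
	// The real user sees the same text on the dongle screen and approves.
	sig, _ := DongleSign(priv, chal, true)
	out.LegitUserWins = AuthPubKey(pk, chal, sig)
	// A captured genuine signature is bound to its transaction text and nonce.
	other, err := NewChallenge("Open credit line: $50000")
	if err != nil {
		return out, err
	}
	out.ReplayWins = AuthPubKey(pk, other, sig)
	return out, nil
}

func main() {
	out, err := SimulateBreach()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Running it prints the four outcomes; the shared-secret attacker succeeds, the public-key attacker and the replay both fail, and the legitimate dongle still authenticates. A real deployment would also need enrolment of the dongle’s public key under some trusted process, which is the recovery problem the comment above raises and this sketch does not address.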
Treczoks@lemmy.world
on 31 Mar 2024 10:43
Just because way too many sites have security that is more or less non-existent, this should not be an excuse. Every breach should be severely punished. The only way corporations learn to take customer data safety seriously is through their wallets.
As long as customer data safety is just a cost factor, and penalties are just a mild slap on the wrist, there is no incentive to consider this as “just another cost of running business issue”.
“If your information was impacted, you will be receiving an email or letter from us explaining the incident, what information was compromised, and what we are doing for you in response.” (www.att.com/support/article/my-account/000101995?…)
I think that you’re gonna have a hard time tracking down 73 million people.
RedEyeFlightControl@lemmy.world
on 31 Mar 2024 00:49
You think they’re going to send notices to ex-customers? I was an AT&T customer for 2 decades and switched a few years ago. I’m wondering if I’m compromised, but won’t get notice because I’m not technically an active customer.
minimalfootprint@discuss.tchncs.de
on 31 Mar 2024 06:08
Why companies aren’t fined for every customer’s data they didn’t secure properly is beyond me. This should cost them a specific sum per customer or part of their annual global revenue. Make it hurt.
Otherwise they have no reason to spend money to properly secure people’s data.
webghost0101@sopuli.xyz
on 31 Mar 2024 17:48
Devil’s advocate: It would give them additional incentive to cover up the fact it happened.
My 2 cents: companies can’t be trusted with your data, and local data containers which you control, and can give or reject limited access to, need to become the norm.
douglasg14b@lemmy.world
on 31 Mar 2024 19:43
I mean yeah it probably would. But that’s essentially just blackmail.
There should be an entire branch of government dedicated to regulating and auditing data security in large corporations.
Can’t cover it up if the hackers take credit. And with the info collected it won’t take much time to pinpoint where it came from.
It’s happened before that leaks were covered up for months though, gives them time to sell stocks before public backlash.
So, basically every AT&T customer.