Experian Credit Firm Hacked

coliver

@DustinB3403 said:

Fines don't correct the problem, its seen as the cost of doing business for these places.

Start fire Squading the people that allow these security gaps and then things will change, or Hit the stock directly by forcing them out of the market and maybe they'll understand that doing risky things in the name of making money isn't working.

Isn't the whole point that doing risky things in the name of making money works extremely well? Even if we implement fines and punishable offences they are still going to be making money.

scottalanmiller

@coliver said:

@DustinB3403 said:

Fines don't correct the problem, its seen as the cost of doing business for these places.

Start fire Squading the people that allow these security gaps and then things will change, or Hit the stock directly by forcing them out of the market and maybe they'll understand that doing risky things in the name of making money isn't working.

Isn't the whole point that doing risky things in the name of making money works extremely well? Even if we implement fines and punishable offences they are still going to be making money.

The entire business model of a credit agency is to put people at risk to make money.

coliver

@scottalanmiller said:

@coliver said:

@DustinB3403 said:

Fines don't correct the problem, its seen as the cost of doing business for these places.

Start fire Squading the people that allow these security gaps and then things will change, or Hit the stock directly by forcing them out of the market and maybe they'll understand that doing risky things in the name of making money isn't working.

Isn't the whole point that doing risky things in the name of making money works extremely well? Even if we implement fines and punishable offences they are still going to be making money.

The entire business model of a credit agency is to put people at risk to make money.

Right, that's what I was getting at.

Dashrender

@scottalanmiller said:

The entire business model of a credit agency is to put people at risk to make money.

Explain that one to me, please.

scottalanmiller

@Dashrender said:

@scottalanmiller said:

The entire business model of a credit agency is to put people at risk to make money.

Explain that one to me, please.

Their business is collected unauthorized and unverified private information about people and selling it. Since they don't have authorization and don't verify whom they are collecting information about or that the information is correct they create a ton of risk, but the risk is to people who are not their customers - you, me and other normal people. They generate and sell potentially damaging information about third parties without their consent and often without their knowledge.

marcinozga

Offering credit monitoring to affected customers is really like putting band aid on ruptured artery. Credit monitoring agencies are slow to detect anything, and can't prevent anything fraudulent. I had one year after Home Depot or Target breach, it took them over a month to notify me that I opened new credit card, or there was no reaction at all when additional credit cards were compromised.
What they need to offer is free credit freeze for life.

Dashrender

Without the credit agencies, how do other countries do credit checks?

marcinozga

@Dashrender said:

Without the credit agencies, how do other countries do credit checks?

My country of origin, Poland, has credit agencies. I wasn't really aware of the fact, as I have never applied there for a credit. One thing that differentiate it from US credit agencies is that it's impossible to get a credit without permanent job. Here, anybody with decent credit score can at least get a credit card - I don't know about other loans, but I expect that with the exception of mortgage, nobody is really asking for proof of income or employment.

scottalanmiller

@Dashrender said:

Without the credit agencies, how do other countries do credit checks?

Credit checks aren't such a part of daily life elsewhere. They probably have something like that, they probably also have laws about misrepresenting people that the US lacks. In the US, there is no federal ID system so nothing to base anonymous credit on!

DustinB3403

@coliver My point is that they are putting people at risk, by not only running these kinds of businesses but also avoiding best practice, one such best practice Updating for Security Patches.

Which without any more details I can almost guarantee that is what they didn't do.

Reid Cooper

This is ridiculous. Of all companies, someone like Experian should have incredible security measures in place.

StrongBad

We can only hope that the penalties are severe. The problem here is that the free market will not regulate this because the people who are put at risk are not the people who choose to let their data be collected and exposed by the service. So there is no means by which anyone can protect themselves, not even by avoiding the company.

marcinozga

@Reid-Cooper said:

This is ridiculous. Of all companies, someone like Experian should have incredible security measures in place.

Their security measures are a joke. A few years ago I tried to obtain annual credit report for my wife, and couldn't do it online. I had to verify her identity over the phone. So I called one of the credit bureaus, and pretended to be my wife. The only questions they asked me was about some credit cards she had. And apparently I did a crappy job faking female voice, because at the end of the call the guy call me sir.
I can only imagine that a bit of social engineering, and someone convinced some of theirs (not the brightest) employees to install some malware. Mission accomplished.

stacksofplates

@marcinozga said:

@Reid-Cooper said:

This is ridiculous. Of all companies, someone like Experian should have incredible security measures in place.

Their security measures are a joke. A few years ago I tried to obtain annual credit report for my wife, and couldn't do it online. I had to verify her identity over the phone. So I called one of the credit bureaus, and pretended to be my wife. The only questions they asked me was about some credit cards she had. And apparently I did a crappy job faking female voice, because at the end of the call the guy call me sir.
I can only imagine that a bit of social engineering, and someone convinced some of theirs (not the brightest) employees to install some malware. Mission accomplished.

I did a similar thing with a co-worker a few years ago but with Verizon. He needed to switch his phone and asked me if I could do it. They needed verification from his wife since she was on the account also. So they had her get on to confirm and she thought I was him! At the time we had a good laugh about it, but it's scary seeing how easy it is to get past these measures.

scottalanmiller

I've mistaken MYSELF for other people when I have heard a recording of myself.