Thoughts on credit freeze

[nerdogray]

Quote:

Originally Posted by M_Six

Experian is less than trustworthy itself. Sort of ironic that a company you go to for a solution is actually part of the problem.

https://krebsonsecurity.com/2023/11/...u-at-experian/

Well I'd like you to try and opt out of a credit bureau. It's $3/month for the privacy stuff, and the only other service I have is for visibility into my credit with all other bureaus on a monthly basis. What "solution" have I purchased?

And that Krebs article is pretty damned irrelevant. Just put me on ignore if you don't like my posts. You don't have to try so hard.

[cmyx6go]

Quote:

Originally Posted by nerdogray

Well I'd like you to try and opt out of a credit bureau. It's $3/month for the privacy stuff, and the only other service I have is for visibility into my credit with all other bureaus on a monthly basis. What "solution" have I purchased?

And that Krebs article is pretty damned irrelevant. Just put me on ignore if you don't like my posts. You don't have to try so hard.

I'm sure M_Six was calling out Experian, not you.

[BMWGUYinCO]

Quote:

Originally Posted by cmyx6go

Yes, it was from the breach. WTF? And thanks, I'll take a look at the data removal service.

As an FYI...there is a free app on the Apple store called "Permission Slip". It is written by the peeps from Consumer Reports, and it attempts to send formal requests to all the data collection companies on your behalf to remove your tracking and other data. I am using it, - there is an automated feature where it sends these requests automatically for you. Can't hurt, right?

[zx10guy]

Quote:

Originally Posted by nawfoo

I didnt read through the pages. It's ok if you dont need to make big purchases like real estate or vehicles. Or if you need to open a new account.

It's not just about buying things or opening up new credit/accounts. It's how much damage that information can cause for other things.

I'm a victim of some low life trying to commit unemployment fraud. No doubt this dirtbag got my information from either the Experian or OMB breach as it was during Covid and before the latest breach. How I found out was a letter from my state being sent to me saying they're closing out my unemployment claim because I didn't supply additional information they were requesting. I was stunned.

I called the unemployment department to figure what the heck is going on. Found out the dirtbag filed the claim a full year before I got the letter. The state did the extra verification safe guards because of all the fraudulent claims they were receiving.

So I asked how I go about clearing things up. The rep said I needed to send additional documentation verifying my identity to them. Here's where things go off the rails and just the stupidity of the system we all live under. I was told to email those documents to them. I was stunned. I said to her that you know sending sensitive documents via email is a huge security risk. She said that's the only way they can receive documents. I asked if they have a fax number. No. I asked if I could go in person and drop off the documents. The answer again was no. So right now, my "account" with the state is frozen so if I actually do need to file for unemployment, I would have to unlock it then. I would periodically get people laughing at me for my insistence to have a multifunction printer with analog fax capabilities. This is precisely why. Not everything new tech is good and there are times old tech is better.

[reallymarkedup]

Quote:

Originally Posted by zx10guy

I was told to email those documents to them. I was stunned. I said to her that you know sending sensitive documents via email is a huge security risk. She said that's the only way they can receive documents. I asked if they have a fax number. No.

Email is incredibly secure, the primary security risk inherent to sending an email is sending something to the wrong address. The easiest way to mitigate that is to have the third party send you an email you can respond directly to.

If you want an extra layer of security save your documents as a PDF and secure that with a password. If you want even more, secure the PDF with a password and then upload it to a protected server with 2fa requirements so that the receiving party has to log in, download the document, and then still enter their password. But really all of that is theater at that point, you would have been fine just sending the email.

None of the security breaches that have occurred were because of someone hacking an SMTP server. They were all stupidity on the part of the organization we blindly trusted to protect that data.

[zx10guy]

Quote:

Originally Posted by reallymarkedup

Email is incredibly secure, the primary security risk inherent to sending an email is sending something to the wrong address. The easiest way to mitigate that is to have the third party send you an email you can respond directly to.

If you want an extra layer of security save your documents as a PDF and secure that with a password. If you want even more, secure the PDF with a password and then upload it to a protected server with 2fa requirements so that the receiving party has to log in, download the document, and then still enter their password. But really all of that is theater at that point, you would have been fine just sending the email.

None of the security breaches that have occurred were because of someone hacking an SMTP server. They were all stupidity on the part of the organization we blindly trusted to protect that data.

That's a big negative. Email flows through servers and can traverse different servers before arriving to its ultimate destination. Even financial institutions tell people to never send anything over email with sensitive personal information. For my day to day work we are not allowed to send email with sensitive information outside of the organization without first encrypting it with tools such as PGP.

What you don't understand with this state agency is there is no method of doing pseudo two factor authentication. It goes into one general email bin and gets processed from there. Me sending something password locked/encrypted and then following up with an email with the password does nothing in this case. At a minimum my state should have half a brain to set up a secure "drop box" for me to upload my documents which most financial agencies I've worked with now do.

[reallymarkedup]

Okay. Well carry on then.

[JeffL0]

Quote:

Originally Posted by zx10guy

That's a big negative. Email flows through servers and can traverse different servers before arriving to its ultimate destination.

This. SMTP was never intended to be secure, the protocol was implemented before anyone knew how to spell security.

The above mention of encrypting files before sending is the bare minimum, the further suggesting of uploading to a secure sever rather than sending via email is another good measure. Where people often fail in this encryption attempt is they then send the password over the same insecure channel. Better to convey the password over a different/independent method, such as a voice call.

[M_Six]

Quote:

Originally Posted by vreihen16

The latest breach was of a company that did background searches for employers, and somehow they had a private copy of every single SS# ever issued that was stolen.

The news is full of "how to know if your info was stolen" clickbait articles. Rather than read the article, assume that it has been stolen if any digit in your SS# is in the range of 0-9.....

Up until the Age of the Internet, Massachusetts used your SSN for your driver's license number. It was printed right there on your license. Imagine losing such a license today? Full name, DOB, SSN, address, all on one card.

[vreihen16]

Quote:

Originally Posted by M_Six

Up until the Age of the Internet, Massachusetts used your SSN for your driver's license number. It was printed right there on your license. Imagine losing such a license today? Full name, DOB, SSN, address, all on one card.

Funny thing is that NY State used a 17-character driver's license number until converting to a 9-digit number in the 1990's. I still remember mine, because I had to write all 17 characters on racing registration forms every weekend.....