NationalPublicData.com Hack Exposes a Nation's Data - Krebs on Security
A great many readers this month reported receiving alerts that their Social Security Number, name, address and other personal information were exposed in a breach at a little-known but aptly-named consumer data broker called NationalPublicData.com. This post examines what we know about a breach that has exposed hundreds of millions of consumer records. We'll also take a closer look at the data broker that got hacked, a background check company founded by an actor and retired sheriff's deputy from Florida.

On July 21, 2024, denizens of the cybercrime community Breachforums released more than 4 terabytes of data they claimed was stolen from nationalpublicdata.com, a Florida-based company that collects data on consumers and processes background checks.

The breach tracking service HaveIBeenPwned.com and the cybercrime-focused Twitter account vx-underground both concluded the leak is the same information first put up for sale in April 2024 by a prolific cybercriminal who goes by the name USDoD.

On April 7, USDoD posted a sales thread on Breachforums for four terabytes of data (2.9 billion rows of records) they claimed was taken from nationalpublicdata.com. The snippets of stolen data that USDoD offered as teasers showed rows of names, addresses, phone numbers and Social Security Numbers (SSNs). Their asking price: $3.5 million.

Many media outlets mistakenly reported that the National Public Data breach affects 2.9 billion people; that figure actually refers to the number of rows in the leaked data sets. HaveIBeenPwned.com's Troy Hunt analyzed the leaked data and found it is a somewhat disparate collection of consumer and business records, including the real names, addresses, phone numbers and SSNs of millions of Americans (both living and deceased), and 70 million rows from a database of U.S. criminal records.

Hunt said he found 137 million unique email addresses in the leaked data, but stressed that there were no email addresses in the files containing SSN records.

"If you find yourself in this data breach via HaveIBeenPwned.com, there's no evidence your SSN was leaked, and if you're in the same boat as me, the data next to your record may not even be correct."

Nationalpublicdata.com publicly acknowledged a breach in a statement on Aug. 12, saying "there appears to have been a data security incident that may have involved some of your personal information. The incident appears to have involved a third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024."

The company said the information suspected of being breached contained name, email address, phone number, social security number, and mailing addresses.

"We cooperated with law enforcement and governmental investigators and conducted a review of the potentially affected records and will try to notify you if there are further significant developments applicable to you," the statement continues. "We have also implemented additional security measures in efforts to prevent the reoccurrence of such a breach and to protect our systems."

Hunt's analysis didn't say how many unique SSNs were included in the leaked data. But according to researchers at Atlas Data Privacy Corp., there are 272 million unique SSNs in the entire records set.

Atlas found most records have a name, SSN, and home address, and that approximately 26 percent of those records included a phone number. Atlas said they verified 5,000 addresses and phone numbers, and found the records pertain to people born before Jan. 1, 2002 (with very few exceptions).

If there is a tiny silver lining to the breach, it is this: Atlas discovered that many of the records related to people who are now almost certainly deceased. They found the average age of the consumer in these records is 70, and fully two million records are related to people whose date of birth would make them more than 120 years old today.

Where did National Public Data get its consumer data? The company's website doesn't say, but it is operated by an entity in Coral Springs, Fla. called Jerico Pictures Inc. The website for Jerico Pictures is not currently responding. However, cached versions of it at archive.org show it is a film studio with offices in Los Angeles and South Florida.

The Florida Secretary of State says Jerico Pictures is owned by Salvatore "Sal" Verini Jr., a retired deputy with the Broward County Sheriff's office. The Secretary of State also says Mr. Verini is or was a founder of several other Florida companies, including National Criminal Data LLC, Twisted History LLC, Shadowglade LLC and Trinity Entertainment Inc., among others.

Mr. Verini did not respond to multiple requests for comment. Cached copies of Mr. Verini's vanity domain salvatoreverini.com recount his experience in acting (e.g. a role in a 1980s detective drama with Burt Reynolds), and more recently producing dramas and documentaries for several streaming channels.

[Image: Sal Verini's profile page at imdb.com.]

Pivoting on the email address used to register that vanity domain, DomainTools.com finds several other domains whose history offers a clearer picture of the types of data sources relied upon by National Public Data.

One of those domains is recordscheck.net (formerly recordscheck.info), which advertises "instant background checks, SSN traces, employees screening and more." Another now-defunct business tied to Mr. Verini's email, publicrecordsunlimited.com, said it obtained consumer data from a variety of sources, including birth, marriage and death records, voting records, professional licenses, state and federal criminal records.

[Image: The homepage for publicrecordsunlimited.com, per archive.org circa 2017.]

It remains unclear how thieves originally obtained these records from National Public Data. KrebsOnSecurity sought comment from USDoD, who is perhaps best known for hacking into Infragard, an FBI program that facilitates information sharing about cyber and physical threats with vetted people in the private sector.

USDoD said they indeed sold the same data set that was leaked on Breachforums this past month, but that the person who leaked the data did not obtain it from them. USDoD said the data stolen from National Public Data had traded hands several times since it was initially stolen in December 2023.

"The database has been floating around for a while," USDoD said. "I was not the first one to get it."

USDoD said the person who originally stole the data from NPD was a hacker who goes by the handle "SXUL." That user appears to have deleted their Telegram account several days ago, presumably in response to intense media coverage of the breach.

Data brokers like National Public Data typically get their information by scouring federal, state and local government records. Those government files include voting registries, property filings, marriage certificates, motor vehicle records, criminal records, court documents, death records, professional licenses, bankruptcy filings, and more.

Americans may believe they have the right to opt out of having these records collected and sold to anyone. But experts say these underlying sources of information (the above-mentioned public records) are carved out from every single state consumer privacy law. This includes California's privacy regime, which is often held up as the national leader in state privacy regulations.

You see, here in America, virtually anyone can become a consumer data broker. And with few exceptions, there aren't any special requirements for brokers to show that they actually care about protecting the data they collect, store, repackage and sell so freely.

In February 2023, PeopleConnect, the owners of the background search services TruthFinder and Instant Checkmate, acknowledged a breach affecting 20 million customers who paid the data brokers to run background checks. The data exposed included email addresses, hashed passwords, first and last names, and phone numbers.

In 2019, malicious hackers stole data on more than 1.5 billion people from People Data Labs, a San Francisco data broker whose people-search services linked hundreds of millions of email addresses, LinkedIn and Facebook profiles, and more than 200 million valid cell phone numbers.

These data brokers are the digital equivalent of massive oil tankers wandering the coast without GPS or an anchor, because when they get hacked, the effect is very much akin to the ecological and economic fallout from a giant oil spill.

It's an apt analogy, because the dissemination of so much personal data all at once has ripple effects for months and years to come, as this information invariably feeds into a vast underground ocean of scammers who are already equipped and staffed to commit identity theft and account takeovers at scale.

It's also apt because, much like with real-life oil spills, the cleanup costs and effort from data spills, even just vast collections of technically public documents like the NPD corpus, can be enormous, and most of the costs associated with that fall to consumers, directly or indirectly.

Should you worry that your SSN and other personal data might be exposed in this breach? That isn't necessary for people who've been following the advice here for years, which is to freeze one's credit file at each of the major consumer reporting bureaus. Having a freeze on your files makes it much harder for identity thieves to create new accounts in your name, and it limits who can view your credit information.

The main reason I recommend the freeze is that all of the information ID thieves need to assume your identity is now broadly available from multiple sources, thanks to the multiplicity of data breaches we've seen involving SSN data and other key static data points about people.

But beyond that, there are numerous cybercriminal services that offer detailed background checks on consumers, including full SSNs. These services are powered by compromised accounts at data brokers that cater to private investigators and law enforcement officials, and some are now fully automated via Telegram instant message bots. Meaning, if you're an American who hasn't frozen their credit files and you haven't yet experienced some form of new account fraud, the ID thieves probably just haven't gotten around to you yet.

All Americans are also entitled to obtain a free copy of their credit report weekly from each of the three major credit bureaus. It used to be that consumers were allowed one free report from each of the bureaus annually, but in October 2023 the Federal Trade Commission announced the bureaus had permanently extended a program that lets you check your credit report once a week for free.

If you haven't done this in a while, now would be an excellent time to order your files. To place a freeze, you need to create an account at each of the three major reporting bureaus: Equifax, Experian and TransUnion. Once you've established an account, you should be able to then view and freeze your credit file. Dispute any inaccuracies you may find. If you spot errors, such as random addresses and phone numbers you don't recognize, do not ignore them. Identity theft and new account fraud are not problems that get easier to solve by letting them fester.

Mr. Verini probably didn't respond to requests for comment because his company is now the subject of a class-action lawsuit (NB: the lawsuit also erroneously claims 3 billion people were affected). These lawsuits are practically inevitable now after a major breach, but they also have the unfortunate tendency to let regulators and lawmakers off the hook.

Almost every time there's a major breach of SSN data, Americans are offered credit monitoring services. Most of the time, those services come from one of the three major consumer credit bureaus, the same companies that profit by compiling and selling incredibly detailed dossiers on consumers' financial lives. The same companies that use dark patterns to trick people into paying for "credit lock" services that achieve a similar result as a freeze but still let the bureaus sell your data to their partners.

But class-actions alone will not drive us toward a national conversation about what needs to change. Americans currently have very few rights to opt out of the personal and financial surveillance, data collection and sale that is pervasive in today's tech-based economy.

The breach at National Public Data may not be the worst data breach ever. But it does present yet another opportunity for this country's leaders to acknowledge that the SSN has completely failed as a measure of authentication or authorization. It was never a good idea to use as an authenticator to begin with, and it is certainly no longer suitable for this purpose.

The truth is that these data brokers will continue to proliferate and thrive, and get hacked and relieved of their data, until Congress begins to realize it's time for some consumer privacy and data protection laws that are relevant to life in the 21st century.

Further reporting: National Public Data Published Its Own Passwords

Update, Aug. 16, 8:00 a.m. ET: Corrected the story to note that consumers can now obtain a free credit report from each of the three consumer reporting bureaus weekly, instead of just annually.

Update, Aug. 23, 12:33 p.m. ET: Added link to latest story on NPD breach.
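As an added example (not part of the original story, and not Hunt's or Atlas's own tooling), the following Python script shows the kind of first-pass triage behind the numbers reported above: it separates row counts from unique people by validating and deduplicating SSNs, measures phone-number coverage, and flags dates of birth that are implausible for a living person. The sample rows are constructed, and the only outside facts used are the SSA's issuance rules for which SSN ranges can never be real.

```python
"""Triage of a leaked consumer-records dump: rows are not people.

Added example, not from the original story or from Troy Hunt / Atlas:
the NPD leak was reported as "2.9 billion people" when the figure was a
row count. A first-pass triage of such a dump counts rows, validates and
deduplicates SSNs, measures how many people have a phone number on file,
and flags dates of birth that are implausible for a living person.
All sample rows below are constructed; none describes a real person.
"""
import csv
import io
import re
from datetime import date

# Constructed sample in the shape of a name/SSN/address dump (fake values).
SAMPLE_CSV = """ssn,first,last,dob,phone,address
001-23-4567,Jane,Doe,1950-03-02,305-555-0101,"1 Main St, Coral Springs, FL"
001-23-4567,Jane,Doe,1950-03-02,,"2 Main St, Coral Springs, FL"
666-12-3456,Test,Record,1970-01-01,,placeholder row
123-00-0000,Junk,Row,1980-05-05,,bad group and serial
587-65-4320,Old,Timer,1890-07-04,954-555-0199,"Miami, FL"
210-44-7788,John,Smith,2005-09-09,,"Tampa, FL"
210447788,Johnny,Smith,2005-09-09,,"Tampa, FL"
"""

SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def valid_ssn(raw):
    """Return the 9-digit SSN without dashes, or None if it cannot be real.

    SSA never issues area 000, 666 or 900-999, group 00, or serial 0000,
    so rows carrying those are test data or junk, not people.
    """
    m = SSN_RE.match(raw.strip())
    if not m:
        return None
    area, group, serial = m.groups()
    if area in ("000", "666") or area >= "900":
        return None
    if group == "00" or serial == "0000":
        return None
    return area + group + serial


def age_on(dob, today):
    """Whole years between an ISO date string and `today`."""
    y, m, d = (int(x) for x in dob.split("-"))
    return today.year - y - ((today.month, today.day) < (m, d))


def triage(csv_text, today=date(2024, 8, 15)):
    """Summarise a dump the way a breach responder would before reporting."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    people = {}       # ssn -> first row seen for that person
    with_phone = set()
    invalid = 0
    for r in rows:
        ssn = valid_ssn(r["ssn"])
        if ssn is None:
            invalid += 1
            continue
        people.setdefault(ssn, r)   # dedupe: many rows, one person
        if r["phone"].strip():
            with_phone.add(ssn)
    ages = [age_on(r["dob"], today) for r in people.values()]
    return {
        "rows": len(rows),
        "invalid_ssn_rows": invalid,
        "unique_people": len(people),
        "phone_share": round(len(with_phone) / len(people), 2) if people else 0.0,
        "avg_age": round(sum(ages) / len(ages), 1) if ages else 0.0,
        "age_over_120": sum(1 for a in ages if a > 120),
        "born_2002_or_later": sum(1 for r in people.values()
                                  if r["dob"] >= "2002-01-01"),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_CSV).items():
        print(f"{key}: {value}")
```

On the constructed sample, seven rows collapse to three people, with two rows rejected as impossible SSNs and one person whose date of birth puts them past 120 years old.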
This entry was posted on Thursday, 15th of August 2024, 06:38 PM.
What I don't understand is where National Public Data got the SSNs from. The public sources cited (property, voter, marriage, etc.) typically do not have SSNs associated with them.

We have the technology to own our personal information. But it would require a public key, and a trusted personal storage service, and an authority that manages requests to USE BUT NOT KNOW personal information FROM OUR PRIVATE VAULT ONLY WITH OUR PERMISSION. Paranoid folks can lock that down. Average folks can use some sort of default policy that at least tracks who asked for what, when and why.

In the US this will be impossible to implement because of Money and legitimate fear of government incompetence. Add concerns about losing the private key, leading to ideas about injecting an RFID tag with the private key signed by a central authority under your skin, AKA the Mark of the Beast. Also, we're all terrified prime factoring with quantum computing will lead to brute force cracking of data with known plain text.

Meanwhile you can be sure that anyone with no scruples can pull up a list of Name, SSN, Emails, Cracked Passwords, Health Information, etc.

Compare this with escalation around breaking and entering. Locks get picked. Someone invents a better lock. Burglars and robbers switch to smashing in a door or window, or chainsawing a hole in the wall. Homeowners buy pistols. Robbers carry submachine pistols.

The difference is, in theory, the virtual nature of information allows me to make my house invisible, encase it in two inch thick steel, and create 700 bogus empty virtual houses. That last choice would be the easiest, but current laws would result in being convicted of felony fraud. Only criminals will create fake accounts.

California requires data brokers to register (https://oag.ca.gov/data-brokers) with the state in order to fall under the protection of the law, giving them Carte Blanche to gather, advertise, sell, etc. any public records on anyone. If they are not registered, they can not operate as a protected data broker. The link above takes you to a 2023 list of data brokers who have registered; however, that is an incomplete list, as California has decided to no longer maintain it yet still requires data brokers to register. There is a registration page link within the page the link takes you to, so you can see the limited information required in order to register as a data broker. This action was taken in order to amend the act and went into place effective Jan. 1, 2024, which weakened the original act. Thank you, Mr. Newsom.

BrianKrebs

You might update your information on free credit reports only being available for free annually via annualcreditreport.com, as they are now available on a weekly basis (see URL link below).

https://consumer.ftc.gov/consumer-alerts/2023/10/you-now-have-permanent-access-free-weekly-credit-reports

I have found it difficult to obtain some reports via that website and therefore go directly to each CRA's website to do so. After setting up an account on each, there is no obligation to pay or sign up for locking or other pay services. However, the Experian site makes it a little less obvious that you can ignore their extra services. Innovis may also provide a weekly report, but I have not tested that yet.

Quid
"After setting up an account on each, there is no obligation to pay or sign up for locking or other pay services."
Locking is not the same as Freezing. Freezing was created in the Fair Credit Reporting Act (FCRA) and prevents anyone from running a credit check, with a CRA reply like "request denied, file frozen." Locking is an invention of the CRAs, and a reply would be like "here is the file, but file is locked so do not use." Why? A frozen file makes the CRAs less money. BTW, the CRAs have been playing fast and loose with their process of freezing and thawing, almost to the point of making it undesirable for consumers to use it.

As a former Credit Bureau employee, and one who developed the original file freeze process at TransUnion, a Lock and a Freeze are technically the same. What it does to your credit report, to stop your credit report from being returned in non-exempt permissible purpose situations, is the same. For example, if a credit pull is in connection with a credit application, both a locked and frozen file will not be returned. That is a non-exempt permissible purpose. If the credit request is for the collection of a debt (an exempt permissible purpose), then the credit file will be returned fully to the requestor for both locked and frozen files.

The difference is user experience. The Lock is a feature that is incorporated into the credit bureau (certainly at TU) for-profit monitoring products. The file freeze is what is offered by the bureaus directly and in compliance with state laws (there is no federal law on file freezes).

Essentially, a lock is just a rebranding of a file freeze. Works behind the scenes exactly the same. And when I was at TU, if you went directly into a credit file, a lock would look just like a freeze.

If the lock is the same as the freeze, why create confusing new terminology? Are you saying the lock doesn't allow more info sharing for the bureaus?

I would like to hear Steve's answer to this as well.

"The difference is user experience. The Lock is a feature that is incorporated into the credit bureau (certainly at TU) for-profit monitoring products. The file freeze is what is offered by the bureaus directly and in compliance with state laws (there is no federal law on file freezes)."

I'm going to guess that means they can use locked credit data for internal marketing of financial products directly, so the paying user can see their data through the service portal, but nobody else can access it for the usual credit checks. Whereas the freeze is just all blocked, to comply with laws, as it's mandated to be offered. So a lock makes the agency money, potentially; a freeze does not. My guess.

It's simply branding. "File freeze" was a term coined by the State of California when they passed the first file freeze law. Other states copied that, and once there was a critical mass of states, the bureaus just made freezes available to everyone.

But the terms are wonky. You freeze the file. If you want to remove it, you could unfreeze it. If you wanted to temporarily remove it to process a loan, the legal term was usually "lift" or "temporarily lift." Others would say "thaw."

And then there were two ways to temporarily lift it. One with a date-specific range where it would be unfrozen. At TU that range could be between 3 and 30 days. The other way was to use a PIN. The PIN would be valid for a range of time, yet had to be provided to the company running the report. If they input it when requesting the file, it would come through. No PIN or wrong PIN, file was still frozen. Problem was, most report users had no way to accept the PINs in their archaic systems. So we would always recommend the date range.

All of this is confusing. Locking/Unlocking sounds better, is more easily understood, and aligned with terminology card issuers were using, where you could lock your card. Discover was one of the originators of that.

Frankly, the file freeze thing was a mess for more than a decade. It has more or less normalized now. The Equifax breach pushed that along. However, I still believe the industry would benefit from federal law creating consistency and hopefully updated terminology.

If you really want to go bonkers, look at some of the state laws on freezing files for minors, commonly referred to as "protected consumers." In addition to minors, it typically includes people living under conservatorships. For the former, they shouldn't have a credit file. So how do you freeze something that doesn't exist? You have to create a file for the minor and freeze it. Yet creating that file can make it more likely to expose a minor's SSN, etc. Happy reading.

Thanks, I somehow missed that memo. I've updated the story.

Government files also include driver's licenses, hunting licenses, fishing licenses, gun licenses, any professional licenses, building permits, speeding tickets; it's a very long list. And you can't opt out. The money from the sale of government information goes into a slush fund of the government sellers. It's all off-budget. They are addicted to the sweet, sweet money from selling your information. Government service is a license to steal.

You should provide evidence of that slush fund / off-budget claim, like Mr. Krebs does when he presents information. Not just random accusations.

I thought BreachForums was seized after several domain takeovers.
They created a new domain again.

"The site was again shut down and the domain seized on May 15, 2024, though the domain was back under the owner's control just hours later." (wiki)

I don't know about yours, but my SS card says "For social security and tax purposes, not for identification."
D'oh.

This is plain theory of identity. Your SS card is an attribute document, not an identity document, because the entity that issues your SS card does not have an authoritative citizen register. Only entities with an official citizen register can issue identity documents.

Many people don't care about this difference, but it is the case anywhere in the world. Passports and identity cards (in countries that have them, practically all except US and UK) are issued by the ministry of interior, which oversees the local authorities that lead the citizen registry or registries.

Any other official documents (driver's licenses, voting cards, whatever) are issued by another entity under a different ministry, which is not allowed to have a source register. They rely on information from the authoritative register and only indirectly point to it.
In other words, a Passport or ID card says "I, country X, hereby confirm that I have a citizen with the name and information stated in this document." Any other official document says "I, the Y authority of country X, hereby confirm that the citizen referred to by the name on this card (if they really exist, which I cannot ultimately verify) has the attribute Z (e.g. may drive a car of class B2, or is a licensed attorney, or whatever)."

It means that physical possession of a social security card cannot be used to prove that it belongs to the person presenting it. That's all.

The SSN is the only truly unique global person identifier we have in the US. There is absolutely nothing wrong with having such an identifier. Quite the opposite: it makes sense to have such a number, and it is very helpful given that many people share the same name. The problem lies not with the existence of a unique identifier, but with various entities' obviously false assumption that this number is only known to the person to whom it belongs, and as such their reliance on it for authentication purposes.

My parents got me an SSN when I was born (1958), and I still have the original little cardboard explanatory holder to which the Social Security card was attached. It explained all about how some day, when you enter the workforce, you will need this information. But my favorite line on that entire card was: "NOTE: your Social Security number should never be used as a form of personal identification."

BrianKrebs, your last paragraph is spot on:

"The truth is that these data brokers will continue to proliferate and thrive, and get hacked and relieved of their data, until Congress begins to realize it's time for some consumer privacy and data protection laws that are relevant to life in the 21st century."

We have GDPR in Europe, which protects individuals (citizens in general, and when acting as customers) and implies significant costs for breached companies not having this in place, so you definitely need something similar.

GDPR does not protect you against identity theft.

But it does aim to keep your PII in fewer places, and hopefully more securely, so...

Like someone has pointed out, annualcreditreport.com can be obtained on a weekly basis now. But the process is anything but easy. I bet it is deliberately designed to discourage people. In my case it doesn't even work. One bureau refuses my login and always tells me to call them. I tried it once and was put in an endless call waiting. I eventually hung up.

Also, freezing your record is less than ideal. It may affect your insurance premiums, because those companies check your record behind your back. I've gone through this before when my auto insurance premium started going up.

The only way to ensure we as consumers have a fix for this problem is through federal legislation that will impose a heavy monetary fine on any company that loses our PII. In the US, unfortunately, money is the language of security.

annualcreditreport.com appears to be worthless if you live overseas, since it requires a current US address for you to request your credit reports. Unless I'm missing something, the comment section doesn't even provide an entry for email address, so they can't even respond to you if you ask a question.

I lived overseas for many years, up until last year. It is indeed difficult to access your US credit reports directly or via annualcreditreport.com from overseas, but it is not impossible.

First of all, you need to use a VPN that shows your IP address as located in the US. All the credit bureaus and the reporting website block access from non-US IP addresses, so without doing this you will never get past the login screens.

Second, you need to merely input a VALID US address. It does not have to be your current address; it just needs to be a US address that passes a simple verification check to show that it is a valid address. Although you could pick any US address, you shouldn't, because the credit bureaus sell your info, which means that credit offers and junk mail will be sent to your name to whatever address you use, even if you have opted out of having your info sold for advertising purposes. I used a family member's address, as they did not mind getting the junk mail.

Third, you MUST input a valid US mobile telephone number. It does not have to be yours, but it needs to belong to someone who can quickly relay a texted single-use security code to you.

If you do these three things, you can look at your US credit bureau reports from overseas.

Dennis' comment is correct.
One of the 3 credit bureaus' web sites to request your credit report does not work, and has not for some time now. I have tried many times requesting either my credit report or my wife's, and after entering all of the information it comes back as "not available at this time." I emailed Annual Credit Report asking about the problem and was sent a form to request my credit report via snail mail. That is not a solution.

For a year or more I've been able to freeze, then thaw, my accounts at four CRAs: Experian, Equifax, TransUnion and NCTUE.

Not that you don't have a Real Problem, but perhaps further effort would resolve this: clearing cache, trying a different browser, etc.

Good luck. Our lives are fer shure real complicated.

FYI, Equifax has had a 5-year known issue with locking users out of their Equifax account when trying to login to freeze/unfreeze. Just search "Equifax login" on Reddit. The best solution so far is to call Equifax support and choose the option to lift freeze, then request an actual agent. Tell the agent you have no luck accessing the site and to send a pw reset link. Hope this helps.

The real hacker behind this breach is Wumpus, aka Anthony Garced. He hacked Zacks.com and he hacked this.

Is there a way to schedule a recurring request to have your credit reports sent?

Local, state and Federal governments are so grossly negligent with our personal information being stored on databases connected to the Internet, or selling the data without redaction. It is disgusting. Then governments think we are so stupid to go for Digital ID and digital money so we can all wake up broke. They truly are crazy.

Here is the lawsuit that has been filed, and all the ways the hackers can use your data: https://www.bloomberglaw.com/public/desktop/document/HofmannvJericoPicturesIncDocketNo024cv61383SDFlaAug012024CourtDoc?doc_id=X6S27DVM6H69DSQO6MTRAQRIVBS

Looks like Salvatore Verini is running for the hills. His Florida office has a voice mail referring calls to the California office. A real person answered the phone in CA and I left my name and number for him to call me, as he wants to charge for fixing 25 critical items and 1 high profile item. NPD has collected information on me for 38 years, and if it wasn't for the news I would not have known. Both myself and a family member have phone numbers that are out of state in our records and never belonged to us. We also have credit monitoring and neither of us were notified of this breach. So Life Lock and the rest are a waste of money, adding to the fraudulent environment we all currently live in.

We froze our accounts; however, it is pretty much useless with TransUnion, as they provide no confirmation number to unfreeze and will use your personal information published all over the dark web to unfreeze. Sorry, but you can't cure dumb. It is literally impossible to have privacy thanks to the incompetency starting at the top of the pyramid of the WEF, Davos and IMF group and trickling on down. Even my state lost my birth certificate for the National ID driver's license without any explanation, and I had to provide it again. Three months after renewal the news reported the Chinese hacked the driver's data base. I think I am starting to understand the sovereigns, which is sad that they are more right than wrong.

Considering the magnitude of this breach, I've been surprised how little coverage there has been about this in mainstream media. And the "expert" they use in their story usually isn't very expert about what happened or how to react, just rehashing what's already been said.

It's also frustrating to know that about the only thing we can do is freeze our credit, knowing that the credit bureaus are making it increasingly easier for someone else to unfreeze without a PIN by supplying KBA using what is now publicly available data.

Recalling the ease that Experian allowed accounts to be hijacked going back to 2022, does anyone know if they ever fixed that, or is their account security still incredibly bad?

I don't think they ever fixed it. I checked a few months ago and it still allowed anyone to re-sign up as anyone else. Notification email only after someone has assumed your identity/account.

"Also, freezing your record is less than ideal. It may affect your insurance premiums, because those companies check your record behind your back. I've gone through this before when my auto insurance premium started going up."

That's how they coerce you into compliance with the whole credit report system. Fiscal punishment for doing nothing but legitimately, logically and legally protecting access to your personal information. Plus it's such an intrusion on your right to privacy. A bank may need to know my credit worthiness, but it really is not an employer's business, IMHO. Nor anybody else's, really, unless I'm doing a business transaction that requires credit. It's so sad that without that credit report and a good credit rating it is much harder to live in America.

Hence when I crossed a certain threshold in age I froze it all; they can kiss my derriere on the whole credit thing, and I've been diligently trying to get my credit score to zero before I give up the tent. It's taken me years, but I've gotten it down to the score of 4.

Remember where to check to see if your stuff is running outside of the barn:
httpshaveibeenpwnedcomppWhat about the impact of resetting account passwords where only an email address and social is needed For example go to PayPalcom click Forgot Password put your email select reset with Social put that in enter new password youre now in My Account with full access In my case I have 2FA setup and it didnt even ask for this after changing my password Shocking I also checked Chasecom just need your card number and social and boom it not only then reveals your username onscreen it lets you reset password again bypassing 2FA These compaines need to update their password reset processes to not be based off socialppIt should never have been based on SSN in the first place Thats ridiculousppgo to PayPalcom click Forgot Password put your email select reset with SocialppI think you need to reconsider the setup config for 2FA in your PayPal account The only 2FA option I have chosen for account access is a hardware security key Therefore for account recovery purposes that is the only 2FA option PayPal offers me after entering my email address You need to actively remove the less secure options from your PayPal security settings ie Social SMS etc and ONLY use OTP codes Authenticator app or a hardware security keyppThe banking institutions however are a totally different kettle of fish In my jurisdiction not the US https2fadirectory lists 3 main categories of interest Banking Finance and Payment Platforms all have wildly different attitudes towards 2FA implementation Only 10 out of 30 30 banks offer the service that is 2 thirds DONT Whereas finance and payment platforms list 33 out of 43 77 and 29 out of 35 83 respectively that DOppI personally have linked any banking and finance services that require online activities to my PayPal account because of their security and charge back features Anything else I visit the branch personally Convenience be damnedppFor credit card masking use Privacycom or IronvestcomppThe second reference to Have I Been Pwned use 
the incorrect address haveibeenownedcom
I thought it was odd when my browser told me I could not connect using httpsppOne thing that isnt getting much mention is now that almost everyones SSN is public there is a high likelihood of increased tax fraud It is probably best to go ahead in request a PIN from the IRS in addition to everything else we need to do to protect ourselves Better yet would be if the IRS acknowledged the need and proactively issued taxpayer PINs to everyoneppThank you just did thisppWhy do these data broker websites all look like they were created in 1997 When NPD breach was first reported and I did a bit of research on them I just assumed it was a criminal front to begin with based on the childlike website but now I see all of these data broker outfits lookfeel the sameppI think Im now back in the theyre all criminal fronts campppThank you BK for shining the light on this awful industry Keep the pressure up on the credit bureaus tooppAmericans are offered credit monitoring services Most of the time those services come from one of the three major consumer credit bureausppAnd some noncredit bureau monitoring is worthless if you freeze your reports Got free monitoring due to a breach with IDX Except they never show anything about my credit files Put in several support tickets but never get a responseppI suspect its because my reports are frozen Of course with by reports frozen the monitoring isnt really needed but still My free but tries to upsell continuously Experian account does tell me about changes to my credit file thoughppComments are closedppMailing ListppSearch KrebsOnSecurityppRecent PostsppStory CategoriesppWhy So Many Top Hackers Hail from Russiap
This entry was posted on Thursday, 15th of August 2024, 06:38 PM.

What I don't understand is where National Public Data got the SSNs from. The public sources cited (property, voter, marriage, etc.) typically do not have SSNs associated with them.

We have the technology to own our personal information. But it would require a public key, a trusted personal storage service, and an authority that manages requests to USE BUT NOT KNOW personal information FROM OUR PRIVATE VAULT, ONLY WITH OUR PERMISSION. Paranoid folks can lock that down. Average folks can use some sort of default policy that at least tracks who asked for what, when, and why.

In the US this will be impossible to implement because of Money and legitimate fear of government incompetence. Add concerns about losing the private key, leading to ideas about injecting an RFID tag with the private key signed by a central authority under your skin (AKA the Mark of the Beast). Also, we're all terrified prime factoring with quantum computing will lead to brute force cracking of data with known plain text.

Meanwhile, you can be sure that anyone with no scruples can pull up a list of Name, SSN, Emails, Cracked Passwords, Health Information, etc.

Compare this with escalation around breaking and entering. Locks get picked. Someone invents a better lock. Burglars and robbers switch to smashing in a door or window, or chainsawing a hole in the wall. Homeowners buy pistols. Robbers carry submachine pistols.

The difference is, in theory, the virtual nature of information allows me to make my house invisible, encase it in two inch thick steel, and create 700 bogus empty virtual houses. That last choice would be the easiest, but current laws would result in being convicted of felony fraud. Only criminals will create fake accounts.

California requires data brokers to register (https://oag.ca.gov/data-brokers) with the state in order to fall under the protection of the law giving them Carte Blanche to gather, advertise, sell, etc. any public records on anyone. If they are not registered they can not operate as a protected data broker. The link above takes you to a 2023 list of data brokers who have registered; however, that is an incomplete list, as California has decided to no longer maintain it yet still requires data brokers to register. There is a registration page link within the page the link takes you to, so you can see the limited information required in order to register as a data broker. This action was taken in order to amend the act and went into place effective Jan 1, 2024, which weakened the original act. Thank you, Mr. Newsom.

BrianKrebs

You might update your information on free credit reports only being available for free annually via annualcreditreport.com, as they are now available on a weekly basis; see the URL link below.

https://consumer.ftc.gov/consumer-alerts/2023/10/you-now-have-permanent-access-free-weekly-credit-reports

I have found it difficult to obtain some reports via that website and therefore go directly to each CRA's website to do so. After setting up an account on each there is no obligation to pay or sign up for locking or other pay services. However, the Experian site makes it a little less obvious that you can ignore their extra services. Innovis may also provide a weekly report, but I have not tested that yet.

Quid
"After setting up an account on each there is no obligation to pay or sign up for locking or other pay services."

Locking is not the same as Freezing. Freezing was created in the Fair Credit Reporting Act (FCRA) and prevents anyone from running a credit check, with a CRA reply like "request denied, file frozen". Locking is an invention of the CRAs, and a reply would be like "here is the file, but file is locked so do not use". Why? A frozen file makes the CRAs less money. BTW, the CRAs have been playing fast and loose with their process of freezing and thawing, almost to the point of making it undesirable for consumers to use it.

As a former Credit Bureau employee and one who developed the original file freeze process at TransUnion: a Lock and a Freeze are technically the same. What it does to your credit report, to stop your credit report from being returned in non-exempt permissible purpose situations, is the same. For example, if a credit pull is in connection with a credit application, both a locked and frozen file will not be returned. That is a non-exempt permissible purpose. If the credit request is for the collection of a debt, an exempt permissible purpose, then the credit file will be returned fully to the requestor for both locked and frozen files.

The difference is user experience. The Lock is a feature that is incorporated in to the credit bureau (certainly at TU) for-profit monitoring products. The file freeze is what is offered by the bureaus directly and in compliance with state laws (there is no federal law on file freezes).

Essentially a lock is just a rebranding of a file freeze. Works behind the scenes exactly the same. And when I was at TU, if you went directly in to a credit file, a lock would look just like a freeze.

If the lock is the same as the freeze, why create confusing new terminology? Are you saying the lock doesn't allow more info sharing for the bureaus?

I would like to hear Steve's answer to this as well.

"The difference is user experience. The Lock is a feature that is incorporated in to the credit bureau (certainly at TU) for-profit monitoring products. The file freeze is what is offered by the bureaus directly and in compliance with state laws (there is no federal law on file freezes)."

I'm going to guess that means they can use locked credit data for internal marketing of financial products directly, so the paying user can see their data through the service portal but nobody else can access it for the usual credit checks. Whereas the freeze is just all blocked to comply with laws, as it's mandated to be offered. So a lock makes the agency money, potentially; a freeze does not. My guess.

It's simply branding. File freeze was a term coined by the State of California when they passed the first file freeze law. Other states copied that, and once there was a critical mass of states the bureaus just made freezes available to everyone.

But the terms are wonky. You freeze the file. If you want to remove it, you could unfreeze it. If you wanted to temporarily remove it to process a loan, the legal term was usually "lift" or "temporarily lift". Others would say "thaw".

And then there were two ways to temporarily lift it. One with a date-specific range where it would be unfrozen. At TU that range could be between 3 and 30 days. The other way was to use a PIN. The PIN would be valid for a range of time, yet had to be provided to the company running the report. If they input it when requesting the file, it would come through. No PIN or wrong PIN, file was still frozen. Problem was, most report users had no way to accept the PINs in their archaic systems. So we would always recommend the date range.

All of this is confusing. Locking/Unlocking sounds better, is more easily understood, and aligned with terminology card issuers were using, where you could lock your card. Discover was one of the originators of that.

Frankly, the file freeze thing was a mess for more than a decade. It has more or less normalized now. The Equifax breach pushed that along. However, I still believe the industry would benefit from federal law creating consistency and hopefully updated terminology.

If you really want to go bonkers, look at some of the state laws on freezing files for minors, commonly referred to as "protected consumers". In addition to minors, it typically includes people living under conservatorships. For the former, they shouldn't have a credit file. So how do you freeze something that doesn't exist? You have to create a file for the minor and freeze it. Yet creating that file can make it more likely to expose a minor's SSN, etc. Happy reading.

Thanks, I somehow missed that memo. I've updated the story.

Government files also include driver's licenses, hunting licenses, fishing licenses, gun licenses, any professional licenses, building permits, speeding tickets; it's a very long list. And you can't opt out. The money from the sale of government information goes into a slush fund of the government sellers. It's all off-budget. They are addicted to the sweet, sweet money from selling your information. Government service is a license to steal.

You should provide evidence of that "slush fund, off-budget" claim, like Mr. Krebs does when he presents information. Not just random accusations.

I thought BreachForums was seized after several domain takeovers.
They created a new domain again.

"The site was again shut down and the domain seized on May 15, 2024, though the domain was back under the owner's control just hours later." (wiki)

I don't know about yours, but my SS card says "For social security and tax purposes, not for identification".

Doh.

This is plain theory of identity. Your SS card is an attribute document, not an identity document, because the entity that issues your SS card does not have an authoritative citizen register. Only entities with an official citizen register can issue identity documents.

Many people don't care about this difference, but it is the case anywhere in the world. Passports and identity cards in countries that have them (practically all except the US and UK) are issued by the ministry of the interior, which oversees the local authorities that lead the citizen registry or registries.

Any other official documents (driver's licenses, voting cards, whatever) are issued by another entity under a different ministry, which is not allowed to have a source register. They rely on information from the authoritative register and only indirectly point to it.
In other words, a Passport or ID card says "I, country X, hereby confirm that I have a citizen with the name and information stated in this document". Any other official document says "I, the Y authority of country X, hereby confirm that the citizen referred to (the name on this card, if they really exist, which I cannot ultimately verify) has the attribute Z (e.g. may drive a car of class B2, or is a licensed attorney, or whatever)".

It means that physical possession of a social security card cannot be used to prove that it belongs to the person presenting it. That's all.

The SSN is the only truly unique global person identifier we have in the US. There is absolutely nothing wrong with having such an identifier. Quite the opposite: it makes sense to have such a number, and it is very helpful given that many people share the same name. The problem lies not with the existence of a unique identifier, but with various entities' obviously false assumption that this number is only known to the person to whom it belongs, and as such their reliance on it for authentication purposes.

My parents got me an SSN when I was born (1958), and I still have the original little cardboard explanatory holder to which the Social Security card was attached. It explained all about how some day, when you enter the workforce, you will need this information. But my favorite line on that entire card was "NOTE: your Social Security number should never be used as a form of personal identification".

BrianKrebs, your last paragraph is spot on.

"The truth is that these data brokers will continue to proliferate and thrive, and get hacked and relieved of their data, until Congress begins to realize it's time for some consumer privacy and data protection laws that are relevant to life in the 21st century."

We have GDPR in Europe, which protects individuals (citizens in general, and when acting as customers) and implies significant costs for breached companies not having this in place, so you definitely need something similar.

GDPR does not protect you against identity theft.

But it does aim to keep your PII in fewer places and hopefully more securely, so...

Like someone has pointed out, annualcreditreport.com reports can be obtained on a weekly basis now. But the process is anything but easy. I bet it is deliberately designed to discourage people. In my case it doesn't even work. One bureau refuses my login and always tells me to call them. I tried it once and was put in an endless call waiting. I eventually hung up.

Also, freezing your record is less than ideal. It may affect your insurance premiums, because those companies check your record behind your back. I've gone through this before when my auto insurance premium started going up.

The only way to ensure we as consumers have a fix for this problem is through federal legislation that will impose a heavy monetary fine on any company that loses our PIA. In the US, unfortunately, money is the language of security.

annualcreditreport.com appears to be worthless if you live overseas, since it requires a current US address for you to request your credit reports. Unless I'm missing something, the comment section doesn't even provide an entry for an email address, so they can't even respond to you if you ask a question.

I lived overseas for many years, up until last year. It is indeed difficult to access your US credit reports directly or via annualcreditreport.com from overseas, but it is not impossible.

First of all, you need to use a VPN that shows your IP address as located in the US. All the credit bureaus and the reporting website block access from non-US IP addresses, so without doing this you will never get past the login screens.

Second, you need to merely input a VALID US address. It does not have to be your current address; it just needs to be a US address that passes a simple verification check to show that it is a valid address. Although you could pick any US address, you shouldn't, because the credit bureaus sell your info, which means that credit offers and junk mail will be sent to your name at whatever address you use, even if you have opted out of having your info sold for advertising purposes. I used a family member's address, as they did not mind getting the junk mail.

Third, you MUST input a valid US mobile telephone number. It does not have to be yours, but it needs to belong to someone who can quickly relay a texted single-use security code to you.

If you do these three things, you can look at your US credit bureau reports from overseas.

Dennis' comment is correct.

One of the 3 credit bureaus' web sites to request your credit report does not work, and has not for some time now. I have tried many times requesting either my credit report or my wife's, and after entering all of the information it comes back as "not available at this time". I emailed Annual Credit Report asking about the problem and was sent a form to request my credit report via snail mail. That is not a solution.

For a year or more I've been able to freeze, then thaw, my accounts at four CRAs: Experian, Equifax, TransUnion and NCTUE.

Not that you don't have a Real Problem, but perhaps further effort would resolve this (clearing cache, trying a different browser, etc.).

Good luck. Our lives are fer shure real complicated.

FYI: Equifax has had a 5-year known issue with locking users out of their Equifax account when trying to log in to freeze/unfreeze. Just search "Equifax login" on Reddit. The best solution so far is to call Equifax support and choose the option to lift the freeze, then request an actual agent. Tell the agent you have no luck accessing the site and to send a pw reset link. Hope this helps.

The real hacker behind this breach is Wumpus, aka Anthony Garced. He hacked Zacks.com and he hacked this.

Is there a way to schedule a recurring request to have your credit reports sent?

Local, state and Federal governments are so grossly negligent with our personal information, being stored on databases connected to the Internet or selling the data without redaction. It is disgusting. Then governments think we are so stupid to go for Digital ID and digital money so we can all wake up broke. They truly are crazy.

Here is the lawsuit that has been filed, and all the ways the hackers can use your data: https://www.bloomberglaw.com/public/desktop/document/HofmannvJericoPicturesIncDocketNo024cv61383SDFlaAug012024CourtDocdocidX6S27DVM6H69DSQO6MTRAQRIVBS

Looks like Salvatore Verini is running for the hills. His Florida office has a voice mail referring calls to the California office. A real person answered the phone in CA and I
left my name and number for him to call me, as he wants to charge for fixing 25 critical items and 1 high profile item. NPD has collected information on me for 38 years, and if it wasn't for the news I would not have known. Both myself and a family member have phone numbers in our records that are out of state and never belonged to us. We also have credit monitoring, and neither of us were notified of this breach. So Life Lock and the rest are a waste of money, adding to the fraudulent environment we all currently live in.

We froze our accounts; however, it is pretty much useless with TransUnion, as they provide no confirmation number to unfreeze and will use your personal information published all over the dark web to unfreeze. Sorry, but you can't cure dumb. It is literally impossible to have privacy thanks to the incompetency starting at the top of the pyramid of the WEF, Davos and IMF group and trickling on down. Even my state lost my birth certificate for the National ID driver's license without any explanation, and I had to provide it again. Three months after renewal, the news reported the Chinese hacked the driver's data base. I think I am starting to understand the sovereigns, which is sad, that they are more right than wrong.

Considering the magnitude of this breach, I've been surprised how little coverage there has been about this in mainstream media. And the expert they use in their story usually isn't very expert about what happened or how to react, just rehashing what's already been said.

It's also frustrating to know that about the only thing we can do is freeze our credit, knowing that the credit bureaus are making it increasingly easier for someone else to unfreeze without a PIN by supplying KBA using what is now publicly available data.

Recalling the ease with which Experian allowed accounts to be hijacked going back to 2022, does anyone know if they ever fixed that, or is their account security still incredibly bad?

I don't think they ever fixed it. I checked a few months ago and it still allowed anyone to re-sign up as anyone else. Notification email only after someone has assumed your identity/account.

Also, freezing your record is less than ideal. It may affect your insurance premiums, because those companies check your record behind your back. I've gone through this before when my auto insurance premium started going up.

That's how they coerce you into compliance with the whole credit report system. Fiscal punishment for doing nothing but legitimately, logically and legally protecting access to your personal information. Plus, it's such an intrusion on your right to privacy. A bank may need to know my credit worthiness, but it really is not an employer's business, IMHO. Nor anybody else's, really, unless I'm doing a business transaction that requires credit. It's so sad that without that credit report and a good credit rating it is much harder to live in America.

Hence, when I crossed a certain threshold in age, I froze it all; they can kiss my derriere on the whole credit thing, and I've been diligently trying to get my credit score to zero before I give up the tent. It's taken me years, but I've gotten it down to the score of 4.

Remember where to check to see if your stuff is running outside of the barn: https://haveibeenpwned.com

What about the impact of resetting account passwords where only an email address and social is needed? For example: go to PayPal.com, click Forgot Password, put in your email, select reset with Social, put that in, enter a new password; you're now in My Account with full access. In my case I have 2FA set up and it didn't even ask for this after changing my password. Shocking! I also checked Chase.com: just need your card number and social and boom, it not only then reveals your username on-screen, it lets you reset the password, again bypassing 2FA. These companies need to update their password reset processes to not be based off social.

It should never have been based on SSN in the first place. That's ridiculous.

"go to PayPal.com, click Forgot Password, put in your email, select reset with Social"

I think you need to reconsider the setup config for 2FA in your PayPal account. The only 2FA option I have chosen for account access is a hardware security key. Therefore, for account recovery purposes, that is the only 2FA option PayPal offers me after entering my email address. You need to actively remove the less secure options from your PayPal security settings (i.e. Social, SMS, etc.) and ONLY use OTP codes (Authenticator app) or a hardware security key.

The banking institutions, however, are a totally different kettle of fish. In my jurisdiction (not the US), https://2fa.directory lists 3 main categories of interest: Banking, Finance and Payment Platforms. All have wildly different attitudes towards 2FA implementation. Only 10 out of 30 banks (30) offer the service; that is, 2 thirds DON'T. Whereas finance and payment platforms list 33 out of 43 (77%) and 29 out of 35 (83%) respectively that DO.

I personally have linked any banking and finance services that require online activities to my PayPal account because of their security and charge-back features. Anything else, I visit the branch personally. Convenience be damned.

For credit card masking, use Privacy.com or Ironvest.com.

The second reference to Have I Been Pwned uses the incorrect address haveibeenowned.com.
I thought it was odd when my browser told me I could not connect using https.

One thing that isn't getting much mention is that, now that almost everyone's SSN is public, there is a high likelihood of increased tax fraud. It is probably best to go ahead and request a PIN from the IRS, in addition to everything else we need to do to protect ourselves. Better yet would be if the IRS acknowledged the need and proactively issued taxpayer PINs to everyone.

Thank you, just did this.

Why do these data broker websites all look like they were created in 1997? When the NPD breach was first reported and I did a bit of research on them, I just assumed it was a criminal front to begin with, based on the childlike website, but now I see all of these data broker outfits look/feel the same.

I think I'm now back in the "they're all criminal fronts" camp.

Thank you, BK, for shining the light on this awful industry. Keep the pressure up on the credit bureaus too.

"Americans are offered credit monitoring services. Most of the time those services come from one of the three major consumer credit bureaus."

And some non-credit-bureau monitoring is worthless if you freeze your reports. Got free monitoring due to a breach with IDX. Except they never show anything about my credit files. Put in several support tickets but never get a response.

I suspect it's because my reports are frozen. Of course, with my reports frozen the monitoring isn't really needed, but still. My free (but tries to upsell continuously) Experian account does tell me about changes to my credit file, though.