[Plura-list] Experian doxes the world (again)

Cory Doctorow doctorow at craphound.com
Fri Apr 30 12:34:54 EDT 2021


Today's links

* Experian doxes the world (again): And the breach is still ongoing.

* This day in history: 2001, 2006, 2011, 2020

* Colophon: Recent publications, upcoming/recent appearances, current
writing projects, current reading

_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_

🙆🏽 Experian doxes the world (again)

The nonconsensually compiled dossiers of personal information that
Experian assembled on the entire population of the USA may currently be
exposed via dozens, perhaps hundreds, of sites, thanks to a grossly
negligent security defect in Experian's API.

The breach was detected by Bill Demirkapi, a security researcher and RIT
sophomore, and reported on by Brian Krebs, the excellent independent
security reporter.

https://krebsonsecurity.com/2021/04/experian-api-exposed-credit-scores-of-most-americans/

Experian, like Equifax, has unilaterally arrogated to itself the right
to collect, store and disseminate our personal information, and, like
Equifax, it faces little regulation, including obligations not to harm
us or penalties when it does.

Experian's API allows criminals to retrieve your credit info by
supplying your name and address, information that is typically easy to
find, especially in the wake of multiple other breaches, such as
Doordash's 5m-person 2019 breach and Drizly's 2.5m-person 2020 breach.

Demirkapi explains that the API is implemented by many, many sites
across the internet, and while Experian assured Krebs that this bug only
affected a single site, it did not explain how it came to that conclusion.

Demirkapi discovered the defect while he was searching for a student
loan vendor. There is a way to defend yourself against this attack:
freeze your credit report. Credit freezes were made free (but opt-in
only) in 2018, after the Equifax breach.
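An added illustration of the two points above (it is not from the original post, and it is not Experian's code or anything from Krebs' or Demirkapi's write-ups): a toy Python authorization model for a credit-lookup endpoint. The "weak" handler treats name plus address as the credential, which is why public data is enough to pull a file; the "hardened" handler shows what a server-side check looks like when it demands either the subject's own authenticated session or a consumer-authorized lender, and enforces a freeze for every third-party request. The file shapes, lender ids, consent records, names and scores are all constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass
class ConsumerFile:
    """One consumer's credit file. Every value below is constructed sample data."""
    name: str
    address: str
    score: int
    frozen: bool = False                                  # consumer placed a credit freeze
    consented_lenders: set = field(default_factory=set)   # lenders the consumer authorized


@dataclass
class LookupRequest:
    """What an integrating site sends to the hypothetical lookup endpoint."""
    name: str
    address: str
    lender_id: str                        # identity of the integrator making the call
    subject_authenticated: bool = False   # consumer proved identity with a strong, bureau-issued credential


# Constructed sample files (hypothetical people, hypothetical scores).
FILES: List[ConsumerFile] = [
    ConsumerFile("Ada Lovelace", "1 Example St", 720, frozen=False,
                 consented_lenders={"student-loans-example"}),
    ConsumerFile("Charles Babbage", "2 Example St", 650, frozen=True,
                 consented_lenders={"student-loans-example"}),
]


def _match(files: List[ConsumerFile], name: str, address: str) -> Optional[ConsumerFile]:
    for f in files:
        if f.name == name and f.address == address:
            return f
    return None


def weak_lookup(files: List[ConsumerFile], req: LookupRequest) -> Optional[int]:
    """'Before' pattern: name and address are the only inputs, so they act as the
    credential. Both are public, so the endpoint is effectively unauthenticated,
    and the consumer's freeze is never consulted."""
    f = _match(files, req.name, req.address)
    return f.score if f else None


def hardened_lookup(files: List[ConsumerFile], req: LookupRequest) -> Tuple[Decision, Optional[int], str]:
    """'After' pattern: knowing name and address grants nothing by itself. The
    reason string is meant for the bureau's audit log only; the response to the
    caller should carry just the decision, so the endpoint cannot be used to probe
    which names exist or which files are frozen."""
    f = _match(files, req.name, req.address)
    if f is None:
        return Decision.DENY, None, "no matching file"
    if req.subject_authenticated:
        # A consumer may always see their own file, frozen or not.
        return Decision.ALLOW, f.score, "subject viewing own file"
    if f.frozen:
        # The freeze is enforced server-side for every third-party request.
        return Decision.DENY, None, "file frozen by subject"
    if req.lender_id in f.consented_lenders:
        return Decision.ALLOW, f.score, "consumer authorized this lender"
    return Decision.DENY, None, "caller has no authorization from subject"


def run_cases() -> Dict[str, Tuple[Decision, Optional[int]]]:
    """Run the same requests through both handlers; returns the hardened outcomes."""
    cases = [
        ("anonymous", LookupRequest("Ada Lovelace", "1 Example St", lender_id="unknown-site")),
        ("authorized_lender", LookupRequest("Ada Lovelace", "1 Example St", lender_id="student-loans-example")),
        ("frozen_file_lender", LookupRequest("Charles Babbage", "2 Example St", lender_id="student-loans-example")),
        ("frozen_file_self", LookupRequest("Charles Babbage", "2 Example St", lender_id="bureau-portal",
                                           subject_authenticated=True)),
    ]
    results: Dict[str, Tuple[Decision, Optional[int]]] = {}
    for label, req in cases:
        weak = weak_lookup(FILES, req)
        decision, score, reason = hardened_lookup(FILES, req)
        print(f"{label:20} weak={weak!s:5} hardened={decision.value} score={score} ({reason})")
        results[label] = (decision, score)
    return results


if __name__ == "__main__":
    run_cases()
```

Running it shows the contrast directly: the weak handler hands every caller a score, including the one asking about a frozen file, while the hardened handler releases a score only to the subject or to a lender the subject authorized, and never for a frozen file unless the subject is the one asking.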

https://krebsonsecurity.com/2018/09/credit-freezes-are-free-let-the-ice-age-begin/

Indeed, you may have already been thinking about the Equifax breach as
you read this. In many ways, that breach was a wasted opportunity to
seriously re-examine the indefensible practices of the credit-reporting
industry, which had not been seriously scrutinized since 1976.

1976 was the year that Congress amended the Equal Credit Opportunity Act
after hearing testimony about the abuses of the Retail Credit Company -
a company that swiftly changed its name to "Equifax" to distance itself
from the damning facts those hearings brought to light.

Retail Credit/Equifax invented credit reporting when it was founded in
Atlanta in 1899. For more than half a century, it served as a free
market Stasi to whom neighbors could quietly report each other for
violating social norms.

Retail Credit's permanent, secret files recorded who was suspected of
being gay, a "race-mixer" or a political dissident so that banks and
insurance companies could discriminate against them.

https://www.jacobinmag.com/2017/09/equifax-retail-credit-company-discrimination-loans

This practice was only curbed when a coalition of white, straight
conservative men discovered that they'd been misidentified as queers and
commies and demanded action, whereupon Congress gave Americans limited
rights to see and contest their secret files.

But these controls were never more than symbolic. Congress couldn't
truly blunt the power of these private-sector spooks, because the US
government depends on them to determine eligibility for Social Security,
Medicare and Medicaid.

It's a public-private partnership from hell. Credit reporting bureaux
collect data the government is not legally allowed to collect on its
own, then sell that data to the government (Equifax makes $200m/year
doing this).

https://web.archive.org/web/20171004200823/http://www.cetusnews.com/business/Equifax-Work-for-Government-Shows-Company%E2%80%99s-Broad-Reach.HkexS6JAq-.html

These millions are recycled into lobbying efforts to ensure that the
credit reporting bureaux can continue to spy on us, smear us, and
recklessly endanger us by failing to safeguard the files they assemble
on us.

This is bad for America, but it's great for the credit reporting
industry. The Big Three bureaux (Equifax, Experian and Transunion) have
been on a decade-long buying spree, gobbling up hundreds of smaller
companies.

These acquisitions lead directly to breaches: a Big Three company that
buys a startup inherits its baling-wire-and-spit IT system, built in
haste while the company pursued growth and acquisition.

These IT systems have to be tied into the giant acquiring company's own
databases, adding to the dozens of other systems that have been cobbled
together from previous acquisitions.

This became painfully apparent after the Equifax breach, so much so that
even GOP Congressional Committee chairs called the breach "entirely
preventable" and the result of "aggressive growth." But they refused to
put any curbs on future acquisitions.

https://thehill.com/policy/technology/420582-house-panel-issues-scathing-report-on-entirely-preventable-equifax-data

A lot has happened since Equifax, so you may have forgotten just how
fucked up that situation was. Equifax's IT was so chaotic that they
couldn't even encrypt the data they'd stored. Two months later, they
"weren't sure" if it had been encrypted.

https://searchsecurity.techtarget.com/news/450429891/Following-Equifax-breach-CEO-doesnt-know-if-data-is-encrypted

*Six months* before the breach, outside experts began warning Equifax
that they were exposing our data:

https://www.vice.com/en/article/ne3bv7/equifax-breach-social-security-numbers-researcher-warning

The *only* action Equifax execs took? They sold off a shit-ton of stock:

https://www.bloomberg.com/news/articles/2018-03-14/sec-says-former-equifax-executive-engaged-in-insider-trading

The Equifax breach exposed the arrogance and impunity of the Big Three.
Afterward, Equifax offered "free" credit monitoring to the people they'd
harmed. One catch: it was free for a year; after that, they'd
automatically bill you, annually, forever.

https://web.archive.org/web/20170911025943/https://therealnews.com/t2/story:19960:Equifax-Data-Breach-is-a-10-out-of-10-Scandal

And you'd pay in another way if you signed up for that "free" service:
the fine print took away your right to sue Equifax, forever, no matter
how they harmed you:

https://www.ibtimes.com/political-capital/equifax-lobbied-kill-rule-protecting-victims-data-breaches-2587929

The credit bureaux bill themselves as arbiters of the public's ability
to take responsibility for their choices, but after the breach, the CEO
blamed the entire affair on a single "forgetful" flunky:

https://www.engadget.com/2017-10-03-former-equifax-ceo-blames-breach-on-one-it-employee.html

Then he stepped down and pocketed a $90m salary that his board voted in
favor of:

https://fortune.com/2017/09/26/equifax-ceo-richard-smith-net-worth/

Of course they did! His actions made the company so big that even after
the breach, the IRS picked it to run its anti-fraud program. Equifax got
$7.5m from Uncle Sucker, and would have kept it except that its
anti-fraud site was *serving malware*:

https://www.cbsnews.com/news/equifax-irs-data-breach-malware-discovered/

Equifax eventually settled all the claims against it for $700m in 2019:

https://nypost.com/2019/07/19/equifax-agrees-to-pay-700m-after-massive-data-breach/

But it continued to average five errors per credit report:

https://www.washingtonpost.com/technology/2019/02/11/rep-alexandria-ocasio-cortez-takes-aim-equifax-credit-scoring/

And it continued to store sensitive user data in an unencrypted database
whose login and password were "admin" and "admin":

https://finance.yahoo.com/news/equifax-password-username-admin-lawsuit-201118316.html

Congress introduced multiple bills to force Equifax, Experian and
Transunion to clean up their act.

None of those bills passed.

https://www.axios.com/after-equifaxs-mega-breach-nothing-changed-1536241622-baf8e0cf-d727-43db-b4d4-77c7599fff1e.html

The IRS shrugged its shoulders at America, telling the victims of
Equifax's breach that their information had probably already leaked
before Equifax doxed them, so no biggie:

https://thehill.com/policy/cybersecurity/355862-irs-significant-number-of-equifax-victims-already-had-info-accessed-by

Since then there have been other mass breaches, most recently the
Facebook breach that exposed 500m people's sensitive data. That data can
be merged with data from other breaches and even from "anonymized"
data-sets that were deliberately released:

https://pluralistic.net/2021/04/21/re-identification/#pseudonymity

And while you can theoretically prevent your data from being stolen
using the current Experian vulnerability by freezing your account,
that's not as secure as it sounds.

Back in 2017, Brian Krebs reported that Experian's services were so
insecure that anyone could retrieve the PIN to unlock a frozen credit
report by ticking a box on a website:

https://krebsonsecurity.com/2017/09/experian-site-can-give-anyone-your-credit-freeze-pin/

That was just table-stakes - it turned out that *all* the credit bureaux
had an arrangement with AT&T's telecoms credit agency that was so
insecure that *anyone* could unlock your locked credit report:

https://krebsonsecurity.com/2018/05/another-credit-freeze-target-nctue-com/

These companies came into existence to spy on Americans in order to
facilitate mass-scale, racist, ideological and sexual discrimination.
They gather data of enormous import and sensitivity - data no one should
be gathering, much less retaining and sharing.

They handle this data in cavalier ways, secure in the knowledge that
their integration with the US government wins them powerful stakeholders
who will ensure that the penalties for the harm they inflict add up to
less than the profits those harms generate for their shareholders.

This is why America needs a federal privacy law with a "private right of
action" - the ability to sue companies that harm you, rather than hoping
that federal prosecutors or regulators will decide to enforce the law.

https://pluralistic.net/2021/04/16/where-it-hurts/#sue-facebook

Experian promises that this breach only affects one company that
mis-implemented its API. We would be suckers to take it at its word. It
didn't know about this breach until a college sophomore sent in a bug
report - how would it know if there were others?


_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_

🙆🏽 This day in history

#20yrsago Norwegian Linux nerds implement IP-over-Carrier-Pigeon
https://www.blug.linux.no/rfc1149/

#15yrsago Barenaked Ladies frontman on copyright reform
https://web.archive.org/web/20060505032617/http://www.canada.com/nationalpost/news/issuesideas/story.html?id=3367a219-f395-4161-a9b9-95256c613824

#10yrsago HOWTO Make a Portal Sentry Turret egg-cup
https://www.instructables.com/Make-your-own-Portal-Sentry-Turret-Egg-Cup/

#10yrsago Troubletwisters: Garth Nix and Sean Williams’ action-packed
new kids’ fantasy
https://memex.craphound.com/2011/04/30/troubletwisters-garth-nix-and-sean-williams-action-packed-new-kids-fantasy/

#10yrsago RIP, Joanna Russ
http://nielsenhayden.com/makinglight/archives/012974.html#547586

#1yrago AMC: "We will never show another Universal movie"
https://pluralistic.net/2020/04/30/day-and-date/#vertical-integration

_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_

🙆🏽 Colophon

Today's top sources: Slashdot (https://slashdot.org/).

Currently writing:

* A Little Brother short story about pipeline protests.  RESEARCH PHASE

* A short story about consumer data co-ops.  PLANNING

* A Little Brother short story about remote invigilation.  PLANNING

* A nonfiction book about excessive buyer-power in the arts, co-written
with Rebecca Giblin, "The Shakedown."  FINAL EDITS

* A post-GND utopian novel, "The Lost Cause."  FINISHED

* A cyberpunk noir thriller novel, "Red Team Blues."  FINISHED

Currently reading: Analogia by George Dyson.

Latest podcast: Past Performance is Not Indicative of Future Results
https://craphound.com/news/2021/03/28/past-performance-is-not-indicative-of-future-results/

Upcoming appearances:

* Book launch for Aminder Dhaliwal's Cyclopedia Exotica (Indigo), May
13, https://www.crowdcast.io/e/udbva8py/register

* Seize the Means of Computation, Ryerson Centre for Free Expression,
May 19,
https://cfe.ryerson.ca/events/how-destroy-surveillance-capitalism-seize-means-computation

Recent appearances:

* The Right to Repair Movement, Monopolies, and Solarpunk
https://www.youtube.com/watch?v=mmosdDCrL-4

* The surveillance state, digital monopolies, and why we should be
worried (Podsongs)
https://anchor.fm/podsongs/episodes/Cory-Doctorow-on-the-Surveillance-State--digital-monopolies--and-why-we-should-be-worried-eso43k

* Conspiracy Theories (Utopian Horizons):
https://soundcloud.com/utopianhorizons/conspiracy-theory-w-cory-doctorow

Latest book:

* "Attack Surface": The third Little Brother novel, a standalone
technothriller for adults. The *Washington Post* called it "a political
cyberthriller, vigorous, bold and savvy about the limits of revolution
and resistance." Order signed, personalized copies from Dark Delicacies
https://www.darkdel.com/store/p1840/Available_Now%3A_Attack_Surface.html

* "How to Destroy Surveillance Capitalism": an anti-monopoly pamphlet
analyzing the true harms of surveillance capitalism and proposing a
solution.
https://onezero.medium.com/how-to-destroy-surveillance-capitalism-8135e6744d59
(print edition:
https://bookshop.org/books/how-to-destroy-surveillance-capitalism/9781736205907)
(signed copies:
https://www.darkdel.com/store/p2024/Available_Now%3A__How_to_Destroy_Surveillance_Capitalism.html)

* "Little Brother/Homeland": A reissue omnibus edition with a new
introduction by Edward Snowden:
https://us.macmillan.com/books/9781250774583; personalized/signed copies
here:
https://www.darkdel.com/store/p1750/July%3A__Little_Brother_%26_Homeland.html

* "Poesy the Monster Slayer" a picture book about monsters, bedtime,
gender, and kicking ass. Order here:
https://us.macmillan.com/books/9781626723627. Get a personalized, signed
copy here:
https://www.darkdel.com/store/p1562/_Poesy_the_Monster_Slayer.html.

Upcoming books:

* The Shakedown, with Rebecca Giblin, nonfiction/business/politics,
Beacon Press 2022

This work licensed under a Creative Commons Attribution 4.0 license.
That means you can use it any way you like, including commercially,
provided that you attribute it to me, Cory Doctorow, and include a link
to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are
included either under a limitation or exception to copyright, or on the
basis of a separate license. Please exercise caution.

_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_

🙆🏽 How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/web/accounts/303320

Twitter (mass-scale, unrestricted, third-party surveillance and
advertising):

https://twitter.com/doctorow

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"*When life gives you SARS, you make sarsaparilla*" -Joey "Accordion
Guy" DeVilla

