Pluralistic: 30 Apr 2021

Originally published at: https://pluralistic.net/2021/04/30/dox-the-world/

Experian doxes the world (again) (permalink)

The nonconsensually compiled dossiers of personal information that Experian assembled on the entire population of the USA may currently be exposed via dozens, perhaps hundreds, of sites, thanks to a grossly negligent security defect in Experian's API.

The breach was detected by Bill Demirkapi, a security researcher and RIT sophomore, and reported on by Brian Krebs, the excellent independent security reporter.

https://krebsonsecurity.com/2021/04/experian-api-exposed-credit-scores-of-most-americans/

Experian, like Equifax, has unilaterally arrogated to itself the right to collect, store and disseminate our personal information, and, like Equifax, it faces little regulation, including obligations not to harm us or penalties when it does.

Experian's API allows criminals to retrieve your credit info by supplying your name and address, information that is typically easy to find, especially in the wake of multiple other breaches, such as Doordash's 5m-person 2019 breach and Drizly's 2.5m-person 2020 breach.

Demirkapi explains that the API is implemented by many, many sites across the internet, and while Experian assured Krebs that this bug only affected a single site, it did not explain how it came to that conclusion.
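The core defect described above is that the only "credential" the lookup asks for is information that is already public. As an added illustration (not Experian's code, and not a description of its actual API: the records, partner id, API key, consent-token format and rate limit below are all hypothetical and constructed for this example), here is that pattern beside a minimally hardened version of the same lookup, in which the calling system is authenticated, the consumer's recent consent is proven, and every decision is rate-limited and logged:

```python
"""Added illustration: a lookup keyed only on name + address, beside a
hardened partner endpoint. Everything here is hypothetical; nothing
describes any real bureau's API."""
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed sample "bureau" records; every value is made up.
RECORDS = {
    ("alice example", "1 main st"): {"score": 712, "open_accounts": 4},
    ("bob example", "2 elm st"): {"score": 655, "open_accounts": 2},
}


def _subject(name, address):
    """Normalise the lookup key the way a loose matcher would."""
    return (name.strip().lower(), address.strip().lower())


# ---- Insecure pattern: the only "credential" is public information ----
def insecure_lookup(name, address):
    """Whoever knows a name and address gets the record: no caller identity,
    no consumer consent, and nothing to rate-limit or audit against."""
    return RECORDS.get(_subject(name, address))


# ---- Hardened pattern (hypothetical design) ----------------------------
SERVER_SECRET = b"hypothetical-server-secret"  # would live in a KMS/HSM
PARTNERS = {  # API keys stored hashed, like passwords; ids are made up
    "lender-123": {
        "key_hash": hashlib.sha256(b"hypothetical-partner-key").hexdigest(),
        "scope": {"credit:read"},
        "rate_limit": 3,  # requests per 60 s window
    }
}
CALLS = defaultdict(int)  # (partner_id, window) -> request count
AUDIT = []  # every decision is recorded, allowed or denied


def issue_consent_token(name, address, partner_id, now, ttl=300):
    """Minted by the bureau only after the consumer proves who they are
    (OTP, ID verification; not shown). Binds subject + partner + expiry
    under an HMAC so a token cannot be reused by another partner or later."""
    n, a = _subject(name, address)
    exp = int(now) + ttl
    mac = hmac.new(SERVER_SECRET, f"{n}|{a}|{partner_id}|{exp}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{exp}.{mac}"


def _verify_consent(token, name, address, partner_id, now):
    try:
        exp_s, mac = token.split(".", 1)
        exp = int(exp_s)
    except (ValueError, AttributeError):
        return False
    if now >= exp:  # expired tokens are rejected before any MAC work
        return False
    n, a = _subject(name, address)
    expected = hmac.new(SERVER_SECRET, f"{n}|{a}|{partner_id}|{exp}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def _log(partner_id, verdict, reason):
    AUDIT.append({"partner": partner_id, "verdict": verdict, "reason": reason})


def hardened_lookup(partner_id, api_key, name, address, consent_token, now=None):
    """Returns ("ok", record) or ("denied", reason)."""
    now = time.time() if now is None else now
    partner = PARTNERS.get(partner_id)
    # 1. Authenticate the calling system, not the consumer's public details.
    if partner is None or not hmac.compare_digest(
            hashlib.sha256(api_key.encode()).hexdigest(), partner["key_hash"]):
        _log(partner_id, "denied", "unauthenticated")
        return "denied", "unauthenticated"
    if "credit:read" not in partner["scope"]:
        _log(partner_id, "denied", "scope")
        return "denied", "scope"
    # 2. Rate-limit per partner so one leaked key cannot enumerate everyone.
    window = (partner_id, int(now) // 60)
    CALLS[window] += 1
    if CALLS[window] > partner["rate_limit"]:
        _log(partner_id, "denied", "rate_limited")
        return "denied", "rate_limited"
    # 3. Require proof that this consumer authorised this partner, recently.
    if not _verify_consent(consent_token, name, address, partner_id, now):
        _log(partner_id, "denied", "consent")
        return "denied", "consent"
    record = RECORDS.get(_subject(name, address))
    if record is None:
        _log(partner_id, "denied", "not_found")
        return "denied", "not_found"
    _log(partner_id, "ok", None)
    return "ok", record
```

The point of the contrast is not the specific checks but where the secret lives: in the first function the "secret" is the victim's own name and address, which breach dumps already contain; in the second, the secrets are a partner key the bureau can revoke and a short-lived token the consumer had to be present to create, and the audit list is what an incident responder would need to answer "which partner pulled whose file, and when."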

Demirkapi discovered the defect while he was searching for a student loan vendor. There is a way to defend yourself against this attack: freeze your credit report. Credit freezes were made free (but opt-in only) in 2018, after the Equifax breach.

https://krebsonsecurity.com/2018/09/credit-freezes-are-free-let-the-ice-age-begin/

Indeed, you may have already been thinking about the Equifax breach as you read this. In many ways, that breach was a wasted opportunity to seriously re-examine the indefensible practices of the credit-reporting industry, which had not been seriously scrutinized since 1976.

1976 was the year that Congress amended the Equal Credit Opportunity Act after hearing testimony about the abuses of the Retail Credit Company – a company that swiftly changed its name to "Equifax" to distance itself from the damning facts those hearings brought to light.

Retail Credit/Equifax invented credit reporting when it was founded in Atlanta in 1899. For more than half a century, it served as a free market Stasi to whom neighbors could quietly report each other for violating social norms.

Retail Credit's permanent, secret files recorded who was suspected of being gay, a "race-mixer" or a political dissident so that banks and insurance companies could discriminate against them.

https://www.jacobinmag.com/2017/09/equifax-retail-credit-company-discrimination-loans

This practice was only curbed when a coalition of white, straight conservative men discovered that they'd been misidentified as queers and commies and demanded action, whereupon Congress gave Americans limited rights to see and contest their secret files.

But these controls were never more than symbolic. Congress couldn't truly blunt the power of these private-sector spooks, because the US government depends on them to determine eligibility for Social Security, Medicare and Medicaid.

It's a public-private partnership from hell. Credit reporting bureaux collect data the government is not legally allowed to collect on its own, then sell that data to the government (Equifax makes $200m/year doing this).

https://web.archive.org/web/20171004200823/http://www.cetusnews.com/business/Equifax-Work-for-Government-Shows-Company%E2%80%99s-Broad-Reach.HkexS6JAq-.html

These millions are recycled into lobbying efforts to ensure that the credit reporting bureaux can continue to spy on us, smear us, and recklessly endanger us by failing to safeguard the files they assemble on us.

This is bad for America, but it's great for the credit reporting industry. The Big Three bureaux (Equifax, Experian and Transunion) have been on a decade-long buying spree, gobbling up hundreds of smaller companies.

These acquisitions lead directly to breaches: a Big Three company that buys a startup inherits its baling-wire-and-spit IT system, built in haste while the company pursued growth and acquisition.

These IT systems have to be tied into the giant acquiring company's own databases, adding to the dozens of other systems that have been cobbled together from previous acquisitions.

This became painfully apparent after the Equifax breach, so much so that even GOP Congressional Committee chairs called the breach "entirely preventable" and the result of "aggressive growth." But they refused to put any curbs on future acquisitions.

https://thehill.com/policy/technology/420582-house-panel-issues-scathing-report-on-entirely-preventable-equifax-data

A lot has happened since Equifax, so you may have forgotten just how fucked up that situation was. Equifax's IT was so chaotic that they couldn't even encrypt the data they'd installed. Two months later, they "weren't sure" if it had been encrypted.

https://searchsecurity.techtarget.com/news/450429891/Following-Equifax-breach-CEO-doesnt-know-if-data-is-encrypted

Six months before the breach, outside experts began warning Equifax that they were exposing our data:

https://www.vice.com/en/article/ne3bv7/equifax-breach-social-security-numbers-researcher-warning

The only action Equifax execs took? They sold off a shit-ton of stock:

https://www.bloomberg.com/news/articles/2018-03-14/sec-says-former-equifax-executive-engaged-in-insider-trading

The Equifax breach exposed the arrogance and impunity of the Big Three. Afterward, Equifax offered "free" credit monitoring to the people they'd harmed. One catch: it was free for a year; after that, they'd automatically bill you, annually, forever.

https://web.archive.org/web/20170911025943/https://therealnews.com/t2/story:19960:Equifax-Data-Breach-is-a-10-out-of-10-Scandal

And you'd pay in another way if you signed up for that "free" service: the fine print took away your right to sue Equifax, forever, no matter how they harmed you:

https://www.ibtimes.com/political-capital/equifax-lobbied-kill-rule-protecting-victims-data-breaches-2587929

The credit bureaux bill themselves as arbiters of the public's ability to take responsibility for their choices, but after the breach, the CEO blamed the entire affair on a single "forgetful" flunky:

https://www.engadget.com/2017-10-03-former-equifax-ceo-blames-breach-on-one-it-employee.html

Then he stepped down and pocketed a $90m salary that his board voted in favor of:

https://fortune.com/2017/09/26/equifax-ceo-richard-smith-net-worth/

Of course they did! His actions made the company so big that even after the breach, the IRS picked it to run its anti-fraud service. Equifax got $7.5m from Uncle Sucker, and would have kept it except that its anti-fraud site was serving malware:

https://www.cbsnews.com/news/equifax-irs-data-breach-malware-discovered/

Equifax eventually settled all the claims against it for $700m in 2019:

https://nypost.com/2019/07/19/equifax-agrees-to-pay-700m-after-massive-data-breach/

But it continued to average five errors per credit report:

https://www.washingtonpost.com/technology/2019/02/11/rep-alexandria-ocasio-cortez-takes-aim-equifax-credit-scoring/

And it continued to store sensitive user-data in an unencrypted database whose login and password were "admin" and "admin":

https://finance.yahoo.com/news/equifax-password-username-admin-lawsuit-201118316.html

Congress introduced multiple bills to force Equifax, Experian and Transunion to clean up their act.

None of those bills passed.

https://www.axios.com/after-equifaxs-mega-breach-nothing-changed-1536241622-baf8e0cf-d727-43db-b4d4-77c7599fff1e.html

The IRS shrugged its shoulders at America, telling the victims of Equifax's breach that their information had probably already leaked before Equifax doxed them, so no biggie:

https://thehill.com/policy/cybersecurity/355862-irs-significant-number-of-equifax-victims-already-had-info-accessed-by

Since then there have been other mass breaches, most recently the Facebook breach that exposed 500m people's sensitive data. That data can be merged with data from other breaches and even from "anonymized" data-sets that were deliberately released:

https://pluralistic.net/2021/04/21/re-identification/#pseudonymity

And while you can theoretically prevent your data from being stolen using the current Experian vulnerability by freezing your account, that's not as secure as it sounds.

Back in 2017, Brian Krebs reported that Experian's services were so insecure that anyone could retrieve the PIN to unlock a frozen credit report by ticking a box on a website:

https://krebsonsecurity.com/2017/09/experian-site-can-give-anyone-your-credit-freeze-pin/

That was just table-stakes – it turned out that all the credit bureaux had an arrangement with AT&T's telecoms credit agency that was so insecure that anyone could unlock your locked credit report:

https://krebsonsecurity.com/2018/05/another-credit-freeze-target-nctue-com/

These companies came into existence to spy on Americans in order to facilitate mass-scale, racist, ideological and sexual discrimination. They gather data of enormous import and sensitivity – data no one should be gathering, much less retaining and sharing.

They handle this data in cavalier ways, secure in the knowledge that their integration with the US government wins them powerful stakeholders who will ensure that the penalties for the harm they inflict add up to less than the profits those harms generate for their shareholders.

This is why America needs a federal privacy law with a "private right of action" – the ability to sue companies that harm you, rather than hoping that federal prosecutors or regulators will decide to enforce the law.

https://pluralistic.net/2021/04/16/where-it-hurts/#sue-facebook

Experian promises that this breach only affects one company that mis-implemented its API. We would be suckers to take it at its word. It didn't know about this breach until a college sophomore sent in a bug report – how would it know if there were others?

(Image: KC Green)



This day in history (permalink)

#20yrsago Norwegian Linux nerds implement IP-over-Carrier-Pigeon https://www.blug.linux.no/rfc1149/

#15yrsago Barenaked Ladies frontman on copyright reform https://web.archive.org/web/20060505032617/http://www.canada.com/nationalpost/news/issuesideas/story.html?id=3367a219-f395-4161-a9b9-95256c613824

#10yrsago HOWTO Make a Portal Sentry Turret egg-cup https://www.instructables.com/Make-your-own-Portal-Sentry-Turret-Egg-Cup/

#10yrsago Troubletwisters: Garth Nix and Sean Williams’ action-packed new kids’ fantasy https://memex.craphound.com/2011/04/30/troubletwisters-garth-nix-and-sean-williams-action-packed-new-kids-fantasy/

#10yrsago RIP, Joanna Russ http://nielsenhayden.com/makinglight/archives/012974.html#547586

#1yrago AMC: "We will never show another Universal movie" https://pluralistic.net/2020/04/30/day-and-date/#vertical-integration



Colophon (permalink)

Today's top sources: Slashdot (https://slashdot.org/).

Currently writing:

  • A Little Brother short story about pipeline protests. RESEARCH PHASE

  • A short story about consumer data co-ops. PLANNING

  • A Little Brother short story about remote invigilation. PLANNING

  • A nonfiction book about excessive buyer-power in the arts, co-written with Rebecca Giblin, "The Shakedown." FINAL EDITS

  • A post-GND utopian novel, "The Lost Cause." FINISHED

  • A cyberpunk noir thriller novel, "Red Team Blues." FINISHED

Currently reading: Analogia by George Dyson.

Latest podcast: Past Performance is Not Indicative of Future Results https://craphound.com/news/2021/03/28/past-performance-is-not-indicative-of-future-results/

Upcoming appearances:

Recent appearances:

Latest book:

Upcoming books:

  • The Shakedown, with Rebecca Giblin, nonfiction/business/politics, Beacon Press 2022

This work licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.


How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/web/accounts/303320

Twitter (mass-scale, unrestricted, third-party surveillance and advertising):

https://twitter.com/doctorow

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla