[Cryptography] Was Zero Knowledge: Have I Been Pwned? Is Equifax in real life

Tom Mitchell mitch at niftyegg.com
Mon Sep 11 15:57:11 EDT 2017


On Sun, Sep 10, 2017 at 11:25 AM, Henry Baker <hbaker1 at pipeline.com> wrote:

> FYI --
> https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/
>
> Introducing 306 Million Freely Downloadable Pwned Passwords.

....

> "The entire collection of 306 million hashed passwords can be directly
> downloaded
>
....

>
> Ok, all you crypto wizards: here's a real-world problem that needs to be
> solved.
>

This is only one of numerous toxic and poisonous nuts in the set of
Equifax-generated problems.

Equifax and other credit validation services have a series of risks
that are ill-defined in the law.

They (Equifax) were contracted to watchdog Target customers... now they
may be in breach of the Target payments and settlements, especially if they
abused the information they got from Target.  Target wrote the contract and
thus has a liability risk as that tree shakes, as does Equifax...

Equifax seems to be slurping up data left and right in the wake of this, and
apparently the 1-in-1000 social security number plus name hack creates more
risk than is obvious, i.e. name plus last 6 digits of Social Security Number...
Equifax might have been used by a real estate company without the client being
notified which financial service check was used.  So anyone is at risk...

Credit locks may need to be made at half a dozen, perhaps more, services.
The process of locking and unlocking is not free...
https://www.nytimes.com/2017/09/08/your-money/identity-theft/equifaxs-instructions-are-confusing-heres-what-to-do-now.html
https://www.wsj.com/articles/putting-a-freeze-on-credit-thieves-a-look-at-your-protection-options-1505150917

See reported "PIN Generation for Security Freezes" flaw.

Customers and others need to address exactly this zero-knowledge problem:
to discover whether they are at risk from the Equifax breach without leaking
more secrets.

https://yro.slashdot.org/story/17/09/10/0128214/techcrunch-equifax-hack-checking-web-site-is-returning-random-results

At best the web page was a quickly thrown-together hack, now fixed; at worst
it is phishing for confidential data and illegal.  The illegal bit does not
go away; the evidence might.

Then there were the stock transactions by insiders dumping stock in advance
of the public announcement.   Brokers now have a liability to not obfuscate
these transactions...
Brokerage houses might have used Equifax when an account was opened... now
they have a disclosure issue.

Some have observed that the hack on Equifax was so extensive that they cannot
be relied on to continue their business.  If so, how can they be part of the
solution...

So this zero-knowledge topic is very timely.
How to not leak information in the cleanup ... is the trick question...




-- 
  T o m    M i t c h e l l
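One concrete technique for the "check whether I am in the dump without handing over my secret" problem that the thread is circling is a hash-prefix range query (a k-anonymity lookup): the client sends only the first few hex characters of the hash of its password, the server returns every breached hash suffix under that prefix, and the client finishes the comparison locally. The server then learns nothing beyond "one of the 16^(40-k) SHA-1 values with this prefix", instead of a full hash it could crack offline. The Python below is an added example written for this page; it is not code from the post, from the list, or from the Pwned Passwords service. The corpus in SAMPLE_PASSWORDS is constructed, the prefix length of 1 hex character is an assumption chosen so the tiny corpus still produces multi-entry buckets, and all class and function names are invented for the demo.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample corpus standing in for a hashed-password dump.
# These are NOT taken from any real breach; they exist only so the demo runs offline.
SAMPLE_PASSWORDS = [
    "password", "123456", "qwerty", "letmein", "monkey", "dragon",
    "baseball", "iloveyou", "trustno1", "sunshine", "princess", "welcome",
    "shadow", "football", "master", "abc123",
]


def sha1_hex(text: str) -> str:
    """Hex SHA-1 of a string; hashed-password dumps are commonly published this way."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


class BreachServer:
    """Holds the breached hashes, bucketed by hash prefix, and logs everything it sees.

    The log is the point of the demo: it is exactly what a client reveals.
    (Hypothetical class for this example, not a real service.)
    """

    def __init__(self, hashes, prefix_len: int):
        self.prefix_len = prefix_len
        self.buckets = defaultdict(list)
        for h in hashes:
            self.buckets[h[:prefix_len]].append(h[prefix_len:])
        self.observed = []  # everything clients have sent us

    def range_query(self, prefix: str) -> list:
        """k-anonymity API: return every suffix whose hash starts with `prefix`."""
        self.observed.append(prefix)
        return sorted(self.buckets.get(prefix, []))

    def exact_query(self, full_hash: str) -> bool:
        """Naive API: the client hands over the whole hash. Kept only for contrast."""
        self.observed.append(full_hash)
        p = self.prefix_len
        return full_hash[p:] in self.buckets.get(full_hash[:p], [])


def naive_check(server: BreachServer, password: str) -> bool:
    """Leaky client: the server learns the full hash and can crack a weak password offline."""
    return server.exact_query(sha1_hex(password))


def private_check(server: BreachServer, password: str):
    """Range-query client: send only a prefix, compare the suffix locally.

    Returns (found, bucket_size); bucket_size is how many breached entries share
    the prefix, i.e. how many candidates the server cannot tell apart.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[: server.prefix_len], digest[server.prefix_len :]
    candidates = server.range_query(prefix)
    # sum() instead of any() so the loop does not stop early at the first match,
    # and compare_digest keeps each individual comparison content-independent.
    matches = sum(hmac.compare_digest(c, suffix) for c in candidates)
    return matches > 0, len(candidates)


def hash_space_per_prefix(prefix_len: int) -> int:
    """Number of distinct SHA-1 values consistent with a `prefix_len`-hex-char prefix."""
    return 16 ** (40 - prefix_len)


def demo(prefix_len: int = 1) -> dict:
    """Run both clients against the same server and report what leaked.

    prefix_len=1 is an assumption made so the tiny constructed corpus still yields
    multi-entry buckets; a real deployment would tune it to the corpus size.
    """
    server = BreachServer([sha1_hex(p) for p in SAMPLE_PASSWORDS], prefix_len)
    naive_found = naive_check(server, "password")
    found, bucket = private_check(server, "password")
    not_found, _ = private_check(server, "correct-horse-battery-staple-7!xq")
    return {
        "naive_found": naive_found,
        "private_found": found,
        "private_not_found": not_found,
        "bucket_size": bucket,
        "observed": list(server.observed),
        "candidates_per_prefix": hash_space_per_prefix(prefix_len),
    }


if __name__ == "__main__":
    r = demo()
    print("naive client revealed to the server:", r["observed"][0])
    print("private client revealed only:", r["observed"][1:])
    print("found / not found / bucket size:",
          r["private_found"], r["private_not_found"], r["bucket_size"])
    print("hash values consistent with each prefix:", r["candidates_per_prefix"])
```

The caveat a practitioner should keep in mind: the prefix does not hide which password the client is worried about from anyone who already has a guess, it only removes the full hash from the wire and from the server's logs, and the bucket size (k) is what bounds how much the server can narrow things down. The same shape of query applies to the Equifax case in the post (name plus partial SSN) only if there is a trustworthy party to hold the corpus, which is exactly what the post doubts.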