TechCrunch: Equifax Hack-Checking Web Site Is Returning Random Results

An anonymous reader quotes security researcher Brian Krebs: The web site that Equifax advertised as the place where concerned Americans could go to find out whether they were impacted by this breach -- equifaxsecurity2017.com -- is completely broken at best, and little more than a stalling tactic or sham at worst. In the early hours after the breach announcement, the site was being flagged by various browsers as a phishing threat. In some cases, people visiting the site were told they were not affected, only to find they received a different answer when they checked the site with the same information on their mobile phones.
TechCrunch has concluded that "the checker site, hosted by Equifax product TrustID, seems to be telling people at random they may have been affected by the data breach." One user reports that entering the same information twice produced two different answers. And ZDNet's security editor reports that even if you just enter Test or 123456, "it says your data has been breached." TechCrunch writes: The assignment seems random. But, nevertheless, they were still asked to continue enrolling in TrustID. What this means is not only are none of the last names tied to your Social Security number, but there's no way to tell if you were really impacted. It's clear Equifax's goal isn't to protect the consumer or bring them vital information. It's to get you to sign up for its revenue-generating product TrustID.
Meanwhile, one web engineer claims the secret 10-digit "security freeze" PIN being issued by Equifax "is just a timestamp of when you made the freeze."

Do the math

[Applehu+Akbar]

The judgement Equifax will have to pay for this breach is massive. Unfortunately, the probability of it staying solvent enough to pay anything is the reciprocal of this amount.

Re:Do the math

+5 funny.

Re:Do the math

[Desler]

I look forward to my "massive" $5 gift certificate.

Re:Do the math

This is a joke right? Equifax made more than $3 billion last year in revenue and has nearly $7 billion in assets. I'm sure they'll be perfectly fine after their slap on the wrist from the Trump Administration.

Re:Do the math

[arth1]

$20 towards signing up for TrustID, I'm sure. Taxes and other fees apply.

Re:Do the math

[Desler]

Ooooh. Very generous.

Re:Do the math

[Dracos]

After the Election Integrity Commission debacle, it wouldn't surprise me if this was plan C to obtain shittons of voter information.

Equifax is going to crash hard, BearStearns/Lehman Brothers style hard.

Re:Do the math

[whoever57]

I predict that they won't pay a penny. Not a single cent.

They are too well connected.

The credit bureaus can already ruin someone's life with wrong information and not suffer any consequences for what should be a crime, or at least libel.

Re:Do the math

Uh huh. And pigs will start flying tomorrow.

Re:Do the math

[mentil]

Nah. Carly, Elop or Meg will take over for a while until they're bought out by Verizon. All the data owned by Equifax will then be used for yet another Verizon targeted advertising scheme, because apparently Verizon wishes it were Google.

Re:Do the math

I *knew* this was all Drumpf's fault somehow!

Re:Do the math

No matter who were in the White House, there would be no difference in outcome.

Re:Do the math

And that justifies anything, how?

Re: Do the math

By stating this is status quo, ergo business as usual, apropos nothing to see here so.move.on.

Seriously what damage is this going to do to (a) millions of people in debt and (b) the millions of people who freeze their security file like good minions? Otherwise it's maybe a few people that are inconvenienced because someone opened (an obviously fraudulent) a credit card in your name?

Ooooooh boogie monster.

Re: Do the math

False. If Gore were in the White House we wouldnâ(TM)t have been lied into a the war in Iraq. Nice try though...

Re:Do the math

[Zocalo]

Pretty much. The only saving grace for Equifax on that front since they apparently have data on EU citizens involved in the breach is that they managed to get taken to the cleaners before the GDPR comes into force next May. If they'd somehow been able to keep the ship afloat that long, then they'd also be on the hook to the EU for 4% of their global annual *turnover* for the last fiscal year, which is probably enough to wipe them out all on its own. I doubt very much the company is going to survive this, even if the government steps in and bails them out - any trust their customers might have had should be long gone by this point.

Of course, that means that all your ID eggs are now going to be in two baskets rather than three, and there's absolutely zero evidence that either of the other two major players are any better at this than Equifax as far as I can see. Good luck with that.

Re: Do the math

[Hognoxious]

If he hadn't invented the internet this hack wouldn't have occurred. Therefore, Obama is a Kenyan. QED.

Re: Do the math

[AuMatar]

Their customers are the lenders. Nobody pays or asks to be in a credit reporters database. And the lenders have no reason to give a shit about this.

Re: Do the math

[Zocalo]

I think that rather depends on whether or not the consumers looking for a loan or other credit related service start looking into who their prospective sources of finance are using for doing background checks. If enough potential creditors start factoring that information into their decision making process - quite possible given the amount of media attention this is getting - then I suspect the lenders are going to start caring a little more than they might do at present. Not that it's going to make much difference; the system is clearly horribly broken and it's probably just a matter of time before Experian and TransUnion get compromised as well.

Re:Do the math

[shentino]

I'm afraid Monsanto has a patent on that

Re: Do the math

I look forward to our flying pig overlords

Re: Do the math

[SharpFang]

Nah. Their wings are delicious though.

Re:Do the math

Math, OK - $7e9 assets / 134e6 affected people = $52 settlement per person. Figure 40-50% lawyer fees, taxes, fines and other assorted fees... yeah, $20 per person seems about right.

Re: Do the math

Wait, it's not yet?

Re:Do the math

Russian trolls sent by Putin did it. You can't blame corporations or our government for their negligence ae911truth dot org

Re: Do the math

[Monster_user]

Uhm, good luck with that. I's suspect most of our front end sales reps don't even know who we use for background credit checks. Its a stacked system, third party, third party, third party. Probably means we use more than one of the big three.

Re:Do the math

[TheRaven64]

Not true. The two political parties in the US are beholden to different special interest groups. For example, the Democrats will never refuse a request from Hollywood and the Republicans will never refuse a request from the oil industry.

Re:Do the math

[Desler]

Protip: DMCA was introduced by a Republican.

Re:Do the math

Perhaps they could make the awards a larger amount, and then given to a random subset of the victims -- it would be in keeping with their current methodology.

Re: Do the math

[Old+Man+Kensey]

RFC1925 applies here. Specifically section 3.

Re:Do the math

[thegreatbob]

We'll need your credit card number up front, of course.

Re: Do the math

Mmm tasty pork wings in spicy mustard sauce.

Re: Do the math

It would be better if it didn't stay solvent. Then it won't be possible to use it to do credit report checks. As long as your reporting is frozen at the other credit sites, you'd be ok

Re: Do the math

Good. One less credit reporting agency with false data that I'll have to report to every time I check my credit history, although I would have preferred them to go under in a way that didn't potentially effect my life

Re:Do the math

[MarcQuadra]

> I doubt very much the company is going to survive this

I'm sick of hearing this stuff. I heard it about virtually every Trump-related news story for the last year, I heard it about New Orleans, I heard it about BP. I heard it about Volkswagen.

Look, the market already priced this disaster, based on what data is available. They lost about 15% of their value. They have solid fundamentals that aren't changing in any sort of way that pose an existential threat to the company; unless there's a lot more of this than we can see.

Re: Do the math

Actually, Google badly wants Verizon's data.

Re:Do the math

[DaveSewhuk]

See the John Oliver's Last Week Tonight show about this very topic. https://www.google.com/url?sa=...

Re:Do the math

More like 'One free month of credit protection (with the purchase of 11 months at full price and waiver of right to sue').

The Experian hotline

[timholman]

Today I tried calling the new Equifax help line (set up because of the data breach) and asked the woman I spoke to if Equifax intended to issue new PIN numbers to the people who already had credit freezes.

Long pause. "Sir, have you been to our web site?"

Me: "Yes, I have. According to your own site, my data is at risk. My wife and I froze our credit a couple of years ago, and you issued us 10-number PINs for unfreezing our credit online. Since the hackers now have everything they need to log into your web site with our credentials, I want to know if those PIN numbers were part of the compromised information, and if Equifax intends to issue new PIN numbers."

Another very long pause. "Sir, I don't have that information at this time, but I will log this request."

Me: "Yeah, Equifax doesn't have much information about anything, does it? Have a nice day."

Talk about incompetence compounded. So now it turns out that the PIN is nothing but a timestamp, and Equifax has given up all the information needed for a criminal to unfreeze my credit using their website. Anyone want to bet if that timestamp can be deduced from the information already stolen in the breach?

Re:The Experian hotline

[fustakrakich]

Stop and think for a second. This isn't "incompetence".

HAND indeed!

Re:The Experian hotline

[mentil]

But, but... the lowest bidder PROMISED us security. It was even one of the bullet points on the Powerpoint! /s

Re:The Experian hotline

[Desler]

But what did the Magic Quadrant say?

Re:The Experian hotline

Today I tried calling the new Equifax help line (set up because of the data breach) and asked the woman I spoke to if Equifax intended to issue new PIN numbers to the people who already had credit freezes.

Long pause. "Sir, have you been to our web site?"

Me: "Yes, I have. According to your own site, my data is at risk. My wife and I froze our credit a couple of years ago, and you issued us 10-number PINs for unfreezing our credit online. Since the hackers now have everything they need to log into your web site with our credentials, I want to know if those PIN numbers were part of the compromised information, and if Equifax intends to issue new PIN numbers."

Another very long pause. "Sir, I don't have that information at this time, but I will log this request."

Me: "Yeah, Equifax doesn't have much information about anything, does it? Have a nice day."

Talk about incompetence compounded. So now it turns out that the PIN is nothing but a timestamp, and Equifax has given up all the information needed for a criminal to unfreeze my credit using their website. Anyone want to bet if that timestamp can be deduced from the information already stolen in the breach?

STOP SAYING PIN NUMBERS

Re:The Experian hotline

What does HAND mean in this context?

Re:The Experian hotline

[arth1]

STOP SAYING PIN NUMBERS

Yes, he should have said personal PIN number, so it's not mistaken for a corporate PIN number.

Re:The Experian hotline

[phantomfive]

The incompetence is deep here. Unfortunately, when it comes to software, incompetence doesn't seem to be a crime.

Re:The Experian hotline

> Talk about incompetence compounded

Well, their Chief Security Officer is a liberal arts diversity hire. What do you expect?

Re:The Experian hotline

which is most useful at an automatic ATM machine.

Re:The Experian hotline

[DavidRawling]

Have A Nice Day. Often part of "YHBT. YHL. HAND."

Re: The Experian hotline

[Monster_user]

Depends on how precise the time stamp was, minutes, seconds, milliseconds, nanoseconds. Also depends on how frequently you or an indentity thief was using your credit til it was frozen. Unless it was actually a statement listed in your credit report,...

Re:The Experian hotline

[sfcat]

> Talk about incompetence compounded

Well, their Chief Security Officer is a liberal arts diversity hire. What do you expect?

Experian's Tom King is a diversity hire? Are you sure? Seems like more of a typically corporate exec...

Re:The Experian hotline

Equifax's CSO: https://i.redd.it/82b6jhs2mukz.jpg

Not sure why parent put Experion in the title while talking about Equifax in the body.

Re:The Experian hotline

So now it turns out that the PIN is nothing but a timestamp, and Equifax has given up all the information needed for a criminal to unfreeze my credit using their website. Anyone want to bet if that timestamp can be deduced from the information already stolen in the breach?

I have a freeze on my credit with Equifax, and the PIN is most assuredly not a timestamp for when the freeze took effect. From what I can tell, it doesn't correspond with anything. Same for my PIN with the other bureaus.

Now, that's not to say they haven't changed things since I enabled my freeze, and now you have me worried about my PIN being compromised.

Re:The Experian hotline

So, a personal personal identification number then.

Re:The Experian hotline

Flamebait

And now we have Equifax shills protecting their own. What a bunch of cunts!

Re:The Experian hotline

personal personal identification number number, you missed a number.

Re:The Experian hotline

[bagofbeans]

Froze mine in 2016. Just checked it, and it sure is a timestamp.

Re:The Experian hotline

[Euler]

PI Numbers. Now do you see why redundancy is ok?

Re:The Experian hotline

Hahaha, disregard that drivel I said about Equifax shills somehow modding me down and being cunts, I fuck my own HAND to a picture of my communist and free-software idol, Richard Stallman, rather than pussy because girls hate me and RMS is God. I hope to one day suck his cock and give him a HAND job indeed.

Re:The Experian hotline

The incompetence is deep here. Unfortunately, when it comes to software, incompetence doesn't seem to be a crime.

When software interviews are little more than glorified puzzle solving sessions, what do you expect? I honestly feel like the entire CS industry -- especially in security -- needs a full revamp in its hiring process.

Just Looked at My PIN

It indeed IS a time stamp. Geezus. It's bad enough it's just a numeric PIN which isn't very secure to begin with, but then to be that obvious. Wow. Hopefully I can get that changed.

The good news is freezing my credit here in Indiana didn't cost me a dime. It's a law we have here.

Re:Just Looked at My PIN

[Desler]

Yeah it's ridiculous especially since TransUnion and Experian let you set your own PIN rather than relying on some incompetent to give you a deterministic 'random' PIN.

Re:Just Looked at My PIN

"Incompetent" just doesn't cut it. Their name needs to become a verb. They've fucked up that hard.

"Hey, buddy, don't equifax that document!"

Re: Just Looked at My PIN

Obvious if an attacker knows the exact time the PIN was generated.

Re:Just Looked at My PIN

I think you're on to something here.

Re:Just Looked at My PIN

[mishehu]

Something along the lines of "From this day forth, all the toilets in the kingdom shall be known as... Johns!"

Re: Just Looked at My PIN

[Rockoon]

Knowing where the numbers start is good enough for fun and profit.

Re: Just Looked at My PIN

Think bigger:
"Wow, that leak just Equifaxed the whole corporation."

Re:Just Looked at My PIN

[Solandri]

There's nothing intrinsically wrong with using a timestamp, provided (1) the timestamp has sufficient resolution to make a brute force attack unfeasible. Timestamps are used in some pseudo-random number generators - you use something like the last 8 digits of the exact nanosecond a random number was requested. And (2) Equifax only stores the hash so it can't be reverse-engineered if their password database is stolen.

Unfortunately, it looks like their timestamp only has one minute resolution, meaning there are only 1440 possible timestamps every day. Which means it'll be almost trivial for a identity thief to brute force based on when they lost their ability to use your credit, and what time of day you were likely to be awake and free to request the credit freeze. And even if they're hashing their password database, a hacker who steals it and their hashing algorithm will be able to generate a rainbow table with just a half million entries per year.

Re: Just Looked at My PIN

Weâ(TM)ve all been equif***ed.

Re:Just Looked at My PIN

[blincoln]

There's nothing intrinsically wrong with using a timestamp

Yes, there is, when the topic involves security (which is almost always). Unlike a well-vetted PRNG, truncating a timestamp (at either end) has no mathematical basis for producing high-entropy results.

Just about every modern programming language has a built-in mechanism for generating random numbers with high entropy. There is no reason to not use that functionality in a case like this.

Re:Just Looked at My PIN

sufficient resolution to make a brute force attack unfeasible. ... you use something like the last 8 digits

You need to update your ideas about the feasibility of a brute force attack. Attacks which require brute-forcing 10^20 texts are considered routine nowadays.

Re:Just Looked at My PIN

[Cbs228]

At the risk of saying, "me too," I can also confirm that Equifax security freeze PINs are a timestamp.

PINs do not necessarily need to be "random" in order to be secure. They need only be unpredictable by an outside attacker. Right away, we can see that some digits are predictable. Years are limited by the age of the submitter. Hours are generally limited to those during which the submitter is awake. I'm not sure why they bothered with ten digits when the PIN actually has much less entropy than that.

The security freeze process also generates events which are observable to an outside attacker. The process may result in either credit card transactions or validation/receipt emails. These things might easily be logged with sub-minute time resolution. If attackers breached Equifax's credit card processing database, then all PINs are compromised. Stop.

But even if PINs are purely random and are stored hashed—which is the accepted way to do things—then they would still be compromised in the event of a data breach. Ten numeric digits isn't going to be particularly difficult to brute-force, even with a very expensive salted hash. In 2017, it is easy to purchase massive amounts of compute time... for cheap. The only safe way to store such a short string would be a well-designed Hardware Security Module. That's assuming they care. They don't, of course.

At this point, there has been no indication that the integrity of Equifax's data has been compromised... only its confidentiality. This is a problem for us consumers, as it means that credit issuers can still continue to rely on them to verify creditworthiness.

I would recommend placing a "fraud alert" and keeping it up-to-date every 90 days. It costs nothing, and it provides a little extra security.

Re: Just Looked at My PIN

TransUnion lets you set your own SIX-DIGIT PIN. Wow! 6 whole digits!

Wow! Lord help us all!

And these people are supposed to be our *pillars of society*? They're worse than street thugs! Despite all this, these are the kinds of people we will still reelect to high office. We're doomed! Where's a giant meteor when you need one?

Re:Wow! Lord help us all!

I have a rule, never send a meteor to fix problems that can be washed with one good cascade.

Re:Wow! Lord help us all!

I like cascade but sometimes it leaves water spots on the goblets.

Re: Wow! Lord help us all!

Youâ(TM)re just figuring this out now? Lol... weâ(TM)ve all been fucked since Trump won the election.

Racketeering

[mentil]

It has become increasingly obvious that Equifax and their cohorts are running a racket, running roughshod over consumer rights. The congressionally-mandated free annual credit report was inadequate to solve all the problems with their business. I pray that racketeering charges are brought against Equifax, for their practice of punishing people who don't sign up for their protection services whenever Equifax makes a mistaken data entry, and by holding proprietary information over their head limiting access to any significant financial transactions (although lenders are as at fault here too.) Furthermore, 'identity theft' should be an Equifax/lender problem, rather than a consumer problem.

Re:Racketeering

Butchering out a few dozen EF execs would have an immediate salutary effect on the business ethics. Fewer documented crooks in their command-chain. You think ? Eh ... hehehe !

Re:Racketeering

[supremebob]

Considering the pro business government that it's charge right now, I doubt that Equifax will get more than a slap on the wrist for this breach.

I don't think that much will change here until a bunch of congresspeople get their own identities stolen and this becomes a personal issue to them.

Of course, even then they'll all have VIP numbers to call that let them skip the line and get a senior level caseworker to get their credit problems resolved.

Re:Racketeering

[DarkOx]

Right the big problem here is that there is not cost to the agencies to getting it wrong. If the report inaccurate information about it, it may cost you big, costs them nothing.

The 'free credit report' solution was BS. I it should not be my responsibility to verify on a regular basis some entity isnt spreading material falsehoods about me. Mind you making it my responsibility might be the only practical way, if we give the credit agencies the doubt and assume they at least try to get it right, they have no way to address the problem. They need to be penalized for forwarding bad information in some way. Maybe that is making it extra easy for libel(like) civil suits to succeed against this type of a business, with lower standards of proof of harm.

Re: Racketeering

[Monster_user]

Its called outsourcing to the public. Rather than spend money verifying all your accounts are accurate, get the people to verify the data themselves. Next step is to get governments to verify data fpr the intelligence agencies!

Re:Racketeering

Have you tried getting the free credit report from all three credit bureaus?

The last time I did this you go to the free credit report site. Each different company has their own site it will redirect you to. The individuals sites are click fests of misdirection, obscured by AD buttons and attempts to get you to sign up for SPAM, "innovative" credit services and privacy violating associates. At the end I was able to get a copy physically mailed from one (Transunion), an email to a burner address for another and a 'please print this' page for the last.

  The burner address's mailbox shortly imploded from SPAM for credit card offers. I have no clue what double-opt out click box I failed to properly check.

  Sourceforge during the Dice.com days was only marginally better. I'd rather do my taxes. By hand. With no calculator. State return included.

There should be a law. Oh wait, there is. But it's vague and toothless like most of the stained toilet paper for governance that flows from the D.C. swamp.

Faster method

[Tablizer]

Just ask the Nigerian prince. Quick turnaround if you help him with a little banking snafu.

firefox: bad certificate for equifaxsecurity2017

with OSX firefox, visiting equifax.com and clicking the big orange button in the middle of the site for https://www.equifaxsecurity2017.com/ yields a browser certificate warning:

------------
www.equifaxsecurity2017.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER
------------

weirdly visiting the same URL w/ chrome or safari yield no such warning.

Dicey from start to finish

[AlanObject]

For as long as I can remember all credit scoring companies always behaved in opaque and obscure ways. That continues right up to this day.

When I was in my twenties the law was they had to disclose "everything" if you asked for it and it came on a form that was printed on a 132-column line printer. So I was in credit trouble (that of course is the age for it) and got turned down for a card so they sent me the free report. Most of what was on it was wrong or benign. The late payments on credit cards that I actually did have were not on the report except for Sears who was always the most aggressive on reporting these things. There was nothing on it that would explain an extremely low credit score even though in my case the low credit score was deserved.

I could only conclude that "everything" report in fact did not have everything on it in clear violation of what the law seemed to say. There was nothing I could do about it and nobody with actual influence seemed to care.

Today I have a very high credit score: at the moment my FICO score 876 out of 900. A few years back I bought a car and the dealership had to run a credit report even though I was paying cash. The guy said he had never seen a score that high and his customers he had sold to included highly successful silicon valley execs. I'm not rich by any means but I can pay my bills so whatever.

So I get a copy of the report and it had scant data on it but has a section "things that can adversely affect your score." It lists things there like "too many accounts with balances open." Say what? I don't owe a dime on any account except my mortgage. I have two credit cards with zero balance for months and I haven't paid a dime of interest or finance charge on them for a decade. But that's a problem: "No recent revolving balances." So if you aren't spending enough that's a negative.

I am pretty sure that none of Bill Gates, Larry Ellison and Elon Musk could get a 900. (Not that they would care, nor anyone giving them credit), My point is if it is impossible to ace the test then it is not a good test. But that's the way the credit industry is built -- a complex data base of hidden rules that they can exploit to make money.

It should surprise nobody that Equifax is using this crisis event to skim cash.

Re:Dicey from start to finish

the crime here is that an automotive retailer pulled your credit report on a cash transaction. that's total bullshit. title and registration (which includes the taxes on the purchase) filing and the bank's reporting of the large deposit is all that was required here.

Re: Dicey from start to finish

Credit worthiness and net worth are not a linear relationship

Re: Dicey from start to finish

Credit is a scam so wise up and donâ(TM)t use it. Buy things you can afford with money you have.

Re:Dicey from start to finish

Companies can pull any person's Credit Reports, for any reason, at any time. It is perfectly Legal; it is not a Crime... as long as they pay the freight. Whether it should be a Crime is up to the various Legislatures, with their varying levels of corruption.
What the Agencies can't do is Libel or Slander you based on what is in those Reports. For instance, Landlords (Technically...) can't pass Credit Reports among themselves concerning "Bad Tenants"; the Law is clear on this; each Landlord must purchase their own Credit Reports and treat the information therein as confidential, and as long as kept so, they can do with that information whatever they like.
Before applying for an Auto Loan, the Salesman may request that you stand on your head and sing "Yankee Doodle". Why such information might be in your Credit Reports will remain a Mystery. It's Confidential. If this Equifax Hack reveals anything, it will be just how much absolutely irrelevant information that they collect on their Product: You.

The Credit Reporting Industry in the US is so broken that it can't be fixed. It is just a big pile of Bullshit lying on the ground, and poking at it with one's big toe achieves nothing, it just moves the shit around. If Equifax went under tomorrow, and those three Executives who cashed out, just before the news broke, were hung from the nearest lamp posts by their balls, Experian, TransUnion, and Innovis will just take up the slack, and divide what little Equifax uniquely knew amongst themselves.
I have no solution to offer, other than stocking up on piano wire and doing some really good Lamp Post Surveying.
(Actually, I do have a solution- I haven't used any Credit since 1989. My Scores must be dismal. I pay cash for everything, including my last Mercedes, and my last Beneteau. I have easily saved over $100K by not paying for "Credit". I am not a unique case, but I am rare: "The only winning move is not to play.".)

Re:Dicey from start to finish

Some people who don't carry balances on their credit cards are those avoiding using them because they can't trust themselves, which is why it can be a negative. The reports seem too broad-brush, though, and lack enough longitudinal analysis over time. That could probably be addressed by better application of machine learning ir statistical analysis

Re:Dicey from start to finish

A few years back I bought a car and the dealership had to run a credit report even though I was paying cash.

Uhh, (presuming this was in the U.S.) if you brought your own outside financing or paying in cash, the dealership doesn't need to run credit check on you. They need your ID to report a cash sale over $10,000 to the IRS. Why would you authorize them to run a credit check? How does that even make sense to you?

You: I have cash today!!1
Dealer: Well, great. Let's just check your credit score anyway. I need your SSN, DOB, address...
You: OK.

Re: Dicey from start to finish

They can't just get your report for no reason if you're not applying for credit or giving them permission. Otherwise I'd form a "company" and get reports on all my enemies

Re:Dicey from start to finish

[drinkypoo]

But that's the way the credit industry is built -- a complex data base of hidden rules that they can exploit to make money.

That's the way the insurance industry is built, as well. No one should ever be required to pay for a thing whose price is determined by secret formula.

Re:Dicey from start to finish

[nasch]

As long as you can get quotes and shop around for insurance, why do you need to know what the formula is?

Re: Dicey from start to finish

Then go ahead and do that. You'll find that it's perfectly legal.

Re:Dicey from start to finish

[Shados]

I am pretty sure that none of Bill Gates, Larry Ellison and Elon Musk could get a 900

850 is the max for the scale people generally refer to when talking about credit scores. Googling around, some banks seem to use internally a different score scale, but let's set that aside for a sec.

People can, and in fact do get perfect score. If you understand exactly how it works, its' not that difficult. It has very little to do with how much money you make, and is a pretty artificial metric.

When you get a report and it says things like "too many accounts with balances open", it doesn't mean "you have too many accounts with balances open". It just means you don't have -precisely- the amount of accounts the algorithm uses for a perfect score, so you lost a non-zero amount of points for it, and since you said you have a mortgage, it's probably what it's referring to.

To get a perfect score, you need a bunch of accounts open, that were opened several years ago (none recently), that are used but have 0 balance at the moment they were audited. Your available credit across those account has to be very high, and you need multiple accounts from different credit providers. There are a few other factors, but if you do it just right its pretty simple, given enough time, to manipulate your credit to get a perfect score.

In fact, some people make a game out of it. The only gotcha is you have to use those accounts sometimes but they have to be at 0 or nearly 0 the moment they're reported, and you never know when that will be (since it can change). So often you'll hover between 845 and 850 (or whatever other scale you're looking at, though those may have slightly different criterias)

Re:Dicey from start to finish

A few years back I bought a car and the dealership had to run a credit report even though I was paying cash.

Just say no.

"We have to run a credit check."

"No, you don't."

"Yes, we really do."

"Goodbye."

"Oh wait, no we don't!"

It's amazing how much bullshit just disappears when their commission is at risk.

Re: Dicey from start to finish

[Desler]

But the person did give them permission.

Re: Dicey from start to finish

[AlanObject]

They can't just get your report for no reason

Correct. The dealership had to get my sign-off to get the report for which they paid. (At least up front -- I am sure they made a profit off the sale). I signed off because I didn't feel any reason not to but I wonder what they would have done had I refused.

As for "reason" I suppose they consider themselves vulnerable to scams. When I said "cash" I really meant personal check which of course be kited. Of course also they could have called the bank to clear it. Maybe they had some kind of insurance that protected them as long as they had a credit report on the customer.

Re: Dicey from start to finish

[AlanObject]

Credit is a scam so wise up and don't use it. Buy things you can afford with money you have.

Credit is a scam on those willing to be scammed. The term "loan shark" is quite honest about this.

However the credit card companies offer lots of benefits and perks. If you don't fall into the interest and finance charge trap (mostly by living beyond your means) credit cards are quite worth having.

Try renting a car or buying an airline ticket or checking into a hotel without a credit card. It can be done but it is a hassle.

On top of that I get airline miles with every purchase and that indeed is a good deal.

Re:Dicey from start to finish

[sfcat]

I am pretty sure that none of Bill Gates, Larry Ellison and Elon Musk could get a 900

850 is the max for the scale people generally refer to when talking about credit scores. Googling around, some banks seem to use internally a different score scale, but let's set that aside for a sec.

People can, and in fact do get perfect score. If you understand exactly how it works, its' not that difficult. It has very little to do with how much money you make, and is a pretty artificial metric.

Another big misconception about credit scores is that a "perfect" score is best. A credit score isn't how likely you are to pay back a debt, its a measure of how much money a lender makes on average on your debt. So if you always pay on time or ahead of time, then your credit score can actually go down. Keeping a small balance on your credit cards causes your credit score to go up because you are paying interest. So a good credit score can actually better for you than a perfect one as it means that you are paying less interest than others even if you might (but probably won't) get a higher insurance premium. This makes sense if you understand that their customers are not individuals, they are insurance companies, banks and the like.

Re:Dicey from start to finish

The key to understanding credit scores and using them as a rating system is not to grade individual's financial competency, but to rate chances for lenders to earn money. It is strange, although not unpredictable then, that people who take loans often will give the money suckers more of their earnings.

Re: Dicey from start to finish

Money isn't more real than credit. It's just a human concept.

Re: Dicey from start to finish

[splorp!]

Just FYI, maximum credit score is 850 (both FICO and current Vantage score, since 2013. Previous Vantage score had a max of 990). Unless your 876 was prior to 2013, I have to call you on that.

Re: Dicey from start to finish

That's bogus. I have bought cars with credit cards. They had no reason to pull your report.

Re: Dicey from start to finish

That's a myth that has been debunked over and over. Carrying a balance is stupid.

Re: Dicey from start to finish

[shentino]

Don't forget that credit scores cost money.

Re: Dicey from start to finish

Your website has a bug in the footer. It's also pretty badly coded. I'd go with a static site generator, myself. Perhaps jekyll, although it's hard to recommend it wholeheartedly. Jekyll plus free hosting from Github, however, is a no-brainer for a tech blog.

Re:Dicey from start to finish

> at the moment my FICO score 876 out of 900

FAIL!

Beware of TrustID

[PPH]

According to my sources, a condition for enrolling is giving up your right to participate in a class action suit against Equifax. At least, read the fine print before signing up.

Personally, I'd just lock my credit records with Equifax. Leave them open with the other agencies, so lenders can still approve loans. Just not with Equifax.

Re:Beware of TrustID

[dunkindave]

Personally, I'd just lock my credit records with Equifax. Leave them open with the other agencies, so lenders can still approve loans. Just not with Equifax.

Is your name, address, birthdate, social security number, etc., with TransUnion and Experian different than the information leaked by Equifax? If so, why do you only worry about locking Equifax?

Re:Beware of TrustID

[supernova87a]

He's not thinking too clearly...

Re:Beware of TrustID

[Rockoon]

A lot of people arent.

Given the comments on the related articles, it seems to me that a lot of people here have never had credit except for maybe their government guaranteed student loan for their gender studies.

Re:Beware of TrustID

you're a moron.

Re:Beware of TrustID

[Khyber]

Your sources are incapable of reading, direct from the site - "2). NO WAIVER OF RIGHTS FOR THIS CYBER SECURITY INCIDENT
In response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident."

Re:Beware of TrustID

[PPH]

why do you only worry about locking Equifax?

Because they are fuck-ups and don't deserve my business. There's nothing I can do about information that is already out there. But I can discourage banks and other lenders from taking my business to Equifax by never granting an unlock request for credit through them.

Re:Beware of TrustID

[Desler]

All you'll do is discourage those banks and lenders from doing business WITH YOU and nothing more.

Re:Beware of TrustID

[PPH]

Fine. There are other banks.

Re:Beware of TrustID

[PPH]

Six months down the road, my credit goes to shit because of the hackers. And TrustID proves to be useless. Where did I indicate that I applied for it specifically because of this incident? Absent that, standard TOS will apply. We can't even get a straight answer as to whether we are or are not a part of the affected group (the subject of this thread).

Re:Beware of TrustID

[sfcat]

All you'll do is discourage those banks and lenders from doing business WITH YOU and nothing more.

I disagree, this is the first good idea about what to do about Equifax I've heard. If many many people all locked their Equifax accounts, then lenders would start expecting that this is common, rational behavior. They would then stop seeing the need to use Equifax. This is the first real idea that has a chance at actually impacting their business which is the only way to reform this horribly broken industry.

Re:Beware of TrustID

[Desler]

But everyone is not going to do it. A tiny fraction might and not much more. That's why no bank or lender is gonna care because they can move on to the millions of other people who aren't a hassle to deal with.

creimer == lardo

Equifax is going to crash hard

lol right. What next? You'll claim that creimer will stop being a fatass?

Re: creimer == lardo

Have you stopped raping your neighbor's goats yet?

Re: creimer == lardo

Hey, that goat come on to me!

Re: creimer == lardo

Geez, how many people have goats in Silicon Valley?

Tin Foil Hat Time

It's clear Equifax's goal isn't to protect the consumer or bring them vital information. It's to get you to sign up for its revenue-generating product TrustID.

I wouldn't be surprised if Equifax just manufactured this breach to push their TrustID product.

Re:Tin Foil Hat Time

[Rockoon]

I wouldn't be surprised if Equifax just manufactured this breach to push their TrustID product.

If a company were to "manufacture" such a breach, then they would also sell the information on the black market which adds another win.

Essentially, if they say that they were breached, then your data is out there even if they werent breached.

Boycot

You, as a consumer can boycott by not paying Danegeld for their "protection". The real power brokers here are the banks and large property managers. They can really soak these guys by coming out and saying that they won't pull scores from these guys. That's their bread and butter. I doubt they'll do that though, because they all suck just as bad... but maybe, just maybe, some of them are looking for some "good will". If an otherwise scummy company like BofA or Wells Fargo said they would stop using them, that could really get the bankruptcy ball rolling.

Re: Boycot

Or people could stop doing business with cunts like Wells Fargo, Bank of America and Chase. If you have a clue you donâ(TM)t do business with these criminals.

Re:Boycot

"If an otherwise scummy company like BofA or Wells Fargo said they would stop using them..."

The problem here of course is just who owns these Credit Reporting Agencies. For instance, TransUnion is mostly owned by Goldman & Sachs. Remember them?
Pimps own the Whores, even as they hide in the shadows.

Don't even get me started on that mostly American phenomenon- "Title Insurance". If you have Title Insurance on the home that you own, and you almost certainly do, Banks require it, pay attention to the fine print. You are paying for "Insurance" very very rarely needed, that only pays out to the Bank. If there is any cloud at all on the Title initially, you simply can't get the Insurance. BTW, Title Records are Public; you can get them from County Courthouses, usually for only a nominal Copying Fee. (I paid a flat $10; for that, I also snooped on neighboring properties. Clean Title back to 1872(!). I got the Lender to waive the Insurance requirement, since they were the same Lender of the previous Owner, and I was assuming the Loan. They still nailed me on "Points".)

Really?

Here's the thing:

Equifax was used for credit reporting for everyone. This hack is going to turn out to be bigger than initially reported. Basically, if you are an American and you have or have ever had a credit line (credit card, car loan, home loan, etc.) expect your SSN, Name and address released in this hack.

Also, they will pay little to no fine. The company is massive, and has the financial tools in the right places within Washington to make sure they feel nothing.

Have a nice day, you don't get a choice or say in the matter.

Re: Really?

Keep voting for Republicans and youâ(TM)ll be right.

Re:Really?

[MerlTurkin]

I agree. Slap on the wrist and that's it. We're fucked.

Wow

[XSportSeeker]

It's like they don't have any shame at all...
Oh wait, they don't. Of course they don't.

It's a company that profits from digging up people's information, storing it in an insecure manner, where executives thought it was fine and dandy to hold up breach information for just enough time do some insider trading, save their own asses, and leave costumers to burn.

And can you take a wild guess on what side the current administration in which no one watches the watchmen will take?

Re: Wow

Trump is masturbating on consumers tears. His voters are clapping in approval. They are too dumb to realize Trump is fucking them in the ass.

Do read the ToS of equifaxsecurity2017.com

[Trax3001BBS]

Dated September 8, 2017. It's as bad as the article claims https://trustedidpremier.com/s...

Re:firefox: bad certificate for equifaxsecurity201

[arth1]

The GeoTrust Global CA used to sign the GeoTrust DV SSL CA - G3 certificate is ancient (from 2002) and uses an SHA-1 algorithm, which is no longer considered secure..
So even if the intermediate certificate is SHA-256 sign, the chain is not trusted by clients that require strong security.

GeoTrust used to own Equifax Security, but sold out in 2006, and then got acquied by Verisign, which in turn got acquired by Symantec. So don't be too surprised at signs of incompetence.

LOVE IT

[WolfgangVL]

Dumpster fire. Train wreck. Shit sandwich.

As Angus Deayton used to say ...

[Hognoxious]

So, no change there then.

This wouldn't be a problem

If americans didn't use their SSN like some magic password.
I did an internship there and received an SSN. Am I fucked now too, even though I don't live there anymore?
Fuck this bullshit. And no one has even released the hacked info so we can actually check what's in there.

Re: This wouldn't be a problem

Pretty sure they didn't bother asking the typical American for permission before the practice was started.

The SSN was never intended for the purposes it is used for today, yet here we are.

Assign the blame to the right parties if you're going to go down that path.

Everyone...it was everyone

[elrous0]

These data breaches follow an inevitable life-cycle:

1) Initial release: "We had a data breach which effected some, but not all, of our customers. The data breach was limited, and did not include bank account numbers, CC numbers, etc."

2) A week or two later: "The data breach we reported may have included more customers than we initially reported. Some customers may have had sensitive information like CC information and bank account information compromised."

3) A month later (in a quiet press release late on a Friday afternoon): "It was everyone, and they got everything."

Re:Everyone...it was everyone

[DavidRawling]

Point 3 will no doubt be released at the same time as they announce they have expelled 76 Soviet diplomats.

Re:Everyone...it was everyone

Don't forget 0): Executives sell personal stock in the company shortly before the initial press release.

Re:Everyone...it was everyone

[sad_]

followed by a statement that 'they take security very seriously'.

Code for "verifying" whether you are affected

[crazyray]

If you are curious about why the TrustedID site returns false answers when you input bogus info, here is a pretty good hint. https://twitter.com/rayjwatson...

Re:Code for "verifying" whether you are affected

not curious enough to look at a twooter url.

What's this credit score thing about?

As a non-usain, what's exactly this credit score thing about and why is handled by private entities?

1st world/USA problem...

Re:firefox: bad certificate for equifaxsecurity201

[chihowa]

Your scenario hints more at the incompetence of the browser than GeoTrust, in this case (not surprisingly, I'm only seeing this with Firefox). The root CA is self-signed and its security is not impacted by a weak hash. The rest of the chain, where the strength of the hash is important, uses SHA-256 hashes.

SHA1 is depreciated so all currently generated root CAs will use SHA2, but there is no security impact of a root CA with a SHA1 hash.

Re: Insurance is secrert formulas

[gabrieltss]

I have worked for both the health insurance industry and now the property casualty side. Both use what is called "Predictive Modeling". The company I work for now uses 91 different "points" to assign you a "model rate code". One of those "points" is your Equifax credit score! Any time a policy is rated "numbers" are sent into the Predictive Modeling system it takes those "numbers" and gathers other information including your Equifax credit score (we store them in our databases and if we don't have it we call a "secure" web service at Equifax to get it, once we have it - we store it. The "Model Rate Code" that is produced is a single digit number it can be from a negative number, a zero or a positive number. That number is then multiplied by the "rate" initially generated and then you are told how much your premium will be. The 91 different "Points" we rate on are HIGHLY guarded the ONLY people allowed to know what those "points" are, are the Actuaries, and there are only TWO of them that are allowed to know them. So just to make you feel even BETTER - many companies can do the same thing with your Credit score information - pay Equifax to use their "secure" web service and get your information and then store it on THEIR systems. So while your worried about Equifax - think about how many other companies have your information and may be even LESS secure than Equifax!!!

No recent revolving balances

[SpammersAreScum]

"No recent revolving balances". Not really an issue of "not spending enough", as far as I can tell from Googling. If you have at least a few cards open, the complaint is you haven't put any spend on some of them for a while. Why that's considered bad I have no idea. So, same spend but distributed over all the cards would clear this up. Or, if you can close some unused ones and still maintain the other criteria, that's an option.

I hadn't realized this myself, and do in fact have 3 -- soon to be 4 -- no-AF mothballed cards. So I need to consider this myself.

Re:No recent revolving balances

I think their idea - from the credit risk perspective - is that you could at some point charge them all to the max and then stop paying. Although, credit available vs revolving credit as a ratio would be a better metric to watch.

Re:firefox: bad certificate for equifaxsecurity201

deh-preh-kated. deprecated. not depreciated. your publicly-funded education has failed you. demand a refund.

Welp

This is what happens when you Affirmative Action a female college MUSIC MAJOR into your Chief Security Officer role. Good job liberals, Equifax is on you.

Re: firefox: bad certificate for equifaxsecurity20

[Monster_user]

Autocorrect failure perhaps?

Re:firefox: bad certificate for equifaxsecurity201

Says the guy who doesn't properly use capitalization, punctuation, or proper sentence structure. The irony is lost on you, I'm sure.

Re:firefox: bad certificate for equifaxsecurity201

[Asgard]

The issue there is that the server is sending a server cert that isn't signed by the Root CA, it is signed by GeoTrust DV SSL CA - G3 -- and that was not sent by the server. It is the servers responsibility to provide certificates that link the server cert with the root cert.
 

I agree....

[MerlTurkin]

When I checked it just gave me a sign up date which I ASSume means I got hit. Ironic that it wants the last 6 digits and last name

Re:firefox: bad certificate for equifaxsecurity201

[chihowa]

True, but the URI for the missing intermediate certificate is included in the "CA Issuers ( 1.3.6.1.5.5.7.48.2 )" field. It's not ideal, but it's not worth refusing to connect over. If downloading the intermediate from that URI failed, the chain should definitely be considered broken.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Comment removed

[account_deleted]

Comment removed based on user account deletion

Comment removed

[account_deleted]

Comment removed based on user account deletion

PIN Number

[antdude]

Stop saying "PIN Number" too. PIN = Personal Identification Number. Why say "number" twice? :P

Re:PIN Number

wooooosh

Hmm

[bagofbeans]

So Equifax continues to provide credit scores even when the target has frozen it?

Re:Hmm

people act like freezing your credit does anything... I bought a car with my credit frozen. the dealer comes back and says 'your credit is frozen i'm going to have to verify your identity." he copied my cellphone number of my loan application onto a sticky not, walked into the other room, called my cellphone and asked me if My name was correct. hung up, walked back out and said, 'looks good'.

bait

[shentino]

Let's see, you have to give up your right to sue in a class action, and all you get is random bullshit that tells you nothing anyway.

This smells like nothing more than bait for an immunity grab.

Predictive

[Tenebrousedge]

After the Election Integrity Commission debacle, it wouldn't surprise me if this was plan C to obtain shittons of voter information.

The major parties already have all the information they could want on you. More information is not always better. The most important predictors of your voting behavior are your age, political registration, parents' political registrations, income level, education level and other such things which tend to be either public or legally obtainable. The major parties have this information for the vast majority of citizens. Knowing the details of your past addresses or credit history isn't necessarily going to be any better of a predictor of your behavior than knowing that you're left-handed and like sushi, and it's not like you're able to do more targeted advertising based on this information.

So the simplest answer here is that your credit score doesn't have all that much to do with your political opinions. The cynical answer is that if it did, the major parties would probably have legal access to it already. My general impression of the tech writeups of the recent campaigns seems to be that they are drowning in data, and they're more or less incompetent at doing anything with it. Which to my mind is all to the good.

Funding Sources

[Tenebrousedge]

Protip: One counterexample does not negate decades of history.

Entertainment lobbying has been solidly blue for decades, and the energy lobby is even more extremely biased in the other direction. The DMCA specifically had broad bipartisan support, passing the Senate unanimously. The entertainment industry tends to have broader representation of LGBTQ persons, and is also heavily unionized, and the Republican party opposes both of these things. The 2016 election shows the same bias in funding, with HRC getting the vast majority of entertainment industry funding and also being the only 'D' on this list. This is not exactly new or controversial.

But...

[bagofbeans]

...did you buy outright, or get a loan from the dealer? Sounds like the former, so credit frozen didn't affect the transaction.

FICO?

[AlanObject]

I just checked again. It is service provided by citibank's account page "check your FICO® score". The values are Mar: 867, Apr: 863, May: 867, Jun: 867, Jul: 856, Aug: 856.

My guess is the drop in July had to do with us getting a line of credit against the equity in our house.

At the bottom of the chart it says "Score ranges is 250 to 900." I have never found an explanation as to why credit score ranges don't use a more intuitive scale, such as 0-100 but they have always done this.

Good riddance!

[martinfb]

Equifax needs to go away anyway.
It is a totally incompetent company anyway; a useless, outdated service that serves only it's stockholders.
Umm, I mean USED to serve it's stockholders. Now it serves no one. Go away.

Re:Good riddance!

[martinfb]

BTW: Equifax owes me - big time!