TechCrunch: Equifax Hack-Checking Web Site Is Returning Random Results

An anonymous reader quotes security researcher Brian Krebs: The web site that Equifax advertised as the place where concerned Americans could go to find out whether they were impacted by this breach -- equifaxsecurity2017.com -- is completely broken at best, and little more than a stalling tactic or sham at worst. In the early hours after the breach announcement, the site was being flagged by various browsers as a phishing threat. In some cases, people visiting the site were told they were not affected, only to find they received a different answer when they checked the site with the same information on their mobile phones.
TechCrunch has concluded that "the checker site, hosted by Equifax product TrustID, seems to be telling people at random they may have been affected by the data breach." One user reports that entering the same information twice produced two different answers. And ZDNet's security editor reports that even if you just enter Test or 123456, "it says your data has been breached." TechCrunch writes: The assignment seems random. But, nevertheless, they were still asked to continue enrolling in TrustID. What this means is not only are none of the last names tied to your Social Security number, but there's no way to tell if you were really impacted. It's clear Equifax's goal isn't to protect the consumer or bring them vital information. It's to get you to sign up for its revenue-generating product TrustID.
Meanwhile, one web engineer claims the secret 10-digit "security freeze" PIN being issued by Equifax "is just a timestamp of when you made the freeze."

Re:Do the math

This is a joke right? Equifax made more than $3 billion last year in revenue and has nearly $7 billion in assets. I'm sure they'll be perfectly fine after their slap on the wrist from the Trump Administration.

Re:Just Looked at My PIN

[Desler]

Yeah it's ridiculous especially since TransUnion and Experian let you set your own PIN rather than relying on some incompetent to give you a deterministic 'random' PIN.

Dicey from start to finish

[AlanObject]

For as long as I can remember all credit scoring companies always behaved in opaque and obscure ways. That continues right up to this day.

When I was in my twenties the law was they had to disclose "everything" if you asked for it and it came on a form that was printed on a 132-column line printer. So I was in credit trouble (that of course is the age for it) and got turned down for a card so they sent me the free report. Most of what was on it was wrong or benign. The late payments on credit cards that I actually did have were not on the report except for Sears who was always the most aggressive on reporting these things. There was nothing on it that would explain an extremely low credit score even though in my case the low credit score was deserved.

I could only conclude that "everything" report in fact did not have everything on it in clear violation of what the law seemed to say. There was nothing I could do about it and nobody with actual influence seemed to care.

Today I have a very high credit score: at the moment my FICO score 876 out of 900. A few years back I bought a car and the dealership had to run a credit report even though I was paying cash. The guy said he had never seen a score that high and his customers he had sold to included highly successful silicon valley execs. I'm not rich by any means but I can pay my bills so whatever.

So I get a copy of the report and it had scant data on it but has a section "things that can adversely affect your score." It lists things there like "too many accounts with balances open." Say what? I don't owe a dime on any account except my mortgage. I have two credit cards with zero balance for months and I haven't paid a dime of interest or finance charge on them for a decade. But that's a problem: "No recent revolving balances." So if you aren't spending enough that's a negative.

I am pretty sure that none of Bill Gates, Larry Ellison and Elon Musk could get a 900. (Not that they would care, nor anyone giving them credit), My point is if it is impossible to ace the test then it is not a good test. But that's the way the credit industry is built -- a complex data base of hidden rules that they can exploit to make money.

It should surprise nobody that Equifax is using this crisis event to skim cash.

Re:Dicey from start to finish

[Shados]

I am pretty sure that none of Bill Gates, Larry Ellison and Elon Musk could get a 900

850 is the max for the scale people generally refer to when talking about credit scores. Googling around, some banks seem to use internally a different score scale, but let's set that aside for a sec.

People can, and in fact do get perfect score. If you understand exactly how it works, its' not that difficult. It has very little to do with how much money you make, and is a pretty artificial metric.

When you get a report and it says things like "too many accounts with balances open", it doesn't mean "you have too many accounts with balances open". It just means you don't have -precisely- the amount of accounts the algorithm uses for a perfect score, so you lost a non-zero amount of points for it, and since you said you have a mortgage, it's probably what it's referring to.

To get a perfect score, you need a bunch of accounts open, that were opened several years ago (none recently), that are used but have 0 balance at the moment they were audited. Your available credit across those account has to be very high, and you need multiple accounts from different credit providers. There are a few other factors, but if you do it just right its pretty simple, given enough time, to manipulate your credit to get a perfect score.

In fact, some people make a game out of it. The only gotcha is you have to use those accounts sometimes but they have to be at 0 or nearly 0 the moment they're reported, and you never know when that will be (since it can change). So often you'll hover between 845 and 850 (or whatever other scale you're looking at, though those may have slightly different criterias)

Beware of TrustID

[PPH]

According to my sources, a condition for enrolling is giving up your right to participate in a class action suit against Equifax. At least, read the fine print before signing up.

Personally, I'd just lock my credit records with Equifax. Leave them open with the other agencies, so lenders can still approve loans. Just not with Equifax.

Re:firefox: bad certificate for equifaxsecurity201

[arth1]

The GeoTrust Global CA used to sign the GeoTrust DV SSL CA - G3 certificate is ancient (from 2002) and uses an SHA-1 algorithm, which is no longer considered secure..
So even if the intermediate certificate is SHA-256 sign, the chain is not trusted by clients that require strong security.

GeoTrust used to own Equifax Security, but sold out in 2006, and then got acquied by Verisign, which in turn got acquired by Symantec. So don't be too surprised at signs of incompetence.

Re:Just Looked at My PIN

[Solandri]

There's nothing intrinsically wrong with using a timestamp, provided (1) the timestamp has sufficient resolution to make a brute force attack unfeasible. Timestamps are used in some pseudo-random number generators - you use something like the last 8 digits of the exact nanosecond a random number was requested. And (2) Equifax only stores the hash so it can't be reverse-engineered if their password database is stolen.

Unfortunately, it looks like their timestamp only has one minute resolution, meaning there are only 1440 possible timestamps every day. Which means it'll be almost trivial for a identity thief to brute force based on when they lost their ability to use your credit, and what time of day you were likely to be awake and free to request the credit freeze. And even if they're hashing their password database, a hacker who steals it and their hashing algorithm will be able to generate a rainbow table with just a half million entries per year.