Slashdot Mirror
TechCrunch: Equifax Hack-Checking Web Site Is Returning Random Results (techcrunch.com)
An anonymous reader quotes security researcher Brian Krebs:
The web site that Equifax advertised as the place where concerned Americans could go to find out whether they were impacted by this breach -- equifaxsecurity2017.com -- is completely broken at best, and little more than a stalling tactic or sham at worst. In the early hours after the breach announcement, the site was being flagged by various browsers as a phishing threat. In some cases, people visiting the site were told they were not affected, only to find they received a different answer when they checked the site with the same information on their mobile phones.
TechCrunch has concluded that "the checker site, hosted by Equifax product TrustID, seems to be telling people at random they may have been affected by the data breach." One user reports that entering the same information twice produced two different answers. And ZDNet's security editor reports that even if you just enter Test or 123456, "it says your data has been breached." TechCrunch writes: The assignment seems random. But, nevertheless, they were still asked to continue enrolling in TrustID. What this means is not only are none of the last names tied to your Social Security number, but there's no way to tell if you were really impacted. It's clear Equifax's goal isn't to protect the consumer or bring them vital information. It's to get you to sign up for its revenue-generating product TrustID.
Meanwhile, one web engineer claims the secret 10-digit "security freeze" PIN being issued by Equifax "is just a timestamp of when you made the freeze."
TechCrunch has concluded that "the checker site, hosted by Equifax product TrustID, seems to be telling people at random they may have been affected by the data breach." One user reports that entering the same information twice produced two different answers. And ZDNet's security editor reports that even if you just enter Test or 123456, "it says your data has been breached." TechCrunch writes: The assignment seems random. But, nevertheless, they were still asked to continue enrolling in TrustID. What this means is not only are none of the last names tied to your Social Security number, but there's no way to tell if you were really impacted. It's clear Equifax's goal isn't to protect the consumer or bring them vital information. It's to get you to sign up for its revenue-generating product TrustID.
Meanwhile, one web engineer claims the secret 10-digit "security freeze" PIN being issued by Equifax "is just a timestamp of when you made the freeze."
The judgement Equifax will have to pay for this breach is massive. Unfortunately, the probability of it staying solvent enough to pay anything is the reciprocal of this amount.
Today I tried calling the new Equifax help line (set up because of the data breach) and asked the woman I spoke to if Equifax intended to issue new PIN numbers to the people who already had credit freezes.
Long pause. "Sir, have you been to our web site?"
Me: "Yes, I have. According to your own site, my data is at risk. My wife and I froze our credit a couple of years ago, and you issued us 10-number PINs for unfreezing our credit online. Since the hackers now have everything they need to log into your web site with our credentials, I want to know if those PIN numbers were part of the compromised information, and if Equifax intends to issue new PIN numbers."
Another very long pause. "Sir, I don't have that information at this time, but I will log this request."
Me: "Yeah, Equifax doesn't have much information about anything, does it? Have a nice day."
Talk about incompetence compounded. So now it turns out that the PIN is nothing but a timestamp, and Equifax has given up all the information needed for a criminal to unfreeze my credit using their website. Anyone want to bet if that timestamp can be deduced from the information already stolen in the breach?
It indeed IS a time stamp. Geezus. It's bad enough it's just a numeric PIN which isn't very secure to begin with, but then to be that obvious. Wow. Hopefully I can get that changed.
The good news is freezing my credit here in Indiana didn't cost me a dime. It's a law we have here.
It has become increasingly obvious that Equifax and their cohorts are running a racket, running roughshod over consumer rights. The congressionally-mandated free annual credit report was inadequate to solve all the problems with their business. I pray that racketeering charges are brought against Equifax, for their practice of punishing people who don't sign up for their protection services whenever Equifax makes a mistaken data entry, and by holding proprietary information over their head limiting access to any significant financial transactions (although lenders are as at fault here too.) Furthermore, 'identity theft' should be an Equifax/lender problem, rather than a consumer problem.
Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
Just ask the Nigerian prince. Quick turnaround if you help him with a little banking snafu.
Table-ized A.I.
with OSX firefox, visiting equifax.com and clicking the big orange button in the middle of the site for https://www.equifaxsecurity2017.com/ yields a browser certificate warning:
------------
www.equifaxsecurity2017.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER
------------
weirdly visiting the same URL w/ chrome or safari yield no such warning.
For as long as I can remember all credit scoring companies always behaved in opaque and obscure ways. That continues right up to this day.
When I was in my twenties the law was they had to disclose "everything" if you asked for it and it came on a form that was printed on a 132-column line printer. So I was in credit trouble (that of course is the age for it) and got turned down for a card so they sent me the free report. Most of what was on it was wrong or benign. The late payments on credit cards that I actually did have were not on the report except for Sears who was always the most aggressive on reporting these things. There was nothing on it that would explain an extremely low credit score even though in my case the low credit score was deserved.
I could only conclude that "everything" report in fact did not have everything on it in clear violation of what the law seemed to say. There was nothing I could do about it and nobody with actual influence seemed to care.
Today I have a very high credit score: at the moment my FICO score 876 out of 900. A few years back I bought a car and the dealership had to run a credit report even though I was paying cash. The guy said he had never seen a score that high and his customers he had sold to included highly successful silicon valley execs. I'm not rich by any means but I can pay my bills so whatever.
So I get a copy of the report and it had scant data on it but has a section "things that can adversely affect your score." It lists things there like "too many accounts with balances open." Say what? I don't owe a dime on any account except my mortgage. I have two credit cards with zero balance for months and I haven't paid a dime of interest or finance charge on them for a decade. But that's a problem: "No recent revolving balances." So if you aren't spending enough that's a negative.
I am pretty sure that none of Bill Gates, Larry Ellison and Elon Musk could get a 900. (Not that they would care, nor anyone giving them credit), My point is if it is impossible to ace the test then it is not a good test. But that's the way the credit industry is built -- a complex data base of hidden rules that they can exploit to make money.
It should surprise nobody that Equifax is using this crisis event to skim cash.
According to my sources, a condition for enrolling is giving up your right to participate in a class action suit against Equifax. At least, read the fine print before signing up.
Personally, I'd just lock my credit records with Equifax. Leave them open with the other agencies, so lenders can still approve loans. Just not with Equifax.
Have gnu, will travel.
Dated September 8, 2017. It's as bad as the article claims https://trustedidpremier.com/s...
The GeoTrust Global CA used to sign the GeoTrust DV SSL CA - G3 certificate is ancient (from 2002) and uses an SHA-1 algorithm, which is no longer considered secure..
So even if the intermediate certificate is SHA-256 sign, the chain is not trusted by clients that require strong security.
GeoTrust used to own Equifax Security, but sold out in 2006, and then got acquied by Verisign, which in turn got acquired by Symantec. So don't be too surprised at signs of incompetence.
"If an otherwise scummy company like BofA or Wells Fargo said they would stop using them..."
The problem here of course is just who owns these Credit Reporting Agencies. For instance, TransUnion is mostly owned by Goldman & Sachs. Remember them?
Pimps own the Whores, even as they hide in the shadows.
Don't even get me started on that mostly American phenomenon- "Title Insurance". If you have Title Insurance on the home that you own, and you almost certainly do, Banks require it, pay attention to the fine print. You are paying for "Insurance" very very rarely needed, that only pays out to the Bank. If there is any cloud at all on the Title initially, you simply can't get the Insurance. BTW, Title Records are Public; you can get them from County Courthouses, usually for only a nominal Copying Fee. (I paid a flat $10; for that, I also snooped on neighboring properties. Clean Title back to 1872(!). I got the Lender to waive the Insurance requirement, since they were the same Lender of the previous Owner, and I was assuming the Loan. They still nailed me on "Points".)
Dumpster fire. Train wreck. Shit sandwich.
You are being ripped off every second of every day, so that advertisers can help rip you off even more tomorrow.
I wouldn't be surprised if Equifax just manufactured this breach to push their TrustID product.
If a company were to "manufacture" such a breach, then they would also sell the information on the black market which adds another win.
Essentially, if they say that they were breached, then your data is out there even if they werent breached.
"His name was James Damore."
So, no change there then.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
These data breaches follow an inevitable life-cycle:
1) Initial release: "We had a data breach which effected some, but not all, of our customers. The data breach was limited, and did not include bank account numbers, CC numbers, etc."
2) A week or two later: "The data breach we reported may have included more customers than we initially reported. Some customers may have had sensitive information like CC information and bank account information compromised."
3) A month later (in a quiet press release late on a Friday afternoon): "It was everyone, and they got everything."
SJW: Someone who has run out of real oppression, and has to fake it.
Your scenario hints more at the incompetence of the browser than GeoTrust, in this case (not surprisingly, I'm only seeing this with Firefox). The root CA is self-signed and its security is not impacted by a weak hash. The rest of the chain, where the strength of the hash is important, uses SHA-256 hashes.
SHA1 is depreciated so all currently generated root CAs will use SHA2, but there is no security impact of a root CA with a SHA1 hash.
If you want a vision of the future, imagine a youtube comments section scrolling - forever.
I have worked for both the health insurance industry and now the property casualty side. Both use what is called "Predictive Modeling". The company I work for now uses 91 different "points" to assign you a "model rate code". One of those "points" is your Equifax credit score! Any time a policy is rated "numbers" are sent into the Predictive Modeling system it takes those "numbers" and gathers other information including your Equifax credit score (we store them in our databases and if we don't have it we call a "secure" web service at Equifax to get it, once we have it - we store it. The "Model Rate Code" that is produced is a single digit number it can be from a negative number, a zero or a positive number. That number is then multiplied by the "rate" initially generated and then you are told how much your premium will be. The 91 different "Points" we rate on are HIGHLY guarded the ONLY people allowed to know what those "points" are, are the Actuaries, and there are only TWO of them that are allowed to know them. So just to make you feel even BETTER - many companies can do the same thing with your Credit score information - pay Equifax to use their "secure" web service and get your information and then store it on THEIR systems. So while your worried about Equifax - think about how many other companies have your information and may be even LESS secure than Equifax!!!
The Truth is a Virus!!!
"No recent revolving balances". Not really an issue of "not spending enough", as far as I can tell from Googling. If you have at least a few cards open, the complaint is you haven't put any spend on some of them for a while. Why that's considered bad I have no idea. So, same spend but distributed over all the cards would clear this up. Or, if you can close some unused ones and still maintain the other criteria, that's an option.
I hadn't realized this myself, and do in fact have 3 -- soon to be 4 -- no-AF mothballed cards. So I need to consider this myself.
Autocorrect failure perhaps?
not curious enough to look at a twooter url.
The issue there is that the server is sending a server cert that isn't signed by the Root CA, it is signed by GeoTrust DV SSL CA - G3 -- and that was not sent by the server. It is the servers responsibility to provide certificates that link the server cert with the root cert.
When I checked it just gave me a sign up date which I ASSume means I got hit. Ironic that it wants the last 6 digits and last name
True, but the URI for the missing intermediate certificate is included in the "CA Issuers ( 1.3.6.1.5.5.7.48.2 )" field. It's not ideal, but it's not worth refusing to connect over. If downloading the intermediate from that URI failed, the chain should definitely be considered broken.
If you want a vision of the future, imagine a youtube comments section scrolling - forever.
I agree. Slap on the wrist and that's it. We're fucked.
Comment removed based on user account deletion
Comment removed based on user account deletion
Comment removed based on user account deletion
Stop saying "PIN Number" too. PIN = Personal Identification Number. Why say "number" twice? :P
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
So Equifax continues to provide credit scores even when the target has frozen it?
Let's see, you have to give up your right to sue in a class action, and all you get is random bullshit that tells you nothing anyway.
This smells like nothing more than bait for an immunity grab.
After the Election Integrity Commission debacle, it wouldn't surprise me if this was plan C to obtain shittons of voter information.
The major parties already have all the information they could want on you. More information is not always better. The most important predictors of your voting behavior are your age, political registration, parents' political registrations, income level, education level and other such things which tend to be either public or legally obtainable. The major parties have this information for the vast majority of citizens. Knowing the details of your past addresses or credit history isn't necessarily going to be any better of a predictor of your behavior than knowing that you're left-handed and like sushi, and it's not like you're able to do more targeted advertising based on this information.
So the simplest answer here is that your credit score doesn't have all that much to do with your political opinions. The cynical answer is that if it did, the major parties would probably have legal access to it already. My general impression of the tech writeups of the recent campaigns seems to be that they are drowning in data, and they're more or less incompetent at doing anything with it. Which to my mind is all to the good.
Those who advocate genocide deserve every protection afforded by law, and none afforded by common human decency.
Protip: One counterexample does not negate decades of history.
Entertainment lobbying has been solidly blue for decades, and the energy lobby is even more extremely biased in the other direction. The DMCA specifically had broad bipartisan support, passing the Senate unanimously. The entertainment industry tends to have broader representation of LGBTQ persons, and is also heavily unionized, and the Republican party opposes both of these things. The 2016 election shows the same bias in funding, with HRC getting the vast majority of entertainment industry funding and also being the only 'D' on this list. This is not exactly new or controversial.
Those who advocate genocide deserve every protection afforded by law, and none afforded by common human decency.
...did you buy outright, or get a loan from the dealer? Sounds like the former, so credit frozen didn't affect the transaction.
I just checked again. It is service provided by citibank's account page "check your FICO® score". The values are Mar: 867, Apr: 863, May: 867, Jun: 867, Jul: 856, Aug: 856.
My guess is the drop in July had to do with us getting a line of credit against the equity in our house.
At the bottom of the chart it says "Score ranges is 250 to 900." I have never found an explanation as to why credit score ranges don't use a more intuitive scale, such as 0-100 but they have always done this.
Equifax needs to go away anyway.
It is a totally incompetent company anyway; a useless, outdated service that serves only it's stockholders.
Umm, I mean USED to serve it's stockholders. Now it serves no one. Go away.
Self-importance and self-indulgence is the root of ALL evil.