Slashdot Mirror

← Back to Stories (view on slashdot.org)

TechCrunch: Equifax Hack-Checking Web Site Is Returning Random Results (techcrunch.com)

Posted by EditorDavid on from the discredit-reports dept.

An anonymous reader quotes security researcher Brian Krebs: The web site that Equifax advertised as the place where concerned Americans could go to find out whether they were impacted by this breach -- equifaxsecurity2017.com -- is completely broken at best, and little more than a stalling tactic or sham at worst. In the early hours after the breach announcement, the site was being flagged by various browsers as a phishing threat. In some cases, people visiting the site were told they were not affected, only to find they received a different answer when they checked the site with the same information on their mobile phones.
TechCrunch has concluded that "the checker site, hosted by Equifax product TrustID, seems to be telling people at random they may have been affected by the data breach." One user reports that entering the same information twice produced two different answers. And ZDNet's security editor reports that even if you just enter Test or 123456, "it says your data has been breached." TechCrunch writes: The assignment seems random. But, nevertheless, they were still asked to continue enrolling in TrustID. What this means is not only are none of the last names tied to your Social Security number, but there's no way to tell if you were really impacted. It's clear Equifax's goal isn't to protect the consumer or bring them vital information. It's to get you to sign up for its revenue-generating product TrustID.
Meanwhile, one web engineer claims the secret 10-digit "security freeze" PIN being issued by Equifax "is just a timestamp of when you made the freeze."

11 of 176 comments (clear)

  1. Do the math by Applehu+Akbar · · Score: 5, Funny

    The judgement Equifax will have to pay for this breach is massive. Unfortunately, the probability of it staying solvent enough to pay anything is the reciprocal of this amount.

    1. Re:Do the math by Desler · · Score: 5, Insightful

      I look forward to my "massive" $5 gift certificate.

    2. Re:Do the math by arth1 · · Score: 5, Funny

      $20 towards signing up for TrustID, I'm sure. Taxes and other fees apply.

    3. Re:Do the math by Zocalo · · Score: 5, Interesting

      Pretty much. The only saving grace for Equifax on that front since they apparently have data on EU citizens involved in the breach is that they managed to get taken to the cleaners before the GDPR comes into force next May. If they'd somehow been able to keep the ship afloat that long, then they'd also be on the hook to the EU for 4% of their global annual *turnover* for the last fiscal year, which is probably enough to wipe them out all on its own. I doubt very much the company is going to survive this, even if the government steps in and bails them out - any trust their customers might have had should be long gone by this point.

      Of course, that means that all your ID eggs are now going to be in two baskets rather than three, and there's absolutely zero evidence that either of the other two major players are any better at this than Equifax as far as I can see. Good luck with that.

      --
      UNIX? They're not even circumcised! Savages!
    4. Re:Do the math by shentino · · Score: 5, Funny

      I'm afraid Monsanto has a patent on that

  2. The Experian hotline by timholman · · Score: 5, Interesting

    Today I tried calling the new Equifax help line (set up because of the data breach) and asked the woman I spoke to if Equifax intended to issue new PIN numbers to the people who already had credit freezes.

    Long pause. "Sir, have you been to our web site?"

    Me: "Yes, I have. According to your own site, my data is at risk. My wife and I froze our credit a couple of years ago, and you issued us 10-number PINs for unfreezing our credit online. Since the hackers now have everything they need to log into your web site with our credentials, I want to know if those PIN numbers were part of the compromised information, and if Equifax intends to issue new PIN numbers."

    Another very long pause. "Sir, I don't have that information at this time, but I will log this request."

    Me: "Yeah, Equifax doesn't have much information about anything, does it? Have a nice day."

    Talk about incompetence compounded. So now it turns out that the PIN is nothing but a timestamp, and Equifax has given up all the information needed for a criminal to unfreeze my credit using their website. Anyone want to bet if that timestamp can be deduced from the information already stolen in the breach?

    1. Re:The Experian hotline by arth1 · · Score: 5, Funny

      STOP SAYING PIN NUMBERS

      Yes, he should have said personal PIN number, so it's not mistaken for a corporate PIN number.

  3. Just Looked at My PIN by Anonymous Coward · · Score: 5, Interesting

    It indeed IS a time stamp. Geezus. It's bad enough it's just a numeric PIN which isn't very secure to begin with, but then to be that obvious. Wow. Hopefully I can get that changed.

    The good news is freezing my credit here in Indiana didn't cost me a dime. It's a law we have here.

    1. Re:Just Looked at My PIN by Anonymous Coward · · Score: 5, Interesting

      "Incompetent" just doesn't cut it. Their name needs to become a verb. They've fucked up that hard.

      "Hey, buddy, don't equifax that document!"

  4. Racketeering by mentil · · Score: 5, Interesting

    It has become increasingly obvious that Equifax and their cohorts are running a racket, running roughshod over consumer rights. The congressionally-mandated free annual credit report was inadequate to solve all the problems with their business. I pray that racketeering charges are brought against Equifax, for their practice of punishing people who don't sign up for their protection services whenever Equifax makes a mistaken data entry, and by holding proprietary information over their head limiting access to any significant financial transactions (although lenders are as at fault here too.) Furthermore, 'identity theft' should be an Equifax/lender problem, rather than a consumer problem.

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
  5. Re:firefox: bad certificate for equifaxsecurity201 by arth1 · · Score: 5, Informative

    The GeoTrust Global CA used to sign the GeoTrust DV SSL CA - G3 certificate is ancient (from 2002) and uses an SHA-1 algorithm, which is no longer considered secure..
    So even if the intermediate certificate is SHA-256 sign, the chain is not trusted by clients that require strong security.

    GeoTrust used to own Equifax Security, but sold out in 2006, and then got acquied by Verisign, which in turn got acquired by Symantec. So don't be too surprised at signs of incompetence.