Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?
Privacy Businesses Security United States

TechCrunch: Equifax Hack-Checking Web Site Is Returning Random Results ( 176

An anonymous reader quotes security researcher Brian Krebs: The web site that Equifax advertised as the place where concerned Americans could go to find out whether they were impacted by this breach -- -- is completely broken at best, and little more than a stalling tactic or sham at worst. In the early hours after the breach announcement, the site was being flagged by various browsers as a phishing threat. In some cases, people visiting the site were told they were not affected, only to find they received a different answer when they checked the site with the same information on their mobile phones.
TechCrunch has concluded that "the checker site, hosted by Equifax product TrustID, seems to be telling people at random they may have been affected by the data breach." One user reports that entering the same information twice produced two different answers. And ZDNet's security editor reports that even if you just enter Test or 123456, "it says your data has been breached." TechCrunch writes: The assignment seems random. But, nevertheless, they were still asked to continue enrolling in TrustID. What this means is not only are none of the last names tied to your Social Security number, but there's no way to tell if you were really impacted. It's clear Equifax's goal isn't to protect the consumer or bring them vital information. It's to get you to sign up for its revenue-generating product TrustID.
Meanwhile, one web engineer claims the secret 10-digit "security freeze" PIN being issued by Equifax "is just a timestamp of when you made the freeze."
This discussion has been archived. No new comments can be posted.

TechCrunch: Equifax Hack-Checking Web Site Is Returning Random Results

Comments Filter:
  • Do the math (Score:5, Funny)

    by Applehu Akbar ( 2968043 ) on Sunday September 10, 2017 @12:20AM (#55167701)

    The judgement Equifax will have to pay for this breach is massive. Unfortunately, the probability of it staying solvent enough to pay anything is the reciprocal of this amount.

    • by Anonymous Coward

      +5 funny.

    • Re:Do the math (Score:5, Insightful)

      by Desler ( 1608317 ) on Sunday September 10, 2017 @12:25AM (#55167707)

      I look forward to my "massive" $5 gift certificate.

    • Re:Do the math (Score:4, Informative)

      by Anonymous Coward on Sunday September 10, 2017 @12:30AM (#55167717)

      This is a joke right? Equifax made more than $3 billion last year in revenue and has nearly $7 billion in assets. I'm sure they'll be perfectly fine after their slap on the wrist from the Trump Administration.

      • by Dracos ( 107777 )

        After the Election Integrity Commission debacle, it wouldn't surprise me if this was plan C to obtain shittons of voter information.

        Equifax is going to crash hard, BearStearns/Lehman Brothers style hard.

        • After the Election Integrity Commission debacle, it wouldn't surprise me if this was plan C to obtain shittons of voter information.

          The major parties already have all the information they could want on you. More information is not always better. The most important predictors of your voting behavior are your age, political registration, parents' political registrations, income level, education level and other such things which tend to be either public or legally obtainable. The major parties have this information for the vast majority of citizens. Knowing the details of your past addresses or credit history isn't necessarily going to be

      • by mentil ( 1748130 ) on Sunday September 10, 2017 @12:58AM (#55167773)

        Nah. Carly, Elop or Meg will take over for a while until they're bought out by Verizon. All the data owned by Equifax will then be used for yet another Verizon targeted advertising scheme, because apparently Verizon wishes it were Google.

    • I predict that they won't pay a penny. Not a single cent.

      They are too well connected.

      The credit bureaus can already ruin someone's life with wrong information and not suffer any consequences for what should be a crime, or at least libel.

    • Re:Do the math (Score:5, Interesting)

      by Zocalo ( 252965 ) on Sunday September 10, 2017 @05:18AM (#55168223) Homepage
      Pretty much. The only saving grace for Equifax on that front since they apparently have data on EU citizens involved in the breach is that they managed to get taken to the cleaners before the GDPR comes into force next May. If they'd somehow been able to keep the ship afloat that long, then they'd also be on the hook to the EU for 4% of their global annual *turnover* for the last fiscal year, which is probably enough to wipe them out all on its own. I doubt very much the company is going to survive this, even if the government steps in and bails them out - any trust their customers might have had should be long gone by this point.

      Of course, that means that all your ID eggs are now going to be in two baskets rather than three, and there's absolutely zero evidence that either of the other two major players are any better at this than Equifax as far as I can see. Good luck with that.
      • Their customers are the lenders. Nobody pays or asks to be in a credit reporters database. And the lenders have no reason to give a shit about this.

        • by Zocalo ( 252965 )
          I think that rather depends on whether or not the consumers looking for a loan or other credit related service start looking into who their prospective sources of finance are using for doing background checks. If enough potential creditors start factoring that information into their decision making process - quite possible given the amount of media attention this is getting - then I suspect the lenders are going to start caring a little more than they might do at present. Not that it's going to make much
          • Uhm, good luck with that. I's suspect most of our front end sales reps don't even know who we use for background credit checks. Its a stacked system, third party, third party, third party. Probably means we use more than one of the big three.
      • > I doubt very much the company is going to survive this

        I'm sick of hearing this stuff. I heard it about virtually every Trump-related news story for the last year, I heard it about New Orleans, I heard it about BP. I heard it about Volkswagen.

        Look, the market already priced this disaster, based on what data is available. They lost about 15% of their value. They have solid fundamentals that aren't changing in any sort of way that pose an existential threat to the company; unless there's a lot more of thi

  • The Experian hotline (Score:5, Interesting)

    by timholman ( 71886 ) on Sunday September 10, 2017 @12:29AM (#55167713)

    Today I tried calling the new Equifax help line (set up because of the data breach) and asked the woman I spoke to if Equifax intended to issue new PIN numbers to the people who already had credit freezes.

    Long pause. "Sir, have you been to our web site?"

    Me: "Yes, I have. According to your own site, my data is at risk. My wife and I froze our credit a couple of years ago, and you issued us 10-number PINs for unfreezing our credit online. Since the hackers now have everything they need to log into your web site with our credentials, I want to know if those PIN numbers were part of the compromised information, and if Equifax intends to issue new PIN numbers."

    Another very long pause. "Sir, I don't have that information at this time, but I will log this request."

    Me: "Yeah, Equifax doesn't have much information about anything, does it? Have a nice day."

    Talk about incompetence compounded. So now it turns out that the PIN is nothing but a timestamp, and Equifax has given up all the information needed for a criminal to unfreeze my credit using their website. Anyone want to bet if that timestamp can be deduced from the information already stolen in the breach?

  • by Anonymous Coward on Sunday September 10, 2017 @12:30AM (#55167715)

    It indeed IS a time stamp. Geezus. It's bad enough it's just a numeric PIN which isn't very secure to begin with, but then to be that obvious. Wow. Hopefully I can get that changed.

    The good news is freezing my credit here in Indiana didn't cost me a dime. It's a law we have here.

    • Re: (Score:3, Informative)

      by Desler ( 1608317 )

      Yeah it's ridiculous especially since TransUnion and Experian let you set your own PIN rather than relying on some incompetent to give you a deterministic 'random' PIN.

    • Re: (Score:3, Informative)

      by Solandri ( 704621 )
      There's nothing intrinsically wrong with using a timestamp, provided (1) the timestamp has sufficient resolution to make a brute force attack unfeasible. Timestamps are used in some pseudo-random number generators - you use something like the last 8 digits of the exact nanosecond a random number was requested. And (2) Equifax only stores the hash so it can't be reverse-engineered if their password database is stolen.

      Unfortunately, it looks like their timestamp only has one minute resolution, meaning t
      • by blincoln ( 592401 ) on Sunday September 10, 2017 @04:27PM (#55170649) Homepage Journal

        There's nothing intrinsically wrong with using a timestamp

        Yes, there is, when the topic involves security (which is almost always). Unlike a well-vetted PRNG, truncating a timestamp (at either end) has no mathematical basis for producing high-entropy results.

        Just about every modern programming language has a built-in mechanism for generating random numbers with high entropy. There is no reason to not use that functionality in a case like this.

    • by Cbs228 ( 596164 )

      At the risk of saying, "me too," I can also confirm that Equifax security freeze PINs are a timestamp.

      PINs do not necessarily need to be "random" in order to be secure. They need only be unpredictable by an outside attacker. Right away, we can see that some digits are predictable. Years are limited by the age of the submitter. Hours are generally limited to those during which the submitter is awake. I'm not sure why they bothered with ten digits when the PIN actually has much less entropy than that.

      The secu

  • Racketeering (Score:5, Interesting)

    by mentil ( 1748130 ) on Sunday September 10, 2017 @12:50AM (#55167749)

    It has become increasingly obvious that Equifax and their cohorts are running a racket, running roughshod over consumer rights. The congressionally-mandated free annual credit report was inadequate to solve all the problems with their business. I pray that racketeering charges are brought against Equifax, for their practice of punishing people who don't sign up for their protection services whenever Equifax makes a mistaken data entry, and by holding proprietary information over their head limiting access to any significant financial transactions (although lenders are as at fault here too.) Furthermore, 'identity theft' should be an Equifax/lender problem, rather than a consumer problem.

    • Considering the pro business government that it's charge right now, I doubt that Equifax will get more than a slap on the wrist for this breach.

      I don't think that much will change here until a bunch of congresspeople get their own identities stolen and this becomes a personal issue to them.

      Of course, even then they'll all have VIP numbers to call that let them skip the line and get a senior level caseworker to get their credit problems resolved.

    • Re:Racketeering (Score:4, Insightful)

      by DarkOx ( 621550 ) on Sunday September 10, 2017 @08:33AM (#55168597) Journal

      Right the big problem here is that there is not cost to the agencies to getting it wrong. If the report inaccurate information about it, it may cost you big, costs them nothing.

      The 'free credit report' solution was BS. I it should not be my responsibility to verify on a regular basis some entity isnt spreading material falsehoods about me. Mind you making it my responsibility might be the only practical way, if we give the credit agencies the doubt and assume they at least try to get it right, they have no way to address the problem. They need to be penalized for forwarding bad information in some way. Maybe that is making it extra easy for libel(like) civil suits to succeed against this type of a business, with lower standards of proof of harm.

      • Its called outsourcing to the public. Rather than spend money verifying all your accounts are accurate, get the people to verify the data themselves. Next step is to get governments to verify data fpr the intelligence agencies!
  • by Tablizer ( 95088 ) on Sunday September 10, 2017 @12:53AM (#55167755) Journal

    Just ask the Nigerian prince. Quick turnaround if you help him with a little banking snafu.

  • by Anonymous Coward

    with OSX firefox, visiting and clicking the big orange button in the middle of the site for yields a browser certificate warning:

    ------------ uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER


    • by arth1 ( 260657 ) on Sunday September 10, 2017 @03:05AM (#55168007) Homepage Journal

      The GeoTrust Global CA used to sign the GeoTrust DV SSL CA - G3 certificate is ancient (from 2002) and uses an SHA-1 algorithm, which is no longer considered secure..
      So even if the intermediate certificate is SHA-256 sign, the chain is not trusted by clients that require strong security.

      GeoTrust used to own Equifax Security, but sold out in 2006, and then got acquied by Verisign, which in turn got acquired by Symantec. So don't be too surprised at signs of incompetence.

      • by chihowa ( 366380 )

        Your scenario hints more at the incompetence of the browser than GeoTrust, in this case (not surprisingly, I'm only seeing this with Firefox). The root CA is self-signed and its security is not impacted by a weak hash. The rest of the chain, where the strength of the hash is important, uses SHA-256 hashes.

        SHA1 is depreciated so all currently generated root CAs will use SHA2, but there is no security impact of a root CA with a SHA1 hash.

        • by Asgard ( 60200 )

          The issue there is that the server is sending a server cert that isn't signed by the Root CA, it is signed by GeoTrust DV SSL CA - G3 -- and that was not sent by the server. It is the servers responsibility to provide certificates that link the server cert with the root cert.

          • by chihowa ( 366380 )

            True, but the URI for the missing intermediate certificate is included in the "CA Issuers ( )" field. It's not ideal, but it's not worth refusing to connect over. If downloading the intermediate from that URI failed, the chain should definitely be considered broken.

  • by AlanObject ( 3603453 ) on Sunday September 10, 2017 @01:03AM (#55167779)

    For as long as I can remember all credit scoring companies always behaved in opaque and obscure ways. That continues right up to this day.

    When I was in my twenties the law was they had to disclose "everything" if you asked for it and it came on a form that was printed on a 132-column line printer. So I was in credit trouble (that of course is the age for it) and got turned down for a card so they sent me the free report. Most of what was on it was wrong or benign. The late payments on credit cards that I actually did have were not on the report except for Sears who was always the most aggressive on reporting these things. There was nothing on it that would explain an extremely low credit score even though in my case the low credit score was deserved.

    I could only conclude that "everything" report in fact did not have everything on it in clear violation of what the law seemed to say. There was nothing I could do about it and nobody with actual influence seemed to care.

    Today I have a very high credit score: at the moment my FICO score 876 out of 900. A few years back I bought a car and the dealership had to run a credit report even though I was paying cash. The guy said he had never seen a score that high and his customers he had sold to included highly successful silicon valley execs. I'm not rich by any means but I can pay my bills so whatever.

    So I get a copy of the report and it had scant data on it but has a section "things that can adversely affect your score." It lists things there like "too many accounts with balances open." Say what? I don't owe a dime on any account except my mortgage. I have two credit cards with zero balance for months and I haven't paid a dime of interest or finance charge on them for a decade. But that's a problem: "No recent revolving balances." So if you aren't spending enough that's a negative.

    I am pretty sure that none of Bill Gates, Larry Ellison and Elon Musk could get a 900. (Not that they would care, nor anyone giving them credit), My point is if it is impossible to ace the test then it is not a good test. But that's the way the credit industry is built -- a complex data base of hidden rules that they can exploit to make money.

    It should surprise nobody that Equifax is using this crisis event to skim cash.

    • But that's the way the credit industry is built -- a complex data base of hidden rules that they can exploit to make money.

      That's the way the insurance industry is built, as well. No one should ever be required to pay for a thing whose price is determined by secret formula.

      • by nasch ( 598556 )

        As long as you can get quotes and shop around for insurance, why do you need to know what the formula is?

      • I have worked for both the health insurance industry and now the property casualty side. Both use what is called "Predictive Modeling". The company I work for now uses 91 different "points" to assign you a "model rate code". One of those "points" is your Equifax credit score! Any time a policy is rated "numbers" are sent into the Predictive Modeling system it takes those "numbers" and gathers other information including your Equifax credit score (we store them in our databases and if we don't have it we cal

    • by Shados ( 741919 ) on Sunday September 10, 2017 @11:23AM (#55169093)

      I am pretty sure that none of Bill Gates, Larry Ellison and Elon Musk could get a 900

      850 is the max for the scale people generally refer to when talking about credit scores. Googling around, some banks seem to use internally a different score scale, but let's set that aside for a sec.

      People can, and in fact do get perfect score. If you understand exactly how it works, its' not that difficult. It has very little to do with how much money you make, and is a pretty artificial metric.

      When you get a report and it says things like "too many accounts with balances open", it doesn't mean "you have too many accounts with balances open". It just means you don't have -precisely- the amount of accounts the algorithm uses for a perfect score, so you lost a non-zero amount of points for it, and since you said you have a mortgage, it's probably what it's referring to.

      To get a perfect score, you need a bunch of accounts open, that were opened several years ago (none recently), that are used but have 0 balance at the moment they were audited. Your available credit across those account has to be very high, and you need multiple accounts from different credit providers. There are a few other factors, but if you do it just right its pretty simple, given enough time, to manipulate your credit to get a perfect score.

      In fact, some people make a game out of it. The only gotcha is you have to use those accounts sometimes but they have to be at 0 or nearly 0 the moment they're reported, and you never know when that will be (since it can change). So often you'll hover between 845 and 850 (or whatever other scale you're looking at, though those may have slightly different criterias)

      • by sfcat ( 872532 )

        I am pretty sure that none of Bill Gates, Larry Ellison and Elon Musk could get a 900

        850 is the max for the scale people generally refer to when talking about credit scores. Googling around, some banks seem to use internally a different score scale, but let's set that aside for a sec.

        People can, and in fact do get perfect score. If you understand exactly how it works, its' not that difficult. It has very little to do with how much money you make, and is a pretty artificial metric.

        Another big misconception about credit scores is that a "perfect" score is best. A credit score isn't how likely you are to pay back a debt, its a measure of how much money a lender makes on average on your debt. So if you always pay on time or ahead of time, then your credit score can actually go down. Keeping a small balance on your credit cards causes your credit score to go up because you are paying interest. So a good credit score can actually better for you than a perfect one as it means

        • >Another big misconception about credit scores is that a "perfect" score is best. A credit score isn't how likely you are to pay back a debt,

          A credit score, like the FICO, is literally the inverse band-percentage of the chances you will default on a debt. That's it's entire point.

          There is huge incentive in the financial industry to get away from FICO and the CRA's stranglehold on consumer data, but the problem is, they have an accurate model that predicts reliably consumer behavior. The FICO bands do a

    • "No recent revolving balances". Not really an issue of "not spending enough", as far as I can tell from Googling. If you have at least a few cards open, the complaint is you haven't put any spend on some of them for a while. Why that's considered bad I have no idea. So, same spend but distributed over all the cards would clear this up. Or, if you can close some unused ones and still maintain the other criteria, that's an option.

      I hadn't realized this myself, and do in fact have 3 -- soon to be 4 -- no-AF
    • Just FYI, maximum credit score is 850 (both FICO and current Vantage score, since 2013. Previous Vantage score had a max of 990). Unless your 876 was prior to 2013, I have to call you on that.
      • I just checked again. It is service provided by citibank's account page "check your FICO® score". The values are Mar: 867, Apr: 863, May: 867, Jun: 867, Jul: 856, Aug: 856.

        My guess is the drop in July had to do with us getting a line of credit against the equity in our house.

        At the bottom of the chart it says "Score ranges is 250 to 900." I have never found an explanation as to why credit score ranges don't use a more intuitive scale, such as 0-100 but they have always done this.

  • Beware of TrustID (Score:2, Informative)

    by PPH ( 736903 )

    According to my sources, a condition for enrolling is giving up your right to participate in a class action suit against Equifax. At least, read the fine print before signing up.

    Personally, I'd just lock my credit records with Equifax. Leave them open with the other agencies, so lenders can still approve loans. Just not with Equifax.

    • Re:Beware of TrustID (Score:5, Interesting)

      by dunkindave ( 1801608 ) on Sunday September 10, 2017 @01:21AM (#55167811)

      Personally, I'd just lock my credit records with Equifax. Leave them open with the other agencies, so lenders can still approve loans. Just not with Equifax.

      Is your name, address, birthdate, social security number, etc., with TransUnion and Experian different than the information leaked by Equifax? If so, why do you only worry about locking Equifax?

      • He's not thinking too clearly...
        • A lot of people arent.

          Given the comments on the related articles, it seems to me that a lot of people here have never had credit except for maybe their government guaranteed student loan for their gender studies.
      • by PPH ( 736903 )

        why do you only worry about locking Equifax?

        Because they are fuck-ups and don't deserve my business. There's nothing I can do about information that is already out there. But I can discourage banks and other lenders from taking my business to Equifax by never granting an unlock request for credit through them.

        • by Desler ( 1608317 )

          All you'll do is discourage those banks and lenders from doing business WITH YOU and nothing more.

          • by PPH ( 736903 )

            Fine. There are other banks.

          • Re:Beware of TrustID (Score:5, Interesting)

            by sfcat ( 872532 ) on Sunday September 10, 2017 @01:18PM (#55169819)

            All you'll do is discourage those banks and lenders from doing business WITH YOU and nothing more.

            I disagree, this is the first good idea about what to do about Equifax I've heard. If many many people all locked their Equifax accounts, then lenders would start expecting that this is common, rational behavior. They would then stop seeing the need to use Equifax. This is the first real idea that has a chance at actually impacting their business which is the only way to reform this horribly broken industry.

            • by Desler ( 1608317 )

              But everyone is not going to do it. A tiny fraction might and not much more. That's why no bank or lender is gonna care because they can move on to the millions of other people who aren't a hassle to deal with.

    • by Khyber ( 864651 )

      Your sources are incapable of reading, direct from the site - "2). NO WAIVER OF RIGHTS FOR THIS CYBER SECURITY INCIDENT
      In response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident."

      • by PPH ( 736903 )

        Six months down the road, my credit goes to shit because of the hackers. And TrustID proves to be useless. Where did I indicate that I applied for it specifically because of this incident? Absent that, standard TOS will apply. We can't even get a straight answer as to whether we are or are not a part of the affected group (the subject of this thread).

  • It's like they don't have any shame at all...
    Oh wait, they don't. Of course they don't.

    It's a company that profits from digging up people's information, storing it in an insecure manner, where executives thought it was fine and dandy to hold up breach information for just enough time do some insider trading, save their own asses, and leave costumers to burn.

    And can you take a wild guess on what side the current administration in which no one watches the watchmen will take?

  • Dated September 8, 2017. It's as bad as the article claims []

  • Dumpster fire. Train wreck. Shit sandwich.

  • So, no change there then.

  • by elrous0 ( 869638 ) on Sunday September 10, 2017 @07:55AM (#55168491)

    These data breaches follow an inevitable life-cycle:

    1) Initial release: "We had a data breach which effected some, but not all, of our customers. The data breach was limited, and did not include bank account numbers, CC numbers, etc."

    2) A week or two later: "The data breach we reported may have included more customers than we initially reported. Some customers may have had sensitive information like CC information and bank account information compromised."

    3) A month later (in a quiet press release late on a Friday afternoon): "It was everyone, and they got everything."

  • If you are curious about why the TrustedID site returns false answers when you input bogus info, here is a pretty good hint. []
    • by Anonymous Coward
      not curious enough to look at a twooter url.
  • When I checked it just gave me a sign up date which I ASSume means I got hit. Ironic that it wants the last 6 digits and last name
  • Let's see, you have to give up your right to sue in a class action, and all you get is random bullshit that tells you nothing anyway.

    This smells like nothing more than bait for an immunity grab.

  • Equifax needs to go away anyway.
    It is a totally incompetent company anyway; a useless, outdated service that serves only it's stockholders.
    Umm, I mean USED to serve it's stockholders. Now it serves no one. Go away.

"Remember, extremism in the nondefense of moderation is not a virtue." -- Peter Neumann, about usenet