
Equifax or Equiphish? - wglb
https://krebsonsecurity.com/2017/09/equifax-or-equiphish/
======
amluto
> the messages do not exactly come across as having emanated from a company
> that cares much about trying to regain the public’s trust.

Regain? Equifax's business model has never depended on having the public's
trust in the first place.

~~~
noitsnot
Sure it did. You gave your information and they provided an accurate credit
history. You trusted that information was correct, and if it didn't line up
you would be contacting authorities or credit agencies trying to counter fraud
and fix your life.

~~~
rubyn00bie
No, I never gave them my information-- someone, or something, else did without
my explicit consent. If anything I would've explicitly denied them storing any
and all of my information but I was never given that choice.

Your grasp of how this all works is unsettling.

~~~
chii
But you "agreed" when you signed the loan or credit card (or anything really).

~~~
tremon
An "agreement" isn't meaningful if there is no informed choice. And choice
isn't meaningful if there is no realistic alternative.

------
QUFB
Since Equifax didn't bother, at least whitehats have registered
[http://premiertrustedid.com/](http://premiertrustedid.com/) and
[https://premieridtrusted.com/](https://premieridtrusted.com/)

------
LambdaComplex
>Social Security numbers, dates of birth and other sensitive data

Dates of birth are considered sensitive data? That's pretty sad.

~~~
wyldfire
IIRC the social security number is not a globally unique identifier (only 1e9
unique values). However, in practice, the (SSN, birthdate) tuple generally is
unique.

This is probably why it's considered "sensitive."

~~~
Diederich
To date, less than half of the total possible SSNs have been used. They are
not re-used at this time. (1)

1) I worked in a large hospital in medical information systems, and the edge
cases of SSN included the (required) SSN for newborns and unidentified
patients. For the former, we re-used the SSN of the mother, but added a
suffix. (So in our database, it wasn't just a 9 digit integer, it was a >9
character string. I can't recall how long.) When the newborn got an SSN
assigned, we updated it. For John/Jane Doe folks, we used something like all
zeros or some such, with an 'auto-incrementing' character suffix. These were
re-used.

~~~
IncRnd
ID Analytics did a study in 2010 that found 40 million out of 290 million SSNs
were assigned to more than one person. The conclusion is that the odds of
someone else having your SSN are roughly 1:6.

Other highlights of the study include:

      1) How many SSNs do you have? – 6.1 percent of
         Americans have at least two SSNs associated
         with their name. More than 100,000 Americans
         have five or more SSNs associated with their name.

      2) Some SSNs are very popular – More than 15 percent
         of SSNs are associated with two or more people.
         More than 140,000 SSNs are associated with five
         or more people. Significantly, more than 27,000
         SSNs are associated with 10 or more people.*

[http://www.idanalytics.com/blog/press-releases/20-million-am...](http://www.idanalytics.com/blog/press-releases/20-million-americans-multiple-social-security-numbers-associated-name/)

~~~
dragonwriter
> ID Analytics did a study in 2010 that found 40 million out of 290 million
> SSNs were assigned to more than one person.

Since their count of duplication the other way was based on SSNs associated
with _names_, I wonder if they made the same mistake for that direction
(assuming name = person). People can both share identical names and have
different names over their lifetime, so even if SSNs were 1:1 with people
there would be SSNs associated with multiple names and names with multiple
associated SSNs.

~~~
IncRnd
I doubt they did, based upon the news reporters reposting examples from the
study for the last 7 years. In particular where the name is identical or
almost the same, DOB is the same, State of Birth is the same, but the birth
city or county differs.

You read the _name_ reference from the first sentence of a blog. The blog
entry also mentions two of the main reasons, data entry errors and fraud.

------
throwaway2016a
It's almost as if they don't want people to sign up for their "free" credit
monitoring...

~~~
IncRnd
It's just to lower their liability, whether people accept the free offer or
not.

------
danjoc
Where's the data dump? The hackers said they'd dump Sept 15 if not paid.

[http://archive.is/648A5](http://archive.is/648A5)

------
vpribish
Wow. They continue to dig deeper in this mess. I got that email and it looked
so sketchy that I marked it as phishing. Do they have no one actually thinking
this through?

It's a shame we have to wait for the lawsuits to have an impact on them since
we aren't their customers and can't take our business elsewhere.

~~~
thephyber
> we aren't their customers and can't take our business elsewhere

This is an understatement. We are literally a cost center for them. Complying
with the Fair Credit Reporting Act is the only reason they bother listening to
our complaints, yet that same Fair Credit Reporting Act has effectively
enshrined the big 3 credit bureaus with a moat against effective competition.

------
patcheudor
Here's a more in-depth analysis from the perspective of trying to figure out
if the e-mail and site are legit which covers all the various things Equifax
did wrong:

[https://www.linkedin.com/pulse/equifax-how-can-you-phished-t...](https://www.linkedin.com/pulse/equifax-how-can-you-phished-today-jerry-decime/)

~~~
politician
> Equifax is missing a lot of basics when it comes to communications and web
> security and must take steps to increase the trust between themselves and
> their customers by:

A great analysis marred only by a misunderstanding of who Equifax considers
their customers.

~~~
patcheudor
Ha! In this case make no mistake, the product is also the customer. At some
point they will switch from free to charging for their monitoring service.

~~~
FireBeyond
At some point? Before the breach you paid ($17.95/mo IIRC) for "TrustedID
Premier".

And during this breach, the first year is all that's free. You need to
enter billing data to enroll, and they -will- start billing after the free
period unless you cancel first.

------
IncRnd
How about using trustedid.equifax.com?

If you had security people on staff at equifast, you'd already have realized
how to stop your security bumbling, fumbling, and stumbling. Of course, you'd
need to listen to their advice, first.

