
Myequifax.com Bypasses Credit Freeze Pin - deanmoriarty
https://krebsonsecurity.com/2019/03/myequifax-com-bypasses-credit-freeze-pin/
======
zelon88
Equifax has the unique ability to collect the most private information
available, even when they have never or will never interact with that person.

I think the entire credit system needs to be changed. If credit bureaus can't
be responsible then citizens should get a choice in the matter. These
companies have us by the balls and we have no recourse. It's a monopoly
complete with price fixing and everything, except the price is privacy and you
don't get any options.

It reminds me of an episode of Hotel Hell I saw where the front desk stored
all guest credit card numbers, expiration date, and security code in a white
lined notebook unlocked behind the counter. Gordon Ramsay walks up to an
unstaffed counter, grabs the book, and walks off with it.

Now imagine that the hotel blatantly admits to not giving a shit about your
credit card details, and you don't have the option of checking out and taking
your business elsewhere.

~~~
jjeaff
I'm normally not a fan of congressional hearings where everyone is trying to
grandstand, but this one was particularly good.

The congresswoman asked the Equifax CEO to provide his birthday and social
security number publicly for the record. He of course refused and when asked
why, he said because that is sensitive information.

All the while, Equifax attorneys are arguing in court that there is no harm in
leaking private data like SSNs and thus they shouldn't be held liable for any
damages.

[https://www.fastcompany.com/90312551/watch-a-congresswoman-d...](https://www.fastcompany.com/90312551/watch-a-congresswoman-destroy-equifax-ceo-mark-begor-in-an-epic-privacy-burn)

~~~
ModernMech
That's all well and good, but what was the concrete result of the hearing?
Nothing actually happened and Equifax continues merrily along doing what it's
always done.

~~~
jdsully
Congressional hearings are about informing law makers (and also for
grandstanding). They are not intended to provide immediate results in the way
a trial would. The results if any will be in the form of legislation at a
later date.

~~~
ModernMech
Results can come a lot sooner and more incrementally than that. For example,
there were congressional hearings very recently involving Michael Cohen and
merely days later, document requests were issued as a result of the statements
he made during the hearing.

So where are the inquiries? Where are the task forces? Where are the
subpoenas? Where are the subcommittees? It's been over a year. Are you
confident with "changes will come at a later date"? Seems to me like changes
will happen never.

[http://fortune.com/2018/09/07/equifax-data-breach-one-year-a...](http://fortune.com/2018/09/07/equifax-data-breach-one-year-anniversary/)

~~~
sfifs
To a non-American, the promptness and lack of even thinking or hesitation with
which Michael Cohen answered and the swift "results" it produced make it seem
almost certain that the questions from AOC and others were pre-coordinated
"set pieces" designed to provide some kind of "parallel construction"
justification for the requests. I wouldn't put much store by these things.

~~~
enraged_camel
Wow, that’s one hell of a conspiracy theory.

------
mherdeg
A real-life attack based on this kind of hole was discussed at
[https://www.reddit.com/r/personalfinance/comments/ay7aoy/ide...](https://www.reddit.com/r/personalfinance/comments/ay7aoy/identity_thief_is_unfreezing_my_credit_freeze/):
someone says that an identity thief who knows all their knowledge-based
question answers (because they have a copy of a credit report, no doubt) keeps
somehow removing the freeze and committing more fraud.

~~~
astura
Some KBA questions don't show up on your credit report, that being said, they
can still be guessed with some certainty if you know the person.

Some examples either me or my husband have gotten:

-What month was [person] born? [person] was my mom and one option was "I don't know [person]." Luckily they didn't ask the date, because I don't know that, but I do know the month.

-Which of the following people are/were you associated with?, my ex-roommate as one of the answers. Makes sense to connect us if we had the same address at the same time.

-Which of the following people are/were you associated with?, my ex as one of the answers. This one baffled me because we never lived together and never had a bank account or loan together.

-Which town did/does [person] live in? Where [person] was my husband's brother.
Of course, useless if everyone still lives in their hometown.

I've also been asked about the previous cars I've owned, which are from DMV
and insurance databases, not credit reports.

The entire concept of KBA is flawed and pretty shitty all around.

~~~
noirbot
I once had a nightmare set of one where I was setting things up over the phone
and had to do KBAs, and they asked me who held my Auto Loan. A. Who has my loan
has changed since I got it originally. B. The options they gave were (names
changed) Wachovia, Ally Bank, Ally Bank Inc, Ally Bank of New York, where the
original lender was Wachovia, and I know it got sold to Ally at some point.

I literally have no way to know which one of these they think is correct. At
least 2 of them were correct at some point, depending on how up-to-date the
data was, and the last three were indistinguishable, even when looking at my
actual statements for my loan... So I failed out of my KBAs 4 straight times
because they kept giving different variants of the same question, just with
different sets of answers, until I could venn diagram out which one must be
right because it was the only one that came up in all 4.

~~~
astura
They really are piss poor low hanging fruit level of effort. I once got a
question asking which car I owned with four answers and I had owned two cars
listed...

Then, of course, what if you get a question about your sister when she's toxic
and you've cut her out of your life. Or even just naturally lost touch with
her over the years.

------
css
> the data being asked about in these KBA quizzes is culled from public
> records

Yesterday, when opening a savings account with a major US financial
institution, one of the KBA questions asked for my Zodiac sign. The other two
were about a mortgage and the year I was born (±1 year). I do not understand
why any competent institution would find these secure and it appalls me that
is all the information needed to open an account in my name.

Edit: Here is the screenshot
[https://i.imgur.com/Mr8gOOA.jpg](https://i.imgur.com/Mr8gOOA.jpg)

~~~
nkrisc
Zodiac sign? Seriously? I don't know what mine is because that is not a belief
system/religion I subscribe to so I had to Google it. Turns out my birthdate
must be on the border because different sources have it as a different sign.
They might as well ask what color my aura is.

~~~
cedaratlas
Better than the SS administration who ask "Where were you when 9/11 happened"
or "Where were you when JFK was assassinated"... Took a screenshot of these but
can't find it now. My method is picking the common questions like "what street
did you grow up on" and assigning it a random/not true answer, or another
question such as "I don't know what my favorite street is".

~~~
astura
These are so called "security questions" for that account; the great
grandparent is talking about "knowledge-based authentication," which is a
different thing entirely.

With "security questions" you choose your answers; in "knowledge-based
authentication" the questions and answers are generated based on the
information on your credit reports and other databases, such as insurance
databases. You don't make up answers, they already know the answers.

~~~
voxic11
> Static KBA, also referred to as "shared secrets" or "shared secret
> questions", is commonly used by banks, financial services companies and
> e-mail providers to prove the identity of the customer before allowing
> account access or, as a fall-back, if the user forgets their password.

Wikipedia refers to "security questions" as "Static KBA".

------
deanmoriarty
I literally noticed this myself last month when I went to temporarily lift
my freeze to apply for a new credit card. I never got asked for the PIN, which
I diligently save and securely store. I remember I was explicitly asked for it
just a year ago (last time I had to do the same to open another card). I felt
like an idiot.

~~~
erichurkman
They don't want to make it hard to use your credit report. The worse job they
do with security theater the more money they make, and the easier it is for
you to obtain credit products. If they actually applied any reasonable
security, the friction of getting new credit would reduce new customer
acquisition.

For my view, that's ideal: people should put real, explicit thought into
obtaining new credit or debt products. It's too easy right now, especially
with products like Credit Karma trivializing getting new credit cards.

~~~
r00fus
> They don't want to make it hard to use your credit report. The worse job
> they do with security theater the more money they make, and the easier it is
> for you to obtain credit products.

This is why we need to legislate these companies now, and re-incentivize them
to do the right thing.

------
dev1n
Can we just shut down equifax already?

~~~
ratling
I will never unfreeze Equifax, regardless of what I do with the other credit
agencies. I can't prevent them from collecting my information but I can
prevent them from profiting off it.

~~~
craftyguy
Why can't they profit from the troves of info they have about you, and will
continue to collect about you, if your 'account' is 'frozen'?

------
fhinson
> SSN and DOB data is widely available for sale in the cybercrime underground
> on almost all U.S. citizens. This has been the reality for years, and was so
> well before Equifax announced its big 2017 breach.

Again, I find that this only reinforces the fact that SSNs are not a useful
identification system because there's nothing secure about them. Can someone
explain where attackers obtain SSN/DOB data with such a widespread success
rate?

~~~
sevensor
So if everybody knows your SSN/DOB, I'd say that makes a very good identity
system in the sense that we can all unambiguously refer to the same person.
It's just not any use as a means of authenticating that you are the person who
has that identity.

~~~
orky56
SSN on its own is sufficient for verifying identity. SSN coupled with a phone
verification step is more secure for authenticating than DOB.

~~~
craftyguy
> SSN on its own is sufficient for verifying identity.

No. It's sufficient for identifying someone, but not at all sufficient (not
even close) for verifying someone is who they say they are.

------
trjordan
If you require the PIN to lift a credit freeze, some people will lose their
PIN and never be able to lift the credit freeze.

So there must be a workaround that relies on verifying identity, based on non-
random information (e.g. no PINs, no passwords).

They've made it too easy, but until we can request that a credit agency
blacklist an SSN and forget all associated information, this will keep
happening.

------
JustSomeNobody
> “We deployed an experience that embraces both security standards (using a
> multi-factor and layered approach to verify the consumer’s identity) and
> reflects specific consumer feedback on managing security freezes and fraud
> alerts online without the use of a PIN,” she continued. “The account set-up
> process, which involves the creation of a username and password, relies on
> both user inputs and other factors to securely establish, verify, and
> authenticate that the consumer’s identity is connected to the consumer every
> time.”

She tosses around the word security, but really what she is saying is that
Equifax decided to make the experience as simple as possible because having
people create accounts with them without the need for boosting CSR headcount
is more important than securing those accounts.

------
RandomCitizen
I just made upper management aware at Equifax. Let's see how long this takes
until they require the FUCKING PIN number to unfreeze your credit on their
website. What a joke.

~~~
smush
Thanks for posting this, please reply back and let us know their reaction. It
might be popcorn worthy, or it might be 'meh' - either way, it is of interest
to me and I suspect HN.

------
benatkin
I lost my PIN since I moved twice after freezing my credit and apparently
didn't store it in my computer. I was able to temporarily lift my security
freeze without it, and I found it convenient but a bit unsettling. Glad I'm
not the only one.

------
beart
My guess is the pin is largely pointless anyway. This new system was put in
place because a large number of people forget or lose their pin. This would
require a support ticket every time. The new system is intended to reduce
support costs.

------
mrhappyunhappy
Serious question: what’s to stop a startup or 2 or 3 from creating an
alternative credit check system that’s not as horrendous as the current one,
thus displacing the current overlords?

~~~
mikeash
Only the difficulty of convincing financial companies to report to and pull
info from your system.

------
joeblau
Is there anything a regular individual can do to help get this company shut
down?

------
turtlegrids
Secure for thee, but not for me!

------
jiveturkey
password policy for my.equifax.com is ... not best practice. at least they
allow up to 20 characters. must include one special character from a set of
... FIVE. and those are the only allowed special characters.

~~~
criddell
Whenever they limit the number of characters to something small, it makes me
wonder if they are storing the password in their database rather than some
hash of the password.

I complained about this to my old bank (Wells Fargo) and they told me not to
worry about it because I'm protected from fraud.

~~~
mjevans
It generally means they're not handling it in a secure way. Worst case
scenario is that if the checks you see client side aren't also server side
someone might be able to inject things that run as... whatever the server side
processes are.

Usually anyplace that has a limit less than 512 characters (often 1024, but
some string buffers are small) or on the characters you can use, at all, isn't
doing it right.

~~~
jiveturkey
It generally means that yes. But sometimes it also has to do with CSR calls.
eg, by not allowing spaces in passwords, you eliminate an entire class of
PEBKAC errors.

I don't for a second believe that's why my.equifax.com is doing it. It's
certainly not why there's a 20 character limit. (I personally use 64 char
passwords wherever such long ones are allowed.)
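
The point made in the last three comments, that a small maximum length or a restricted character set is unnecessary once the server hashes passwords, shown as an added example (not code from the site or any commenter): a server-side policy with a minimum length but no cap and no special-character whitelist, plus salted PBKDF2 storage where a 20-character and a 500-character password produce digests of identical size. The iteration count, salt size and policy thresholds are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

MIN_LEN = 12            # assumed floor; there is deliberately no ceiling
ITERATIONS = 200_000    # assumed PBKDF2 work factor for this example
DIGEST_LEN = 32         # output size is fixed regardless of password length


def check_policy(password: str) -> List[str]:
    """Server-side policy check. Returns the list of violations (empty = OK).

    The page's complaint is a 20-character cap and five permitted specials;
    a hashed store needs neither, so only a floor and printability are enforced.
    """
    problems = []
    if len(password) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if not password.isprintable():  # spaces and any printable symbol are fine
        problems.append("contains non-printable characters")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a fixed-size digest with a per-user random salt.

    Because the digest length is constant, the database column never needs
    to grow with the password, which is why a length cap is a red flag.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 ITERATIONS, dklen=DIGEST_LEN)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute under the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def register_and_login(password: str) -> bool:
    """Convenience wrapper: reject policy violations, otherwise store and verify."""
    if check_policy(password):
        return False
    salt, digest = hash_password(password)
    return verify_password(password, salt, digest)
```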

------
qrbLPHiKpiux
When can we all agree that nothing connected to the internet is secure. Ever.

?

