
Equifax security freeze PINs are the timestamp of when you request the freeze - moonka
https://twitter.com/webster/status/906346071210778625
======
encoderer
True thing: until recently you could remove hard inquiries from your credit
report merely by pulling your own credit so often in one month using an array
of daily monitoring services that you would overflow the field and bump off
legit inquiries.

I did this in 2009-10; it had been going on for a while, and lasted for a
while, but sadly I hear they've solved it, seemingly by a nightly batch job to
remove your own credit pulls.

These companies are just barely functional for their purpose.

Experian seemed to have their act together a bit more.

~~~
subroutine
I recently turned down a job offer at Experian; it (at least their San Diego
office) was a shitshow.

~~~
throwaway762
I used to work for Experian. When I left, they paid me an extra month's wages
before their payroll caught up to the fact that I was gone, then had to ask
for it back. (I paid them back, FWIW.) If you can't run your own payroll, why
should you be trusted with a credit bureau?

------
Keeeeeeeks
This is embarrassing at this point; a credit authority printing dividends is
too busy placating shareholders to even pretend to give a shit about the data
of the people who _involuntarily_ have their PII stored on their platform.

Whoever files a class action should make a motion such that anyone can purge
their PII from a credit authority that's experienced a public hack such that
their PII was exposed, or some other sort of incentive for these
too-big-to-improve companies to do their job.

~~~
FLUX-YOU
>purge their PII from a credit authority

I can't see that happening if they do any kind of offsite backup and
archiving. They will purge you from the current master, say they purged you,
and you'll be none the wiser.

~~~
eicnix
The best solution for this would be to enable similar data protection laws
like the ones that will become active in 2018 in the EU.

A breach of this law would cost a company 2-4% of their revenue as a fine.
Seeing how these big companies operate there would be a lot of breaches.

~~~
solomatov
>The best solution for this would be to enable similar data protection laws
like the ones that will become active in 2018 in the EU.

I like GDPR, but a lot of people claim it to be too draconian. We'll see how
it works out in EU.

------
solomatov
It's time to have a mandatory certification for people who develop critical
systems. After such certification, you can consider such an implementation a
malpractice, and sue them for it (of course the penalty is paid by the
insurance company which sold the malpractice insurance).

Doctors, lawyers, and many other professions have such a system; why can't we
have it as well?

~~~
ranci
"Critical systems" is pretty vague, and could be used to describe any system
that processes payments or other basic things we use.

It's fundamentally different from malpractice in my opinion. In health care
malpractice has obvious pieces of data - we know who the doctor is, we know
their credentials, we know what information they had and when they had it, we
know what they decided, what they prescribed, what they said.

Software engineering is a team based endeavor. Who exactly is responsible for
unrecognized vulnerabilities? Everyone? No one? One dude who everyone sorta
thought handled security stuff? It's as clear as mud.

~~~
stonogo
Real engineers have a system in place for this. It's called "Professional
Engineer" and it's managed by NCEES. There is no possible reason that practice
cannot directly apply to software engineering, except for the cultural refusal
of software engineers to take responsibility for anything.

~~~
avenoir
While I agree, how do you apply software engineering practices in a field
where a good chunk of the workforce doesn't have formal computer science
education?

~~~
ksenzee
Even if the whole workforce had formal computer science degrees, most of us
_still_ wouldn't have formal engineering education. The CS programs turn out
computer scientists, not professional engineers.

~~~
nol13
And even if they did have formal engineering education and formal CS degrees
and formal whatever, most (all?) would still be incapable of
writing/designing/implementing bulletproof code.

------
tvaughan
And the hits just keep on coming...

www.equifaxsecurity2017.com uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is unknown. The
server might not be sending the appropriate intermediate certificates. An
additional root certificate may need to be imported.

Error code: SEC_ERROR_UNKNOWN_ISSUER

~~~
gregmac
This is such an awful domain to use in the first place. It's conditioning
users in exactly the wrong way, aside from there being a security warning for
some users.

How do you explain to your father/grandfather/whoever that
equifaxsecurity2017.com is ok, but equifax-security-breach.com,
checkyourequifaxaccount.com, equifaxsecurity-2017.com and
equifaxsecurity2018.com are not legit?

Stick to your top level domain. Something like security2017.equifax.com or
equifax.com/security2017 would be okay.
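
Added example, not from the thread: a check for the rule gregmac describes, that a name is legitimate only if it is the organization's own domain or a label-wise subdomain of it. The names are the ones quoted in the comment above plus a few lookalike patterns constructed for the example (notequifax.com, evil.example); the "trusted.com@evil" userinfo form is included to show why the host must be parsed out of a URL rather than string-matched.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "equifax.com"  # the one name a user has to remember


def host_of(url_or_host):
    """Return the hostname of a URL or bare host, lower-cased, without a trailing dot.

    Bare hosts and "host/path" forms get a scheme prepended so urlsplit() parses
    them; parsing also defeats the "trusted.com@evil" trick, because the part
    before '@' is userinfo, not the host.
    """
    s = url_or_host.strip()
    if "://" not in s:
        s = "https://" + s
    host = urlsplit(s).hostname or ""
    return host.rstrip(".").lower()


def is_under(host, domain):
    """True iff host equals domain or is a label-wise subdomain of it.

    Comparing whole labels is the point: endswith() would accept 'notequifax.com',
    and a substring test would accept 'equifax.com.evil.example'.
    """
    h = host.rstrip(".").lower().split(".")
    d = domain.rstrip(".").lower().split(".")
    return len(h) >= len(d) and h[-len(d):] == d


def is_trusted(url_or_host, domain=TRUSTED_DOMAIN):
    """Parse the host out of the input, then apply the subdomain rule."""
    return is_under(host_of(url_or_host), domain)


# Constructed inputs: the names quoted in the comment above plus lookalike
# patterns (notequifax.com, evil.example) made up for this example.
SAMPLE_NAMES = [
    "security2017.equifax.com",
    "equifax.com/security2017",
    "equifaxsecurity2017.com",
    "equifax-security-breach.com",
    "checkyourequifaxaccount.com",
    "equifaxsecurity-2017.com",
    "equifaxsecurity2018.com",
    "notequifax.com",
    "equifax.com.evil.example",
    "https://equifax.com@evil.example/security2017",
]


def classify(names=SAMPLE_NAMES, domain=TRUSTED_DOMAIN):
    """Map each input to whether it is actually under the trusted domain."""
    return {name: is_trusted(name, domain) for name in names}


if __name__ == "__main__":
    for name, ok in classify().items():
        print(f"{'OK  ' if ok else 'FAKE'} {name}")
```

Only the first two sample names pass; every other form, including the ones that merely contain "equifax.com" somewhere in the string, is rejected.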

~~~
misingnoglic
This is how every class action lawsuit does its website too, and it blows my
mind! It looks so sketchy.

~~~
jawns
Bear in mind that in general, those class action settlement websites are run
by the lawyers behind the class action, not by the company that was sued and
has agreed to settle.

It is in the best interests of the settling company to keep distance between
those sites and their primary domain.

------
rokhayakebe
Something worth taking into consideration is that these companies are not
Engineering/Tech companies at the core. They were probably born as paper
companies and digitized their operations later on. I am hoping for the day
something more appropriate for this age will make them irrelevant.

~~~
dheera
How does Equifax, a private company, have the rights to access my personal
data in the first place? Who exactly is giving it to them without my explicit
consent, and why?

~~~
guroot
You do give your consent. Every time you deal with a financial or credit
issuing institution.

~~~
int_19h
Of course, effectively, you don't have a choice - you need those financial
institutions to live a normal life. Equifax (and other bureaus) are coercive
monopolies.

I hope that this story will bring down the hammer on their heads - not just
Equifax, all of them.

------
buildbot
I am curious what programmer would make such a choice vs. calling random or
asking the user.

However, while undeniably stupid, hopefully they have rate limiting in place
so guessing the PIN would not be feasible even if you know the day the credit
freeze was put into place.

~~~
noway421
Maybe there was no way to save and transfer the PIN from one place of the
system to another, and the only way to do it is to guess on the other side by
timestamp.

Pretty hacky implementation, but oh well.

~~~
rocqua
Hash with a secret key (a pepper) solves that. Heck, hashing with a salt or
even just plain hashing would be miles better than this.

~~~
scentoni
Hash? I wouldn't trust the folks at Equifax to know the difference between a
one-way function, a cannabis concentrate, and a fried potato dish.

------
anigbrowl
I'd like if Equifax was just shut down and the assets redistributed to the
affected parties. Shareholders have no incentive to hire ethical and competent
managers if they don't have to bear the losses stemming from bad decisions.

------
justherefortart
Outsourcing/H1b costing a lot more than they save is my guess.

If you develop in-house software, you ARE A SOFTWARE COMPANY, whether you want
to be or not.

Amazing how this good old boy network still thinks like it's 1970.

------
pcurve
Serious question... if there are 3-5 attempt lock out, would this be any less
secure than randomly generated number?

~~~
mikeash
Very much so. If you can guess when someone froze their stuff to within a day,
for example, then 5 tries gives you a 1 in 288 chance of getting in. A proper
random number would be more like 1 in a trillion trillion trillion trillion
trillion trillion trillion trillion.
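
Added example, not from the thread: the arithmetic behind mikeash's "1 in 288" figure, and rocqua's keyed-hash alternative, in runnable form. Assumptions not stated on the page: the PIN is the ten digits MMDDYYHHMM of the minute the freeze was requested, the account locks after 5 wrong attempts (the figure pcurve asked about), and the attacker already knows the freeze day. The account id, pepper and freeze time are constructed sample values.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

MAX_ATTEMPTS = 5  # lockout threshold assumed in the discussion above

# Constructed sample: a freeze requested at 21:38 on 8 Sep 2017 (not a real account).
EXAMPLE_FREEZE = datetime(2017, 9, 8, 21, 38)


def timestamp_pin(when):
    """The weak scheme: PIN is the request minute as MMDDYYHHMM (assumed format)."""
    return when.strftime("%m%d%y%H%M")


def candidate_pins(day):
    """Every PIN an attacker must consider when the freeze date is known to the day."""
    start = day.replace(hour=0, minute=0, second=0, microsecond=0)
    return [timestamp_pin(start + timedelta(minutes=m)) for m in range(24 * 60)]


def success_probability(keyspace, attempts=MAX_ATTEMPTS):
    """Chance that an attacker limited to `attempts` guesses hits a uniformly chosen PIN."""
    return min(1.0, attempts / keyspace)


def lockout_limited_attack(target, candidates, attempts=MAX_ATTEMPTS):
    """Guess candidates in order until the lockout; returns the winning attempt number or None."""
    for n, guess in enumerate(candidates[:attempts], start=1):
        if hmac.compare_digest(guess, target):
            return n
    return None


def keyed_pin(account_id, when, pepper, digits=10):
    """rocqua's suggestion: HMAC the (account, freeze time) under a server-side secret.

    Without the pepper the freeze time tells an attacker nothing, so the
    effective keyspace is the full 10**digits even though the input is
    predictable. (Reducing a 256-bit MAC mod 10**10 leaves negligible bias.)
    """
    msg = f"{account_id}|{when.isoformat()}".encode()
    mac = hmac.new(pepper, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac, "big") % 10**digits).zfill(digits)


def random_pin(digits=10):
    """Simplest fix: a CSPRNG-generated PIN, stored hashed like a password."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))


def compare_schemes(freeze=EXAMPLE_FREEZE, attempts=MAX_ATTEMPTS):
    """Success odds for a lockout-limited attacker who knows the freeze day."""
    weak = success_probability(len(candidate_pins(freeze)), attempts)
    strong = success_probability(10**10, attempts)
    return {"timestamp_pin": weak, "random_or_keyed_pin": strong}


if __name__ == "__main__":
    odds = compare_schemes()
    print(f"timestamp PIN, freeze day known: 1 in {round(1 / odds['timestamp_pin'])}")
    print(f"10-digit random or keyed PIN:    1 in {round(1 / odds['random_or_keyed_pin'])}")
    print("keyed PIN for the sample account:", keyed_pin("acct-123", EXAMPLE_FREEZE, b"server-secret"))
```

With the day known there are 1440 candidate minutes, so 5 attempts give 5/1440 = 1/288; knowing the hour cuts that to 60 candidates and 5 attempts become a 1-in-12 shot. A random or peppered 10-digit PIN leaves the same attacker at 5 in 10^10 regardless of what they learned from the breach.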

~~~
usaphp
But then you also have to guess their ssn and last name on top of guessing the
correct day in order for it to be 1 in 288 chance, no?

~~~
mikeash
Or look it up in the breached info.

------
ulkesh
It's like the Keystone Cops are running Equifax. They are now a complete joke.
And it's sadly not funny.

------
withdavidli
Anyone else confirmed this? Don't know who Tony is; I usually like more
sources than a tweet.

~~~
anyfoo
Just try it out for yourself, like others did:
[https://news.ycombinator.com/item?id=15204573](https://news.ycombinator.com/item?id=15204573)

~~~
withdavidli
I'm not using anything that Equifax set up in case it waives any of my rights.
This is how bad it's gotten, people are afraid/untrusting of their
security/protection measures.

Thank you for linking to more accounts of this.

~~~
wglb
They can't waive your rights. See
[https://twitter.com/AGSchneiderman/status/906195350532304896](https://twitter.com/AGSchneiderman/status/906195350532304896)

------
paultopia
At this point, I will be _legit shocked_ if there aren't actual lines forming
around courthouses, full of plaintiff-side lawyers trying to get a piece of
this unbelievably stupid and negligent company. Holy shit.

------
krzrak
OK, what is "Equifax security freeze"?

~~~
chris_st
A security freeze (which you can get from all three credit reporting agencies
for a small fee, $10 or $20) prevents them from giving your credit information
to a bank (or car company, or college loan agency, or...) asking about you,
when you ask for a loan. I don't know if they charge for this service or not.

It also prevents them from _selling_ your credit information to credit card
companies (and, I'm sure, insurance agencies and many other businesses). These
businesses want a list of people with good credit history to market their
wares to.

Essentially, you're "taking yourself off their sales shelf", so they do not
want you doing this, and will make it as hard as they legally can.

Also note that you pretty much cannot get a loan while your credit records at
these firms are frozen, but it's actually easy to get them un-frozen and then
frozen again once you get the loan.

In fact, you should find out which credit agency your bank (car dealer,
whatever) uses and then only unfreeze that one.

------
chris_wot
Whoa... one guy said on Twitter this was the case in 2007!!

~~~
ranci
9:38 PM - 8 Sep 2017

~~~
MichaelApproved
OP was referring to the top reply to the linked tweet.

> Verified PIN format w/ several people who froze today. And I got my PIN in
> 2007—same exact format. Equifax has been doing this for A DECADE.

[https://twitter.com/webster/status/906361966645710849](https://twitter.com/webster/status/906361966645710849)

------
nogbit
The only solution is to put the data in our hands only and we authorize access
to it on an as needed basis. It should not be centralized anywhere.

~~~
mrguyorama
How do you prevent User X from lying then?

~~~
nogbit
Credit card x,y, and z all know my current balance, place of residence and
payment history. They let me and only me know that info via some method that
can be trusted by anyone (blockchain?).

At a later date, I authorize credit card w to access some computed score that
I compute and verify via other trusted means (another blockchain or whatever).
Credit card w never sees all my data and the verifier gets access to only what
it needs. Nobody needs to trust anyone and instead trusts the chain. Just an
idea.

------
nytesky
What would be the best credit monitoring service then? Any recs of ones that
have their act together?

------
ryanqian
What a joke.

------
mdip
There are a few things here that _shouldn't_ surprise me[0], but do. A credit
reporting agency's one product is personal data (basically, it's you). Leaking
that data basically makes it worthless (or worth a lot less) and besides
affecting the people whose data was leaked[1], it damages the product of their
competitors. You'd _think_ that would be something that's protected with _so
many layers_ that a breach of their web property wouldn't make much of a
difference[2].

At previous employers, without going into terribly much detail, we had an
asset that was treated with the kind of security that something like this
should have been treated with. It was on a segregated network that could only
be accessed through proxy hosts, requiring two-factor authentication. The
proxy hosts were hardened (only the specific, needed, services/components
installed/running, audited and firewalled to death). The devices in the secure
network could not see the corporate network, let alone the Internet and the
corporate network/internet could not see these devices. Even special
'management interfaces' for corporate devices were segregated. This was _in
addition_ to all of the rigor put in to securing each endpoint.

Companies need to realize that security is purely a defense related behavior.
You have to be "perfect" 100% of the time, but your attacker need only be
right a small number of times. The goal is to _increase the number of times_
an attacker has to be _right_ to get at your data. From ensuring your database
accounts can only execute specific things[2], that your web servers are
hardened and isolated to limit exposure, to properly configured firewalls
(including application-layer firewalls/log analysis). And ensuring that
employee access to high-value targets is as minimal as possible and protected
thoroughly. There are both "preventative" and "reductive" technologies that
need to be put in place. Preventative is designed to stop a breach, reductive
is designed to ensure that if breached, the breach is either worthless (i.e.
proper password hashing) or caught and interrupted before _all_ of the data is
exfiltrated. It's a lot easier to explain to investors (and your fellow
countrymen) that a couple of million user accounts were exposed than it is to
explain that 124 million of them left.

From the _looks_ of it, it appears Equifax treats security like most large,
non-tech businesses -- an expense that should be cut as deeply as possible.
It's probably fitting that they have the word "fax" in their name. If I had a
guess, they probably have mandatory security auditing requirements, they paid
the least they could to meet that regulation, and got the answer they paid for
(or found someone to give them the answer). I'll also guess that this PIN
issue will turn out _not_ to be the worst of the security practices in place
-- I mean, how many weeks did they wait to report this[3]?

[0] I have a few years' history at a large corporation working in and around
security. I've seen the ugly, though I feel that we handled things very well
(incredibly well compared against Equifax!)

[1] i.e. _not_ their customers.

[2] I'm thinking in terms of a typical SQL server, where one can eliminate
table/view level access in favor of stored procedures that limit what they
provide and require a level of knowledge of the operation of the system (and
can be tracked by logging in a manner that identifies behavior that's not
normal).

[3] And is it just me being overly cynical or does anyone else think that they
waited until a historic hurricane would dominate the news cycle before going
public with it? It was pretty good timing, really -- coming right off of
Harvey and right into Irma, it's easy to miss this story among the other big
news (one 'general news/politics' site that I expected to see _all kinds_ of
headlines on had it quite low on the fold for a day and nowhere to be found,
today). Or maybe they were just waiting to give time for more of their higher-
ups to sell stock. /s

------
Axsuul
Calling all hackers, brute force much?

------
bitxbitxbitcoin
Equifax is also the only one out of the big three that shows your SSN in
plaintext while you type it in on that online request form. They're just
lacking in all departments it seems.

