
Equifax linked customers to my fake phishing version of their site by accident - ceejayoz
https://twitter.com/thesquashSH/status/910512164938665984
======
nikisweeting
(FYI mods this is a repost of my original submission:
[https://news.ycombinator.com/item?id=15294218](https://news.ycombinator.com/item?id=15294218))

Ideally Equifax will listen and either move it to equifax.com, or take down
the site altogether. Since the real version seems to be answering randomly,
they may as well just shut the whole thing down.

But seeing as they're a massive, bumbling, bureaucratic organization, there's
probably a non-zero chance they'll try to sue me instead.

If there are any lawyers here, am I in potential legal hot water for making
this site?

~~~
monochromatic
equifaxsecurity2017.com sounds like such a scammy site too. It's exactly the
kind of thing I'd expect a fake site to be named.

Why in the world wouldn't they just put it on their own domain?

~~~
tyingq
Probably because they wanted to farm it out to some agency with zero
dependencies on their known-incompetent internal IT team?

You're right of course, but I'm betting that was the motivation.

~~~
Kluny
You'd think even the world's most incompetent IT team could manage to point a
subdomain at a remote server, but apparently not.

~~~
mdavidn
Not without sending every user's equifax.com cookies to that outside agency's
servers.

~~~
Kluny
Hmm, point. Of course, there are tons of ways to get around that problem.

~~~
wutwutwutwut
Can you share the best?

~~~
Kluny
The first one that comes to mind would be to invalidate all existing cookies
so that the ones accessible to the other server aren't useful. I wouldn't call
that the "best" since invalidating cookies can be annoying for users, but I'm
sure there are other ways.

~~~
wutwutwutwut
If a user has a cookie for example.com (your domain) and types in
vendor.example.com in the web browser, how would you invalidate these cookies
before they are sent to the vendor? Or even after they are sent? I struggle a
bit with seeing how this could be done in a secure manner.

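The point mdavidn raises above is a consequence of cookie scoping: a cookie set with an explicit `Domain=example.com` attribute is sent to every subdomain, so pointing `vendor.example.com` at an outside host would hand that vendor every such cookie, while a cookie set without a `Domain` attribute is "host-only" and travels only to the exact host that set it. The following is an added example, not code from the thread; it implements the RFC 6265 domain-match rule over a constructed cookie jar for the hypothetical hosts `www.example.com` and `vendor.example.com`, and also applies the `__Host-` prefix rule (a browser rejects a `__Host-` cookie that carries a `Domain` attribute), which is the usual way to guarantee a session cookie never leaks to a sibling subdomain.

```python
"""Which cookies a browser would send to vendor.example.com.

Added example, not code from the thread. Implements the domain-match
rule of RFC 6265 section 5.1.3, the host-only distinction of section
5.4, and the __Host- prefix rule, over a constructed cookie jar for
the hypothetical domains example.com and vendor.example.com.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str      # stored domain, lower-case, no leading dot
    host_only: bool  # True when Set-Cookie carried no Domain attribute
    secure: bool = False


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: host equals the domain, or ends with '.' + domain."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower()
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


def cookie_from_set_cookie(header: str, response_host: str) -> Optional[Cookie]:
    """Parse the subset of Set-Cookie we need: name=value; Domain=...; Secure.

    Returns None when a browser would reject the cookie outright
    (here: a __Host- cookie that names a Domain).
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    domain = None
    secure = False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.lower() == "domain":
            domain = value.lstrip(".").lower()
        elif key.lower() == "secure":
            secure = True
    if name.startswith("__Host-") and (domain is not None or not secure):
        return None  # prefix rule: host-only and Secure, or rejected
    if domain is None:
        # No Domain attribute: host-only cookie, bound to the exact host.
        return Cookie(name, response_host.lower(), True, secure)
    return Cookie(name, domain, False, secure)


def cookies_sent_to(jar, request_host: str):
    """RFC 6265 5.4 step 1: host-only cookies need an exact host match,
    domain cookies need a domain-match. Returns the matching names."""
    sent = []
    for c in jar:
        if c.host_only:
            if request_host.lower() == c.domain:
                sent.append(c.name)
        elif domain_matches(request_host, c.domain):
            sent.append(c.name)
    return sorted(sent)


# Constructed jar: one domain-wide cookie and one host-only cookie, both
# set by a response from www.example.com.
JAR = [
    c for c in (
        cookie_from_set_cookie("session=abc; Domain=example.com; Secure", "www.example.com"),
        cookie_from_set_cookie("__Host-sid=def; Secure; Path=/", "www.example.com"),
    )
    if c is not None
]

if __name__ == "__main__":
    print(cookies_sent_to(JAR, "www.example.com"))     # both cookies
    print(cookies_sent_to(JAR, "vendor.example.com"))  # only 'session'
```

Run it and the domain-scoped `session` cookie is the one that would reach the vendor's server, while the host-only `__Host-sid` cookie stays with `www.example.com`; that is the property to check on an existing site before delegating a subdomain, since cookies already issued with `Domain=` cannot be re-scoped after the fact.
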
------
asmithmd1
This tweet from Equifax to a website spoofing the correct website has been up
since 6pm last night:
[https://twitter.com/Equifax/status/910265181976104960](https://twitter.com/Equifax/status/910265181976104960)

At this point Equifax has repeatedly demonstrated nothing but contempt for
people whose information they have compromised. When are the authorities going
to padlock their doors and shut down this continuing criminally reckless
enterprise?

~~~
yebyen
It's beginning to look a lot like "retiring" both the CISO and CIO right in
the middle of a major security news event... may have been another bad
decision!

I'm with you, it's more criminal that after all they've flubbed, this company
is even still allowed to operate, than that they lost all of our information
to begin with.

Don't we have at least 3 major credit bureaus? Equifax should be shuttered
immediately and with prejudice, the American credit system will be immediately
better off and we can all live without this one. Shareholders be damned.

~~~
krallja
Do you think the other two are any better?

~~~
yebyen
Is that really a question? No, I don't, I consider it to be unauthorized
surveillance, but the fact is that Equifax blew this up, and now continues to
demonstrate their organizational incompetence, while TransUnion and Experian
are not really in the news this week.

Our system of credit operates on these bureaus, and we have two others that
appear to be functioning properly. If I had one server that was obviously
infested with hackers, but two others that were not obviously infested,
assuming that I had isolated them properly and they did not have major parts
that were in common, I'd start by unplugging the one that was already
confirmed to be hacked.

I think it works the same way when corporations that surveilled 50% or more of
the population demonstrate systematic incompetence basically without remorse,
as in this case. They just need to be unplugged, immediately. (I'm not
advocating we shut down the entire credit system, in other words, although I
am terrified it may yet come to that.)

------
BugsJustFindMe
Fun fact from the trenches: I tried enrolling online for their post-hack free
1 year identity monitoring offer, but when it came time to verify myself by
answering questions they clearly started asking me questions about someone
else's profile because none of the questions made any sense. Then when I
answered wrong (of course, because I'm not whoever that person is) I was given
a phone number to call instead.

Combine that info with [https://techcrunch.com/2017/09/08/psa-no-matter-what-you-wri...](https://techcrunch.com/2017/09/08/psa-no-matter-what-you-write-equifax-may-tell-you-youve-been-impacted-by-the-hack/)
and it's enough to throw one into paroxysms.

This chaos is maddeningly absurd, and in a just world their business would be
completely shut down by the government.

~~~
lightbyte
>but when it came time to verify myself by answering questions they clearly
started asking me questions about someone else's profile because none of the
questions made any sense

Just a note, this most likely is not what happened. Identity verification
questions typically will ask questions like "Who is your current house
mortgage with?" when you have none and they will include a "None of the above"
answer, which you're supposed to pick. It's totally intentional.

~~~
barkingcat
When I went through one of these there was _NO_ none of the above answers.
Basically, you're screwed because you realize they are asking about someone
else who was at your address 50 years ago, who drives a motorcycle (no option
to say no such thing), has 3 kids who had college loans (no answer to say no
such thing), and is on their 3rd housing mortgage (no option to say no such
thing).

~~~
barkingcat
And what else can you do? You select randomly and then pass the 'id
verification' with flying colours and then on the phone with the customer
service rep, you verbally refute each one. The service rep says that they
don't see any of that on their end.

Basically, it's like a web script that's not hooked up to anything in the
backend... Like their recent "has your information been leaked" web forms.

I suspect that's the case across the entire industry.

------
danso
> _Mr. Sweeting explained in his email that a Linux command, “wget,” allows
> anyone to download the contents of a website, “including all images, HTML,
> CSS, etc.”_

According to my research [0], this is the second time in New York Times
history that the word "wget" has appeared in the NYT.

The first time was in 2014:

[https://www.nytimes.com/2014/02/09/us/snowden-used-low-cost-...](https://www.nytimes.com/2014/02/09/us/snowden-used-low-cost-tool-to-best-nsa.html)

> _Evidence presented during Private Manning’s court-martial for his role as
> the source for large archives of military and diplomatic files given to
> WikiLeaks revealed that he had used a program called “wget” to download the
> batches of files. That program automates the retrieval of large numbers of
> files, but it is considered less powerful than the tool Mr. Snowden used._

[0]
[http://query.nytimes.com/search/sitesearch/#/wget/since1851/...](http://query.nytimes.com/search/sitesearch/#/wget/since1851/allresults/1/allauthors/newest/)

~~~
nikisweeting
I'm a huge wget fan! It's the core tech inside my archiving tool:
[https://github.com/pirate/bookmark-archiver](https://github.com/pirate/bookmark-archiver)

~~~
danso
Very nice. I've been using wget by itself to archive various government pages,
but that approach is reaching its end-life with JS-heavy sites becoming more
prevalent. You use headless Chromium for screenshots; is it possible to use it
to execute a page's JS and save the resulting HTML?

~~~
nikisweeting
Yes, headless chrome `--dump-dom` allows you to dump the <body> html after the
page loads. I opted not to do that in bookmark-archiver since gluing it back
to the <head> code to get a working static page was complicated and error
prone.

------
woah
I implemented a credit check API connection to Equifax recently. The response
data was encoded as a stream of offset-based text, with some offsets
dynamically changing based on fields in the already-parsed data. Lots of work
to write a parser for it.

We initially asked them if they had an updated version of this API using XML
or JSON, and it turned into a call with several of their salespeople trying to
upsell us on some complicated drag and drop rules engine that happened to
return data as JSON. So we just stuck to the legacy API. They struck me as a
pretty incompetent organization.

~~~
pwg
That sounds like a very weird format.

Care to post a mini-example with fake data so we can better understand what
you are describing?

~~~
pythonistic
It sounds like an X12-style EDI format. They'll frequently have fields (or
parts of fields) that can enable alternative blocks that may be of a different
size. I had to write and maintain EDI interfaces for four years at a major
retailer: there's a good business in transforming those documents.

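pwg asked for a mini-example of the offset-based format woah describes. The following is an added example with an invented layout, not Equifax's real response format and not code from the thread; it shows the property that makes such formats painful, namely that the offset of every later field depends on a length already parsed from the data, and how a bounds-checked cursor keeps a truncated or malformed record from turning into a silent mis-parse.

```python
"""Parser for a constructed offset-based credit report record.

Added example with an invented layout (not Equifax's real format):

  bytes 0-1   segment id, always "CR"
  bytes 2-4   3-digit count N of trade lines that follow
  then N trade lines, each:
      2-digit length L of the creditor name
      L bytes of creditor name
      8 bytes  date opened, YYYYMMDD
      9 bytes  balance in cents, zero-padded
  then 1 byte status flag for the whole report

The offset of every field after the first trade line depends on the
name lengths already parsed, which is the property the thread describes.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class TradeLine:
    creditor: str
    opened: date
    balance_cents: int


@dataclass
class CreditRecord:
    trade_lines: list
    status: str


class RecordError(ValueError):
    """Raised for any truncated, non-numeric or trailing-garbage record."""


class Cursor:
    """Tracks the current offset so every field read is bounds-checked."""

    def __init__(self, data: str):
        self.data = data
        self.pos = 0

    def take(self, n: int, what: str) -> str:
        if n < 0 or self.pos + n > len(self.data):
            raise RecordError(f"truncated record while reading {what} at offset {self.pos}")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def take_int(self, n: int, what: str) -> int:
        chunk = self.take(n, what)
        if not chunk.isdigit():
            raise RecordError(f"non-numeric {what} {chunk!r} at offset {self.pos - n}")
        return int(chunk)


def parse_record(data: str) -> CreditRecord:
    cur = Cursor(data)
    if cur.take(2, "segment id") != "CR":
        raise RecordError("not a CR segment")
    count = cur.take_int(3, "trade line count")
    lines = []
    for i in range(count):
        # The name length read here moves every following offset.
        name_len = cur.take_int(2, f"name length of trade line {i}")
        name = cur.take(name_len, f"creditor name of trade line {i}")
        raw_date = cur.take(8, f"open date of trade line {i}")
        try:
            opened = date(int(raw_date[:4]), int(raw_date[4:6]), int(raw_date[6:]))
        except ValueError as exc:
            raise RecordError(f"bad date {raw_date!r} in trade line {i}") from exc
        balance = cur.take_int(9, f"balance of trade line {i}")
        lines.append(TradeLine(name, opened, balance))
    status = cur.take(1, "status flag")
    if cur.pos != len(data):
        raise RecordError(f"{len(data) - cur.pos} trailing bytes after status flag")
    return CreditRecord(lines, status)


def is_well_formed(data: str) -> bool:
    """True when the record parses cleanly and consumes every byte."""
    try:
        parse_record(data)
        return True
    except RecordError:
        return False


# Constructed sample: two trade lines whose creditor names differ in length.
SAMPLE = (
    "CR" "002"
    "09" "ACME BANK" "20150301" "000012345"
    "14" "EXAMPLE CREDIT" "20170101" "000000000"
    "A"
)

if __name__ == "__main__":
    for tl in parse_record(SAMPLE).trade_lines:
        print(tl)
```

The X12-style EDI formats pythonistic mentions add one more twist on top of this: a code in one segment can select which of several alternative segment layouts follows, so the parser also has to switch layouts mid-stream rather than only shifting offsets.
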
------
lghh
To be clear, I'm not an Equifax customer. I have no business with them,
creditors do. I have little to no recourse against them. I can't stop using
them. Remember that we are not their customers, we're their product.

------
lightheat
[https://i.imgur.com/2kChYIe.png](https://i.imgur.com/2kChYIe.png)

Image backup/mirror of the tweet for when they eventually (?) delete it. As of
this comment, it's still up, nearly 20 hours later.

~~~
eridius
Just in time! As of this comment (10 minutes later), it's been deleted.

~~~
nikisweeting
Luckily they tweeted it not once, but 8 times!
[https://twitter.com/MadcapOcelot/status/910533555494760449](https://twitter.com/MadcapOcelot/status/910533555494760449)

~~~
ceejayoz
Tim's in a bit of trouble.

~~~
icpmacdo
This goes way above Tim at this point

------
odammit
That’s funny because when I saw the original link and the original site I
thought _it_ was a phishing site.

It definitely looks like ol’ Barb in accounting has a nephew that builds web
pages. “I bet he’d build it on the cheap!!1!!”

It’s time for this company to go away.

~~~
hunter2_
I have my home router set to use OpenDNS instead of my ISP's DNS, and OpenDNS
actually resolved the real breach website to their own phishing warning... I
had to turn off WiFi and use LTE (or reconfigure my router) to see it and
contemplate putting my partial SSN into what might or might not have been a
phishing site...

Not sure exactly how long it took OpenDNS to fix that but the false positive
is cleared up now. Funnily enough, I switched from ISP (Verizon) DNS to
OpenDNS to avoid their NXDOMAIN shenanigans, only to end up with other
protective shenanigans.

------
heywot
Perhaps the worst part of this breach is I have had people tell me "that's
okay, I've never been an Equifax customer." The lack of understanding is
almost as saddening as the breach itself. If you have credit, you're impacted.

The constant bungling on Equifax's part would be hilarious if the potential
impacts weren't so sad.

------
beager
I was saying this[0] in the other thread, but I'm not sure this ends with
laughs and `aw shucks`es for Nick. Equifax has been remarkably ham-fisted in
every regard, from their initial exposure, to their inability to patch, to
their getting breached, to their mishandling of disclosure, to their lax and
callous response, etc etc etc. Nick's site looked and acted like a real
phishing site. Equifax, as well as the court of public opinion and an actual
court, might not be able to detect the nuance here and a reasonable case could
be made that this was an attempt to phish off of Equifax's debacle.

The NYT writing it up certainly helps his case, but there were probably more
tactful ways of going about this.

[0]:
[https://news.ycombinator.com/item?id=15297877](https://news.ycombinator.com/item?id=15297877)

~~~
yebyen
No way. There is no better or more tactful way to show how roundly incompetent
the company is, and continues to be, than to put up a domain name that is
confusingly similar to the already confusing, pointless, dangerous domain that
they put up as a response to their breach... and then proceed to watch them as
they tweet it out to a half dozen or more of their customers, as if on cue.

There just isn't! It's perfect. Many people who are professional security
types said on Day 1 that this would happen, and sagely advised that it might
be unwise for anyone to put part of their SSN into a two-day old website on a
previously unknown domain that looked like Baby's first PHP, just as news of
the breach was still breaking.

And that it was similarly unwise to ask them to do so! So can we just unplug
Equifax already? Please? It should be clear who the guilty party is here, and
it starts with an Equifax.

~~~
beager
Thoroughly disagree. While I do think Equifax should be raked forcefully over
the coals for their gross and pervasive misconduct, setting up something that
is virtually equivalent to a phishing site does not punish them or create
relief for exposed parties. It just sows more confusion, and creates a
distraction that Equifax could conceivably use to divert attention away from
their own fiasco.

~~~
yebyen
That's understandable. I just don't see how anything good comes from this
breach unless we can get eyeballs on poor security practices. Because nobody
else between you, me, and the wall seems to be paying any attention to this at
all.

There's no relief forthcoming that is possible. The only way things get better
now is if we dismantle the entire credit system as we know it, the cat is out
of the bag. I'm not interested in punishment. I want to see more serious
attention given to prevention.

First, I want to see the license and the keys taken away from the repeat
offending drunk driver. Who gave them keys anyway? I sure as hell didn't sign
up for this, I want to get off Mr. Bones Wild Ride.

------
runeks
I truly don’t know whether to laugh or cry about everything that has been
revealed about Equifax so far. It sounds like a bad sitcom by now.

“Larry... did you accidentally link to a phishing site instead of our
company’s site?”

“Uuhhh...”

 _(Audience laughs)_

“Dammit Larry!”

 _(Audience laughs)_

------
NearAP
The first time I saw that the site was not a sub-domain of Equifax.com, I was
worried that someone would quickly create a copy and I would mistakenly enter
my information on the site.

Subsequently, each time I had to go to the site - to check if my data was
hacked, to enroll for the TrustedID protection (had to try multiple times), I
would always first go to equifax.com and then follow the links from there.

It's sad to see that my fear of the site being easily cloned is true
(although this was a proof of concept to show Equifax that they were wrong but
who knows if there isn't a real malicious site that had already collected
people's information).

Not only can you not enroll immediately when they tell you that your data was
stolen, even when you return on your given enrollment date, you don't get to
complete it that same day. You still have to wait for a few more days to get
an email.

Equifax has really really messed up. I hope the other companies are using this
as a learning experience and are fixing any flaws they have.

------
mxuribe
This would be hilarious if the impact wasn't felt by consumers. But honestly,
it's quite sad and frustrating that as consumers we bear the brunt of this
organization's mistakes. This latest episode - their referral of an obviously
fake site - is just plain awful...again for consumers. _sigh_

------
nikisweeting
It looks like Cloudflare just started blocking it, I'll move it off and switch
to self-hosting.

~~~
nikisweeting
Ok, it is now off Cloudflare.

~~~
nikisweeting
And now it's taken down completely. No analytics were collected (post-
cloudflare), and I kept no access logs.

------
carapace
Does anyone know what you have to do to join the Amish?

All jokes aside, every time I try to explain to a "normal" what is going on in
"computer security" I feel like shit. The entire industry is a tire fire. And
it's getting worse.

At least we have DRM in the browsers now, eh?

~~~
cat199
Pretty sure you can just convert and start living with them provided you can
find a willing community to take you on.

Also - don't be fooled - using the CMM as a metric, the Amish are probably one
of the more technologically mature societies around, since they have a clearly
defined process around technology usage...

[https://en.wikipedia.org/wiki/Capability_Maturity_Model](https://en.wikipedia.org/wiki/Capability_Maturity_Model)

" There are five levels defined along the continuum of the model and,
according to the SEI: "Predictability, effectiveness, and control of an
organization's software processes are believed to improve as the organization
moves up these five levels. While not rigorous, the empirical evidence to date
supports this belief".[15]

    Initial (chaotic, ad hoc, individual heroics) - the starting point for use of a new or undocumented repeat process.
    Repeatable - the process is at least documented sufficiently such that repeating the same steps may be attempted.
    Defined - the process is defined/confirmed as a standard business process
    Capable - the process is quantitatively managed in accordance with agreed-upon metrics.
    Efficient - process management includes deliberate process optimization/improvement.

Within each of these maturity levels are Key Process Areas which characterise
that level, and for each such area there are five factors: goals, commitment,
ability, measurement, and verification. These are not necessarily unique to
CMM, representing — as they do — the stages that organizations must go through
on the way to becoming mature.

The model provides a theoretical continuum along which process maturity can be
developed incrementally from one level to the next. Skipping levels is not
allowed/feasible. "

------
marenkay
At this point, can someone explain to me why that company is not taken out of
business or _at least_ put under state control to verify they actually fix
their issues and stop posing a threat to their customers' lives?

~~~
zeveb
> At this point, can someone explain to me why that company is not taken out of
> business or _at least_ put under state control …

After the OPM breach [0], I have zero confidence that the United States has any
more competence at this than Equifax.

[0]
[https://en.wikipedia.org/wiki/Office_of_Personnel_Management...](https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach)

------
aerovistae
Wait, what is the real link?

~~~
ceejayoz
[https://www.equifaxsecurity2017.com/](https://www.equifaxsecurity2017.com/)

Pretty much the only way to verify that's the right site is the fact that
Equifax.com links to it, although this tweet indicates even _that_ isn't
necessarily a reason to trust it.

Why it's not a subdomain of Equifax.com is completely beyond me.

(Even better, the eligibility / credit monitoring signup takes you to
_another_ domain,
[https://trustedidpremier.com/](https://trustedidpremier.com/))

~~~
jdavis703
The certificate lists the registered organization as "GeoTrust Inc." Shouldn't
it be registered to "Equifax Inc?" I'm not sure what other services (such as
web hosting) GeoTrust might also offer, but I wouldn't trust this website
actually belongs to Equifax.

~~~
ceejayoz
That's the SSL vendor (and a prominent one). You'll find Amazon's cert comes
from Symantec, for example.

~~~
jdavis703
Yes, but my understanding is the organization name is supposed to be the
entity you're doing business with. How else do you know that the owner of that
domain is who the webpage claims they are if the organization and SSL vendor
are the same? I'm not doing business with GeoTrust, it's with Equifax.

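The disagreement just above turns on two different fields of an X.509 certificate: the issuer's organization name identifies the CA that signed it (a vendor such as GeoTrust or Symantec), while the subject's organization name, which is only present in organization-validated (OV) or extended-validation (EV) certificates, identifies the site operator; a domain-validated (DV) certificate carries no subject organization at all, so the only organization a viewer sees is the CA's. The following is an added example, not code from the thread; it separates the two on the dict shape Python's `ssl` module returns from `getpeercert()`. The two certificates are constructed stand-ins for `example.com`, and nothing here inspects the real certificate of any site named in the thread.

```python
"""Tell a certificate's subject organization apart from the CA's.

Added example, not code from the thread. Operates on the dict shape that
ssl.SSLSocket.getpeercert() returns. DV_CERT and OV_CERT are constructed
stand-ins for example.com, not any real site's certificate.
"""
import socket
import ssl


def _rdn_to_dict(rdn_seq) -> dict:
    """Flatten getpeercert()'s ((('key', 'val'),), ...) into {key: val}."""
    out = {}
    for rdn in rdn_seq:
        for key, value in rdn:
            out.setdefault(key, value)
    return out


def describe_cert(cert: dict) -> dict:
    """Report who the certificate is for and who vouched for it."""
    subject = _rdn_to_dict(cert.get("subject", ()))
    issuer = _rdn_to_dict(cert.get("issuer", ()))
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    site_org = subject.get("organizationName")  # absent in DV certificates
    return {
        "site_names": sans or [subject.get("commonName")],
        "site_org": site_org,                     # the operator, if validated
        "ca_org": issuer.get("organizationName"),  # the CA that signed it
        "validation": "OV/EV" if site_org else "DV",
    }


def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Live lookup for real use; not called in the offline example."""
    ctx = ssl.create_default_context()
    with ctx.wrap_socket(socket.create_connection((host, port)),
                         server_hostname=host) as s:
        return s.getpeercert()


# Constructed: a DV certificate. Only the CA has an organization name.
DV_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example CA Inc."),),
        (("commonName", "Example CA DV Issuer"),),
    ),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}

# Constructed: an OV certificate. The subject names the site operator too.
OV_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Corp"),),
        (("commonName", "www.example.com"),),
    ),
    "issuer": (
        (("organizationName", "Example CA Inc."),),
        (("commonName", "Example CA OV Issuer"),),
    ),
    "subjectAltName": (("DNS", "www.example.com"),),
}

if __name__ == "__main__":
    print(describe_cert(DV_CERT))
    print(describe_cert(OV_CERT))
```

For a DV certificate `site_org` comes back `None` and only `ca_org` is populated, which is the situation where a viewer sees the CA's name and nothing about the operator; what a DV certificate actually proves is control of the listed DNS names, and nothing more. Run `describe_cert(fetch_peer_cert(host))` against a live host to do the same check on a real certificate.
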
------
ezekielknight
You're on The Late Show!
[https://youtu.be/LyIEd5QVkyc?t=3m44s](https://youtu.be/LyIEd5QVkyc?t=3m44s)

------
middleclick
How can they be so incompetent?

~~~
p49k
Because they know there are no real consequences for their actions?

------
addedlovely
Any other UK visitors see this on
[https://trustedidpremier.com/](https://trustedidpremier.com/) - thought a
few thousand UK accounts were tied up in this...

ERROR

The request could not be satisfied.

The Amazon CloudFront distribution is configured to block access from your
country. Generated by cloudfront (CloudFront) Request ID: ZU-
LJh21L1Px18Bz5n20R3Nb1aApdzyce_Q6ZeeSIZ0OYiJk2v0eIA==

~~~
dordoka
I see the same thing, but from Spain

~~~
yebyen
Non-US citizens won't be able to enter the last 6 digits of their US Social
Security Number so the site is not going to be of value to you. (Although I'm
not sure why they block Europe, there are certainly US citizens living abroad
now.)

I don't know where to send you, but I would advise against sending at this
point any additional responsibility or personal information to Equifax if you
haven't already.

------
athenot
What would be the impact of requesting a total removal of one's information
from Equifax? There are still 2 other credit bureaus who could be used when
applying for loans.

Obviously this does nothing for the information that's already compromised,
but if enough people do it, it would help kill off Equifax (lenders will rely
less and less on it, thus depriving them of revenue).

~~~
politician
> What would be the impact of requesting a total removal of one's information
> from Equifax?

Nothing. Your request would be ignored because we don't have legislation like
the GDPR in this country to protect the rights of individuals to the privacy
of the information collected about them.

------
yellowapple
This is why I hate it when companies create new domain names for things
instead of using something more sensible (like subdomains). Teaching users
that other domains besides the primary are totally legit is a recipe for a
disaster of the phishing variety, not to mention how much money is going to
inevitably be wasted every year.

------
pards
Procom in Canada insists on using Equifax for background and credit checks for
consulting contracts.

Upon receiving queries about security, they insisted that Equifax Canada
wasn't compromised and that the clients insist on using them.

It really irks me that we have no control over whether or not our data gets
sent to Equifax.

------
yev
Do you guys think Tim will be fired?

------
sschueller
This incompetence is truly hilarious at this point. I wouldn't be surprised if
other large institutions holding sensitive data are just as reckless. Student
loans? Health insurance companies?

I hope they aren't too big to be held responsible.

~~~
adjkant
Praise be to HIPAA.

------
ScottBurson
"... before thousands of people loose their info to phishing sites"

I suppose you don't care, but it should be "lose" :-)

~~~
Varcht
idk, still works pretty well.

(transitive) To let loose, to free from restraints. (intransitive) Of a grip
or hold, to let go.

------
ineedasername
Does anyone here happen to have a spare face-palm? I seem to be all out of
them at the moment and could really use another here...

------
rhizome
Equifax needs to be executed and their data destroyed, as a warning to others.

------
firemancoder
Not by accident, by carelessness. There's a difference.

------
eternalban
These jokers are guilty of criminal negligence.

------
quuquuquu
>"We apologize for the confusion", said Equifax

...

No, Equifax, apologies are not spendable currency in the real world. You can't
apologize for your horrific and criminal errors.

This isn't business school. You don't fail the test and then apologize to the
professor and beg for a C.

You guys are laughably incompetent and it is a shame that the government
hasn't found a way to forcibly shut you down yesterday.

If you weren't a big and powerful corporation, you would all be in "pre-trial
detention" like the rest of us.

------
Exuma
This is seriously enraging where I have to stop looking at stuff about this
because my neck is hot and prickles with fury.

[https://pbs.twimg.com/media/DKLbd1FW0AEsx_Q.jpg](https://pbs.twimg.com/media/DKLbd1FW0AEsx_Q.jpg)

