Equifax breach.... WTF

I'm linking here an article from the New York Times: Equifax’s Instructions Are Confusing. Here’s What to Do Now.

It’s time for all of us to play defense, because Equifax clearly did not.

In the wake of the epic breach of as many as 143 million of our Social Security numbers, names and addresses from the company’s credit files, the company put up a website that attempted to make sense of things for consumers.

The company’s first order of business ought to have been to create a simple way for people to figure out if their data was potentially compromised. On this count, Equifax failed at first.

On Thursday night, I entered my last name and the last six digits of my Social Security number on the appropriate Equifax web page. (They had the gall to ask for this? Really? But I digress.) I received no “message indicating whether your personal information may have been impacted by this incident,” as the site promised. Instead, I was bounced to an offer for free credit monitoring, without a “yes,” “no” or “maybe” on the central question at hand.

By Friday morning, this had changed, and I got a “your personal information may have been impacted by this incident” notification. Progress. Except as my friend Justin Soffer pointed out on Twitter, you can enter a random name and number into the site and it will tell you the same thing. Indeed, I typed “Trump” and arbitrary numbers and got the same message.

Why am I pointing to this article (which you should go and read)? Because this is getting ridiculous. Credit companies have so much personal information, information we DO NOT want them to have, but we are forced to give it to them by the way the BS credit system works in this country.
It's time for the credit companies and the whole financial industry to get their act together on security. We are the ones suffering from their lack of basic security - and yes, at that level basic security also means red teaming, pentesting and a whole lot more, not just the stupid PCI checklist or the cover-your-ass checklist.



Here's a great article from Ars Technica that points to some really bad things.

For starters, the page they set up: www.equifaxsecurity2017.com
It does look like a phishing domain, right? On top of that, quoting Ars Technica:

It runs on a stock installation of WordPress, a content management system that doesn't provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number. The TLS certificate doesn't perform proper revocation checks. Worse still, the domain name isn't registered to Equifax, and its format looks like precisely the kind of thing a criminal operation might use to steal people's details. It's no surprise that Cisco-owned OpenDNS was blocking access to the site and warning it was a suspected phishing threat.

And then...

[Screenshot: Screen Shot 2017-09-10 at 5.52.32 AM.png]

I tried to see if my info was stolen, so of course I entered my real name and my real last 6 of my SSN:

Name: Bubufuck
Last 6 of SSN: 123456

But then I tried all my friends' information. I entered 21 random strings of text and 21 random six-digit numbers, and they were ALL compromised! Man, these hackers were good!
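As an added illustration (this is not code from the post, the NYT, Ars Technica or Equifax), here is a small Python model of the failure described above next to a lookup that actually checks its input, plus the self-test an operator should run against their own checker before shipping it. The breach file, the secret key and the names in it are constructed placeholders. The useful lesson is that the right self-test is not "do the answers differ" (a correct checker also answers every random probe the same way, with "no record found") but "how often does random junk get flagged as breached": that rate should be zero, and the broken checker scores 100%.

```python
import hashlib
import hmac
import random
import string

# Assumption: the operator keeps this key server-side and out of the web tier.
SECRET_KEY = b"constructed-server-side-secret"

# Constructed breach file: (last name, last 6 of SSN) pairs. Not real people.
# We store keyed hashes rather than the raw fragments so the lookup table
# itself is useless if it leaks.
def normalize(last_name: str, last6: str) -> bytes:
    """Canonicalize input so 'Doe ' and 'doe' look up the same record."""
    return f"{last_name.strip().lower()}|{last6.strip()}".encode()


def fingerprint(last_name: str, last6: str) -> str:
    return hmac.new(SECRET_KEY, normalize(last_name, last6), hashlib.sha256).hexdigest()


BREACHED = {
    fingerprint("Doe", "123456"),
    fingerprint("Roe", "654321"),
}

IMPACTED_MSG = "your personal information may have been impacted by this incident"


def broken_checker(last_name: str, last6: str) -> str:
    """Mirrors the behaviour the post describes: the answer never depends on the input."""
    return IMPACTED_MSG


def real_checker(last_name: str, last6: str) -> str:
    """A lookup that validates input and answers per record."""
    if not (last6.strip().isdigit() and len(last6.strip()) == 6) or not last_name.strip():
        return "invalid input"
    if fingerprint(last_name, last6) in BREACHED:
        return IMPACTED_MSG
    return "no record found"


def random_hit_rate(checker, trials: int = 21, seed: int = 0) -> float:
    """Self-test: feed the checker random garbage and measure how often it says 'impacted'.

    A checker that flags random input is not checking anything. The seeded RNG
    keeps the test reproducible; 8-letter random names cannot collide with the
    constructed 3-letter records above.
    """
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        name = "".join(rng.choices(string.ascii_letters, k=8))
        digits = "".join(rng.choices(string.digits, k=6))
        if "impacted" in checker(name, digits):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print("broken checker flags random input:", random_hit_rate(broken_checker))
    print("real checker flags random input:  ", random_hit_rate(real_checker))
    print("real checker on a breached record:", real_checker("Doe", "123456"))
    print("real checker on a clean record:   ", real_checker("Doe", "000000"))
```

The per-record answer is still a membership oracle, so a production version would also need rate limiting and identity verification before returning it; the point here is only that a lookup page must at minimum give an answer that depends on what was looked up.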

The best is when Equifax leaves debugging info for security purposes:

Yes, go read the whole article, but it's not surprising that three high-level execs sold their stock right before announcing the (several-weeks-old) breach.


From The Verge's article

[Screenshot: Screen Shot 2017-09-11 at 5.55.24 AM.png]