
MyEquifax.com is yet another security disaster – TechCrunch


One would think that having one of the most high-profile breaches in recent memory would make a company take security seriously, but Equifax is full of surprises. The latest is its MyEquifax.com site, which the company offers to those affected by its poor security practices to freeze and unfreeze their credit, and which itself has extremely poor security.

It’s all documented by security researcher Brian Krebs, who discovered the issue not in some special investigation but in the process of signing up at the site himself. What he found was that “getting an account at MyEquifax.com was easy. In fact, it was too easy.”

In matters of banking and credit, identity is a very important thing to establish. When you go to MyEquifax.com, it asks you for an email, then for your Social Security number and date of birth.

Slight problem: SSN and DOB were among the personal data leaked in the Equifax breach to begin with! And it doesn’t even confirm the email address you submit. It does ask a few verification questions, but as Krebs points out these are often public information, such as the street you live on or your mother’s maiden name, and are rather worthless for security purposes.

Once you have been “verified” with this process, you can immediately request a security freeze on your credit report, or unfreeze it if it’s frozen.

Oh, and don’t worry – if you established a PIN for this purpose when setting this up previously, you won’t need that. Yes, this poorly secured website doesn’t require a PIN, though a PIN is required for the same requests via phone or email. When asked about this, a company representative explained:

“We deployed an experience that embraces both security standards (using a multi-factor and layered approach to verify the consumer’s identity) and reflects specific consumer feedback on managing security freezes and fraud alerts online without the use of a PIN. The account set-up process, which involves the creation of a username and password, relies on both user inputs and other factors to securely establish, verify, and authenticate that the consumer’s identity is connected to the consumer every time.”

None of that is true. Even elementary security standards like confirming the email address aren’t “embraced,” and the multi-factor authentication is trivial to bypass.

This is bad, but at least Equifax isn’t alone: it looks like credit reporting agencies TransUnion and Experian also have ways of getting around PINs. You’d just think that since Equifax has been so bad at security before, it would want to make its setup a little more robust – even meeting basic standards would be good.

As Krebs points out, however, it’s in your interest to set up an account with your actual email address and information, since if you don’t, it seems pretty much anyone with a few data points on you can do so, gaining the ability to freeze and unfreeze your credit.

Published by
Faela