Ok, So Equifax is Incompetent But What Should You Do?

Unless the remake of IT scared you so bad that you've been hiding under a chair for the last week avoiding all news, then you have probably heard a little bit about the Equifax data breach.

On 9/7/2017 Equifax confirmed that due to a security breach that resulted in the release of data of 144 MILLION Americans. This isn't just your everyday password hack folks; this is your credit history, social security numbers, bank accounts - you name it - over half of all Americans.

Equifax responded by putting up a site https://www.equifaxsecurity2017.com/ where if you enter a portion of your social security number the site would tell you if you were affected on a stock install of WordPress -- not exactly secure software. Also, when I initially looked at the site, I wondered "Why not put this on Equfaix.com instead of a different name? (More on this later) It also seems the check is useless at best.

The problem being, not only did they screw up the security certificate for the site making the legit site look like a phishing attempt to browsers connected to OpenDNS. They also left the username and password of the administration on a page where it was easily found by Dan Goodin @ Arstechinca - amongst other things.



OK - so that's bad right? Well, it gets worse. We find out on September 19th there was another breach in March 2017 that they did not disclose and, to date, have not released the details of that breach beside the fact that it was from the same hacking group.

Now, we find members of their customer service team, via tweets, were directing people to a potential phishing site (SecurityEquifax2017.com) instead of the actual EquifaxSecurity2017.com ... Insert a Screaming OMGWTF!!!! Fortunately for those users and Equifax, that "phishing" site was actually set up by a security researcher, @SwiftOnSecurity, who purchased the domain to show how ridiculous it was to put the Equifax "check for damage "site on a domain other than Equifax.com

Why recount the history? All this certainly promotes zero confidence in Equifax's ability to protect our vital data or trust anything they are saying. Which means you have to assume that your credit data is compromised and the information it takes to get credit in yuor name is out there.

So, what should you do? Four words: Freeze Your Credit Now!

Security Freezing gives you control over when your information is access or added to. Unlike credit monitoring, a Security Freeze stops identity theft before it happens as opposed to notifying you after a potential fraud has occurred. A security freeze can cost anywhere from $0 - $10 depending on the state you live. Once applied, the freeze locks your credit file at each bureau with your unique PIN. That PIN must be used for anyone to access your credit file for any reason. In the future, when you apply for credit just log in and type in your PIN to give tempory access for credit agencies to run reports and get your information.

The Bureaus recommend Credit Monitoring because they make more money with monitoring - both by continuing to sell the inquiries and selling you the service - but it is virtually worthless.

To place a security freeze on your credit, you must personally contact the-the credit bureaus to verify your identity. You can register online or call if you like. Here are the addresses and numbers.

Equifax: (866) 349-5191 https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp

Transunion: (888) 909-8872 https://www.transunion.com/credit-freeze/place-credit-freez2

Experian: (888) 397-3742 https://www.experian.com/freeze/center.html

Hope this helps.

comments powered by Disqus