One would think that having one of the most high-profile breaches in recent memory would make a company take security to heart, but Equifax is full of surprises. The latest is that its MyEquifax.com site, to which the company invites those affected by its poor security practices to freeze and unfreeze their credit, itself has extremely poor security.
It’s all documented by security researcher Brian Krebs, who discovered the issue not in some special investigation but in the process of signing up at the site himself. What he found was that “getting an account at MyEquifax.com was easy. In fact, it was too easy.”
In matters of banking and credit, identity is a very important thing to establish. That’s why when you go to MyEquifax.com, it asks you for an email, then for your Social Security number and date of birth.
Slight problem: SSN and DOB were among the personal data leaked in the Equifax breach to begin with! And it doesn’t even check that you own the email address you submit. It does ask a few verification questions, but as Krebs points out these are often public information, such as the street you live on, or your mother’s maiden name, and as such rather worthless for security purposes.
Once you have been “verified” with this process, you can immediately request a security freeze on your credit report, or unfreeze it if it’s frozen.
Oh, and don’t worry — if you established a PIN for this purpose when setting this up previously, you won’t need that. Yes, this poorly secured website specifically does not require a PIN, though a PIN is required for the same requests via phone or email. When Krebs asked a company representative about this, they explained:
We deployed an experience that embraces both security standards (using a multi-factor and layered approach to verify the consumer’s identity) and reflects specific consumer feedback on managing security freezes and fraud alerts online without the use of a PIN. The account set-up process, which involves the creation of a username and password, relies on both user inputs and other factors to securely establish, verify, and authenticate that the consumer’s identity is connected to the consumer every time.
None of that is true. Even elementary security standards like confirming the email address aren’t “embraced,” and multi-factor authentication is trivial to bypass.
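As an added illustration (not code from Equifax or from Krebs’s report), here is a small Python model of the two flows: the one the article describes, in which leaked SSN and DOB plus an unconfirmed email address are enough to get a freeze-capable account, next to a hardened one in which freeze changes require a mailbox-confirmed account and the PIN. The record, email addresses, token format, PIN scheme and lockout threshold are assumptions made for the example.

```python
"""Added example: weak vs. hardened freeze/unfreeze account flow. Not Equifax code."""
import hashlib
import hmac
import secrets

# Server-side key for email-verification tokens (constructed for this example).
TOKEN_KEY = secrets.token_bytes(32)

# Constructed sample record standing in for data the article says already leaked
# in the earlier breach (SSN and date of birth), i.e. facts an attacker may hold.
LEAKED_RECORD = {"ssn": "123-45-6789", "dob": "1970-01-01"}


def weak_open_account(email, ssn, dob):
    """Flow as the article describes it: SSN + DOB, email never confirmed,
    KBA questions answerable from public data, no PIN. Anyone holding the
    leaked record gets an account that can change the freeze state."""
    if (ssn, dob) != (LEAKED_RECORD["ssn"], LEAKED_RECORD["dob"]):
        return None
    return {"email": email, "email_verified": True, "can_change_freeze": True}


def issue_email_token(email, now, ttl_seconds=900):
    """Time-limited HMAC token sent to the address; only the mailbox owner can return it."""
    exp = int(now) + ttl_seconds
    body = f"{email}|{exp}|{secrets.token_hex(8)}"
    mac = hmac.new(TOKEN_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def check_email_token(token, email, now):
    """Accept only an untampered, unexpired token bound to this exact address."""
    try:
        tok_email, exp, nonce, mac = token.split("|")
        exp = int(exp)
    except ValueError:
        return False
    body = f"{tok_email}|{exp}|{nonce}"
    expected = hmac.new(TOKEN_KEY, body.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected) and tok_email == email and int(now) < exp


def hash_pin(pin, salt):
    """Salted PBKDF2 so a database leak does not hand out the PINs themselves."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class HardenedAccount:
    """Account that cannot touch the freeze until the mailbox is proven and the PIN matches."""

    MAX_FAILED_PINS = 5  # assumed lockout threshold

    def __init__(self, email, pin):
        self.email = email
        self.email_verified = False
        self.pin_salt = secrets.token_bytes(16)
        self.pin_hash = hash_pin(pin, self.pin_salt)
        self.failed_pins = 0
        self.frozen = False

    def confirm_email(self, token, now):
        if check_email_token(token, self.email, now):
            self.email_verified = True
        return self.email_verified

    def set_freeze(self, frozen, pin):
        """Freeze or unfreeze only with a confirmed mailbox and the correct PIN;
        the account locks after MAX_FAILED_PINS wrong attempts."""
        if not self.email_verified or self.failed_pins >= self.MAX_FAILED_PINS:
            return False
        if not hmac.compare_digest(hash_pin(pin, self.pin_salt), self.pin_hash):
            self.failed_pins += 1
            return False
        self.failed_pins = 0
        self.frozen = frozen
        return True


if __name__ == "__main__":
    # Weak flow: leaked facts alone yield a freeze-capable account.
    print(weak_open_account("someone-else@example.invalid", "123-45-6789", "1970-01-01"))
    # Hardened flow: freeze attempt fails until the mailed token comes back and the PIN matches.
    acct = HardenedAccount("owner@example.invalid", "2468")
    print(acct.set_freeze(True, "2468"))               # False: email not confirmed
    token = issue_email_token(acct.email, now=1000)
    print(acct.confirm_email(token, now=1000))          # True
    print(acct.set_freeze(True, "2468"), acct.frozen)   # True True
```

The point of the contrast is that the hardened flow binds the account to something the leaked record does not contain (control of the mailbox, and a secret the user chose), which is exactly what the article says the site skipped on the web even though the phone and email channels required the PIN.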
This is bad but at least Equifax isn’t alone: It looks like credit reporting agencies Transunion and Experian also have ways of getting around PINs. You’d just think that Equifax, having failed so badly at security before, would want to make its setup a little more robust — even meeting basic standards would be good.
As Krebs points out, however, it’s in your interest to set up an account with your actual email address and information, since if you don’t, it seems pretty much anyone with a few data points on you can do so themselves, gaining the ability to freeze and unfreeze your credit.