Experian Site Can Give Anyone Your Credit Freeze PIN

An alert reader recently pointed my attention to a free online service offered by big-three credit bureau Experian that allows anyone to request the personal identification number (PIN) needed to unlock a consumer credit file that was previously frozen at Experian.

Experian's page for retrieving someone's credit freeze PIN requires little more information than has already been leaked by big-three bureau Equifax and a myriad other breaches.

The first hurdle for instantly revealing anyone’s freeze PIN is to provide the person’s name, address, date of birth and Social Security number (all data that has been jeopardized in breaches 100 times over — including in the recent Equifax breach — and that is broadly for sale in the cybercrime underground).

After that, one just needs to input an email address to receive the PIN and swear that the information is true and belongs to the submitter. I’m certain this warning would deter all but the bravest of identity thieves!

The final authorization check is that Experian asks you to answer four so-called “knowledge-based authentication” or KBA questions. As I have noted in countless stories published here previously, the problem with relying on KBA questions to authenticate consumers online is that so much of the information needed to successfully guess the answers to those multiple-choice questions is now indexed or exposed by search engines, social networks and third-party services online — both criminal and commercial.

What’s more, many of the companies that provide and resell these types of KBA challenge/response questions have been hacked in the past by criminals that run their own identity theft services.

“Whenever I’m faced with KBA-type questions I find that database tools like Spokeo, Zillow, etc are my friend because they are more likely to know the answers for me than I am,” said Nicholas Weaver, a senior researcher in networking and security for the International Computer Science Institute (ICSI).

The above quote from Mr. Weaver came in a story from May 2017 which looked at how identity thieves were able to steal financial and personal data for over a year from TALX, an Equifax subsidiary that provides online payroll, HR and tax services. Equifax says crooks were able to reset the 4-digit PIN given to customer employees as a password and then steal W-2 tax data after successfully answering KBA questions about those employees.

In short: Crooks and identity thieves broadly have access to the data needed to reliably answer KBA questions on most consumers. That is why this offering from Experian completely undermines the entire point of placing a freeze.


20 Sep 2017

Equifax Breach: Setting the Record Straight

Bloomberg published a story this week citing three unnamed sources who told the publication that Equifax experienced a breach earlier this year which predated the intrusion that the big-three credit bureau announced on Sept. 7. To be clear, this earlier breach at Equifax is not a new finding and has been a matter of public record for months. Furthermore, it was first reported on this Web site in May 2017.

In my initial Sept. 7 story about the Equifax breach affecting more than 140 million Americans, I noted that this was hardly the first time Equifax or another major credit bureau has experienced a breach impacting a significant number of Americans.

On May 17, KrebsOnSecurity reported that fraudsters exploited lax security at Equifax’s TALX payroll division, which provides online payroll, HR and tax services.

That story was about how Equifax’s TALX division let customers who use the firm’s payroll management services authenticate to the service with little more than a 4-digit personal identification number (PIN).

Identity thieves who specialize in perpetrating tax refund fraud figured out that they could reset the PINs of payroll managers at various companies just by answering some multiple-guess questions — known as “knowledge-based authentication” or KBA questions — such as previous addresses and dates that past home or car loans were granted.

On Tuesday, Sept. 18, Bloomberg ran a piece with reporting from no fewer than five journalists there who relied on information provided by three anonymous sources. Those sources reportedly spoke in broad terms about an earlier breach at Equifax, and told the publication that these two incidents were thought to have been perpetrated by the same group of hackers.

The Bloomberg story did not name TALX. Only post-publication did Bloomberg reporters update the piece to include a statement from Equifax saying the breach was unrelated to the hack announced on Sept. 7, and that it had to do with a security incident involving a payroll-related service during the 2016 tax year.

I have thus far seen zero evidence that these two incidents are related. Equifax has said the unauthorized access to customers’ employee tax records (we’ll call this “the March breach” from here on) happened between April 17, 2016 and March 29, 2017.

The criminals responsible for unauthorized activity in the March breach were participating in an insidious but common form of cybercrime known as tax refund fraud, which involves filing phony tax refund requests with the IRS and state tax authorities using the personal information from identity theft victims.

My original report on the March breach was based on public breach disclosures that Equifax was required by law to file with several state attorneys general.

Because the TALX incident exposed the tax and payroll records of its customers’ employees, the victim customers were in turn required to notify their employees as well. That story referenced public breach disclosures from five companies that used TALX, including defense contractor giant Northrop Grumman; staffing firm Allegis Group; Saint-Gobain Corp.; Erickson Living; and the University of Louisville.

When asked Tuesday about previous media coverage of the March breach, Equifax pointed National Public Radio (NPR) to coverage in KrebsonSecurity.

One more thing before I move on to the analysis. For more information on why KBA is a woefully ineffective method of stopping fraudsters, see this story from 2013 about how some of the biggest vendors of these KBA questions were all hacked by criminals running an identity theft service online.

Or, check out these stories about how tax refund fraudsters used weak KBA questions to steal personal data on hundreds of thousands of taxpayers directly from the Internal Revenue Service’s own Web site. It’s probably worth mentioning that Equifax provided those KBA questions as well.

ANALYSIS

Over the past two weeks, KrebsOnSecurity has received an unusually large number of inquiries from reporters at major publications who were seeking background interviews so that they could get up to speed on Equifax’s spotty security history (sadly, Bloomberg was not among them).

These informational interviews — in which I agree to provide context and am asked to speak mainly on background — are not unusual; I sometimes field two or three of these requests a month, and very often more when time permits. And for the most part I am always happy to help fellow journalists make sure they get the facts straight before publishing them.

But I do find it slightly disturbing that there appear to be so many reporters on the tech and security beats who apparently lack basic knowledge about what these companies do and their roles in perpetuating — not fighting — identity theft.

It seems to me that some of the world’s most influential publications have for too long given Equifax and the rest of the credit reporting industry a free pass — perhaps because of the complexities involved in succinctly explaining the issues to consumers. Indeed, I would argue the mainstream media has largely failed to hold these companies’ feet to the fire over a pattern of lax security and a complete disregard for securing the very sensitive consumer data that drives their core businesses.

To be sure, Equifax has dug themselves into a giant public relations hole, and they just keep right on digging. On Sept. 8, I published a story equating Equifax’s breach response to a dumpster fire, noting that it could hardly have been more haphazard and ill-conceived.

But I couldn’t have been more wrong. Since then, Equifax’s response to this incident has been even more astonishingly poor.

EQUIPHISH

On Tuesday, the official Equifax account on Twitter replied to a tweet requesting the Web address of the site that the company set up to give away its free one year of credit monitoring service. That site is https://www.equifaxsecurity2017.com, but the company’s Twitter account told users to instead visit securityequifax2017[dot]com, which is currently blocked by multiple browsers as a phishing site.

Source: Krebs on Security


The Gospel of Peace

“How beautiful upon the mountains are the feet of him that bringeth good tidings, that publisheth peace; that bringeth good tidings of good, that publisheth salvation; that saith unto Zion, Thy God reigneth!” (Isaiah 52:7)


Surprisingly, there are more verses containing the word “peace” in the Old Testament book of Isaiah (King James Version) than in any other book of the Bible. The central occurrence (15 before, 15 after) is in our text, speaking of those whose feet travel with the beautiful gospel (that is, “good tidings,” mentioned twice in this verse) of peace. The one proclaiming this gospel is said to be publishing salvation; announcing the imminent reign of God the Savior over all the earth.


The first mention of “peace” in Isaiah speaks of the coming King and His reign, and so does the final occurrence. First, “the government shall be upon his shoulder: and his name shall be called . . . The Prince of Peace” (Isaiah 9:6). Then, in Isaiah’s last chapter we read, “For thus saith the LORD, Behold, I will extend peace to Zion like a river, and the glory of the Gentiles like a flowing stream” (Isaiah 66:12).


This wonderful gospel of peace is specifically mentioned just twice in the New Testament. The first is a direct quotation from our text. “And how shall they preach, except they be sent? as it is written, How beautiful are the feet of them that preach the gospel of peace, and bring glad tidings of good things!” (Romans 10:15).


The second is in connection with the Christian’s spiritual armor. The “beautiful feet” that are to carry the good tidings are, most appropriately, to be “shod with the preparation of the gospel of peace” (Ephesians 6:15). It is our high privilege to be among those whose feet travel upon the mountains, and across the plains, and over the seas with the beautiful gospel of peace and salvation.

OLD PERSON PRIDE


I’m passing this on as I did not want to
be the only old person receiving it.
Actually, it’s not a bad thing to be called,
as you will see.
  • Old People are easy to spot at sporting events: during the playing of the National Anthem, Old People remove their caps and stand at attention and sing without embarrassment. They know the words and believe in them.
  • Old People remember World War II, Pearl Harbor, Guadalcanal, Normandy and Hitler. They remember the Atomic Age, the Korean War, the Cold War, the Jet Age and the Moon Landing. They remember the 50 plus Peace-keeping Missions from 1945 to 2005, not to mention Vietnam.
  • If you bump into an Old Person on the sidewalk he will apologize. If you pass an Old Person on the street, he will nod or tip his cap to a lady. Old People trust strangers and are courtly to women.
  • Old People hold the door for the next person and always, when walking, make certain the lady is on the inside for protection.
  • Old People get embarrassed if someone curses in front of women and children, and they don’t like any filth or dirty language on TV or in movies.
  • Old People have moral courage and personal integrity. They seldom brag unless it’s about their children or grandchildren.
  • It’s the Old People who know our great country is protected, not by politicians, but by the young men and women in the military serving their country.
  • This country needs Old People with their work ethic, sense of responsibility, pride in their country and decent values.

Thank God for Old People.

Pass this on to all of the “Old People”
you know. I was taught to respect my elders.
It’s just getting harder to find them.

What will you do with the Good News???

There was a lot going on the night the Savior was born. In addition to the drama surrounding Mary and Joseph (their long journey, their inability to find lodging and her impending labor and delivery), out in the fields surrounding Bethlehem something far from ordinary was taking place.
The Scriptures tell the story in Luke 2:8-20. Some shepherds were pulling the night shift with their flocks when they saw something that was completely unexpected. Right in the middle of them, an angel of the Lord appeared. They immediately knew this being wasn’t an ordinary man, because the brightness of the very glory of God completely surrounded Him. Obviously they were frozen with fear. Perhaps they even trembled, not knowing what was going to happen next.
It was at this moment the heavenly messenger of God reassured them. “Don’t be afraid!” He said, “I bring good news!” The news the angel had to share with the shepherds was not just good news for them; it was in fact great news for everyone on earth. The shepherds listened with amazement as the angel said, “Tonight, the Savior is born right here in Bethlehem.” Then the angel shared the location and the description of this incredible newborn.
As if the weight of the news was not enough, suddenly the one angel was joined by an army of angels, all as bright and shiny as the first. These mighty warriors of God lit up the entire hillside and shouted in unison as only a troop trained for battle can: “Glory to God in the highest heaven, and peace on earth to all whom God favors.” And then as soon as they had appeared they were gone.
The shepherds were left standing there all alone with the sheep, just as they had been 15 minutes earlier. And then they were faced with an interesting decision: “What will we do with this news?” They certainly could have begun to debate exactly what they had seen. They also could have easily decided not to say anything to anyone, fearing what people would think.
But Luke 2:15-17 tells us exactly what these shepherds did with this precious news. First, they went to see for themselves the wonderful thing that had happened. After they had come before Mary, Joseph, and the baby Jesus, the Savior of the World, they ran to their village and told everyone what had happened.
We are faced time and time again with the same decision that the shepherds had to make that special night so long ago. What are we going to do with the good news about Jesus? Will we hide it? Will we debate about it among ourselves? Will we doubt its validity? What should we do with this good news?
At this holiday season, may this be our passion once again: to share the incredible, life-changing news that we have heard and experienced for ourselves with those around us. We have seen the supernatural saving power of Jesus and we have experienced just how awesome He is; now we must boldly and unashamedly proclaim the good news to anyone who will listen.