In a situation like this it's safer to say that your profile is safe only if that specific identity is on a white list of known safe identities. Thus things like test will by default, Show as unsafe which is better because it hides information about who is unsafe. If designed right, random form data will simply return unsafe silently. Maybe you could try testing for that.
It's not like they can tell you "Name and SSN not found" when you put in gibberish. That's a public facing interface to brute forcing what somebody's SSN is. Just try numbers until you get a yes or no back.
If people are upset about this, what's the better option?
This message is horribly misleading, though: if you're not in the database, by definition you haven't been part of the breach. For example, I have no credit history, but if I put my name and SSN into this site (I'm not going to, for obvious reasons) it would tell me that I was probably hacked.
A better solution would have been to not put this on a website to begin with: give everyone an extra free credit report on top of their usual three yearly, and add a field to it saying whether or not you were hit. This re-uses all of the regular security precautions of that process, rather than hastily inventing a whole new procedure.
I can also see a potential advantage for them: since it's more annoying to request a credit report than to put your name into a website, fewer people would find out that they were part of the mess and get angry at them, while they could say "look how generous we are, we gave everyone an extra credit report!"
4 comments
[ 3.2 ms ] story [ 20.4 ms ] threadThis isn't even taking into account that it's a bare metal WordPress installation with a shitty (aka, free) ssl certificate
If people are upset about this, what's the better option?
A better solution would have been to not put this on a website to begin with: give everyone an extra free credit report on top of their usual three yearly, and add a field to it saying whether or not you were hit. This re-uses all of the regular security precautions of that process, rather than hastily inventing a whole new procedure.
I can also see a potential advantage for them: since it's more annoying to request a credit report than to put your name into a website, fewer people would find out that they were part of the mess and get angry at them, while they could say "look how generous we are, we gave everyone an extra credit report!"