At this point Equifax has repeatedly demonstrated nothing but contempt for people whose information they have compromised. When are the authorities going to padlock their doors and shut down this continuing criminally reckless enterprise?
It's beginning to look a lot like "retiring" both the CISO and CIO right in the middle of a major security news event... may have been another bad decision!
I'm with you, it's more criminal that after all they've flubbed, this company is even still allowed to operate, than that they lost all of our information to begin with.
Don't we have at least 3 major credit bureaus? Equifax should be shuttered immediately and with prejudice, the American credit system will be immediately better off and we can all live without this one. Shareholders be damned.
Is that really a question? No, I don't, I consider it to be unauthorized surveillance, but the fact is that Equifax blew this up, and now continues to demonstrate their organizational incompetence, while TransUnion and Experian are not really in the news this week.
Our system of credit operates on these bureaus, and we have two others that appear to be functioning properly. If I had one server that was obviously infested with hackers, but two others that were not obviously infested, assuming that I had isolated them properly and they did not have major parts that were in common, I'd start by unplugging the one that was already confirmed to be hacked.
I think it works the same way when corporations that surveilled 50% or more of the population demonstrate systematic incompetence basically without remorse, as in this case. They just need to be unplugged, immediately. (I'm not advocating we shut down the entire credit system, in other words, although I am terrified it may yet come to that.)
I am not sure what you think the definition of contempt is but from Google's definition (and example sentence) it is precisely the word to describe Equifax's behavior:
The feeling that a person or a thing is beneath consideration, worthless, or deserving scorn.
"he showed his contempt for his job by doing it very badly"
Ideally Equifax will listen and either move it to equifax.com, or take down the site altogether. Since the real version seems to be answering randomly, they may as well just shut the whole thing down.
But seeing as they're a massive, bumbling, bureaucratic organization, there's probably a non-zero change they'll try to sue me instead.
If there are any lawyers here, am I in potential legal hot water for making this site?
International Gibberish Day - they still haven't even made an effort to identify those in Canada and the UK who were affected. It's a whole world of nonsense.
Just like everything else in regards to this issue - who knows? It's a noisy mess, and the only thing we can be sure of is that it's going to be a never-ending nightmare for a lot of people through absolutely no fault of their own, requiring constant vigilance for the rest of their lives, and the system that built and continues to support this monster isn't going away any time soon.
I think GP means fraud on Equifax's end (by telling you you are compromised even though they shouldn't be able tot ell you that since tha data is fake) to get you to bey into their protection service.
I am not a lawyer. I would strongly advise you to instead make it so obvious that the site is a lampoon. As in, when they enter, you respond with "This site is a mockery of Equifax. If you were lead here by Equifax or any affiliate, you are at the wrong site. I'm sorry, I can't help you. I can reinforce that if your information was compromised, more people may be attempting you use this to phish additional people."
- The site contains Equifax's heading, uses their branding, and is highly similar to the actual website
- The site is hosted on a domain that is very similar to the actual website and uses Equifax's name
- The site instructs users to enter PII on it under the guise of being Equifax.
It could be argued that the creator of the site created this to determine whether people were being phished by it before activating the actual collection of data.
Additionally, in Chrome, when I fill out the form and get the alert box, when I dismiss the alert box, two requests are made to the domain:
If an onSubmit handler is attached to the form submit that sets a cookie with this information before showing the alert, then the phished details are transmitted to securityequifax2017.com.
Lawyers will C&D this extremely hard, a very reasonable case can be made that this is impersonation, and a phishing site with malicious intent.
NB: I DO NOT BELIEVE THAT THIS IS THE CREATOR'S INTENT. So do not jump at me thinking that I do believe that. I'm just saying that it could be very reasonably and successfully argued, and that nuance and intent could do very little to spurn allegations of impersonation or actual phishing.
Your cookies are submitted with requests for anything from a site, favicon images included. Setting a cookie in JS that contains events performed on a webpage is a trivial exercise and you shouldn't assume that that doesn't happen in a case such as this.
What if it only sends HTML that sends data back under certain conditions? E.g. 1 in 1000 requests, at random. A security researcher is unlikely to hit the "bad" version but he can still phish 0.1% of victims.
Check again, there was a short period of a few minutes without https when I switched off Cloudflare, but now all http requests are redirected to https.
If I were you I'd pop up an alert on clicking or tabbing into any of the form fields. It would get the message across without someone having to enter their private information into a page served over an insecure connection.
The first thing you see on the site is giant text stating "Cybersecurity Incident & Important Consumer Information Which is Totally Fake, Why Did Equifax Use A Domain That's So Easily Impersonated By Phishing Sites?"
(Plus, Cloudflare's flagging it as phishing now, haha.)
You should force a redirect of anything http to the corresponding https URL. You can do it dynamically so it preserves any direct links in case you're worried about that.
My guess was that they wanted to reduce the chance of news leaking before they announced it. If they're like other large companies I've seen from the inside, changes to the main website involve lots of meetings and lots of people/stakeholders.
The first one that comes to mind would be to invalidate all existing cookies so that the ones accessible to the other server aren't useful. I wouldn't call that the "best" since invalidating cookies can be annoying for users, but I'm sure there are other ways.
If a user has a cookie for example.com (your domain) and type in vendor.example.com in the web browser how would you invalidate these cookies before they are sent to the vendor? Or even after they are sent? I struggle a bit with seeing how this could be done in a secure manner.
I have contracted places where that would be a very formal request with tons of meetings and approval flows across purchasing, it security, website ops, the design/branding team, etc. Weeks of lead time required.
Basically, the request signals all the little fiefdoms that it's their chance to weigh in.
Never underestimate how incompetent people can be. When I was waiting for my South African Visa application to go through, I had to check the status at a scammy-looking url. The form would reload if you pressed enter and pressing tab after the ID field would set the focus to the logo above it instead to the password field below.
No, the outside agency can obtain a new cert for just that subdomain. They can even use letsencrypt! (Although they really should use EV for this type of site.)
A few days ago, got a mail from PayPal about "changes in account". Go to my account was linked to https://www.secureserverpaypal.ssvahan.com/home. I've forwarded the mail to PayPal spoofing address, they replied it's legit. Why would a legit PayPal activity be linked to an arbitrary domain - I don't get it. It makes zero sense.
It sounds like your mailbox and/or client is compromised (that or someone is an idiot on paypal's end). I would assume you're totally compromised and start with a new computer that's installed with ISOs obtained from different computers/networks then change your passwords from there. There's probably guides you can follow online. But don't trust me, get the paypal phone number from the paypal site from somewhere like an Apple store or library and call them to ask about that URL yourself. The domain is not registered with the same provider and it's just super shady looking. Good luck.
For the record, not overly happy with the response, I've sent this follow-up to spoof@paypal.com:
>Hi there. Thanks for the quick response.
I do have a question.
Why would PayPal refer me to a form not hosted under PayPal domain? How can I tell it's a legit PayPal communication?
Would it be possible for you to post the source (or even just the headers) with your email scrubbed from the message you received from them the first time? Depending on your email provider they could fake that too but it might be worth a look.
It seems very unlikely that PayPal's spoof email would validate an obviously spoofed domain. It could be that PayPal is completely phoning it in at this point but that's really egregious. Not that I think they're some amazing company, I'd even say they're downright evil based on past experiences.
Paypal support is useless at spotting fakes. I got a real paypal email (the received: headers and all embedded links pointed directly to paypal.com) but the email was not in my preferred language, and the disclaimer at the bottom said you can spot fake paypal emails by checking if they are in your preferred language. When I pointed this out, at first they claimed the email was fake. When I questioned them again and pointed to the received headers, they claimed the email was not fake and the language chosen was a bug. If paypal support can’t tell fakes from legit emails, how can regular users stand a chance at all!
As of 5 hours after writing your comment, I get NXDOMAIN here (Australia, FWIW).
I would be confident to say that it was actively killed. Neat. Which is either a clear indication that PayPal finally did internally report the domain, or that some other source of noise got it shut down.
I had the same suspicious impression of the domain name too --- I wonder what factors cause that, because it's clearly something not everyone has, and probably gained after years of web browsing. I think the two biggest things that stand out are:
- Has "security" in its name
- Has the current year
I can't explain exactly why I think those factors make it suspicious, however.
> I can't explain exactly why I think those factors make it suspicious, however.
I think I have an idea of why, though I haven't been able to articulate it properly yet.
I've been thinking about it a lot recently because I co-work with a bunch of digital marketers, and some of them have affiliate marketing sites with domains that follow the pattern http://yourexactsearchterm.com.
The best I can come up with is the Uncanny Valley of SEO, where it feels like a website was made and over-optimized specifically for people making my exact search query. Maybe this is unfair or confirmation bias, but I feel like those websites are the most likely to be low quality content farms (e.g. paying content writers pennies to regurgitate content they have no experience with and/or don't understand). Either that, or they are outright scams.
Do any digital marketers here have opinions about this?
"Uncanny Valley of SEO" sounds like the best explanation --- and in my experience, sites with names like you describe have also tended to be content farms.
It's not just domain names, but the paths in URLs too --- an entry with your-exact-search-term.html almost subconsciously gets skipped over when scanning search results, unless the search term is extremely specific and somewhat obscure or I'm specifically looking for a file/path (e.g. spc4r37.pdf)
I think it's because it's smells like arbitrary-but-plausible sounding additions to a domain name, picked until they hit one domain that wasn't taken yet.
Even worse would have been if they had used dashes equifax-security-2017.com.
(plausible for those without the experience of "suspicious impression", of course)
IANAL, IANYL, TINLA but I can't imagine that using Equifax's name in your domain, using their branding and IP on your site, impersonating the site very strongly, or even presenting the option to enter sensitive info on your domain will end very well for you. I'd certainly have avoided it, or at least shown good will by having the site on that domain unambiguously say that it's not Equifax.
I just got domain-blacklisted by Chrome, so I'm going to take the site down. I think the point is made, and there are plenty of screenshots out there if people want to see it.
To be clear, I'm not an Equifax customer. I have no business with them, creditors do. I have little to no recourse against them. I can't stop using them. Remember that we are not their customers, we're their product.
Pretty much the only way to verify that's the right site is the fact that Equifax.com links to it, although this tweet indicates even that isn't necessarily a reason to trust it.
Why it's not a subdomain of Equifax.com is completely beyond me.
(Even better, the eligibility / credit monitoring signup takes you to another domain, https://trustedidpremier.com/)
The certificate lists the registered organization as "GeoTrust Inc." Shouldn't it be registered to "Equifax Inc?" I'm not sure what other services (such as web hosting) GeoTrust might also offer, but I wouldn't trust this website actually belongs to Equifax.
Yes, but my understanding is the organization name is supposed to be the entity you're doing business with. How else do you know that the owner of that domain is who the webpage claims they are if the organization and SSL vendor are the same? I'm not doing business with GeoTrust, it's with Equifax.
This would be hilarious if the impact wasn't felt by consumers. But honestly, its quite sad and frustrating that as consumers we bear the brunt of this organization's mistakes. This latest episode - their referral of an obviously fake site - is just plain awful...again for consumers. sigh
I have my home router set to use OpenDNS instead of my ISP's DNS, and OpenDNS actually resolved the real breach website to their own phishing warning... I had to turn off WiFi and use LTE (or reconfigure my router) to see it and contemplate putting my partial SSN into what might or might not have been a phishing site...
Not sure exactly how long it took OpenDNS to fix that but the false positive is cleared up now. Funnily enough, I switched from ISP (Verizon) DNS to OpenDNS to avoid their NXDOMAIN shenanigans, only to end up with other protective shenanigans.
I implemented a credit check API connection to Equifax recently. The response data was encoded as a stream of offset-based text, with some offsets dynamically changing based on fields in the already-parsed data. Lots of work to write a parser for it.
We initially asked them if they had an updated version of this API using XML or JSON, and it turned into a call with several of their salespeople trying to upsell us on some complicated drag and drop rules engine that happened to return data as JSON. So we just stuck to the legacy API. They struck me as a pretty incompetent organization.
It sounds like an X12-style EDI format. They'll frequently have fields (or parts of fields) that can enable alternative blocks that may be of a different size. I had to write and maintain EDI interfaces for four years at a major retailer: there's a good business in transforming those documents.
It's not as weird as it sounds, you're parsing a text stream, not that much different in principle than parsing HTTP headers or network packets byte by byte.
Fun fact from the trenches: I tried enrolling online for their post-hack free 1 year identity monitoring offer, but when it came time to verify myself by answering questions they clearly started asking me questions about someone else's profile because none of the questions made any sense. Then when I answered wrong (of course, because I'm not whoever that person is) I was given a phone number to call instead.
>but when it came time to verify myself by answering questions they clearly started asking me questions about someone else's profile because none of the questions made any sense
Just a note, this most likely is not what happened. Identify verification questions typically will ask questions like "Who is your current house mortgage with?" when you have none and they will include a "None of the above" answer, which you're supposed to pick. It's totally intentional.
It's supposed to look real so people who aren't you fail the question. They will think, "well he lives near X or uses Y for something else, so it's probably that one". There isn't any indication that it may be false.
I don't understand your complaint at all. Phrasing the question differently doesn't deter people who are guessing, but it does deter people who don't understand what is being asked! People clearly (myself included) get confused at those questions and think they're incorrect - so change the question. Doing so doesn't make it harder to guess the answer, but it does make it easier to show that you know the right answer.
When I went through one of these there was NO none of the above answers. Basically, you're screwed because you realize they are asking about someone else who was at your address 50 years ago, who drives a motorcycle (no option to say no such thing), has 3 kids who had college loans (no answer to say no such thing), and is on their 3rd housing mortgage (no option to say no such thing).
And what else can you do? You select randomly and then pass the 'id verification' with flying colours and then on the phone with the customer service rep, you verbally refute each one. The service rep says that they don't see any on that on their end.
Basically, it's like a web script that's not hooked up to anything in the backend... Like their recent "has your information been leaked" web forms.
I suspect that's the case across the entire industry.
I recently tried to dispute something on my Equifax report and I could not get past the verification stage. The answers to all the questions were obvious, but after failing the verification several times, I started wondering, "Did I open an account with x, y, or z back in 2011?"
The best ones are where you did legitimately open a credit line 20 years ago with some store but the list of options only include the backing bank's name ("BANCORP BANK, INC").
Most of those questions have a real answer available. They'll occasionally toss in ones where you have to enter "none," but most aren't like that. If you got something where every single correct answer was "none," something probably got screwed up. Otherwise it would be way too easy to spoof!
I had an interesting experience with these 'trick questions' doing the Creditkarma signup - I was asked four questions, three of which were fakes ('none of the above'), only the last question was legitimate. Either that's a random edge case, or a very sneaky intentional design...
Barclays' "3D Secure" asks two questions when verifying an online purchase and I can only recall a single occasion when one wasn't 'none of the above'.
It does ask for your sort code as a third question though, that's a one in four chance if you were picking randomly.
I've done identity verification dozens of times. I know how that works. The questions they asked were more specific and therefore more wrong. More along the lines of "Who owns the mortgage on your house at address 1234 Abcd Rd, Somecity, Somestate, 991234?" and "You made your last college loan payment on <wrongdate>. Which lender was it to?" Because my thought is "House? Where? When?" And when that happens for every question one gets miiighty suspicious.
That's right. You'd only be forfeiting the right to sue in the event that they get hacked again. Which to be fair is looking decently probable at this point.
Edit: I would like to know at this point, which got taken down faster after it was first reported on... This tweet, or the perfectly fine video interview of CISO Susan Mauldin with the Cazena CEO from 2016 before the breach? That one went down quickly after it was reported on by Hollywood LA News.
It's gotta be close. I believe that both were taken down in less than 24 hours.
Also another crazy thing is freezing your credit is meaningless with Experian. You and or any hacker can get your freeze pin by using your personal info that is now public. They don't even bother with any two way verification offering!
Perhaps the worst part of this breach is I have had people tell me "that's okay, I've never been an Equifax customer." The lack of understanding is almost as saddening as the breach itself. If you have credit, you're impacted.
The constant bungling on Equifax's part would be hilarious if the potential impacts weren't so sad.
Any other Uk visitors see this on https://trustedidpremier.com/ - thought a few thousand UK accounts were tied up in this...
ERROR
The request could not be satisfied.
The Amazon CloudFront distribution is configured to block access from your country.
Generated by cloudfront (CloudFront)
Request ID: ZU-LJh21L1Px18Bz5n20R3Nb1aApdzyce_Q6ZeeSIZ0OYiJk2v0eIA==
Non-US citizens won't be able to enter the last 6 digits of their US Social Security Number so the site is not going to be of value to you. (Although I'm not sure why they block Europe, there are certainly US citizens living abroad now.)
I don't know where to send you, but I would advise against sending at this point any additional responsibility or personal information to Equifax if you haven't already.
What would be the impact of requesting a total remove of one's information from Equifax? There are still 2 other credit bureaus who could be used when applying for loans.
Obviously this does nothing for the information that's already compromised, but if enough people do it, it would help kill off Equifax (lenders will rely less and less on it, thus depriving them of revenue).
> What would be the impact of requesting a total remove of one's information from Equifax?
Nothing. Your request would be ignored because we don't have legislation like the GDPR in this country to protect the rights of individuals to the privacy of the information collected about them.
This incompetence is truly hilarious at this point. I wouldn't be surprised if other large institutions holding sensitive data are just as reckless. Student loans? Health insurance companies?
Does anyone know what you have to do to join the Amish?
All jokes aside, every time I try to explain to a "normal" what is going on in "computer security" I feel like shit. The entire industry is a tire fire. And it's getting worse.
Pretty sure you can just convert and start living with them provided you can find a willing community to take you on.
Also - don't be fooled - using the CMM as a metric, the Amish are probably one of the more technologically mature societies around, since they have a clearly defined process around technology usage...
"
There are five levels defined along the continuum of the model and, according to the SEI: "Predictability, effectiveness, and control of an organization's software processes are believed to improve as the organization moves up these five levels. While not rigorous, the empirical evidence to date supports this belief".[15]
Initial (chaotic, ad hoc, individual heroics) - the starting point for use of a new or undocumented repeat process.
Repeatable - the process is at least documented sufficiently such that repeating the same steps may be attempted.
Defined - the process is defined/confirmed as a standard business process
Capable - the process is quantitatively managed in accordance with agreed-upon metrics.
Efficient - process management includes deliberate process optimization/improvement.
Within each of these maturity levels are Key Process Areas which characterise that level, and for each such area there are five factors: goals, commitment, ability, measurement, and verification. These are not necessarily unique to CMM, representing — as they do — the stages that organizations must go through on the way to becoming mature.
The model provides a theoretical continuum along which process maturity can be developed incrementally from one level to the next. Skipping levels is not allowed/feasible.
"
At this point, can someone explain me why that company is not taken out of business or _at least_ put under state control to verify they actually fix their issues and stop posing a threat to their customers lives?
I honestly don't know why they are allowed to handle the remediation and "damage control" at all, I've been saying that for over a week; it's been getting clearer and clearer that they do not have the operational capability to continue to exist, but nobody with any juice appears to be arguing this.
When they notified law enforcement well after the legal requirement to notify law enforcement had come and gone, that would have been a good time for the government to step in and say "hands off the wheel, we're handling this now." Would we be any better off today? I don't know, but my gut says no.
If I had to guess, the answer is that we don't just take companies and put them under state control here in the United States. It just does not happen that I am aware of. Can you name a time this happened?
I certainly can't think of a time when it would have made more sense to do this, but I am struggling to think of even one example of a company that was taken over by the state without searching.
It says here[1] the US government nationalized railroads and the Smith & Wesson company during WWI, and it also nationalized the railroad system and coal mines during WWII, and that Amtrak was the product of another time the government nationalized railroads in the 70's, but was re-privatized in the 80's...
If the law enforcement agencies had taken some kind of stand, we might still have video interviews with CISO Susan Mauldin from 2016, that have now been erased since September 10, but for some reason there does not seem to be much interest in that. Everyone understands the company is "saving face" by removing those interviews. Nobody is saying it, but it's pretty clear.
There is probably no legal requirement to keep those interviews online, even if they might provide some insight into the mindset of the CISO and how she was influenced in the months leading up to the breach by the other executives and the board members of Equifax. The fact that this is not a bigger story probably owes mostly to the fact that this is already such a big story.
140MM Americans impacted, likely every last person in the country with a credit history's personal information exposed, quite possibly enough to shutter the credit system as we know it for good. What's a little cover-up compared to that?
195 comments
[ 14.1 ms ] story [ 55.8 ms ] threadhttps://pbs.twimg.com/media/DKLbd1FW0AEsx_Q.jpg
At this point Equifax has repeatedly demonstrated nothing but contempt for people whose information they have compromised. When are the authorities going to padlock their doors and shut down this continuing criminally reckless enterprise?
I'm with you, it's more criminal that after all they've flubbed, this company is even still allowed to operate, than that they lost all of our information to begin with.
Don't we have at least 3 major credit bureaus? Equifax should be shuttered immediately and with prejudice, the American credit system will be immediately better off and we can all live without this one. Shareholders be damned.
Our system of credit operates on these bureaus, and we have two others that appear to be functioning properly. If I had one server that was obviously infested with hackers, but two others that were not obviously infested, assuming that I had isolated them properly and they did not have major parts that were in common, I'd start by unplugging the one that was already confirmed to be hacked.
I think it works the same way when corporations that surveilled 50% or more of the population demonstrate systematic incompetence basically without remorse, as in this case. They just need to be unplugged, immediately. (I'm not advocating we shut down the entire credit system, in other words, although I am terrified it may yet come to that.)
What'd the tweet say?
Never attribute to malice that which is adequately explained by stupidity.
They've completely demonstrated incompetence, no contempt needed.
The feeling that a person or a thing is beneath consideration, worthless, or deserving scorn. "he showed his contempt for his job by doing it very badly"
Ideally Equifax will listen and either move it to equifax.com, or take down the site altogether. Since the real version seems to be answering randomly, they may as well just shut the whole thing down.
But seeing as they're a massive, bumbling, bureaucratic organization, there's probably a non-zero change they'll try to sue me instead.
If there are any lawyers here, am I in potential legal hot water for making this site?
https://techcrunch.com/2017/09/08/psa-no-matter-what-you-wri...
Why? This seems like clear and compelling evidence that the site was not designed to actually phish.
- The site contains Equifax's heading, uses their branding, and is highly similar to the actual website
- The site is hosted on a domain that is very similar to the actual website and uses Equifax's name
- The site instructs users to enter PII on it under the guise of being Equifax.
It could be argued that the creator of the site created this to determine whether people were being phished by it before activating the actual collection of data.
Additionally, in Chrome, when I fill out the form and get the alert box, when I dismiss the alert box, two requests are made to the domain:
https://securityequifax2017.com/eligibility/images/favicon-3... https://securityequifax2017.com/eligibility/images/favicon-1...
If an onSubmit handler is attached to the form submit that sets a cookie with this information before showing the alert, then the phished details are transmitted to securityequifax2017.com.
Lawyers will C&D this extremely hard, a very reasonable case can be made that this is impersonation, and a phishing site with malicious intent.
NB: I DO NOT BELIEVE THAT THIS IS THE CREATOR'S INTENT. So do not jump at me thinking that I do believe that. I'm just saying that it could be very reasonably and successfully argued, and that nuance and intent could do very little to spurn allegations of impersonation or actual phishing.
"What if"s don't produce convictions.
(Plus, Cloudflare's flagging it as phishing now, haha.)
Why in the world wouldn't they just put it on their own domain?
You're right of course, but I'm betting that was the motivation.
Basically, the request signals all the little fiefdoms that it's their chance to weigh in.
Something like https://breach.equifax.com
Agreeing with everyone though, it's a wrong reason, but I can fathom why someone would do it.
<tangent>
A few days ago, got a mail from PayPal about "changes in account". Go to my account was linked to https://www.secureserverpaypal.ssvahan.com/home. I've forwarded the mail to PayPal spoofing address, they replied it's legit. Why would a legit PayPal activity be linked to an arbitrary domain - I don't get it. It makes zero sense.
>Hi there. Thanks for the quick response. I do have a question. Why would PayPal refer me to a form not hosted under PayPal domain? How can I tell it's a legit PayPal communication?
Expectedly, never got a response.
I would be confident to say that it was actively killed. Neat. Which is either a clear indication that PayPal finally did internally report the domain, or that some other source of noise got it shut down.
I think I have an idea of why, though I haven't been able to articulate it properly yet.
I've been thinking about it a lot recently because I co-work with a bunch of digital marketers, and some of them have affiliate marketing sites with domains that follow the pattern http://yourexactsearchterm.com.
The best I can come up with is the Uncanny Valley of SEO, where it feels like a website was made and over-optimized specifically for people making my exact search query. Maybe this is unfair or confirmation bias, but I feel like those websites are the most likely to be low quality content farms (e.g. paying content writers pennies to regurgitate content they have no experience with and/or don't understand). Either that, or they are outright scams.
Do any digital marketers here have opinions about this?
It's not just domain names, but the paths in URLs too --- an entry with your-exact-search-term.html almost subconsciously gets skipped over when scanning search results, unless the search term is extremely specific and somewhat obscure or I'm specifically looking for a file/path (e.g. spc4r37.pdf)
Even worse would have been if they had used dashes equifax-security-2017.com.
(plausible for those without the experience of "suspicious impression", of course)
The website: https://archive.is/PjlIK
Pretty much the only way to verify that's the right site is the fact that Equifax.com links to it, although this tweet indicates even that isn't necessarily a reason to trust it.
Why it's not a subdomain of Equifax.com is completely beyond me.
(Even better, the eligibility / credit monitoring signup takes you to another domain, https://trustedidpremier.com/)
Haha, just kidding, their certificate is DV.
/s
You know it's real because it's http.
It definitely looks like ol’ Barb in accounting has a nephew that builds web pages. “I bet he’d build it on the cheap!!1!!”
It’s time for this company to go away.
Not sure exactly how long it took OpenDNS to fix that but the false positive is cleared up now. Funnily enough, I switched from ISP (Verizon) DNS to OpenDNS to avoid their NXDOMAIN shenanigans, only to end up with other protective shenanigans.
We initially asked them if they had an updated version of this API using XML or JSON, and it turned into a call with several of their salespeople trying to upsell us on some complicated drag and drop rules engine that happened to return data as JSON. So we just stuck to the legacy API. They struck me as a pretty incompetent organization.
It troubles me how true this is.
Care to post a mini-example with fake data so we can better understand what you are describing?
Combine that info with https://techcrunch.com/2017/09/08/psa-no-matter-what-you-wri... and it's enough to throw one into paroxysms.
This chaos is maddeningly absurd, and in a just world their business would be completely shut down by the government.
Just a note, this most likely is not what happened. Identify verification questions typically will ask questions like "Who is your current house mortgage with?" when you have none and they will include a "None of the above" answer, which you're supposed to pick. It's totally intentional.
Basically, it's like a web script that's not hooked up to anything in the backend... Like their recent "has your information been leaked" web forms.
I suspect that's the case across the entire industry.
It does ask for your sort code as a third question though, that's a one in four chance if you were picking randomly.
Or, hopefully, just sued into bankruptcy.
Edit: I would like to know at this point, which got taken down faster after it was first reported on... This tweet, or the perfectly fine video interview of CISO Susan Mauldin with the Cazena CEO from 2016 before the breach? That one went down quickly after it was reported on by Hollywood LA News.
It's gotta be close. I believe that both were taken down in less than 24 hours.
They should apply HIPAA rules to data that can be used for identity theft.
Page 24 specifies “Amount of a civil money penalty”.
https://www.experian.com/ncaconline/freezepin
We are so screwed by these laggards!
Image backup/mirror of the tweet for when they eventually (?) delete it. As of this comment, it's still up, nearly 20 hours later.
The constant bungling on Equifax's part would be hilarious if the potential impacts weren't so sad.
ERROR
The request could not be satisfied.
The Amazon CloudFront distribution is configured to block access from your country. Generated by cloudfront (CloudFront) Request ID: ZU-LJh21L1Px18Bz5n20R3Nb1aApdzyce_Q6ZeeSIZ0OYiJk2v0eIA==
I don't know where to send you, but I would advise against sending at this point any additional responsibility or personal information to Equifax if you haven't already.
Obviously this does nothing for the information that's already compromised, but if enough people do it, it would help kill off Equifax (lenders will rely less and less on it, thus depriving them of revenue).
They'll say no.
Nothing. Your request would be ignored because we don't have legislation like the GDPR in this country to protect the rights of individuals to the privacy of the information collected about them.
I suppose you don't care, but it should be "lose" :-)
(transitive) To let loose, to free from restraints. (intransitive) Of a grip or hold, to let go.
I hope they aren't big to be held responsible.
All jokes aside, every time I try to explain to a "normal" what is going on in "computer security" I feel like shit. The entire industry is a tire fire. And it's getting worse.
At least we have DRM in the browsers now, eh?
Also - don't be fooled - using the CMM as a metric, the Amish are probably one of the more technologically mature societies around, since they have a clearly defined process around technology usage...
https://en.wikipedia.org/wiki/Capability_Maturity_Model
" There are five levels defined along the continuum of the model and, according to the SEI: "Predictability, effectiveness, and control of an organization's software processes are believed to improve as the organization moves up these five levels. While not rigorous, the empirical evidence to date supports this belief".[15]
Within each of these maturity levels are Key Process Areas which characterise that level, and for each such area there are five factors: goals, commitment, ability, measurement, and verification. These are not necessarily unique to CMM, representing — as they do — the stages that organizations must go through on the way to becoming mature.The model provides a theoretical continuum along which process maturity can be developed incrementally from one level to the next. Skipping levels is not allowed/feasible. "
This talk is both interesting, more or less correct, and absolutely hilarious.
When they notified law enforcement well after the legal requirement to notify law enforcement had come and gone, that would have been a good time for the government to step in and say "hands off the wheel, we're handling this now." Would we be any better off today? I don't know, but my gut says no.
If I had to guess, the answer is that we don't just take companies and put them under state control here in the United States. It just does not happen that I am aware of. Can you name a time this happened?
I certainly can't think of a time when it would have made more sense to do this, but I am struggling to think of even one example of a company that was taken over by the state without searching.
It says here[1] the US government nationalized railroads and the Smith & Wesson company during WWI, and it also nationalized the railroad system and coal mines during WWII, and that Amtrak was the product of another time the government nationalized railroads in the 70's, but was re-privatized in the 80's...
[1]: https://www.cbsnews.com/news/a-history-of-corporate-national...
If the law enforcement agencies had taken some kind of stand, we might still have video interviews with CISO Susan Mauldin from 2016, that have now been erased since September 10, but for some reason there does not seem to be much interest in that. Everyone understands the company is "saving face" by removing those interviews. Nobody is saying it, but it's pretty clear.
There is probably no legal requirement to keep those interviews online, even if they might provide some insight into the mindset of the CISO and how she was influenced in the months leading up to the breach by the other executives and the board members of Equifax. The fact that this is not a bigger story probably owes mostly to the fact that this is already such a big story.
140MM Americans impacted, likely every last person in the country with a credit history's personal information exposed, quite possibly enough to shutter the credit system as we know it for good. What's a little cover-up compared to that?
After the OPM breach, I have zero confidence that the United States have any more competence at this than Equifax.
[0] https://en.wikipedia.org/wiki/Office_of_Personnel_Management...
“Larry... did you accidentally link to a phishing site instead of our company’s site?”
“Uuhhh...”
(Audience laughs)
“Dammit Larry!”
(Audience laughs)