It appears that my diary of yesterday advising folks to freeze their credit reports in the wake of the recent Equifax hacking had the desired effect. Many of you did the smart thing and rushed online to freeze your reports at each of the big three credit reporting agencies.
That was smart. Feel good about that. You did the right thing.
Just...don’t feel too good, OK? Because I have to say that what I learned yesterday about Equifax’s ongoing security practices leaves me shaken. The company’s practices are flimsy and incompetent from top to bottom, and that problem is still ongoing. I’ve seen lemonade stands that are more secure than this buffoonish company. After considerable soul-searching I’ve decided to discuss that here, because I think that you, and the public at large, and certainly the authorities, all need to know this.
Here’s what I know:
My diary yesterday was based on my own experience freezing my own credit reports early yesterday morning, plus helping my wife freeze her reports, too. When you freeze your credit report, the reporting company gives you a PIN number you can use at some later date to unfreeze it again — which you’ll need to do the next time you want to apply for a loan or a credit card or to open a new bank account.
When I froze my report at TransUnion, I was given a six-digit PIN number. Six digits is reasonably good; that’s one of 999,999 possible numbers. A bad guy trying to guess your PIN number would, on average, have to try 500,000 different numbers in order to have a 50-50 chance of unfreezing your report without your permission. And if TransUnion is at all competent, it would certainly shut down your account after far fewer than that number of failed attempts. So, OK...I guess.
The jury is still out regarding how good Experian’s PIN security is. They didn’t provide my PIN number to me over the web, but instead promised to snail-mail it to me. So we’ll wait and see how many digits their PINs use.
On the surface of things, Equifax’s PIN numbers are super-good: they’re ten digits long. That’s ten billion possible numbers that a bad guy looking to unfreeze your report would need to wade through. Good on them, right?
Wrong. Because Equifax security is incompetent, the odds are that I might be able to correctly guess someone else’s PIN number (and, thus, unfreeze someone else’s credit report) in about 75 attempts, or thereabouts (admittedly, I could do this only under some special conditions...see below...but those conditions aren’t nearly special enough to comprise good security).
I know this because, about a half-hour after I froze my own report at Equifax, I sat down with MsDawg and helped her through the process of freezing hers. And, lo and behold, at the end of that process when the web site gave us her ten-digit PIN number, it was a number that differed from my own PIN by just 160. What I mean to say here is that if my PIN number was, say, 1,234,567,890, then MsDawg’s PIN was 1,234,568,050.
EDIT: Hat-tips to kyoders and goodasgold, in the comments below, for pointing out that the situation with Equifax’s PINs is even worse than I first realized. The first six digits of their PINs are the date on which you froze your account (for example, if you freeze today then the first six digits of your PIN will be 090917). And the last four digits are sequentially issued.
EDIT #2: And another hat-tip to Daniel Donner. The last four digits of an Equifax PIN are now known to be the timestamp. In other words, if you applied for a freeze at 12:41 PM today, your PIN number is 0909171241. There are only 1,440 possible hour-minute combinations (24 x 60), so on any one day, no matter how many people freeze their accounts, Equifax issues only 1,440 different PIN numbers.
If I know when you applied for your freeze, then I know your PIN number. Or if I simply know the date on which you froze your report, then I have a 50-50 chance of correctly guessing your PIN number in just 720 tries. And — oh by the way — your ISP knows exactly what your Equifax PIN number is, because it knows the exact time and date on which you clicked that button. And anyone who purchases your browsing history from your ISP will also know your PIN number. Long story short: your Equifax PIN number (i.e., your password for freezing and unfreezing your report) is utterly worthless from a security perspective. You might as well rent a billboard on I-95 and advertise your PIN number to the whole freaking world, for all the good it does you.
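To put numbers on the point above, here is a small added example (mine, not Equifax’s code or anything from the post) that models the date-plus-time PIN layout exactly as described (MMDDYY followed by HHMM), compares its effective keyspace against a genuinely random ten-digit PIN, and shows how a PIN should be generated instead, with a CSPRNG. The MMDDYYHHMM format and the 1,440-per-day figure come straight from the post; everything else is my own illustration.

```python
import math
import secrets
from datetime import datetime

PIN_DIGITS = 10
DIGITS = "0123456789"


def timestamp_pin(freeze_time: datetime) -> str:
    """Reconstruct the weak scheme the post describes: MMDDYY + HHMM.
    Shown only to measure how little it protects; do not use this."""
    return freeze_time.strftime("%m%d%y%H%M")


def timestamp_pin_keyspace_per_day() -> int:
    # Once the freeze date is known, only the hour and minute vary.
    return 24 * 60  # 1,440 candidates, as the post states


def random_pin_keyspace(digits: int = PIN_DIGITS) -> int:
    # Every ten-digit string is possible when the PIN is truly random.
    return 10 ** digits


def entropy_bits(keyspace: int) -> float:
    # log2 of the keyspace: how many bits of guessing work the PIN is worth.
    return math.log2(keyspace)


def guesses_for_even_odds(keyspace: int) -> int:
    # Expected number of tries before a guesser has a 50-50 chance.
    return keyspace // 2


def secure_pin(digits: int = PIN_DIGITS) -> str:
    """What a credit bureau should issue: digits drawn from the OS CSPRNG,
    with no date, time, or sequence number embedded anywhere."""
    return "".join(secrets.choice(DIGITS) for _ in range(digits))


if __name__ == "__main__":
    # Constructed example: a freeze requested on 2017-09-09 at 12:41.
    weak = timestamp_pin(datetime(2017, 9, 9, 12, 41))
    print("weak PIN:", weak, "bits:", round(entropy_bits(1440), 2))
    print("random PIN:", secure_pin(), "bits:",
          round(entropy_bits(random_pin_keyspace()), 2))
```

The contrast is roughly 10.5 bits of effective strength for the date-based scheme once the freeze date is known, against about 33.2 bits for a random ten-digit PIN; a lockout after a handful of failed attempts would matter far more for the former than for the latter.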
Words fail me. As anyone who has even the most rudimentary working knowledge of security knows, this is gob-smackingly stupid. PINs are passwords, fer chrissake. You don’t issue sequentially numbered passwords. And you don’t encode the issue date into the password. You. Just. Don’t. Because it is one helluva lot easier to ‘guess’ the next number in a numeric series than it is to guess a random number. And so nobody does that.
Except, Equifax does. And this factoid provides us with a revealing (and sickening) glimpse into the security mindset at Equifax. And what we see is that Equifax doesn’t know the first damn thing about security. Either that, or they just plain don’t give a shit about security. And, apparently, never have.
The Equifax hack wasn’t an ‘act of God.’ It wasn’t something that could have happened to any company, given that there’s no such thing as perfect cybersecurity.
It was, instead, the inevitable result of a criminally negligent mindset pervading the company.