
Equifax or Equiphish?


More than a week after it said most people would be eligible to enroll in a free year of its TrustedID identity theft monitoring service, big three consumer credit bureau Equifax has begun sending out email notifications to people who were able to take the company up on its offer. But in yet another security stumble, the company appears to be training recipients to fall for phishing scams.

Some people who signed up for the service after Equifax announced Sept. 7 that it had lost control over Social Security numbers, dates of birth and other sensitive data on 143 million Americans are still waiting for the promised notice from Equifax. But as I recently noted on Twitter, other folks have received emails from Equifax over the past few days, and the messages do not exactly come across as having emanated from a company that cares much about trying to regain the public’s trust.

Here’s a redacted example of an email Equifax sent out to one recipient recently:

[Screenshot: redacted Equifax notification email (equifaxcare)]

As we can see, the email purports to have been sent from trustedid.com, a domain that Equifax has owned for almost four years. However, Equifax apparently decided it was time for a new — and perhaps snazzier — name: trustedidpremier.com.

The above-pictured message says it was sent from one domain, and then asks the recipient to respond by clicking on a link to a completely different (but confusingly similar) domain.

My guess is the reason Equifax registered trustedidpremier.com was to help people concerned about the breach to see whether they were one of the 143 million people affected (for more on how that worked out for them, see Equifax Breach Response Turns Dumpster Fire). I’d further surmise that Equifax was expecting (and received) so much interest in the service as a result of the breach that all the traffic from the wannabe customers might swamp the trustedid.com site and ruin things for the people who were already signed up for the service before Equifax announced the breach on Sept. 7.

The problem with this dual-domain approach is that the domain trustedidpremier.com is only a few weeks old, so it had very little time to establish itself as a legitimate domain. As a result, in the first few hours after Equifax disclosed the breach the domain was actually flagged as a phishing site by multiple browsers because it was brand new and looked about as professionally designed as a phishing site.

What’s more, there is nothing tying the domain registration records for trustedidpremier.com to Equifax: The domain is registered to a WHOIS privacy service, which masks information about who really owns the domain (again, not exactly something you might expect from an identity monitoring site). Anyone looking for assurances that the site perhaps was hosted on Internet address space controlled by and assigned to Equifax would also be disappointed: The site is hosted at Amazon.

While there’s nothing wrong with that exactly, one might reasonably ask: Why didn’t Equifax just send the email from Equifax.com and host the ID theft monitoring service there as well? Wouldn’t that have considerably lessened any suspicion that this missive might be a phishing attempt?

Perhaps, but you see while TrustedID is technically owned by Equifax Inc., its services are separate from Equifax and its terms of service are different from those provided by Equifax (almost certainly to separate Equifax from any consumer liability associated with its monitoring service).
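The mismatch the article describes (a message claiming to come from one domain while every call to action points at a different, confusingly similar one) is exactly the kind of thing a mail gateway or a user-awareness tool can check mechanically. The following Python script is an added illustration, not code from the article or from Equifax: it parses a constructed message modelled on the email above (headers, addresses and URLs are placeholders), extracts the sender's domain and every link target, and labels each link as a match, a look-alike, or a plain mismatch. The registrable-domain logic is a deliberately simple last-two-labels approximation rather than a public-suffix lookup, and the domain-age and WHOIS checks the article mentions are left out because they need network lookups.

```python
"""Flag emails whose links point somewhere other than the sending domain."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, modelled on the message described in the article.
# The real email is redacted; these addresses and URLs are placeholders.
SAMPLE_EMAIL = """\
From: TrustedID Customer Care <no-reply@trustedid.com>
To: consumer@example.com
Subject: Your TrustedID Premier enrollment
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Thank you for enrolling. Complete your activation here:</p>
<a href="https://www.trustedidpremier.com/activate?x=1">Activate</a>
<p>Questions? Visit <a href="https://www.trustedid.com/help">our help page</a>.</p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect the href of every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def registrable_domain(host):
    """Crude approximation: keep the last two labels of the host.
    Assumption for this example only; production code should consult
    a public-suffix list (co.uk and friends break this rule)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_domain(msg):
    """Registrable domain of the address in the From: header."""
    _, addr = parseaddr(msg.get("From", ""))
    return registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""


def lookalike(a, b):
    """True when one second-level label is a prefix of the other,
    e.g. trustedidpremier vs trustedid."""
    la, lb = a.split(".")[0], b.split(".")[0]
    return la != lb and (la.startswith(lb) or lb.startswith(la))


def analyze(raw):
    """Return the sender domain and a verdict for every link in the body."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    parser = LinkExtractor()
    parser.feed(html)
    sender = sender_domain(msg)
    findings = []
    for href in parser.hrefs:
        dom = registrable_domain(urlparse(href).hostname or "")
        if dom == sender:
            verdict = "match"
        elif lookalike(dom, sender):
            verdict = "lookalike"
        else:
            verdict = "mismatch"
        findings.append({"href": href, "domain": dom, "verdict": verdict})
    return {"sender_domain": sender, "links": findings}


if __name__ == "__main__":
    report = analyze(SAMPLE_EMAIL)
    print("sender:", report["sender_domain"])
    for link in report["links"]:
        print(f"  {link['verdict']:9} {link['domain']:25} {link['href']}")
```

Run against the sample, the activation link is reported as a look-alike of the sending domain and the help link as a match; a gateway rule that quarantines or annotates messages with any "lookalike" or "mismatch" link on a primary call to action is the defensive counterpart of the author's complaint.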

THE BACKSTORY

What’s super-interesting about trustedid.com is that it didn’t always belong to Equifax. According to the site’s Wikipedia page, TrustedID Inc. was purchased by Equifax in 2013, but it was founded in 2004 as an identity protection company which offered a service that let consumers automatically “freeze” their credit file at the major bureaus. A freeze prevents Equifax and the other major credit bureaus from selling an individual’s credit data without first getting consumer consent.

By 2006, some 17 states offered consumers the ability to freeze their credit files, and the credit bureaus were starting to see the freeze as an existential threat to their businesses (in which they make slightly more than a dollar each time a potential creditor — or ID thief — asks to peek at your credit file).

Other identity monitoring firms — such as LifeLock — were by then offering services that automated the placement of identity fraud controls — such as the “fraud alert,” a free service that consumers can request to block creditors from viewing their credit files.

[Author’s note: Fraud alerts only last for 90 days, although you can renew them as often as you like. More importantly, while lenders and service providers are supposed to seek and obtain your approval before granting credit in your name if you have a fraud alert on your file, they are not legally required to do this — and very often don’t.]

Anyway, the era of identity monitoring services automating things like fraud alerts and freezes on behalf of consumers effectively died after a landmark lawsuit filed by big-three bureau Experian (which has its own storied history of data breaches). In 2008, Experian sued LifeLock, arguing its practice of automating fraud alerts violated the Fair Credit Reporting Act.

In 2009, a court found in favor of Experian, and that decision effectively killed such services — mainly because none of the banks wanted to distribute them and sell them as a service anymore.

WHAT SHOULD YOU DO

These days, consumers in all states have a right to freeze their credit files, and I would strongly encourage all readers to do this. Yes, it can be a pain, and the bureaus certainly seem to be doing everything they can at the moment to make this process extremely difficult and frustrating for consumers. As detailed in the analysis section of last week’s story — Equifax Breach: Setting the Record Straight — many of the freeze sites are timing out, crashing or telling consumers just to mail in copies of identity documents and printed-out forms.

Other bureaus, like TransUnion and Experian, are trying mightily to steer consumers away from a freeze and toward their confusingly named “credit lock” services — which claim to be the same thing as freezes only better. The truth is these lock services do not prevent the bureaus from selling your credit reports to anyone who comes asking for them (including ID thieves); and consumers who opt for them over freezes must agree to receive a flood of marketing offers from a myriad of credit bureau industry partners.

While it won’t stop all forms of identity theft (such as tax refund fraud or education loan fraud), a freeze is the option that puts you, the consumer, in the strongest position to control who gets to monkey with your credit file. In contrast, while credit monitoring services might alert you when someone steals your identity, they’re not designed to prevent crooks from doing so.

That’s not to say credit monitoring services aren’t useful: They can be helpful in recovering from identity theft, which often involves a tedious, lengthy and expensive process for straightening out the phony activity with the bureaus.

The thing is, it’s almost impossible to sign up for credit monitoring services while a freeze is active on your credit file, so if you’re interested in signing up for them it’s best to do so before freezing your credit. But there’s no need to pay for these services: Hundreds of companies — many of which you have probably transacted with at some point in the last year — have disclosed data breaches and are offering free monitoring. California maintains one of the most comprehensive lists of companies that disclosed a breach, and most of those are offering free monitoring.

There’s a small catch with the freezes: Depending on the state in which you live, the bureaus may each be able to charge you for freezing your file (the fee ranges from $5 to $20); they may also be able to charge you for lifting or temporarily thawing your file in the event you need access to credit. Consumers Union has a decent rundown of the freeze fees by state.

In short, sign up for whatever free monitoring is available if that’s of interest, and then freeze your file at the four major bureaus. You can do this online, by phone, or through the mail. Given how unreliable the credit bureau Web sites have been for placing freezes these past few weeks, it may be easiest to do this over the phone. Here are the freeze Web sites and freeze phone numbers for each bureau (note the phone procedures can and likely will change as the bureaus get wise to more consumers learning how to quickly step through their automated voice response systems):

Equifax: 866-349-5191; choose option 3 for a “Security Freeze”

Experian: 888-397-3742;
–Press 2 “To learn about fraud or ADD A SECURITY FREEZE”
–Press 2 “for security freeze options”
–Press 1 “to place a security freeze”
–Press 2 “…for all others”
–enter your info when prompted

Innovis: 800-540-2505;
–Press 1 for English
–Press 3 “to place or manage an active duty alert or a SECURITY FREEZE”
–Press 2 “to place or manage a SECURITY FREEZE”
–enter your info when prompted

Transunion: 888-909-8872, choose option 3

If you still have questions about freezes, fraud alerts, credit monitoring or anything else related to any of the above, check out the lengthy primer/Q&A I published here on Sept. 11, The Equifax Breach: What You Should Know.


UC is handing out generous pensions, and students are paying the price with higher tuition


As parents and students start writing checks for the first in-state tuition hike in seven years at the University of California, they hope the extra money will buy a better education.

But a big chunk of that new money — perhaps tens of millions of dollars — will go to pay for the faculty’s increasingly...

freeAgent, 1 day ago:
Yudof sounds like a jerk, but he's right. The real problem here is public officials (more or less, people playing with public money in this case) deciding to unwisely spend that money because it has no negative consequences for them.

Intellectual fallout from the likely failure of Graham-Cassidy


1. The Democrats were debating single payer while this bill, which they dread, nearly passed (and still has some chance of passing).  This was not a random mistake, rather it reflects a more general tendency of the Democratic Party to focus on the wrong kind of expressive values, in a manner which does not seem remediable.  We need to re-model what they are, and build this kind of un-educability into the new model.

2. One lesson of Graham-Cassidy failure is that American health care, at the state level, is a race to the bottom not to the top.  Recall that the Canadian health care system also leaves key decisions to the provinces + block grants, but American Progressives love the results.  Most observers know the American states would not copy the Canadian provinces in their policies, and it is not only because fiscal equalization is weaker to the south.  The reality is that spending much more on health care would not make most American states much more desirable places for most people to live in.  If it did, Graham-Cassidy would be a better idea than in fact it is and a race to the top would ensue.  Better health care would brighten up states all around, attract more population, and increase the revenue going into governor’s coffers.

Democrats and Republicans both find this inadequacy of state-level outcomes difficult to accept, though for opposing reasons.  Democrats hate having to recognize that all the extra health care spending might be mainly redistribution rather than remedying a market failure or providing a broad-based social public good.  Republicans hate to see that giving states control over health care policy, and allowing them to revise Obamacare, won’t improve those states and probably would make most of them worse.

Of course my points #1 and #2 relate.  I agree Graham-Cassidy is a bad idea, but every time I hear the critics say it is heartless, or would “take away” people’s health insurance, or “kill people,” what I really hear is “If we let everyone vote again on Obamacare, with a real time balanced budget constraint, they wouldn’t vote for nearly as much health care next time around.”

Which is why you should not be obsessing over single-payer systems.

Across the board, pondering Graham-Cassidy, including its failure, should make you more pessimistic about economic and social processes.

The post Intellectual fallout from the likely failure of Graham-Cassidy appeared first on Marginal REVOLUTION.


Amazon may deliver Chipotle and Five Guys right to your front door

Amazon's been getting into the food game for awhile now. After all, they've introduced Amazon Fresh and drive-through grocery pickup. And oh yeah, they acquired Whole Foods earlier this year. Clearly Amazon is serious about the food business; they've...
freeAgent, 1 day ago:
I can feel myself getting fatter.

Why Equifax’s error wasn’t hiring someone with a music degree

In the wake of the Equifax breach, a significant number of people lost their minds this week upon discovering that one of its newly deposed security executives has a degree in music composition. Despite 14 years of experience as a security profession...

In spectacular fail, Adobe security team posts private PGP key on blog


Um, yes, that was Adobe PSIRT's private PGP key on their website. Best get their new public key.

Having some transparency about security problems with software is great, but Adobe's Product Security Incident Response Team (PSIRT) took that transparency a little too far today when a member of the team posted the PGP keys for PSIRT's e-mail account—both the public and the private keys. The keys have since been taken down, and a new public key has been posted in its stead.

The faux pas was spotted at 1:49pm ET by security researcher Juho Nurminen:

Nurminen was able to confirm that the key was associated with the psirt@adobe.com e-mail account.
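A mistake like this is cheap to catch before anything reaches a web server: ASCII-armored PGP blocks carry their type in the BEGIN/END lines, so a pre-publication check only has to refuse drafts containing a private-key block. The Python below is an added example, not Adobe's tooling or anything from the story: it scans a constructed draft (the key bodies are placeholder text, not real key material) for armored blocks, records each block's type and line number, and reports whether the draft is safe to publish.

```python
"""Pre-publication check: refuse content that contains PGP private-key armor."""
import re

# One ASCII-armored block: BEGIN line, body, matching END line.
ARMOR_RE = re.compile(
    r"^-----BEGIN PGP (?P<kind>[A-Z ]+?)-----\s*$"
    r"(?P<body>.*?)"
    r"^-----END PGP (?P<endkind>[A-Z ]+?)-----\s*$",
    re.MULTILINE | re.DOTALL,
)

# Constructed draft: a public-key block followed by a private-key block.
# Both bodies are placeholders, not real key material.
SAMPLE_DRAFT = """\
Our new PSIRT key:

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBFexample...
-----END PGP PUBLIC KEY BLOCK-----

(oops, pasted the wrong half too)

-----BEGIN PGP PRIVATE KEY BLOCK-----

lQOYBFexample...
-----END PGP PRIVATE KEY BLOCK-----
"""


def find_armor_blocks(text):
    """Return every armored block with its type, start line and whether
    the BEGIN and END types agree."""
    blocks = []
    for m in ARMOR_RE.finditer(text):
        line_no = text.count("\n", 0, m.start()) + 1
        blocks.append({
            "kind": m.group("kind"),
            "line": line_no,
            "well_formed": m.group("kind") == m.group("endkind"),
        })
    return blocks


def private_key_findings(text):
    """Only the blocks whose armor type names a private key."""
    return [b for b in find_armor_blocks(text) if "PRIVATE KEY" in b["kind"]]


def safe_to_publish(text):
    """True when no private-key armor is present."""
    return not private_key_findings(text)


if __name__ == "__main__":
    for b in find_armor_blocks(SAMPLE_DRAFT):
        print(f"line {b['line']:3}: {b['kind']}")
    for b in private_key_findings(SAMPLE_DRAFT):
        print(f"REFUSED: private key block at line {b['line']}")
    print("safe to publish:", safe_to_publish(SAMPLE_DRAFT))
```

Wired into a CMS save hook or a repository pre-commit check, this refuses the draft at the second block (line 10 of the sample) while letting the public-key block through, which is all that was needed to turn the incident in the story into a non-event.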

