The latest Equifax security error marks yet another issue for the beleaguered credit agency.
Still reeling from a major data breach disclosed last week – with names, Social Security numbers (SSNs) and addresses among the information stolen from around 143m people – Equifax continues to struggle.
The advice given to affected customers was to freeze their credit files after receiving a 10-digit PIN from Equifax, stopping thieves from taking out a line of credit under someone else’s name.
The problem with PINs
Although this method is clunky, it is the best option customers affected by the breach are left with, as Mark Stockley of Sophos wrote in a blog post yesterday (10 September): “Frozen credit files can’t be accessed by creditors, which should stop thieves who stole your identity during the breach from taking out a line of credit in your name.
“Of course, it stops you from taking out credit too, but, unlike the crooks, you can unfreeze your credit files if you need to.
“It’s far from a perfect solution – freezing and unfreezing isn’t slick – but, short of changing your SSN and date of birth, it’s probably your best protection.”
Sound relatively simple? Apparently not. The PINs issued to customers were discovered not to have been chosen at random, making them insecure.
Instead, the 10 digits corresponded to the time and date a credit file freeze was performed, using the format MMDDyyHHmm, so, if someone performed the freeze on 9 September 2017 at 3.30pm, their PIN would read: 0909171530.
Screenshot of when you're assigned an Equifax security freeze PIN. It's just a timestamp of when you made the freeze: MMDDYYHHMM. pic.twitter.com/xna8aaQ2b3
— Tony Webster (@webster) September 9, 2017
As Stockley rightly points out, had Equifax chosen random PINs, a thief's chance of guessing one on the first attempt would be one in 10bn (10 digits give 10^10 possible values). By comparison, the timestamped scheme can produce only one PIN per minute, and across the 100 years a two-digit year can denote that is roughly 60 × 24 × 365 × 100, or just over 50m distinct values – cutting the guesswork by a factor of nearly 200 before anything else is known.
Worse, a PIN can be cross-referenced with the customer's activity on the Equifax website: a thief who knows roughly when the freeze was placed only has to try the minutes in that window, which narrows the possibilities from tens of millions down to a few hundred or fewer.
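To make the arithmetic above concrete, here is an added example (not code from the article, from Sophos or from Equifax) that models the reported MMDDyyHHmm scheme: it derives a PIN from a freeze time, counts how many distinct PINs the scheme can ever produce against the 10bn of a random one, and shows how many guesses an attacker needs once the freeze window is known. The function names, the 2000-2099 year window and the sample freeze time are assumptions made for the illustration.

```python
# Added example, not from the article or from Equifax: it models the reported
# MMDDyyHHmm scheme to show how small its keyspace is and how a known freeze
# window collapses it further. Function names, the 2000-2099 year window and
# the sample freeze time are assumptions for the illustration.
from datetime import date, datetime, timedelta
from typing import Iterator, Optional
import secrets

PIN_FORMAT = "%m%d%y%H%M"   # the reported timestamp layout: MMDDyyHHmm


def timestamp_pin(freeze_time: datetime) -> str:
    """Reproduce the reported scheme: the PIN is just the freeze time."""
    return freeze_time.strftime(PIN_FORMAT)


def random_pin() -> str:
    """What Equifax said it would switch to: a uniformly random 10-digit PIN."""
    return f"{secrets.randbelow(10 ** 10):010d}"


def keyspace_random() -> int:
    """Ten random digits: 10^10 equally likely values."""
    return 10 ** 10


def keyspace_timestamp() -> int:
    """Distinct PINs the timestamp scheme can ever produce: one per minute
    over the 100 years a two-digit yy can denote (assumed 2000-2099; any
    100-year span containing 25 leap days gives the same count)."""
    days = (date(2100, 1, 1) - date(2000, 1, 1)).days   # 36,525 days
    return days * 24 * 60                                 # 52,596,000 minutes


def parse_pin(pin: str) -> Optional[datetime]:
    """Recover the freeze time from a timestamp PIN, or None if the string
    is not one. The round-trip check rejects partial matches that strptime
    would otherwise accept (e.g. a single-digit month)."""
    if len(pin) != 10 or not pin.isdigit():
        return None
    try:
        when = datetime.strptime(pin, PIN_FORMAT)
    except ValueError:
        return None
    return when if when.strftime(PIN_FORMAT) == pin else None


def candidate_pins(start: datetime, end: datetime) -> Iterator[str]:
    """Every PIN the scheme could have issued for a freeze placed in
    [start, end): one candidate per minute."""
    t = start.replace(second=0, microsecond=0)
    while t < end:
        yield timestamp_pin(t)
        t += timedelta(minutes=1)


def guesses_needed(target: str, start: datetime, end: datetime) -> Optional[int]:
    """Number of sequential guesses an attacker needs to hit `target` knowing
    only that the freeze was placed within [start, end). Returns None if the
    PIN is not a timestamp inside that window."""
    for n, guess in enumerate(candidate_pins(start, end), start=1):
        if guess == target:
            return n
    return None


if __name__ == "__main__":
    # Constructed sample: the article's freeze on 9 September 2017 at 3.30pm.
    freeze = datetime(2017, 9, 9, 15, 30)
    pin = timestamp_pin(freeze)
    print("issued PIN:", pin)                                   # 0909171530
    print("freeze time leaked by the PIN:", parse_pin(pin))
    print("random keyspace:   ", keyspace_random())             # 10000000000
    print("timestamp keyspace:", keyspace_timestamp())          # 52596000
    afternoon = (datetime(2017, 9, 9, 12, 0), datetime(2017, 9, 9, 18, 0))
    print("guesses if the attacker knows 'afternoon of 9 Sept':",
          guesses_needed(pin, *afternoon))                      # 211
    print("a replacement random PIN looks like:", random_pin())
```

The 52.6m figure is only an upper bound on the scheme's keyspace: it assumes nothing about when the freeze happened. Most freezes prompted by this breach were placed in the days after the 7 September 2017 disclosure, and knowing the day shrinks the candidate list to 1,440 PINs; knowing the afternoon shrinks it to 360, as `guesses_needed` shows. The PIN also leaks the freeze time itself, which is why `parse_pin` works at all. A random PIN from `random_pin()` gives none of these footholds.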
A rapid fix from Equifax
Following criticism from many in the infosec sphere, Equifax told The New York Times that it will be changing the PIN generation and request process: “While we have confidence in the current system, we understand and appreciate that consumers have questions about how PINs are currently generated.
“We are engaged in a process that will provide consumers a randomly generated PIN. We expect this change to be effective within 24 hours.”
A problem remains, as web engineer Tony Webster pointed out: customers who already received one of the old timestamp PINs cannot simply request a new one online and must contact Equifax by post to have it changed.
Equifax's security freeze system is now generating random PINs. If you already got one though, you have to MAIL them to change it. Fail. pic.twitter.com/fOrtvgkmGd
— Tony Webster (@webster) September 11, 2017
What remains to be explained is why Equifax adopted such a flawed PIN scheme in the first place.