Equifax is a joke

Topic Author
UncleLeo
Posts: 58
Joined: Wed Jul 12, 2017 12:43 am

Equifax is a joke

Post by UncleLeo » Thu Aug 15, 2019 9:23 pm

So I was impacted by the Equifax breach and now trying to put a security freeze on my credit reports.
Even though I'm pretty sure that I've answered correctly to all of the security questions while trying to open an account on myEquifax, they decided to send me a verification code via email. No problem! A few days later, the letter arrived, I went to the link and typed the verification code. Now, whenever I'm trying to log in I'm getting the "Please give us a call" message. So I called them, and the answer I got is that I have to send them a copy of my driver license and social security card via physical mail or fax :shock:

I mean, Equifax just had one of the biggest security breaches ever. I'd expect them to know by now a thing or two about security and secure means of transferring sensitive documents. Physical mail? Fax? :oops: A man in the middle attack is super easy on both of them

:confused

thx1138
Posts: 989
Joined: Fri Jul 12, 2013 2:14 pm

Re: Equifax is a joke

Post by thx1138 » Thu Aug 15, 2019 9:30 pm

Fax and USPS are in fact the preferred methods for sending sensitive personal information. UPS and FedEx fine as well though more expensive. They are doing exactly what nearly every security professional would recommend.

I think you need to look up the term “man in the middle” as that doesn’t apply here at all.

That said - Equifax is still a joke.

investor4life
Posts: 170
Joined: Fri Oct 08, 2010 9:45 am

Re: Equifax is a joke

Post by investor4life » Thu Aug 15, 2019 9:57 pm

UncleLeo wrote:
Thu Aug 15, 2019 9:23 pm
So I was impacted by the Equifax breach and now trying to put a security freeze on my credit reports.
Even though I'm pretty sure that I've answered correctly to all of the security questions while trying to open an account on myEquifax, they decided to send me a verification code via email. No problem! A few days later, the letter arrived, I went to the link and typed the verification code. Now, whenever I'm trying to log in I'm getting the "Please give us a call" message. So I called them, and the answer I got is that I have to send them a copy of my driver license and social security card via physical mail or fax :shock:

I mean, Equifax just had one of the biggest security breaches ever. I'd expect them to know by now a thing or two about security and secure means of transferring sensitive documents. Physical mail? Fax? :oops: A man in the middle attack is super easy on both of them

:confused
Been there, done that. :x DW was in a similar situation. We sent her license and passport info for verification via US Mail about 7 weeks ago. Still waiting to hear back. Not holding our breath. The good thing though is that since the account is locked-out, no one else can get in either (at least we hope so, but given how screwed-up their systems are who knows). Fortunately, we are able to freeze/unfreeze via phone using the PIN we have from the time we first froze the files after their breach.

Cheryl604
Posts: 125
Joined: Sat May 24, 2014 12:24 pm

Re: Equifax is a joke

Post by Cheryl604 » Thu Aug 15, 2019 10:15 pm

Hey, I sent my driver's license and social security card to Equifax for a security freeze BEFORE the breach because my identity had been stolen and they had the wrong address on my account. Then, after the breach I got a letter that I was one of a special 100,000 who had their personal documents stolen in addition to the credit file. So, yes, Equifax is a joke and I basically came here to +1 the title of this post. Honestly, the other two credit bureaus are so much easier to work with, I don't understand how Equifax is even still in business.

dboeger1
Posts: 47
Joined: Fri Jan 13, 2017 7:32 pm

Re: Equifax is a joke

Post by dboeger1 » Thu Aug 15, 2019 10:23 pm

thx1138 wrote:
Thu Aug 15, 2019 9:30 pm
Fax and USPS are in fact the preferred methods for sending sensitive personal information. UPS and FedEx fine as well though more expensive. They are doing exactly what nearly every security professional would recommend.

I think you need to look up the term “man in the middle” as that doesn’t apply here at all.

That said - Equifax is still a joke.
What? It absolutely does apply. A "man in the middle" just needs to open the box or envelope or whatever to get your personal information. The reason for sending personal documents through the mail has absolutely nothing to do with protecting the data (which physical mail is quite bad at compared to proper digital encryption). It usually has to do with acting as a barrier for terrorists, bots, forgers, etc. For example, as a result of 9/11 and the war on terror, US banks are now legally required to verify that new customers are legitimate US citizens/residents so that terrorist organizations can't easily open an account from abroad and use it to get funding. They typically do this by requiring you to open an account in person or send signed documents from a US address. The intent is to stop people from opening fake/illegal accounts, not to protect the legitimate ones.

EDIT: Another example relevant to Bogleheads is granting someone such as a spouse the authorization to manage one's investments. You can't just check a box on the web site. They make you get a bunch of signed and notarized affidavits and send them through the mail. It's to make it harder for someone to simply ask for access to your account. It does not, however, make it harder to gather your personal information; quite the contrary, it makes it easier for people with physical access to your mail to get that information. I doubt it's a real serious concern for most people, because mailing stuff from a local post office is generally pretty safe, but then again, I suppose bad people would be likely to target an organization like Equifax knowing that they have this mountain of personal documents coming in.

thx1138
Posts: 989
Joined: Fri Jul 12, 2013 2:14 pm

Re: Equifax is a joke

Post by thx1138 » Thu Aug 15, 2019 10:34 pm

dboeger1 wrote:
Thu Aug 15, 2019 10:23 pm
thx1138 wrote:
Thu Aug 15, 2019 9:30 pm
Fax and USPS are in fact the preferred methods for sending sensitive personal information. UPS and FedEx fine as well though more expensive. They are doing exactly what nearly every security professional would recommend.

I think you need to look up the term “man in the middle” as that doesn’t apply here at all.

That said - Equifax is still a joke.
What? It absolutely does apply. A "man in the middle" just needs to open the box or envelope or whatever to get your personal information. The reason for sending personal documents through the mail has absolutely nothing to do with protecting the data (which physical mail is quite bad at compared to proper digital encryption). It usually has to do with acting as a barrier for terrorists, bots, forgers, etc. For example, as a result of 9/11 and the war on terror, US banks are now legally required to verify that new customers are legitimate US citizens/residents so that terrorist organizations can't easily open an account from abroad and use it to get funding. They typically do this by requiring you to open an account in person or send signed documents from a US address. The intent is to stop people from opening fake/illegal accounts, not to protect the legitimate ones.

EDIT: Another example relevant to Bogleheads is granting someone such as a spouse the authorization to manage one's investments. You can't just check a box on the web site. They make you get a bunch of signed and notarized affidavits and send them through the mail. It's to make it harder for someone to simply ask for access to your account. It does not, however, make it harder to gather your personal information; quite the contrary, it makes it easier for people with physical access to your mail to get that information. I doubt it's a real serious concern for most people, because mailing stuff from a local post office is generally pretty safe, but then again, I suppose bad people would be likely to target an organization like Equifax knowing that they have this mountain of personal documents coming in.
https://en.m.wikipedia.org/wiki/Man-in- ... dle_attack

Topic Author
UncleLeo
Posts: 58
Joined: Wed Jul 12, 2017 12:43 am

Re: Equifax is a joke

Post by UncleLeo » Thu Aug 15, 2019 10:46 pm

thx1138 wrote:
Thu Aug 15, 2019 10:34 pm
dboeger1 wrote:
Thu Aug 15, 2019 10:23 pm
thx1138 wrote:
Thu Aug 15, 2019 9:30 pm
Fax and USPS are in fact the preferred methods for sending sensitive personal information. UPS and FedEx fine as well though more expensive. They are doing exactly what nearly every security professional would recommend.

I think you need to look up the term “man in the middle” as that doesn’t apply here at all.

That said - Equifax is still a joke.
What? It absolutely does apply. A "man in the middle" just needs to open the box or envelope or whatever to get your personal information. The reason for sending personal documents through the mail has absolutely nothing to do with protecting the data (which physical mail is quite bad at compared to proper digital encryption). It usually has to do with acting as a barrier for terrorists, bots, forgers, etc. For example, as a result of 9/11 and the war on terror, US banks are now legally required to verify that new customers are legitimate US citizens/residents so that terrorist organizations can't easily open an account from abroad and use it to get funding. They typically do this by requiring you to open an account in person or send signed documents from a US address. The intent is to stop people from opening fake/illegal accounts, not to protect the legitimate ones.

EDIT: Another example relevant to Bogleheads is granting someone such as a spouse the authorization to manage one's investments. You can't just check a box on the web site. They make you get a bunch of signed and notarized affidavits and send them through the mail. It's to make it harder for someone to simply ask for access to your account. It does not, however, make it harder to gather your personal information; quite the contrary, it makes it easier for people with physical access to your mail to get that information. I doubt it's a real serious concern for most people, because mailing stuff from a local post office is generally pretty safe, but then again, I suppose bad people would be likely to target an organization like Equifax knowing that they have this mountain of personal documents coming in.
https://en.m.wikipedia.org/wiki/Man-in- ... dle_attack
Can you explain how UPS/FedEx or sending a fax is resilient to a MiTM attack? @dboeger1 just described how a simple attack would work. The same concept can be applied to a fax, since the protocol doesn't use any encryption/PKI.

thx1138
Posts: 989
Joined: Fri Jul 12, 2013 2:14 pm

Re: Equifax is a joke

Post by thx1138 » Thu Aug 15, 2019 11:09 pm

UncleLeo wrote:
Thu Aug 15, 2019 10:46 pm
thx1138 wrote:
Thu Aug 15, 2019 10:34 pm
dboeger1 wrote:
Thu Aug 15, 2019 10:23 pm
thx1138 wrote:
Thu Aug 15, 2019 9:30 pm
Fax and USPS are in fact the preferred methods for sending sensitive personal information. UPS and FedEx fine as well though more expensive. They are doing exactly what nearly every security professional would recommend.

I think you need to look up the term “man in the middle” as that doesn’t apply here at all.

That said - Equifax is still a joke.
What? It absolutely does apply. A "man in the middle" just needs to open the box or envelope or whatever to get your personal information. The reason for sending personal documents through the mail has absolutely nothing to do with protecting the data (which physical mail is quite bad at compared to proper digital encryption). It usually has to do with acting as a barrier for terrorists, bots, forgers, etc. For example, as a result of 9/11 and the war on terror, US banks are now legally required to verify that new customers are legitimate US citizens/residents so that terrorist organizations can't easily open an account from abroad and use it to get funding. They typically do this by requiring you to open an account in person or send signed documents from a US address. The intent is to stop people from opening fake/illegal accounts, not to protect the legitimate ones.

EDIT: Another example relevant to Bogleheads is granting someone such as a spouse the authorization to manage one's investments. You can't just check a box on the web site. They make you get a bunch of signed and notarized affidavits and send them through the mail. It's to make it harder for someone to simply ask for access to your account. It does not, however, make it harder to gather your personal information; quite the contrary, it makes it easier for people with physical access to your mail to get that information. I doubt it's a real serious concern for most people, because mailing stuff from a local post office is generally pretty safe, but then again, I suppose bad people would be likely to target an organization like Equifax knowing that they have this mountain of personal documents coming in.
https://en.m.wikipedia.org/wiki/Man-in- ... dle_attack
Can you explain how UPS/FedEx or sending a fax is resilient to a MiTM attack? @dboeger1 just described how a simple attack would work. The same concept can be applied to a fax, since the protocol doesn't use any encryption/PKI.
First of all MiTM is typically not the term used for simple eavesdropping - see the link. We call a phone tap a phone tap and not MiTM. Sure you could stretch MiTM to mean almost anything but people use terms for specific things for a reason.

Second fax and mail are based on physical security and personnel screening. Naturally anyone in the chain could violate that trust. It is, however, rare because it is difficult to do without eventual detection and the payoff is low relative to the risk of detection.

Your DL is of very little value. 100,000 DLs are valuable. Hence electronic attacks that can gather massive amounts of PII are what are executed. Someone trying to tap the phone line to gather faxes while possible is not an effective criminal enterprise.

Just taking a photo of your license to send it via fancy encryption to Equifax is far more risky for the vast majority of consumers. The information is likely to be compromised by malware on the consumer end before it is even encrypted and put into a channel.

Again, the standard recommendation for sending PII from a consumer includes physical mail and fax not because they are perfect but because in the real world they are lower risk for consumers than most practical electronic alternatives. The postal service and the phone company have been protecting far more valuable exchanges of information than your rather boring exchange with Equifax for decades. Consumers know how to put something in an envelope and drop it in a blue box or at the post office. Consumers know how to dial a fax number. They can do that with very low risk. Much lower risk than scanning that document with any device connected to a network.

dboeger1
Posts: 47
Joined: Fri Jan 13, 2017 7:32 pm

Re: Equifax is a joke

Post by dboeger1 » Fri Aug 16, 2019 5:03 pm

thx1138 wrote:
Thu Aug 15, 2019 11:09 pm
UncleLeo wrote:
Thu Aug 15, 2019 10:46 pm
thx1138 wrote:
Thu Aug 15, 2019 10:34 pm
dboeger1 wrote:
Thu Aug 15, 2019 10:23 pm
thx1138 wrote:
Thu Aug 15, 2019 9:30 pm
Fax and USPS are in fact the preferred methods for sending sensitive personal information. UPS and FedEx fine as well though more expensive. They are doing exactly what nearly every security professional would recommend.

I think you need to look up the term “man in the middle” as that doesn’t apply here at all.

That said - Equifax is still a joke.
What? It absolutely does apply. A "man in the middle" just needs to open the box or envelope or whatever to get your personal information. The reason for sending personal documents through the mail has absolutely nothing to do with protecting the data (which physical mail is quite bad at compared to proper digital encryption). It usually has to do with acting as a barrier for terrorists, bots, forgers, etc. For example, as a result of 9/11 and the war on terror, US banks are now legally required to verify that new customers are legitimate US citizens/residents so that terrorist organizations can't easily open an account from abroad and use it to get funding. They typically do this by requiring you to open an account in person or send signed documents from a US address. The intent is to stop people from opening fake/illegal accounts, not to protect the legitimate ones.

EDIT: Another example relevant to Bogleheads is granting someone such as a spouse the authorization to manage one's investments. You can't just check a box on the web site. They make you get a bunch of signed and notarized affidavits and send them through the mail. It's to make it harder for someone to simply ask for access to your account. It does not, however, make it harder to gather your personal information; quite the contrary, it makes it easier for people with physical access to your mail to get that information. I doubt it's a real serious concern for most people, because mailing stuff from a local post office is generally pretty safe, but then again, I suppose bad people would be likely to target an organization like Equifax knowing that they have this mountain of personal documents coming in.
https://en.m.wikipedia.org/wiki/Man-in- ... dle_attack
Can you explain how UPS/FedEx or sending a fax is resilient to a MiTM attack? @dboeger1 just described how a simple attack would work. The same concept can be applied to a fax, since the protocol doesn't use any encryption/PKI.
First of all MiTM is typically not the term used for simple eavesdropping - see the link. We call a phone tap a phone tap and not MiTM. Sure you could stretch MiTM to mean almost anything but people use terms for specific things for a reason.

Second fax and mail are based on physical security and personnel screening. Naturally anyone in the chain could violate that trust. It is, however, rare because it is difficult to do without eventual detection and the payoff is low relative to the risk of detection.

Your DL is of very little value. 100,000 DLs are valuable. Hence electronic attacks that can gather massive amounts of PII are what are executed. Someone trying to tap the phone line to gather faxes while possible is not an effective criminal enterprise.

Just taking a photo of your license to send it via fancy encryption to Equifax is far more risky for the vast majority of consumers. The information is likely to be compromised by malware on the consumer end before it is even encrypted and put into a channel.

Again, the standard recommendation for sending PII from a consumer includes physical mail and fax not because they are perfect but because in the real world they are lower risk for consumers than most practical electronic alternatives. The postal service and the phone company have been protecting far more valuable exchanges of information than your rather boring exchange with Equifax for decades. Consumers know how to put something in an envelope and drop it in a blue box or at the post office. Consumers know how to dial a fax number. They can do that with very low risk. Much lower risk than scanning that document with any device connected to a network.
Okay, sure. I know what a man in the middle attack is. I work for a company that makes network security equipment. Arguing about what to call eavesdropping of physical mail is like arguing whether a car accident is a crash or a collision. We're describing the same thing.

Your comparison to malware on one's home computer isn't particularly fair. Any method of sending personal information is prone to failure assuming ignorance and poor practices on the part of the user. There are many ways for educated consumers to protect their digital communications, just as there are ways for ignorant consumers to put their physical mail at risk (Joe at the bar said he was headed to the post office tomorrow morning and offered to drop my mail off for me). I've never had any malware on any of my personal devices. My mother-in-law and sister each seem to get it every other week. I think it's fair to say that what might be best for OP is not necessarily the same as for them.

As an aside, I just watched the movie "The Bank Job" yesterday, which was based on a true story, and it's kind of ironic how all these public figures with important reputations assumed their safety deposit boxes were safe, until they got robbed. The funny thing is the bank then asked for records of the contents so they could keep track of what was recovered, and they of course did not want to share that information because the contents were intended to be private. It wasn't really my intention to argue about which method of transmission is more secure for most people. I think we can all agree that it's just silly that Equifax is now asking for all of this personal information after suffering such a massive data breach.

3-20Characters
Posts: 577
Joined: Tue Jun 19, 2018 2:20 pm

Re: Equifax is a joke

Post by 3-20Characters » Fri Aug 16, 2019 5:09 pm

What? Equifax is a joke!?

Well, you have a point. A damn good one. Search here for all the ways they keep screwing up. They just can’t seem to get their act together. Thank god I got in early with a freeze (PIN). At least I can use their automated phone system to unfreeze. Their web/IT and support are pure amateur hour and there would be no way to unfreeze my account otherwise.

mhalley
Posts: 7288
Joined: Tue Nov 20, 2007 6:02 am

Re: Equifax is a joke

Post by mhalley » Fri Aug 16, 2019 5:40 pm

If you had trouble doing the credit freeze online, you might try doing it over the phone. I had success last year doing it that way when the online route didn't work.

gtd98765
Posts: 349
Joined: Sun Jan 08, 2017 4:15 am

Re: Equifax is a joke

Post by gtd98765 » Fri Aug 16, 2019 6:03 pm

Equifax is indeed a joke. But it does not see keeping your information secure as part of its job; its job is to sell your information to as many people as possible. Keeping your info secure makes their job harder, as does implementing a security freeze. Therefore, we should not be surprised that they make it as hard as possible to protect your information.

Eno Deb
Posts: 85
Joined: Sun Feb 03, 2019 4:08 pm

Re: Equifax is a joke

Post by Eno Deb » Fri Aug 16, 2019 6:05 pm

I'm convinced they intentionally make it difficult and complicated (that's probably also why they keep changing the process). Every time someone freezes their credit file they lose a bit of money because they can't sell that person's information anymore.

Kenkat
Posts: 5110
Joined: Thu Mar 01, 2007 11:18 am
Location: Cincinnati, OH

Re: Equifax is a joke

Post by Kenkat » Fri Aug 16, 2019 6:07 pm

Another concern is that Equifax will take the copy of the drivers license and SSN card you send, scan it to an image and store it on their servers. Hopefully encrypted but I wouldn’t necessarily count on that. And hopefully they will set a short record retention so it gets permanently deleted once validated. I wouldn’t necessarily count on that either.

thx1138
Posts: 989
Joined: Fri Jul 12, 2013 2:14 pm

Re: Equifax is a joke

Post by thx1138 » Fri Aug 16, 2019 7:47 pm

dboeger1 wrote:
Fri Aug 16, 2019 5:03 pm
Okay, sure. I know what a man in the middle attack is. I work for a company that makes network security equipment. Arguing about what to call eavesdropping of physical mail is like arguing whether a car accident is a crash or a collision. We're describing the same thing.
Fair point. :beer
Your comparison to malware on one's home computer isn't particularly fair. Any method of sending personal information is prone to failure assuming ignorance and poor practices on the part of the user. There are many ways for educated consumers to protect their digital communications, just as there are ways for ignorant consumers to put their physical mail at risk (Joe at the bar said he was headed to the post office tomorrow morning and offered to drop my mail off for me). I've never had any malware on any of my personal devices. My mother-in-law and sister each seem to get it every other week. I think it's fair to say that what might be best for OP is not necessarily the same as for them.
I agree that you, me and the OP can all probably successfully scan a document and transmit it securely with success. Probably a fair fraction of Bogleheads can as well. As you illustrate with your own anecdote most consumers probably can't. Equifax is only going to support so many ways to get the information. Mail and fax are both secure enough and the best option for the majority of their users. And they are pretty universally recommended ways to do that. There are certainly even more secure ways for sure if the people at both ends are competent.

That was my main objection to the OP. He's making fun of Equifax for doing what is actually one of the recommended best practices. I can to a degree understand being annoyed with them not providing other options but honestly at this point it's not like any sane person is going to trust Equifax with any of those electronic options in the first place. If they provided some "secure" submission method on their website I can't imagine actually using it. I'd fax or mail the document because they are far less likely to screw that up.

But anyway we definitely all agree Equifax is a big joke in so many different ways! Sadly we are all part of the joke whether we wanted to be or not...
As an aside, I just watched the movie "The Bank Job" yesterday, which was based on a true story, and it's kind of ironic how all these public figures with important reputations assumed their safety deposit boxes were safe, until they got robbed. The funny thing is the bank then asked for records of the contents so they could keep track of what was recovered, and they of course did not want to share that information because the contents were intended to be private.
Yeah the level of threat for any "interesting" target is just so much more severe. The Lockheed-RSA attack illustrates just how severe the threat can be and how even "security professionals" can be successfully targeted.
It wasn't really my intention to argue about which method of transmission is more secure for most people. I think we can all agree that it's just silly that Equifax is now asking for all of this personal information after suffering such a massive data breach.
As others pointed out it certainly isn't a priority of their business model to protect your data or help you lock your credit. Their business is selling it, not protecting it. Completely agree with you and would go one step further - ridiculous this company is even in business any more. Arthur Andersen went the way of the dodo after Enron and WorldCom. Equifax really should have suffered a similar fate.

Cheers!
