Fail: Equifax Directs Consumers To Fake Site On Twitter

Well that's embarrassing. Equifax mistakenly sent people looking for more information about its recent data breach, which compromised the private data of 143 million Americans, to a mock website that could have stolen the last six digits of their Social Security numbers and other sensitive info.

When it revealed the data breach, Equifax set up a website dedicated to helping people find out if their information was affected by the hack and what they can do to protect themselves if they were. That site--the real one--resides at "equifaxsecurity2017.com." The mock site, which featured a similar design, bore the URL "securityequifax2017.com." You might think those URLs are different enough for people to notice. You would be wrong.

The addresses were apparently similar enough to fool several Equifax employees who shared links to the mock website on Twitter. To be clear: The employees who are supposed to help people respond to one of the most devastating breaches in history shared a link to a fake website that asked for sensitive information. People could have compromised their personal data simply by trying to find out if they were affected by the hack.

Here's the good news: The person who claims to have set up the website merely wanted to highlight the mistakes Equifax made when it set up its own site. Instead of presenting information related to the breach on its main site, the company set up a dedicated page with an easily spoofed URL its own employees couldn't keep straight. Even more concerning is the fact that this is just another notch on the company's belt of mistakes.
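The spoof worked because the legitimate domain was an ad hoc string of brand, keyword and year that anyone could reorder and register. The Python script below is an added example, not anything Equifax ran: from the real domain's tokens it generates the lookalike hosts a defender should watch for (token reorderings, hyphenated variants, other TLDs, single-character transpositions) and classifies every link found in a batch of outbound messages against an allowlist of the company's own hosts. The allowlist, token list, TLD set and the sample messages are assumptions constructed for the example.

```python
"""Lookalike-domain check for links in outbound breach-response messages.

Added example, not code from the original article or from Equifax. The
legitimate host, its tokens, the allowlist and the sample messages below
are assumptions constructed for illustration.
"""
import itertools
import re
from urllib.parse import urlsplit

# The real 2017 response site and the tokens it was built from.
LEGIT_HOST = "equifaxsecurity2017.com"
LEGIT_TOKENS = ("equifax", "security", "2017")
BRAND = "equifax"
TLDS = ("com", "net", "org", "info", "co")
# Hosts the company actually controls (assumed allowlist for the example).
ALLOWED = {LEGIT_HOST, "equifax.com"}


def registrable(host):
    """Lowercase, drop a trailing dot and a leading 'www.'."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def lookalikes(tokens=LEGIT_TOKENS, tlds=TLDS):
    """Hosts an attacker could plausibly register: every ordering of the
    tokens, joined plainly or with hyphens, under each TLD, plus adjacent
    character swaps of the real label (the classic typosquat)."""
    out = set()
    for perm in itertools.permutations(tokens):
        for joiner in ("", "-"):
            label = joiner.join(perm)
            for tld in tlds:
                out.add(f"{label}.{tld}")
    label = "".join(tokens)
    for i in range(len(label) - 1):
        swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
        for tld in tlds:
            out.add(f"{swapped}.{tld}")
    out.discard(LEGIT_HOST)
    return out


LOOKALIKES = lookalikes()


def levenshtein(a, b):
    """Plain edit distance; catches near-misses the generator did not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return 'legit', 'lookalike' or 'unrelated' for the host in url."""
    parsed = urlsplit(url if "://" in url else "https://" + url)
    host = registrable(parsed.hostname or "")
    if host in ALLOWED or any(host.endswith("." + a) for a in ALLOWED):
        return "legit"
    if host in LOOKALIKES or levenshtein(host, LEGIT_HOST) <= 2 or BRAND in host:
        return "lookalike"
    return "unrelated"


def scan_messages(messages):
    """Pull http(s) links out of free text and classify each one."""
    findings = []
    for msg in messages:
        for url in re.findall(r"https?://[^\s\"'<>)]+", msg):
            findings.append((url, classify(url)))
    return findings


# Constructed sample messages; not real tweets.
SAMPLE_MESSAGES = [
    "More information on the incident: https://www.equifaxsecurity2017.com/",
    "Check whether you are affected: https://securityequifax2017.com/enroll",
    "See https://www.equifax.com/ for updates",
    "Unrelated link: https://example.org/",
]

if __name__ == "__main__":
    for url, verdict in scan_messages(SAMPLE_MESSAGES):
        print(f"{verdict:10} {url}")
```

A check like this belongs in the approval path for outbound communications and in the team's DNS monitoring, but it only mitigates the mistake the article describes: the durable fix is to host breach information on the main corporate domain, which is already in customers' bookmarks and needs no new allowlist entry.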

The problems started when Equifax failed to patch a known vulnerability in Apache Struts for months after the fix was released. Then it took the company several days to disclose the breach, during which time several executives sold stock, sales Equifax said were unrelated to the breach. Next it was revealed that the company had secured an Argentinian web portal with the astoundingly insecure username / password combination "admin / admin."

In the meantime, Equifax was criticized for its TrustedID Premier service that required people to waive their right to sue the company in exchange for identity theft and fraud protection. Equifax changed those terms after public outcry, but other problems with the service, such as the fact that people will have to pay for it after just one year of using it, remain. (Again, this information won't expire in a year, so Equifax's offering is a stall at best.)

The other good news is that Google Chrome now flags the mock website as deceptive, so it should be harder for people to submit portions of their Social Security numbers to an illegitimate site. Equifax's breach also prompted Democratic senators to introduce the Data Broker Accountability and Transparency Act, which aims to hold data brokers accountable for securing the information they store, especially since few people have a say in whether or not their personal data is vacuumed up by these companies and sold to other businesses without their knowledge or consent.

It's worth reiterating that if people escape this incident unscathed it will be despite, not because of, Equifax. The company failed to take basic security precautions at every step of this episode: weak username / password combinations, unpatched critical vulnerabilities, and employees sharing links to a spoofed site on Twitter. Its failings are as indefensible as they are harmful.

  • why_wolf
    I strongly recommend to anyone who isn't presently trying to open a new credit card or bank loan to place a credit freeze on their account. In theory the credit freeze will stop criminals from being able to open bogus credit cards and loans in your name. You can read up in detail about what it is and how to do it over on KrebsonSecurity. http://krebsonsecurity.com/2015/06/how-i-learned-to-stop-worrying-and-embrace-the-security-freeze/

    Krebs is a great site for news on internet security in general. His work is often cited by the big newspapers in their reports.
  • derekullo
    If I can protect my World of Warcraft account from getting stolen using two-factor authentication, you would think it would be standard practice for credit agencies who are entrusted with the most important data you have.

    By simply requiring a code generated every 30 seconds in Google Authenticator to access or create new credit cards, loans and other financial products, the majority of credit card fraud and identity theft could be eradicated.

    Of course your phone could still be stolen, but that would require a thief to be in physical possession of your phone, not 2000 miles away trying to guess your mother's maiden name.

    You could always institute a credit freeze as mentioned in a prior post if your phone was stolen.

    Credit agencies would probably lose money due to people dropping their credit card monitoring services, but this is a small price to pay for not screwing up someone's life.
  • fruitn
    Try looking at Denmark and NemID. A paper card in your pocket with keys to your username and password linked to your social security number. What a shame people want to get rid of the card part; it's the only thing keeping them secure.