Equifax breach frustrates customers
Instead of help, many find red flags
Instead of finding answers on Equifax’s website about whether they were affected by a huge data hack, nervous Americans found that the solutions proposed on the credit-reporting company’s website and on its helpline raised unnerving questions.
First, the main Equifax.com site was overloaded and intermittently unavailable over the course of Friday, a day after the breach was announced. Would-be users received the unhelpful message that the server was busy and they should try back in a few minutes.
Next, users who did get through were sent to equifaxsecurity2017.com. Clicking through from there took them to an entirely different URL, trustedidpremier.com.
Being routed to a different domain is a classic technique used by phishing scams. It’s especially concerning because, as of Friday afternoon, scammers had registered at least 194 Web addresses designed to lure the unwary into giving up their information. Those addresses included the kinds of misspellings people easily type in:
‣ equifaxsmcurity2017.com
‣ equifaxsocurity2017.com
‣ equifaxsrcurity2017.com
In this case, however, Equifax had registered a separate Internet domain to handle inquiries about the cyberattack, so the site was legitimate.
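The three scam domains above differ from equifaxsecurity2017.com by a single substituted character, which is the pattern a defender watches for. The Python script below is an added example for this article; it is not code from the article, USA TODAY or Equifax. It flags a candidate domain as a lookalike when its registrable label is within a small edit distance of a protected domain, and it enumerates the single-character substitutions a defender would register or monitor. The protected-domain set is the three domains the article names; the candidate list mixes the three misspellings quoted above with constructed entries (marked in the code) so that both outcomes appear.

```python
"""Lookalike-domain check for a breach-response site (added example)."""
import string

# Assumption for this example: the domains the article identifies as Equifax's.
PROTECTED = {"equifax.com", "equifaxsecurity2017.com", "trustedidpremier.com"}

# The first three entries are the scam domains quoted in the article;
# the rest are constructed for the example.
CANDIDATES = [
    "equifaxsmcurity2017.com",
    "equifaxsocurity2017.com",
    "equifaxsrcurity2017.com",
    "equifaxsecurity2017.com",   # constructed: the legitimate site itself
    "trustedidpremier.com",      # constructed: the legitimate second domain
    "equifaxsecurtiy2017.com",   # constructed: a transposition typo
    "example.com",               # constructed: unrelated domain
]


def label(domain: str) -> str:
    """Lower-case the name and drop the final label (the TLD)."""
    return domain.lower().strip(".").rsplit(".", 1)[0]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify(domain: str, protected=PROTECTED, max_distance: int = 2):
    """Return (verdict, closest protected domain, distance).

    verdict is 'legitimate' for an exact match with a protected domain,
    'lookalike' when the label is within max_distance edits of one,
    and 'unrelated' otherwise.
    """
    d = domain.lower().strip(".")
    if d in protected:
        return "legitimate", d, 0
    best = min(protected, key=lambda p: levenshtein(label(d), label(p)))
    dist = levenshtein(label(d), label(best))
    verdict = "lookalike" if dist <= max_distance else "unrelated"
    return verdict, best, dist


def single_substitutions(domain: str,
                         alphabet: str = string.ascii_lowercase + string.digits) -> set:
    """Every domain that differs from `domain` by one substituted character
    in the registrable label: the set a defender would register or watch."""
    base, tld = domain.lower().strip(".").rsplit(".", 1)
    variants = set()
    for i, ch in enumerate(base):
        for r in alphabet:
            if r != ch:
                variants.add(f"{base[:i]}{r}{base[i + 1:]}.{tld}")
    return variants


if __name__ == "__main__":
    for c in CANDIDATES:
        verdict, closest, dist = classify(c)
        print(f"{c:28} {verdict:10} closest={closest} distance={dist}")
    subs = single_substitutions("equifaxsecurity2017.com")
    hits = sum(c in subs for c in CANDIDATES[:3])
    print(f"{len(subs)} single-substitution variants; {hits} of the 3 quoted scam domains among them")
```

Note what the check cannot do: trustedidpremier.com is an exact allowlist match only because the article establishes it as Equifax's; by edit distance it is "unrelated" to equifax.com, no closer than a scam domain would be. A lookalike check catches typosquats of a known domain, but a genuinely different domain can only be vouched for by a link from the company's own site or by checking who registered it. Plain Levenshtein scores the transposition "securtiy" as two edits; a Damerau variant would count it as one, which is why the example uses a threshold of 2.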
Users who clicked through were told to enter their last name and the final six digits of their nine-digit Social Security numbers. The site would then tell them whether their personal information was compromised.
The six-digit requirement was surprising to many security experts. In fact, some browsers interpreted the request as a potential phishing scam.
“Never give anyone the last 4 digits of your SSN, let alone the last 6,” advised Travis Mills, president of LibertyID, an identity theft information company. “Do not go onto Equifax.com to give them any more information. They have been compromised and should no longer be trusted.”
Equifax determined six digits is the minimum needed to figure out whether an individual may have been impacted, it said in a statement to USA TODAY.
While Americans have become used to giving out the last four digits of their Social Security numbers to activate credit cards or confirm their identity with billing companies, six digits is significantly more exposure, said Matt Devost, who heads the Global Cyber Defense practice at Accenture Security.
“If you’ve got the final six, it’s not hard to get the first three — and then the genie’s out of the bottle,” he said.
The final concern was that initially, when users clicked through to see if they were affected, it appeared that they were agreeing to Equifax’s terms of service. Those terms seemed to require them to resolve all disputes through binding arbitration and required that they give up their right to participate in any class-action suits against the company.
After the language was widely tweeted, New York state Attorney General Eric Schneiderman on Friday clarified the policy with the company. The company told him the arbitration clause and class-action waiver applied only to the free credit file monitoring and identity theft protection products, not to the cybersecurity attack.