Equifax moves to fix weak PINs for “security freeze” on consumer credit reports

by
Sean Gallagher
from Ars Technica - All content on (#31TZF)
Screen-Shot-2017-09-11-at-12.34.42-PM-80

Enlarge / Equifax's site for enrolling in credit report security has gotten off to a bumpy start after the company's massive breach.

As Equifax moved to provide consumers the ability to protect their credit reports on the heels of a major data breach, some of the details of the company's response were found lacking. As consumers registered and moved to lock their credit reports-in order to prevent anyone who had stolen data from opening credit in their name-they found that the security personal identification number (PIN) provided in the locking process was potentially insecure.

A number of customers discovered that the PINs generated by enrolling in Equifax's TrustedID Premier Service were non-random and apparently sequential-in fact, they were essentially date-time stamps of the time of enrollment. Such PINs could potentially be brute-forced by someone attempting to unlock a credit report for the purpose of identity theft.

OMG, Equifax security freeze PINs are worse than I thought. If you froze your credit today 2:15pm ET for example, you'd get PIN 0908171415.

- Tony Webster (@webster) September 9, 2017

Equifax is moving to improve the PIN generation process. In response to an inquiry from Ars, an Equifax spokesperson said:

Read 1 remaining paragraphs | Comments

index?i=Z22WcRrGwrU:8q2UQmX17e4:V_sGLiPB index?i=Z22WcRrGwrU:8q2UQmX17e4:F7zBnMyn index?d=qj6IDK7rITs index?d=yIl2AUoC8zA
External Content
Source RSS or Atom Feed
Feed Location http://feeds.arstechnica.com/arstechnica/index
Feed Title Ars Technica - All content
Feed Link https://arstechnica.com/
Reply 0 comments