As LibertyID president Travis Mills recommended in this recent USA Today story regarding the Equifax breach, “Do not go onto Equifax.com to give them any more information. They have been compromised and should no longer be trusted.”
A ZDNet.com story published on Sept. 12, 2017 confirms this advice.
The Equifax site which people can use to set up alerts on their credit rating history (which we’re purposefully not linking to) has at least one vulnerability that allows a hacker to trick users into turning over sensitive data, as the ZDNet.com story titled “Equifax’s credit monitoring site is also vulnerable to hacking” points out.
The problem is the site, which is used to request a 90-day fraud or active duty alert, is easily spoofed.
“The site is vulnerable to a cross-site scripting (XSS) attack, which lets an attacker run malicious code on a legitimate website or web application, such as Equifax’s site. In this case, a hacker can trick a user into loading the site from a malicious link, which prompts for the consumer’s social security number and other personal information. That data could be seen by a malicious actor as soon as the information is submitted,” according to the story.
Meanwhile your browser will likely think the site is secure and display the lock icon in the browser window, since the malicious code is included in the Equifax web address.
“Do you trust Equifax with your details? The problem is that post breach they are asking people to enter their personal details all over again while they still have many insecure sites and pages,” security researcher Martin Hall told ZDNet.com for the story.
As such, ZDNet.com doesn’t recommend consumers use the Equifax website to set up alerts or credit freezes for the time being, until the security flaw is resolved. There’s no timeline on when that will be — Hall reportedly reached out to inform Equifax’s security team about some of the security flaws across the site, but didn’t hear back.
Credit Monitoring versus Identity Restoration
Equifax is also encouraging people to sign up for its own credit monitoring product, TrustedID Premier. It’s important to remember that credit monitoring doesn’t prevent identity theft, it only alerts you to a possible problem. And the risk of identity theft goes up exponentially if your Social Security number and personal information have been compromised. Some stats show you’re 11 times more likely to have your identity stolen following a data breach.
TrustedID Premier does not provide identity restoration services if your identity is stolen. Essentially, they don’t do anything to actually fix any problem that pops up — they just might tell you about it. It’s important to note many types of identity theft won’t even show up on your credit report, including tax identity theft, criminal identity theft, Social Security identity theft and, often times, medical identity theft.
LibertyID provides identity restoration. That means if you’re a LibertyID member and your identity is stolen, we will fix it.
There’s no limit to the time or money we will spend restoring your identity to pre-event status. A certified restoration specialist will handle all of the legwork and keep you informed with regular status updates.
Have you been a victim of a data breach?