Equifax Has Been Sending Consumers To a Fake Phishing Site for Almost Two Weeks (gizmodo.com)
An anonymous reader shares a Gizmodo report (condensed for space): For nearly two weeks, the company's official Twitter account has been directing users to a fake lookalike website. After announcing the breach, Equifax directed its customers to equifaxsecurity2017.com, a website where they can enroll in identity theft protection services and find updates about how Equifax is handling the "cybersecurity incident." But the decision to create "equifaxsecurity2017" in the first place was monumentally stupid. The URL is long and it doesn't look very official -- that means it's going to be very easy to emulate. To illustrate how idiotic Equifax's decision was, developer Nick Sweeting created a fake website of his own: securityequifax2017.com. (He simply switched the words "security" and "equifax" around.) As if to demonstrate Sweeting's point, Equifax appears to have been itself duped by the fake URL. The company has directed users to Sweeting's fake site sporadically over the past two weeks. Gizmodo found eight tweets containing the fake URL dating back to September 9th.
Is someone paying them to be this stupid? (Score:5, Insightful)
Because it's incredible how stupid this whole thing has been.
How can anyone be this bad at their core business?
Re: (Score:3, Insightful)
Because it's incredible how stupid this whole thing has been.
How can anyone be this bad at their core business?
the "free market" at work: screwing over ordinary people because who's going to stop them?
Re:Is someone paying them to be this stupid? (Score:5, Funny)
Re: (Score:2)
Hahahaha, good one - free market. We don't need those stupid consumer protections ^H^H^H^H^H^H^H^H^H^H^H^H^H^H overreaching regulations.
Ok, a person made an admin password "admin". That's STUPID! Do you know of a government regulation that can fix stupid? If you do, I guarantee you will win a Nobel Peace Prize.
Re: (Score:2)
Yes. Make the fines fucking huge when incompetence results in leaked private information. The fine needs to be so big that the shareholders will revolt if the company has to pay it. That's the only way you can get management to throw some money at the IT department and security. A business will either invest in their security or shut down.
Re: (Score:2)
Security can 'fall off the radar' for your average idiot CEO - they're sure security incidents only happen to other people.
I think having an independent team of security specialists perform a serious security audit at least every 6 months would go a long way.
Perhaps even require the tiger team to report directly to shareholders. That would force the company to own the specifics of their security concerns.
Re: (Score:3)
Some governments and industries require that sites be pentested prior to going live; even the most incompetent of pentesters would catch admin/admin.
Re: (Score:2)
Simple, just pass a law making computers illegal.
Re:Is someone paying them to be this stupid? (Score:5, Insightful)
Punishing stupid with jail time has been proven to reduce, though not eliminate, stupid's influence on the average citizen.
This is an idiotic knee-jerk solution. America already imprisons far more people than other countries, and we expend huge resources to do it, despite evidence that it increases future crime through direct recidivism as well as indirectly by destroying families and degrading communities.
So now we are going to put even more people in prison, not because they are violent, but because they are stupid?
Where is your "proof" that prison reduces stupidity? The PIC [wikipedia.org] is a result of stupidity, not a solution to it.
A far better solution is monetary penalties, that reduce the harm from stupidity by incentivising investors and shareholders to demand verified compliance with industry best practices.
Re: Is someone paying them to be this stupid? (Score:5, Insightful)
America already imprisons far more people than other countries, and we expend huge resources to do it, despite evidence that it increases future crime through direct recidivism as well as indirectly by destroying families and degrading communities.
Maybe that's because we're putting the wrong people in jail.
Re: Is someone paying them to be this stupid? (Score:5, Insightful)
Maybe that's because we're putting the wrong people in jail.
Prison should be for violent people that need to be physically separated from civilized society. For everyone else there are more appropriate punishments. For instance, the CEO of Equifax could wear an anklet tracking device while spending 60 hours per week changing bedpans in a nursing home for the next ten years. Instead of costing taxpayers, he would be benefiting society, and his family would still be intact.
If he is separated from his family, his children will grow up without moral guidance, thus increasing the chance that they will get MBAs and try to become CEOs themselves, and the cycle will continue for yet another generation.
Re: (Score:2)
prison is to DETER bad behavior.
why do you think it's NOT ok to imprison CEOs? the rich white guys are that untouchable to you?
jail the corp leaders who fail and cause world-level problems.
I could not care less if it's violent or not. that's NOT the point!!
Re: (Score:2)
prison is to DETER bad behavior.
... yet it has an extremely poor track record of doing that. People that go to prison are more likely to re-offend than people given more lenient punishments.
A few centuries ago, we executed people for stealing bread. People still stole bread. Harsh punishments have far less deterrent value than the certainty of getting caught.
If we start imprisoning CEO for making mistakes, far fewer honest people will want the job. So the pay will have to be much higher, and more dishonest people will be attracted sin
Re: (Score:2)
why do you think it's NOT ok to imprison CEOs? the rich white guys are that untouchable to you?
Better question: do you think it's okay to imprison tax payers for not paying their taxes (aka debtor's prison)? Think carefully before you answer. If you don't know the history of the topic I'd refrain from answering.
Re: (Score:2)
Jailing more people is generally not a viable solution. Nor is it a particularly useful or effective one.
Instead hold people RESPONSIBLE. (hint: if you're getting free room and board + entertainment + schooling + social time + etc. then you aren't especially responsible.)
Take away the CEO's money. Including their stock options and hidden offshore money and so on and so forth. Fine them personally for fuckups they knowingly allowed, endorsed, or perpetrated. None of the 'oh, Mr. CEO is resigning at the
Re: (Score:3)
Re: (Score:2)
A few centuries ago, people regularly starved to death and stealing bread was already a life or death decision. Your analogy might as well have included a car.
With that said, I agree that prison isn't a functional detriment to those who would or do commit crimes. The threat of jail has very little effect on people not otherwise inclined to break laws either.
However, CEOs are already compensated far higher than they were now that many years ago when people actually did expect them to be useful. Look at t
Re: (Score:2)
why do you think it's NOT ok to imprison CEOs? the rich white guys are that untouchable to you?
Better question: do you think it's okay to imprison tax payers for not paying their taxes (aka debtor's prison)? Think carefully before you answer. If you don't know the history of the topic I'd refrain from answering.
Take away all their money. If the amount they have doesn't compensate for the wrong they perpetuated, then debtor's prison is suitable.
Re: (Score:3)
Re: (Score:2)
Riiiiight.... moral guidance. Because these people are not only the leaders of companies, they are the altruistic moral guiding light of everyone around them.
And the solution is to force everyone to be altruistic I suppose then? We should have a set of policies where the government forcefully takes the fruits of everyone's labor and their property and redistributes it?
Re: (Score:2)
Re: (Score:2)
bingo!
non violent plant inhalers who really do NO HARM TO ANYONE are spending 10's of years in prison.
meanwhile, white collar idiots who harm MILLIONS are passed over.
yeah, we imprison more people than the rest of the world combined, but that's because the republicans kept forcing us to wage a 'war on drugs' that never worked and can never work.
instead, we should reclaim consumer rights and imprison CEOs who fuck over multitudes of people.
this country is failing fast. if we don't reverse our course, we'll
Re: (Score:2)
Re:Is someone paying them to be this stupid? (Score:5, Insightful)
No, but criminally negligent on such an epic scale it can be barely conveyed.
If the financial information of 143 million US people has been compromised, this is literally almost every working age person in the country who has a credit history having their personal information put in the clear. And since people don't apparently have a choice in whether these assholes get their information, they could ruin the lives of people who didn't have a say in this company having their information for decades to come.
The sheer magnitude of this fuck up is impossible to explain, because it could literally result in tens of billions in damages to consumers because some fucking idiot was too lazy or stupid to apply a known security patch. You know, like "well, the plane might explode if you fly above 5000 feet but we'll keep that secret" kind of depraved indifference.
Mother fucking verified compliance with industry best practices????? Are you fucking kidding us? Incenti-fucking-vising goddamned shareholders??? Jesus fucking Christ, are you thinking when you type this shit?
This colossal fuck up means pretty much every adult in America with a credit history could be spending the rest of their lives subject to fraud. All of them. Anybody who shows up in this massive database, with the most vital and sensitive and unalterable information about them.
No, the only real response to this is Equifax pretty much needs to be wiped out as a legal entity, and the executives need to be treated as if they'd willfully destroyed lives to save a few bucks -- because they did. They were so grossly incompetent with managing the information of pretty much everyone you can't fucking incentivise investors and shareholders, you need to ensure the punishment is commensurate with the damage.
This is beyond mother fucking "industry best practices". This is devastating. And at this point, that potential damage far exceeds the damage from hurricanes, tornadoes, and earthquakes, because tens of millions of people stand to lose everything they own.
There's no fixing this, bullshit offer for credit monitoring aside, this is pretty much potentially a financial nuclear bomb.
There's simply no way you can treat this as a fine, a slap on the wrist, and a fucking expectation that the fucking shareholders will scold them and make it not happen again.
This pretty much has to have a scorched earth, prison, and public executions kind of response ... maybe not that last one, but this has to be responded to so harshly it isn't funny.
But don't say stupid shit which implies that the "market" will correct this or that anybody involved in this fiasco should ever have anything to do with people's financial information ever again. This needs to be the equivalent of disbarment, banishment, and a lifetime of having every person impacted by this free to punch these clowns in the face for the rest of their lives -- because the fucking victims of this (which is pretty much everybody) will be dealing with this for the rest of their lives.
Monetary fucking policies and fucking industry best practices. I sincerely hope you and everyone you know gets royally fucked by this, and then let's see what you think about shareholders and compliance with industry fucking best practices.
Idiot.
This is probably the highest value data breach in the history of mankind, and alarmingly that isn't even hyperbole. And you think industry standards are going to fix this?
Re: (Score:3)
Oh, if only I had mod points.
How much saliva did you have to wipe off your monitor and keyboard after typing that up?
That was.....brilliant.
Re: (Score:2)
This is probably the highest value data breach in the history of mankind, and alarmingly that isn't even hyperbole.
While this is manifestly true, it's such a gigantic breach that 148 million people are not going to be victimized. There literally aren't enough criminals to take advantage of all the data.
I'm all for subjecting Equifax to the corporate death penalty just on principle, but as a practical matter, fraud rates will go up, but not astronomically higher. There simply aren't enough fraudsters to take advantage of all the opportunities for fraud presented by the breach.
Unless someone manages to automate applying
Re: (Score:2)
Punishing stupid with jail time has been proven to reduce, though not eliminate, stupid's influence on the average citizen. Might be good to start there.
There is no way to create a deterrent to stupidity because as we know, most people are unaware of how stupid they are [wikipedia.org] because it actually requires sufficient intelligence to know this. Average ability people usually know when they are about to commit a crime but they are usually unaware of their own cognitive biases including overestimating their ability.
Re: (Score:2)
Right, like in China where they execute people for white collar crime.. Or at least they used to, because all fraud and malpractice was stopped.
You fucking imbecile.
You're the fucking imbecile. You have to actually prove there was intentional fraud and that what was done meets the legal definition of fraud. Just arbitrarily declaring something fraud does not make it so. We have laws in the United States for this sort of thing. The problem is substantiating the claim that it actually was fraud based on the legal definition of it.
Re: Is someone paying them to be this stupid? (Score:2)
Re: (Score:2, Insightful)
Because a government enabled credit-reporting oligopoly is totally the same thing as a free market! Get the government to run it like healthcare and the postal service, that'll fix everything!
Re: (Score:2)
Ah, the elusive ideal free market. It must exist just across the way from ideal communism.
Re: Is someone paying them to be this stupid? (Score:3, Informative)
Re: (Score:2)
Re: Is someone paying them to be this stupid? (Score:5, Insightful)
When you add together all the people on Medicare, Medicaid, and the VA, yes, the government runs a BIG part of healthcare in the US - approx 120,000,000 people, and it's going up every day.
To be fair the government isn't even trying to run health care efficiently. If it were, Canada, with a market 1/10th the size of the US, wouldn't be getting lower drug pricing. The states would be able to band together for greater purchasing power (or insurers across state lines for that matter). You could lower the cost of government medicine by >25% in an afternoon by merely dropping barriers that have been artificially put in place to keep well connected drug companies flush with cash. The Feds have clearly chosen the side they favor with health care policy - and it's drug companies not consumers, patients, or taxpayers.
Re: Is someone paying them to be this stupid? (Score:4)
When you add together all the people on Medicare, Medicaid, and the VA, yes, the government runs a BIG part of healthcare in the US
The US government spends about $6000 per capita on healthcare. Sweden's government spends about $4000 per capita. So America's health care is actually more socialist than Sweden's by total expenditure, although slightly less (60% vs 75%) as a percentage.
Re: (Score:2)
Hiring competent people would eat away at profits!
Re: (Score:2)
You know what, I'm not buying this. I've heard other people defend this "Music major as a Chief Security Officer." I understand that Music has many mathematical properties, and if she has a Master's in Music, she is likely very intelligent. I also have no doubt that she had quite the resume when it came to security and management; I'd suppose you'd have to have those things if you were a Chief Anything Officer at Equifax.
But you know what? Who cares?! The fact that she had both degrees (a Bachelors and a Mas
Re: (Score:2)
But you know what? Who cares?! The fact that she had both degrees (a Bachelor's and a Master's) in Music tells me that she just wasn't that into this Chief Security/Information Officer stuff.
What utter fucking elitist idiocy.
Re: (Score:3)
Because it's incredible how stupid this whole thing has been.
How can anyone be this bad at their core business?
the "free market" at work: screwing over ordinary people because who's going to stop them?
You misspelled "government protected racket".
Re: (Score:2)
the "free market" at work: screwing over ordinary people because who's going to stop them?
The "free market" is not inherently stupid or intelligent. Making an administrator password "admin" is stupid. It was a human error by someone who is obviously a moron.
Re: (Score:2)
I'm all for free markets. But every time I try to walk out of the market without paying for my stuff, they get very upset.
Re:Is someone paying them to be this stupid? (Score:5, Interesting)
Re:Is someone paying them to be this stupid? (Score:4, Insightful)
vote to sweep the entire company clean....and start over.
Won't happen. There is no way they can afford that many multi-million dollar golden parachutes at the same time. And you're not going to see a single executive actually punished over this.
Re: (Score:3)
Re: (Score:2, Funny)
Do you think they'd then be required to sell their database info to the highest bidder to recoup losses?
Re:Is someone paying them to be this stupid? (Score:5, Funny)
Do you think they'd then be required to sell their database info
I thought I heard it's already available online somewhere. Can't put my finger on where I heard that though.
Re: Is someone paying them to be this stupid? (Score:2, Funny)
No, he's Jesuit.
Re: Is someone paying them to be this stupid? (Score:2, Insightful)
Pfffft, they're too big to fail (or too much money over government influence).
They'll get a couple lashes from a whip to set an example and lose some revenue but they'll continue on. Consumers are their main product, not their customer.
Businesses and banks will continue using them as if nothing happened. Years or decades later, information from this breach will be used by independent groups worldwide for identity theft related purchases. They may even drum up some new business for their consumer directed cr
Re: (Score:2)
Honestly, I've been thinking the same....trying to see if it bottoms out and buy stock....but every time I think it is slowing down, they do something fscking stupid AGAIN.....and the bottom keeps dropping.
Re:Is someone paying them to be this stupid? (Score:4, Interesting)
Yea, so when your IT folks raise concerns about security..... DON'T IGNORE THEM!
Re: (Score:2)
My thought exactly.
Re:Is someone paying them to be this stupid? (Score:4, Funny)
How can anyone be this bad at their core business?
Their core business is, literally, collecting and sharing information. They shared it with a few too many people in this case, but hey, can you blame an over-achiever?
Re:Is someone paying them to be this stupid? (Score:4, Interesting)
Their core business is maintaining an oligopoly on an essential service, and they do that well. Keeping information safe is not part of their core business, and thus, they pay little attention to it.
Re: (Score:2)
Generating an arbitrary number that affects their cattle's ability to get a loan? That's their core business.
Re: (Score:2)
Re: (Score:2)
Because it's incredible how stupid this whole thing has been.
How can anyone be this bad at their core business?
From Slap-On-The-Wrist fines for the Financial Industrial Complex, to the Too-Big-To-Fail bailouts for the US auto industry, tell me again how obscene incompetence and criminal behavior has been anything short of rewarded?
THAT is how they can be this bad. Turns out it's actually worth it to put in a fucking half-assed effort.
Re: (Score:2)
Re: (Score:3)
How can anyone be this bad at their core business?
I'm a member of two class action suits against Equifax. The first, ongoing since 2008, is because they violated the Fair Debt Reporting Act. I was also affected by this data breach. A quick Googling reports that there are at least 23 class action suits for this latest incident alone. In the scummy consumer credit marketplace incompetence is de rigueur.
Re: (Score:2)
Re: (Score:1)
Just more proof of how evil and restrictive government regulation is, everyone knows businesses can be trusted to police themselves. #MAGA!
Re: (Score:2)
1.) Fire all the smart people because they cost so much.
2.) Profit!
3.) Company collapses under lawsuits, pressure from competitors, outright thievery...
Re: (Score:2)
Re: Is someone paying them to be this stupid? (Score:3)
You have to work really hard to be this incompetent. Doing nothing, nothing at all - just playing Minesweeper, has to be better than this.
Re: Is someone paying them to be this stupid? (Score:2)
Re: (Score:2)
They have been good at their core business: collecting and sharing financial data on millions of people. Nowhere in their charter does "security" or "trust" exist. We are the product they sell.... not security products.
Just look at how they originally offered the free service to monitor accounts: first you had to sign up, they didn't automatically enroll you. Second - you had to promise not to sue them (term since removed).
They don't care about you, the product. They want high quality "data" and ta
Put them to death! (Score:3)
SFWeekly is calling for all Equifax employees to be executed [sfweekly.com].
In all seriousness, the Equifax credit freeze does not work very well, and their freeze needs to work over Experian and TransUnion (and Equifax should pay for it).
Re: (Score:3)
Re: (Score:2)
Additionally (Score:5, Insightful)
It's worth pointing out that it's pretty stupid to use a link obfuscator (aka short URL service) in this situation... which this "Tim" person from Equifax also did - he used a link shortener to direct people to the fake website!
(I'd argue link shorteners are evil in general, but that's a discussion for another day)
Re: (Score:3)
(I'd argue link shorteners are evil in general, but that's a discussion for another day)
Yeah, it seems like obfuscation of links causes more problems than I'd like. But in a world where lots of common services have a character limit (not just Twitter--even Slashdot's signature function is severely limited), sometimes a shortener is a necessity.
Re: (Score:2)
(I'd argue link shorteners are evil in general, but that's a discussion for another day)
Link shorteners in general aren't evil, but their no-click, no-confirmation implementation is. They should always direct to an intermediate page which shows clearly where the shortener is directing you and wait for confirmation to do so.
Wow (Score:4, Insightful)
The level of Equifax's ongoing idiocy is amazing. Almost impressive, even.
The fact that they can't even get the most basic security things right strongly suggests that their core business activities are likely to be run with the same amount of incompetence.
Re:Wow (Score:5, Funny)
Don't forget that they have a talent deficit: they just lost their head of information security.
Re:Wow (Score:5, Funny)
Re: (Score:2)
Are you saying that you think this is the result of malice?
Re: (Score:2)
Don't need to click. Just mouseover and check the status bar.
Re: (Score:2)
Think about it. Why is this linky linky thing stupid? Put another way: What would have been better?
What would have been better is to follow standard practice with important domain names: you register the name you want as well as all of the variations/typos that might be easily confused with it.
Typosquatting isn't anything like a new thing.
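Registering the confusable variants first, as the comment above suggests, starts with enumerating them. This is an added example (not code from the thread or from Equifax): a Python helper that builds the lookalike set for equifaxsecurity2017.com (token reorderings such as securityequifax2017.com, hyphenation, single-character typos, other TLDs) and classifies a link before it is published. The token split and the TLD list are assumptions; a shortened URL hides its destination and so is classified as "other".

```python
import itertools
from urllib.parse import urlsplit

# Constructed list of TLDs a defender would cover; extend as needed.
ALT_TLDS = ("com", "net", "org", "co", "info")


def _omissions(label):
    """Drop one character at each position: 'equifax' -> 'quifax', 'euifax', ..."""
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def _transpositions(label):
    """Swap each adjacent pair: 'equifax' -> 'qeuifax', 'euqifax', ..."""
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1)}


def _doublings(label):
    """Repeat one character: 'equifax' -> 'eequifax', 'eqquifax', ..."""
    return {label[:i] + label[i] + label[i:] for i in range(len(label))}


def lookalikes(domain, tokens):
    """Return the set of confusable domains for `domain`, whose first label is
    the concatenation of `tokens`, e.g. ("equifax", "security", "2017").

    Covers every ordering of the tokens (with and without hyphens), single
    character omissions, transpositions and doublings of the original label,
    and each of those under every TLD in ALT_TLDS plus the original TLD.
    The original domain itself is excluded."""
    domain = domain.lower()
    label, _, tld = domain.partition(".")
    if "".join(tokens) != label:
        raise ValueError("tokens do not spell the domain's first label")
    labels = set()
    for order in itertools.permutations(tokens):
        labels.add("".join(order))
        labels.add("-".join(order))
    labels |= _omissions(label) | _transpositions(label) | _doublings(label)
    result = {f"{lbl}.{t}" for lbl in labels for t in set(ALT_TLDS) | {tld}}
    result.discard(domain)
    return result


def check_link(url, official_domain, tokens):
    """Classify a link before publishing it: 'official', 'lookalike' or 'other'.

    A bare host without a scheme is accepted; a leading 'www.' is ignored.
    Shortener hosts (bit.ly and the like) land in 'other' because the real
    destination is not visible, which is itself a reason to reject the link."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    host = host.lower()
    if host.startswith("www."):
        host = host[4:]
    if host == official_domain.lower():
        return "official"
    if host in lookalikes(official_domain, tokens):
        return "lookalike"
    return "other"


if __name__ == "__main__":
    tokens = ("equifax", "security", "2017")
    for link in ("https://www.equifaxsecurity2017.com/",
                 "http://securityequifax2017.com",
                 "https://bit.ly/constructed-example"):
        print(f"{link}: {check_link(link, 'equifaxsecurity2017.com', tokens)}")
```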
I'm an expert -- I have a degree (Score:1)
In music.
It's still not safe! (Score:5, Insightful)
This leads me to believe that the hackers didn't just get the website and the database. They got the entire network and that Equifax up until today is unsure if their network is safe yet. Equifax's decision to host the new website in CloudFlare is to make sure that they don't give additional information to hackers who are ALREADY in.
Re: (Score:2)
So after all these security fuckups, you think they're competent enough to get the idea that they have no idea whether their network is compromised?
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
What gave you the impression that outside contractors were not the initial cause of this?
Because no contractors were blamed. Considering that it's common to blame contractors for problems (whether or not they were the cause), it speaks volumes that this isn't happening here.
Re: (Score:2)
Re: (Score:2)
So instead of giving my information to the hackers that have breached Equifax's network, I get to hand it over to the hackers that have breached CloudFlare's network. Better or worse?
No network is secure.
Re: (Score:2, Insightful)
They could have easily created a subdomain under the official equifax.com domain but still made the IP under Cloudflare or whatever they wanted to do. They're just idiots.
Re: (Score:2)
> Equifax's decision to host the new website in CloudFlare is to make sure that they don't give additional information to hackers who are ALREADY in.
What? Do you even know how CloudFlare works?
Re: (Score:2)
I went looking to see if my records were affected. Then followed the link to their special website -- and was mildly nervous over the name. I then realized how stupid the name was and was sure the spammers would start sending out fake look-a-like links.
Apparently their naming scheme is to cover next year's planned leak of data.
Of course when these reports began to come to light I immediately went and verified that I had been on a real site. There was no feedback - I submitted a task to them and was pres
The only reasonable solution... (Score:5, Funny)
Wall street is also turning into a clickbait scam! (Score:1)
Hey Guys! You might remember my post earlier where I whined about my husband failing to perform in bed and would rarely get me turned on at all? At first I was like: WTF, where do all those adult film stars get their stamina? — we've tried everything you can think of, from Viagra to other libido pills, nothing seemed to work. Bullshit! — his dick remained limp and sex didn’t last for more than a couple of minutes.
After about 6 months I gave up. I decided it was in his age and part of his physical condition, and that there was nothing we could do about it. Also, I can’t say I wanted sex that bad myself, knowing that I wouldn't be satisfied, and he’d be upset. I felt my husband totally losing confidence in himself and it was frustrating.
but then again slashcode advertising sucks dead horse balls! [insidedailyhealth.com]
Clint Eastwood is not dead yet and neither is his dick! His last words will be "dying ain't much of a livin' boy" if there is any humor left in the world.
On topic, the whole equifax situation in a way is similar and is proving to be complete and utter Wall Street bullshit IMHO and is in itself just a stock option clickbait scam. Just watch what happens when equifax goes on sale. I am almost willing
Re: (Score:2)
For the data
Re: (Score:2)
Re: (Score:2)
Not even close to all of their data was made public.
Re: (Score:2)
Just the most critical information that affects pretty much ALL working class individuals in the US. It does not take a rocket scientist to actually realize that if the information taken is the primary basis for any other information they may have, even though it was not taken, will devalue any of said information to the point of insignificance. Since the underlying base information has now been compromised any other data derived from it has now been made much less valuable almost to the point of worthles
Re: (Score:2)
in hoping that the company survives this debacle
Personally, I hope they go out of business. The level of incompetence they continue to demonstrate indicates to me that the situation is not redeemable.
BTW, if you actually look at their corporate mission statement, one of the values they purported to achieve was Integrity.
Corporate mission statements are almost always marketing BS. Does anyone really take them seriously?
Besides, this is Equifax. We've already known for a very long time that "integrity" isn't exactly their #1 priority.
For Immediate Release and Action (Score:2)
You're all fired, for cause, effective immediately. Concordant with a for-cause firing, any and all severance benefits are rendered null and void. Surrender all company property, including cell phones and computers, to HR immediately. Please collect your personal effects; security will be instructed to escort you off company property no later than 18:00 EDT.
Re: (Score:2)
What HR? You've just fired them too....
Can we just jail all of equifax (Score:1)
It seems like we're reaching a point where we should just take every employee in any way involved with the decisions that equifax has made in the last 5 years, and put them in jail for something like criminal negligence.
Contact Us (Score:2)
Powering the World with Knowledge
Yea, they sure did! They just gave all the personal information for pretty much all the working class Americans.
Now that is a great motto for a company that actually adhered to their mission statement.
Security (Score:2)
Perhaps they were trying to do their customers a favor for once, redirecting them to a site that's likely to be far more secure than their own.