02 Nov 17

Equifax Reopens Salary Lookup Service

Equifax has re-opened a Web site that lets anyone look up the salary history of a large portion of the American workforce using little more than a person’s Social Security number and their date of birth. The big-three credit bureau took the site down just hours after I wrote about it on Oct. 8, and began restoring the site eight days later saying it had added unspecified “security enhancements.”

The Work Number, Equifax’s salary and employment history portal.

At issue is a service provided by Equifax’s TALX division called The Work Number. The service is designed to provide automated employment and income verification for prospective employers, and tens of thousands of companies report employee salary data to it. The Work Number also allows anyone whose employer uses the service to provide proof of their income when purchasing a home or applying for a loan.

What’s needed to access your salary and employment history? Go here, and enter the employer name or employer code. After that, it asks for a “user ID.” This might sound like privileged information, but in most cases this is just the employee’s Social Security number (or a portion of it).

At the next step, the site asks visitors to “enter your PIN,” short for Personal Identification Number. However, in the vast majority of cases this appears to be little more than someone’s eight-digit date of birth. The formats differ by employer, but it’s usually either yyyy/mm/dd or mm/dd/yyyy, without the slashes.

Successful validation to the system produces two sets of data: An employee’s salary and employment history going back at least a decade, and a report listing all of the entities (ostensibly, the aforementioned “credentialed verifiers”) that have previously requested and viewed this information.

In a story in the financial industry publication National Mortgage News, Equifax said: “As access to the employee portal is restored, individuals must be re-authenticated and establish a unique PIN. Therefore, the data exposed in the cyber incident will not be sufficient to access The Work Number.”

The publication said Equifax declined to answer questions about whether the timing of the portal maintenance or the decision to add new security features were in response to the original Oct. 8 report here, quoting an Equifax spokesman saying the company opted to move up and expand a planned service outage.

“At that time, we also decided to accelerate the implementation of select security enhancements to our platforms which extended the service outage timeframe,” the spokesman said.

I walked through the newer, allegedly more secure portal with a friend and source who worked at a major firm that used The Work Number at some point previously, and at first we couldn’t figure out how to enter his default PIN. A quick search for his employer’s name and “The Work Number” turned up a PDF with instructions stating that the PIN consisted of the last two digits of the employee’s birth year, and the fourth and fifth digit of their SSN.

Part of the new and improved security at The Work Number.

After passing that screen, the only “security enhancements” my source encountered were a prompt to enter his full name, date of birth, Social Security number, address, phone number and email, followed by the usual retinue of four multiple-guess “knowledge-based authentication” (KBA) questions. I’ve long been a critic of these KBA questions, because the answers usually are available using sites like Zillow and Spokeo, to say nothing of social networking profiles.

Fortunately, you can reduce the likelihood that an acquaintance, co-worker, stalker or anyone else can glean your salary history by claiming your own account, changing the PIN and selecting a half-dozen security questions and answers. As always, it’s best not to answer these questions truthfully, but to input answers that only you will know and that can’t be found using social networking sites or other public data sources.
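One defensive check that follows from the default-PIN schemes described above (an eight-digit date of birth as yyyymmdd or mmddyyyy, or the last two digits of the birth year plus SSN digits four and five): when you claim the account and pick a new PIN, reject anything built from the identifiers an attacker holding the breached data already knows. The Python below is an added example written for this post, not Equifax or TALX code. It also folds in the last-four-of-SSN default one commenter below reports and the 8-to-16-digit, numbers-only rule another commenter quotes from the reset screen; the ddmmyyyy and six-digit variants, the sequence check and the sample identity are assumptions, not something the page states.

```python
"""Reject new PINs that are derived from the holder's own identity data.

Added example for the KrebsOnSecurity post on The Work Number; not vendor code.
"""
from __future__ import annotations

from datetime import date

# Length rule a commenter quotes from the reset screen ("8 to 16 character PIN
# should be numbers only"); treated here as the policy to enforce.
PIN_MIN_LEN = 8
PIN_MAX_LEN = 16


def dob_patterns(dob: date) -> set[str]:
    """Digit strings the default-PIN schemes in the post build from a birth date."""
    yyyy = f"{dob.year:04d}"
    yy, mm, dd = yyyy[2:], f"{dob.month:02d}", f"{dob.day:02d}"
    return {
        yyyy + mm + dd,  # yyyymmdd (described in the post)
        mm + dd + yyyy,  # mmddyyyy (described in the post)
        dd + mm + yyyy,  # ddmmyyyy (assumed variant, not from the post)
        yy + mm + dd,    # six-digit short forms (assumed variants)
        mm + dd + yy,
    }


def ssn_patterns(dob: date, ssn: str) -> set[str]:
    """SSN fragments, including the 'birth year + SSN digits 4-5' employer scheme."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    yy = f"{dob.year:04d}"[2:]
    patterns: set[str] = set()
    if len(digits) == 9:
        patterns.add(digits)            # full SSN
        patterns.add(digits[-4:])       # last four, a default one commenter reports
        patterns.add(yy + digits[3:5])  # scheme from the employer PDF in the post
    return patterns


def is_monotone_or_repeated(pin: str) -> bool:
    """Trivial sequences such as 00000000, 12345678 or 98765432 (assumed extra rule)."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps <= {0} or steps == {1} or steps == {-1}


def pin_weaknesses(pin: str, dob_iso: str, ssn: str) -> list[str]:
    """Return every policy violation found; an empty list means the PIN is acceptable.

    dob_iso is the holder's date of birth as YYYY-MM-DD.
    """
    dob = date.fromisoformat(dob_iso)
    reasons: list[str] = []
    if not pin.isdigit():
        return ["pin must contain digits only"]
    if not PIN_MIN_LEN <= len(pin) <= PIN_MAX_LEN:
        reasons.append(f"length must be {PIN_MIN_LEN}-{PIN_MAX_LEN} digits")
    # Substring checks: a DOB or SSN fragment padded with a few extra digits is
    # still a guess an attacker with breach data would try early.
    if any(p in pin for p in dob_patterns(dob)):
        reasons.append("derived from date of birth")
    if any(p in pin for p in ssn_patterns(dob, ssn)):
        reasons.append("derived from Social Security number")
    if is_monotone_or_repeated(pin):
        reasons.append("repeated or sequential digits")
    return reasons


def is_acceptable_pin(pin: str, dob_iso: str, ssn: str) -> bool:
    return not pin_weaknesses(pin, dob_iso, ssn)


if __name__ == "__main__":
    # Constructed sample identity; not a real person.
    holder_dob, holder_ssn = "1975-03-14", "123-45-6789"
    for candidate in ("19750314", "03141975", "7545", "6789", "12345678", "48213957"):
        print(candidate, pin_weaknesses(candidate, holder_dob, holder_ssn))
```

The substring checks deliberately err on the side of rejecting: a 16-digit PIN that happens to contain the holder's birth year is still worth refusing, because the whole point of the post is that an attacker starts from the DOB and SSN rather than from random guesses.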

I used to think that if you had a security freeze on your credit file at a credit bureau that the bureau would then be unable to ask these KBA questions. I’ve recently worked with several sources who had freezes on their files and yet were still asked these KBA questions. Those individuals may not have all been approved to continue whatever transaction was in progress after answering those questions, but in most cases it shocks folks who have freezes when they even get asked those KBA questions.

However, it seems that in each of the cases I’ve seen in which the person had a freeze on their credit file, the applicant was asked only non-financial questions. In other words, they were given questions that one did not necessarily need access to one’s credit card or mortgage statements to answer successfully — such as the names of previous streets resided on or the names of lenders used in the past.

What’s interesting is that these types of questions tend to be easier to answer than, say, ‘What was the amount of your most recent car loan payment?’ That suggests that ID thieves could find people with credit freezes an easier target for services like this one, because they face far easier KBA questions after they provide all of the target’s static information (DOB, SSN, etc).

If that sounds ironic or sad, remember that we’re talking about a company whose breach more severely impacted consumers who paid Equifax whatever fees the company is allowed to charge under state laws to freeze the consumer’s credit file.

We all sort of assumed this was the case when Equifax initially disclosed on Sept. 7 that the breach resulted in the theft of SSNs and other data on 143+ million people, as well as some 209,000 credit and debit card numbers. But in written notifications recently mailed to victims of the breach, Equifax made it crystal clear that their credit card data was stolen because they once used it at Equifax to request a credit freeze or copy of their credit report.

Part of the notice Equifax mailed this week to a U.S. breach victim.

Does your current or former employer share your salary data with Equifax? If so, were you able to access your salary history via The Work Number site? Sound off in the comments below about any “security enhancements” you encountered along the way.

If you’re still unsure what you should be doing in the wake of the breach at Equifax, see this Q&A.


58 comments

  1. I wanted to try this when you first posted about it, but as you said, they pulled it down. I just tried it, my company was indeed listed and was easily found by the search function, but I was unable to login. I tried my social security number, which it accepted but it will probably accept anything, but when I tried the yyyymmdd as well as mmddyyyy it did not work and said it locked me out. Hopefully that means my company used a little more thought and created more secure PINs.

  2. “Fortunately, you can reduce the likelihood that an acquaintance, co-worker, stalker or anyone else can glean your salary history by claiming your own account, changing the PIN and selecting a half-dozen security questions and answers.”

    How does one claim your own account? I don’t see a way to do that on The Work Number web site. (My employer doesn’t appear in the search.)

  3. This is bull that they allow this and our corrupt government does nothing but gives them a slap on the hand. We as American people need to come together as one and stop this. No one should have to be put through this; this is our own private info and should be a lot harder to get any of this. Stand up America, take action against corporations like this, take back our lives.

    • Don’t hold your breath waiting for a Republican Party dominated government to work on behalf of you, the consumer. How does that benefit their key constituency – multinational corporations?

      • don’t wait on Democrats either.

        • We’re talking about who’s in control now. Stop deflecting.

        • You mean the party that drove the creation of the Consumer Financial Protection Bureau created by the Dodd–Frank Wall Street Reform and Consumer Protection Act, an act that was opposed by virtually all of the GOP and is actively being undercut by the GOP-led Congress today? You mean those Democrats?

          • “You mean the party that drove the creation of the Consumer Financial Protection Bureau created by the Dodd–Frank Wall Street Reform and Consumer Protection Act…”

            Please, both parties are equally bought and paid for in various ways and by various moneyed special interests. What we have and have had for quite some time is a power sharing duopoly. They may throw you bones like gay marriage and gun rights to bring you to the polls, but on any issue that would significantly disrupt the status quo flow of trillions of your tax dollars and new debt accrued on your tab, forget it. Read the groundbreaking 2014 Princeton University study, “Testing Theories of American Politics: Elites, Interest Groups, and Average Citizens” which confirms that.

          • Here are some key excerpts from that study:

            A great deal of empirical research speaks to the policy influence of one or another set of actors, but until recently it has not been possible to test these contrasting theoretical predictions against each other within a single statistical model. We report on an effort to do so, using a unique data set that includes measures of the key variables for 1,779 policy issues.

            Multivariate analysis indicates that economic elites and organized groups representing business interests have substantial independent impacts on U.S. government policy, while average citizens and mass-based interest groups have little or no independent influence. The results provide substantial support for theories of Economic-Elite Domination and for theories of Biased Pluralism, but not for theories of Majoritarian Electoral Democracy or Majoritarian Pluralism.

            In the United States, our findings indicate, the majority does not rule—at least not in the causal sense of actually determining policy outcomes. When a majority of citizens disagrees with economic elites or with organized interests, they generally lose. Moreover, because of the strong status quo bias built into the U.S. political system, even when fairly large majorities of Americans favor policy change, they generally do not get it.

            …the preferences of economic elites (as measured by our proxy, the preferences of “affluent” citizens) have far more independent impact upon policy change than the preferences of average citizens do. To be sure, this does not mean that ordinary citizens always lose out; they fairly often get the policies they favor, but only because those policies happen also to be preferred by the economically-elite citizens who wield the actual influence.

  4. Hey Brian,

    I was able to register.
    My PIN was either birth date or social again, filled it up too quickly, sorry.
    Sure enough, answered the KBA questions even though I have all my credit files frozen.
    But once I was in, there were no additional security questions I could set up. The “additional security” was to add my cell phone and email.
    I don’t know if the intent is to send me a code or something.
    I did start getting email notifications.

  5. If they are using “New Data” for KBA, where is that information being pulled from? The hygiene takes place when you enter the information in the OAuth portal and are tricked into thinking you are really validating some information, if the claim is really true that the old breached data is stale (is that even possible). Another chapter in Data-Broker fuckery.

    • The cybercrooks know that the breached data will never get stale. That data will still have value for many years, probably even after the owner dies – for creating a synthetic identity.

      Credit card thieves are probably looking on in wonder.

  6. How long before the entire database is breached? Thus making “claiming your own account” ineffective.

    I worry far more about database hacking than my individual account getting hacked. Many of the recent breaches, including Equifax, have reinforced this.

  7. I just tried it. While I could not guess the PIN, it offered a “Forgot Your PIN” option. I answered the questions and was texted a one-time passcode. That let me reset the PIN and I now have control of the account – at least for one previous employer. It appears to be set up as a combination of individual and employer. I have not yet tried any other employers.

  8. I was under the impression that employers couldn’t share your salary details without explicit permission? How is this service legal? Especially in, say, California or Massachusetts, which outright ban “What’s your previous salary?” questions.

  9. Your q&a link at the bottom results in a 403 forbidden.

    I was able to access my own data. The KBA questions were utterly senseless.

  10. I was able to access the site starting with the same initial screenshot provided.

    Then it indicated for the most recent employer I could find (It was not my current one), that I either had to enter my login ID as a current employee or my social as an ex-employee. The instructions here weren’t actually clear, as it said to use your SS and PIN, but only actually wanted your SS.

    It then asked for my name, SS, address & phone number again. Then it texted a verification code to the same #.

    The next screen asked for a PIN. If you try the method Krebs described, it didn’t work and kicked me out. I had to select “Forgot PIN” which took me to a new screen where it asked me to create a new one. The only requirement was that “If you plan to use the automated phone system, your new 8 to 16 character PIN should be numbers only.” I created a PIN.

    It then asked if I wanted to remember the device.

    Then it asked for a phone & e-mail to associate with the account. You could add multiple #’s and e-mails (Up to 6 e-mails; multiple phone #’s).

    Then it dropped me into the site. It was easy enough to change the e-mail, PIN, and phone #’s; did not ask for re-verification through the PIN, or log me out and ask me to verify back in again.

    I took a handful of screenshots as well.

  11. To whom this may concern
    I am a victim of identity theft
    Merge credit reports
    Loss of credit
    Because of equifax
    You have destroyed my credit life
    I filed police reports
    See you in court soon
    Sincerely
    Nancy J Dye

    • Same problem here and no matter what I do or file reports, nothing changes. Plus now when I call all I get is an automated operator. Any suggestions on what I could do to get this problem straight? It’s ruining my life HELP!!!

  12. Florance Heavans

    Don’t fall for all this!!! They want all your personal information so they can scam you, too!!! Think about it! Why would they need your name, address, phone #, birth date, SS#, etc.

  13. KBA questions are useless.

    Last time I had to answer them one of the questions asked for a previous address. I forgot the house number for that address.
    A simple search on the internet gave me the answer in less than a minute.

  14. I am getting the following error:

    ALERT: Thank you for using The Work Number. Some features are temporarily down for service today. If you need assistance with an Employment Data Report or Salary Key, please call our service center at 800-367-2884 to complete your transaction. Thank you for your patience.

    They must be back down again. At least your articles are keeping them from making this service available…

    • same here

      “ALERT: Thank you for using The Work Number. Some features are temporarily down for service today. If you need assistance with an Employment Data Report or Salary Key, please call our service center at 800-367-2884 to complete your transaction. Thank you for your patience.”

  15. its,hot,now,in,usa,but…only,usa.little.bit.in.canada.too.
    thats,what,people..who.work.as.carders.told.
    usa,bank.transfers,stuff,drops.carding,tax.refunding..and.all.this.are.hot.now.its.hot.season.in.usa.lucky.who.is.in.usa..alot.money.to.be.made.dumps.jobs.also.popular..it.hink

  16. John Oliver did an interesting segment on EquiFax on his ‘Last Week Tonight’ show a few weeks ago:

    https://youtube.com/watch?v=mPjgRKW_Jmk

    • @Brian: this was odd, I saw James’s post with the waiting for moderation indicator, but I’m not James.

      Not a horrible security leak as on average it would be public soon anyway, just odd…

    • Sadly, the video is no longer available, a couple hours after your post.

  17. Requires PIN to be numeric even though it said something like “If you want to use the automated phone system PIN must be numeric.” Mine said PIN must be between 4 and 16 characters.

  18. Look what I found…I guess I need to freeze this too?

    To place a security freeze on your The Work Number employment report, send
    your request via mail to:

    TALX Corporation
    ATTN: Employment Data Report Dept 19-10
    11432 Lackland Road
    St. Louis, Missouri 63146

    Or, you may contact us on the web at http://www.theworknumber.com or call 800-996-7566.

  19. Just for grins, I clicked on the “Find Employer Name or Code” link, and did a search on “Senate”, and found “SENATE UNITED STATES – US DEPARTMENT OF HOMELAND SECURITY”. I wonder how hard it would be to guess a Senator’s login and default PIN.

  20. My current employer doesn’t use this service. Prior employer, a university, doesn’t report income. So I guess there is no way for me to access this info and make it more secure.

  21. I did what you did and googled “The Work Number” and my company name “fiserv” and imagine my surprise when I saw that Equifax and Fiserv collaborated to create this: https://insight.equifax.com/equifax-and-fiserv-join-to-provide-income-and-employment-verification-services-to-auto-lenders/

    With that found out, I knew that my employer had to be in there and it was. It asked me for my full social and also asked KBA questions, but it did ask me about my mortgage and car payment. I have a freeze on my account so it shouldn’t have asked me any financial questions?

    I also had an old request in there from 07/05/2006. I wonder what that was for and if it was legitimate.

  22. Perhaps as a response to the Equifax disaster, you can no longer get your free credit reports *online* (annualcreditreport dot com).
    Experian and Transunion blocked me right away: “a condition exists where we cannot…” or “Technical difficulties prevent…”.
    Equifax “teased” me by allowing me to answer a few KBA questions, but they also blocked me after I provided correct responses (“We cannot provide your report online”).

    In all three cases, they advised requesting it by mail.

  23. “If that sounds ironic or sad, remember that we’re talking about a company whose breach more severely impacted consumers who paid Equifax whatever fees the company is allowed to charge under state laws to freeze the consumer’s credit file.”
    So is it still a good idea to freeze your credit file?

  24. I’m confused over all of this. This system and the credit system should be off/frozen/denied by default for all people. You should have to unfreeze if you plan on using the credit system or this service.

    Look how you write ACLs. You don’t enable all by default and only turn off the ones that you want to block; you allow nothing at first, and enable those who want it.

    For a system that many systems and people rely on, it’s ridiculous.

    Internally, I’d hope that frozen accounts would be pulled from the main db and moved (with all records) to a db that’s not accessible from outside the network. Hell, I’d hope all the information wouldn’t be accessible from outside the company’s network.

  25. Just went in and changed everything. Hopefully did something worthwhile.

    This was the confirmation I received after the changes. Looks suspicious at best. What’s a “pim” (that’s an M not N)?

    (I deleted some info, as you’ll notice)

    From: pim confirmation
    Date: Fri, Nov 3, 2017 at 7:55 AM
    Subject: Personal Information change notification
    To: “deleted by me”

    DELETED BY ME has made changes to the following Personal Information fields:
    Cell Phone
    User Email0

    MSG ID: DELETED BY ME

  26. I was able to get in using my social security number and then the last four of my social as my PIN. It asked me some security questions (about past loans, which I might or might not have had at some point in the past), which apparently I answered correctly.
    I was able to change my PIN and enter my email address. Freaky that all that information is available online.

  27. I work for a company that employs over 5,000 people and it has no knowledge of my employer. I guess they’re not reporting our wages to Equifax.

  28. I don’t think this is such a big deal. For New Jersey — and most other states and government agencies in the USA — government workers titles and salaries are posted publicly.

    > This payroll data for public employees is updated quarterly and displayed by calendar year. It includes Executive Branch departments, the Legislature, the Judiciary and independent authorities.

    https://www13.state.nj.us/pls/nj_public/f?p=PAYROLL:9:0::NO:SESSION

    Is it a big deal for a tax payer to be able to find out how much a particular state worker — the governor, local police chief etc. — gets paid? If not, then why is it a big deal for me to find out what a specific employee at Bloomberg gets paid?

  29. I got through the PIN reset etc., got my report–which was downloaded by Firefox as a .aspx file. I looked at it and could see it was really a PDF, renamed it, could open it.

    I guess misnaming it is the new security feature–that will stop the real n00bs!

    Actually, they also made it mo’ betta secret by garbling the data a bit. It shows annual totals of $0 for years in which it shows monthly payments (which are, surprise, not $0).

    Truly amazingly bad. But hey, it’s the web, nothing much there works any more, right?

  30. And then I tried to do the same for my wife, who has been retired for over 20 years. None of the PIN suggestions worked (mmddyyyy, yyyymmdd, or SSN last-four); at that point, it did NOT offer a way to reset the PIN, either. So it’s not entirely consistent, it seems. Also excellent–who would expect a computerized system to work in a consistent fashion?
