08 Mar 19

MyEquifax.com Bypasses Credit Freeze PIN

Most people who have frozen their credit files with Equifax have been issued a numeric Personal Identification Number (PIN) which is supposed to be required before a freeze can be lifted or thawed. Unfortunately, if you don’t already have an account at the credit bureau’s new myEquifax portal, it may be simple for identity thieves to lift an existing credit freeze at Equifax and bypass the PIN armed with little more than your name, Social Security number and birthday.

Consumers in every U.S. state can now freeze their credit files for free with Equifax and the two other major bureaus (TransUnion and Experian). A freeze makes it much harder for identity thieves to open new lines of credit in your name.

In the wake of Equifax’s epic 2017 data breach impacting some 148 million Americans, many people did freeze their credit files at the big three in response. But Equifax has changed a few things since then.

Seeking to manage my own credit freeze at equifax.com as I’d done in years past, I was steered toward creating an account at myequifax.com, which I was shocked to find I did not previously possess.

Getting an account at myequifax.com was easy. In fact, it was too easy. The portal asked me for an email address and suggested a longish, randomized password, which I accepted. I chose an old email address that I knew wasn’t directly tied to my real-life identity.

The next page asked me to enter my SSN and date of birth, and to share a phone number (sharing was optional, so I didn’t). SSN and DOB data is widely available for sale in the cybercrime underground on almost all U.S. citizens. This has been the reality for years, and was so well before Equifax announced its big 2017 breach.

myEquifax said it couldn’t verify that my email address belonged to the Brian Krebs at that SSN and DOB. It then asked a series of four security questions — so-called “knowledge-based authentication” or KBA questions designed to see if I could recall bits about my recent financial history.

In general, the data being asked about in these KBA quizzes is culled from public records, meaning that this information likely is publicly available in some form — either digitally or in-person. Indeed, I have long assailed the KBA industry as creating a false sense of security that is easily bypassed by fraudsters.

One potential problem with relying on KBA questions to authenticate consumers online is that so much of the information needed to successfully guess the answers to those multiple-choice questions is now indexed or exposed by search engines, social networks and third-party services online — both criminal and commercial.

The first three multiple-guess questions myEquifax asked were about loans or debts that I have never owed. Thus, the answer to the first three KBA questions asked was, “none of the above.” The final question asked for the name of our last mortgage company. Again, information that is not hard to find.

Satisfied with my answers, Equifax informed me that yes indeed I was Brian Krebs and that I could now manage my existing freeze with the company. After requesting a thaw, I was brought to a vintage Equifax page that looked nothing like myEquifax’s sunnier new online plumage.

Equifax’s site says it will require users requesting changes to an existing credit freeze to have access to their freeze PIN and be ready to supply it. But Equifax never actually asks for the PIN.

This page informed me that if I had previously secured a freeze of my credit file with Equifax and had been given a PIN needed to undo that status in any way, I should be ready to provide said information if I was requesting changes via phone or email.

In other words, credit freezes and thaws requested via myEquifax don’t require users to supply any pre-existing PIN.

Fine, I said. Let’s do this.

myEquifax then asked for the date range requested to thaw my credit freeze. Submit.

“We’ve successfully processed your security freeze request!,” the site declared.

This also was exclaimed in an email to the random old address I’d used at myEquifax, although the site never once made any attempt to validate that I had access to this inbox, something that could be done by simply sending a confirmation link that needs to be clicked to activate the account.

In addition, I noticed Equifax added my old mobile number to my account, even though I never supplied this information and was not using this phone when I created the myEquifax account.

Successfully unfreezing (temporarily thawing) my credit freeze did not require me to ever supply my previously-issued freeze PIN from Equifax. Anyone who knew the vaguest and most knowable details about me could have done the same.

myEquifax.com does not currently seek to verify the account by requesting confirmation via a phone call or text to the phone number associated with the account (also, recall that even providing a phone number was optional).
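To make the two authorization policies concrete, here is an added Python sketch (my own illustration, not Equifax’s code and not part of the original post) that models a freeze portal two ways: the flow described above, where passing a KBA quiz built from public-record data is enough to create an account at an unverified email address and thaw the file without the freeze PIN; and a hardened flow that stores only a salted hash of the PIN, refuses any thaw until the email address has been confirmed via a token, demands the PIN in constant time, locks the record after a few bad guesses, and rejects a second enrollment for the same SSN and DOB. The SSN, DOB, “public record” answers, PIN format and all names are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample data (hypothetical): the facts a KBA quiz draws on are
# public records, so the bureau and the attacker consult the same source.
PUBLIC_RECORDS = {
    ("123-45-6789", "1970-01-01"): {
        "auto_loan_lender": "none of the above",
        "student_loan_lender": "none of the above",
        "card_issuer_2016": "none of the above",
        "last_mortgage_company": "Example Mortgage Co",
    }
}

def hash_pin(pin, salt):
    # Only a salted, stretched hash of the freeze PIN is ever stored.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

@dataclass
class FreezeRecord:
    ssn: str
    dob: str
    salt: bytes
    pin_hash: bytes
    frozen: bool = True
    failed_pin_attempts: int = 0

@dataclass
class Account:
    email: str
    ssn: str
    dob: str
    email_verified: bool = False
    verify_token: str = ""

class FreezePortal:
    MAX_PIN_FAILURES = 3  # assumed lockout threshold

    def __init__(self):
        self.freezes, self.accounts = {}, {}

    def place_freeze(self, ssn, dob):
        """Freeze the file; return the one-time PIN that is mailed to the consumer."""
        pin = f"{secrets.randbelow(10**10):010d}"
        salt = secrets.token_bytes(16)
        self.freezes[(ssn, dob)] = FreezeRecord(ssn, dob, salt, hash_pin(pin, salt))
        return pin

    def kba_passes(self, ssn, dob, answers):
        truth = PUBLIC_RECORDS.get((ssn, dob), {})
        return bool(truth) and all(answers.get(q) == a for q, a in truth.items())

    # --- Flow as described in the post: KBA only, email unverified, no PIN ---
    def register_weak(self, email, ssn, dob, answers):
        if not self.kba_passes(ssn, dob, answers):
            return False
        self.accounts[email] = Account(email, ssn, dob, email_verified=True)
        return True

    def thaw_weak(self, email):
        acct = self.accounts.get(email)
        rec = self.freezes.get((acct.ssn, acct.dob)) if acct else None
        if rec is None:
            return False
        rec.frozen = False          # the existing PIN is never consulted
        return True

    # --- Hardened flow ---
    def register_hardened(self, email, ssn, dob, answers):
        """KBA gates enrollment, but the account stays inert until the mailbox is proven."""
        if not self.kba_passes(ssn, dob, answers):
            return None
        if any(a.ssn == ssn and a.dob == dob for a in self.accounts.values()):
            return None             # one account per consumer
        token = secrets.token_urlsafe(32)
        self.accounts[email] = Account(email, ssn, dob, verify_token=token)
        return token                # delivered only to the mailbox

    def confirm_email(self, email, token):
        acct = self.accounts.get(email)
        if acct is None or not hmac.compare_digest(acct.verify_token, token):
            return False
        acct.email_verified, acct.verify_token = True, ""
        return True

    def thaw_hardened(self, email, pin):
        acct = self.accounts.get(email)
        if acct is None or not acct.email_verified:
            return False
        rec = self.freezes.get((acct.ssn, acct.dob))
        if rec is None or rec.failed_pin_attempts >= self.MAX_PIN_FAILURES:
            return False            # locked: even the right PIN is refused
        if not hmac.compare_digest(rec.pin_hash, hash_pin(pin, rec.salt)):
            rec.failed_pin_attempts += 1
            return False
        rec.failed_pin_attempts, rec.frozen = 0, False
        return True

def demo():
    ssn, dob = "123-45-6789", "1970-01-01"
    answers = dict(PUBLIC_RECORDS[(ssn, dob)])   # attacker's KBA answers from public data
    weak = FreezePortal()
    weak.place_freeze(ssn, dob)                   # PIN goes to the real consumer, not the attacker
    weak_thawed = weak.register_weak("old@example.invalid", ssn, dob, answers) and weak.thaw_weak("old@example.invalid")
    hard = FreezePortal()
    real_pin = hard.place_freeze(ssn, dob)
    tok = hard.register_hardened("attacker@example.invalid", ssn, dob, answers)
    hard.confirm_email("attacker@example.invalid", tok)
    guesses = [hard.thaw_hardened("attacker@example.invalid", g)
               for g in ("0000000000", "1234567890", "1111111111", real_pin)]
    legit = FreezePortal()
    pin = legit.place_freeze(ssn, dob)
    tok = legit.register_hardened("me@example.invalid", ssn, dob, answers)
    legit.confirm_email("me@example.invalid", tok)
    return {"weak_kba_only_thaws": weak_thawed,
            "hardened_guesses": guesses,
            "hardened_still_frozen": hard.freezes[(ssn, dob)].frozen,
            "legit_with_pin_thaws": legit.thaw_hardened("me@example.invalid", pin)}

if __name__ == "__main__":
    print(demo())
```

The fourth attempt in the hardened scenario uses the genuine PIN and is still refused, because the record was locked after three failures; that is the behaviour you want when the attacker already holds the SSN, DOB and KBA answers and the PIN is the only secret left.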

Happily, I did discover that when I used a different computer and Internet address to try to open another account under my name, date of birth and SSN, the site informed me that a profile already existed for this information. This suggests that signing up at myEquifax is probably a good idea, given that the alternative is more risky.

It was way too easy to create my account, but I’m not saying everyone will be able to create one online. In testing with several readers over the past 24 hours, myEquifax seems to be returning a lot more error pages at the KBA stage of the process now, prompting people to try again later or make a request via email or phone.

Equifax spokesperson Nancy Bistritz-Balkan said not requiring a PIN for people with existing freezes was by design.

“With myEquifax, we created an online experience that enables consumers to securely and conveniently manage security freezes and fraud alerts,” Bistritz-Balkan said.

“We deployed an experience that embraces both security standards (using a multi-factor and layered approach to verify the consumer’s identity) and reflects specific consumer feedback on managing security freezes and fraud alerts online without the use of a PIN,” she continued. “The account set-up process, which involves the creation of a username and password, relies on both user inputs and other factors to securely establish, verify, and authenticate that the consumer’s identity is connected to the consumer every time.”

I asked Bistritz-Balkan what else besides a username and a password the company may have meant by “multi-factor;” I’m still waiting for clarification. But I did not experience anything like multi-factor in setting up or logging into my myEquifax account.

This may be closer to Equifax’s idea of multi-factor: The company told me that if I still really wanted to use my freeze PIN, I could always call their 800 number (800-349-9960) or make the request via mail. Never mind that if I’m a bad guy looking to hack others, I’m definitely going to be using the myEquifax Web site — not the options that make me have to supply a PIN.

Virtually the entire United States population became eligible for free credit monitoring from Equifax following its 2017 breach. Credit monitoring can be useful for recovering from identity theft, but consumers should not expect these services to block new account fraud; the most they will likely do in this case is alert you after ID thieves have already opened new accounts in your name.

A credit freeze does not impact your ability to use any existing financial accounts you may have, including bank and credit/debit accounts. Nor will it protect you from fraud on those existing accounts. It is mainly a way to minimize the risk that someone may be able to create new accounts in your name.

If you haven’t done so lately, it might be a good time to order a free copy of your credit report from annualcreditreport.com. This service entitles each consumer to one free copy of their credit report annually from each of the three credit bureaus — either all at once or spread out over the year.

Additional reading:

NYTimes, March 8, 2019: How Equifax Complicates a Simple Task: Freezing a Child’s Credit

The Register, March 8, 2019: Tech Security at Equifax was so diabolical, senators want to pass US laws making its incompetence illegal.

Equifax Investigation by Senate Homeland Security committee (.PDF, Sen. Carper).

Credit Freezes are Free: Let the Ice Age Begin

Plant Your Flag, Mark Your Territory

Experian Site Can Give Anyone Your Freeze PIN

Survey: Americans Spent $1.4B on Credit Freeze Fees in Wake of Equifax Breach

Equifax Breach Fallout: Your Salary History

Data Broker Giants Hacked by ID Theft Service

Experian Sold Access to ID Theft Service


91 comments

  1. Thanks for writing an article about this. I had the exact same experience recently. I explained to someone on customer service that someone could have set up the account under my name with just basic information about me (SSN, previous addresses) without deactivating the freeze I had placed (using the PIN that only I had). The person I spoke to seemed not to be senior enough to care about this obvious security lapse and didn’t seem interested in reporting the issue to their superiors, so I let it slide and am glad it was actually me setting up the account.

  2. The existing unfreeze PIN should be enforced. Isn’t that mandated in the law that created the freezes?

    To reset a lost/forgotten PIN, you must send in a notarized request with a copy of two forms of I.D.
    The reset PIN is sent by mail.

    • No. The law says you need to be allowed to look at the information they have and that you can restrict some of what they share with other credit bureaus.

      The information they retain is theirs and doesn’t belong to you. You have no say in how it’s to be secured, nor does the law.

  3. Un-flippin’ believable !!!

    Thanks again to Brian for the update on this amazingly incompetent industry.

    The poster who spoke of Sisyphus squarely hit the mark.

    It’s time to yet again push that boulder back up Mt Equifax.

    I’ve kept my credit frozen for years.

    I’ve repeatedly had to create NEW “freeze management” accounts and login credentials as CRAs attempt to “help me.”

    My password safe documents the long line of usernames and passwords ever created for each iteration by each CRA

    So this AM I resign myself to begin anew; going through it yet again for Equifax … oh wait … their site is “down.”

    Incompetence at its finest.

  4. So Brian, what is your suggestion regarding this? My credit has been frozen since the Equifax breach and I have the PIN to unfreeze it. Should I go and create this account so that no one can unfreeze me (i.e. steal my account information)?

  5. Ludicrous. Credit freeze with pin but now you apparently don’t need a pin. Why provide them in the first place. Makes no sense. All frozen accounts that were assigned pins should require the pin to unfreeze. Simple. Not these shenanigans.

  6. Jonas D. Atlas

    So basically, multi-factor means “you have multiple factors and any one will be enough”? Seems like a great idea. Although to be honest it doesn’t really surprise me at this point – companies providing financial services always did have a weird understanding of security, like a certain German bank that only allows 5 character passwords for online banking because “it’s a certified system”.

  7. I wonder whether this is a work in progress. I just created my account at myequifax (have had a freeze with a pin for years) and they asked for mobile phone # for a possible text & home phone if you don’t have a mobile one. No indication it was optional

    Strangely, they had a CAPTCHA but all I had to do was click that I was a human to get a check mark.

    I selected my own password since none was offered.

    They sent me a text with a 6-number verification which I typed in and my account was set up.

    Thanks for the article since it would have been very inconvenient to figure this out when I tried to unfreeze the account in a hurry (e.g. to purchase a car)!
