
Equifax: woeful PINs put frozen credit files at risk

Why the PINs protecting your frozen credit files aren't worthy of the name

When is a password not a password?

Never. It’s always a password.

No matter what you call it – password, passcode, passphrase, secret, PIN, login or Jeff – and whether it is numeric or alphanumeric, under the hood it’s the same thing. The same rules apply to how you choose it and how you store it.

Since Friday we’ve been advising the 143 million people who have been affected by the giant Equifax data breach to put a freeze on their credit files.

Frozen credit files can’t be accessed by creditors, which should stop thieves who stole your identity in the breach from taking out a line of credit in your name. Of course, it stops you from taking out credit too, but unlike the crooks you can unfreeze your credit files when you need to.

It’s far from a perfect solution – freezing and unfreezing isn’t slick – but short of changing your SSN and date of birth it’s probably your best protection.

What stops the thieves from unfreezing your credit files is a PIN that you know and they don’t. Equifax chooses your PIN and gives it to you when you freeze your credit files.

Like all PINs, these are just passwords by another name, and the normal rules for choosing passwords apply: the PIN should be long, chosen at random and difficult to guess.

No matter how much a hacker knows about a person or system creating a password, that knowledge shouldn’t help. Likewise, knowing a password shouldn’t reveal anything about the system that created it or make guessing another one any easier.

That’s why we advise that your passwords shouldn’t be a child’s birthday, a pet’s name or your favourite sports team, and why you shouldn’t pick passwords according to a sequence or pattern.

In this case, however, you don’t get to choose: Equifax does it for you, so the normal rules about choosing passwords apply to them rather than to you.

Not PINs at all

Unfortunately, Equifax PINs aren’t chosen at random: they are simply the date and time at which you performed your freeze.

If you froze your data on Friday night after watching our Facebook Live about the Equifax breach at, let’s say, 5pm, your PIN would be 0908171700.

The timestamp uses the format MMDDyyHHmm, with two digits for each of: month (01 to 12), day of the month (01 to 31), two-digit year, hours since midnight (00 to 23) and minutes (00 to 59).

It seems that this isn’t some hurriedly put together, post-breach workaround either, as journalist and data nerd Tony Webster pointed out on Twitter:

https://twitter.com/webster/status/906638411930497029

The PINs are 10 digits long. If Equifax chose numeric PINs at random the crooks would have a one in ten billion chance of guessing the right number on the first go (that still wouldn’t count as a strong password by the way, but it’s not bad).

By using dates Equifax have slashed the odds on a successful guess.

Even if the system used a randomly-generated timestamp and turned it into a PIN, the system would be flawed.

There are only 365 days in most years, so the MMDD digits don’t deliver 10,000 different possibilities (0000 to 9999) as you might expect; likewise, there are only 1440 minutes in a day, which slashes the range of values that HHmm can take.

Even if Equifax picked years from anywhere in the last century, the MMDDyyHHmm format would give just 365 × 100 × 1440 variations for a total of just over 50 million different PINs, rather than the 10 billion variations you might reasonably expect the security of the system to be based upon.

Of course, it’s much, much worse than that, because Equifax uses the time of your freeze application to lock in your PIN.

At the time of writing, the breach announcement happened about three days ago – and there are fewer than 5000 minutes in three days.

If you froze your credit files since the announcement, the odds of guessing your PIN correctly aren’t one in ten billion; they’re better than one in 5000.

If we assume that you didn’t freeze your credit files while you were asleep, and that you took at least a few hours to get round to applying for a freeze after hearing the news and deciding what to do, then the odds of guessing the PIN are even better still (better for the crooks, I mean; worse for you).
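To make the keyspace arithmetic above concrete, here is an added Python example (ours, not code from the article or from Equifax) that models the MMDDyyHHmm scheme the article describes next to a PIN drawn from the operating system’s CSPRNG, and counts how many distinct values each can take. The function names, the announcement time and the three-day window are assumptions for illustration; the formula 365 × years × 1440 and the one-value-per-minute count are the article’s own.

```python
import math
import secrets
from datetime import datetime

MINUTES_PER_DAY = 24 * 60  # 1440


def timestamp_pin(when: datetime) -> str:
    """Model of the scheme the article describes: the PIN is the freeze time as MMDDyyHHmm."""
    return when.strftime("%m%d%y%H%M")


def random_pin(digits: int = 10) -> str:
    """A PIN worthy of the name: each digit comes from the OS CSPRNG (secrets, never random),
    so all 10**digits values are equally likely and nothing about the user or the clock leaks into it."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))


def keyspace_random(digits: int = 10) -> int:
    """Number of distinct values a uniformly random numeric PIN can take."""
    return 10 ** digits


def keyspace_timestamp(years: int = 100) -> int:
    """Distinct MMDDyyHHmm values when the year could be any of `years` years.
    Only real dates count (365 a year, ignoring leap days as the article does) and only 1440 minutes a day."""
    return 365 * years * MINUTES_PER_DAY


def keyspace_since(announcement: datetime, now: datetime) -> int:
    """Distinct values when the freeze is known to have happened after the breach announcement: one per minute."""
    minutes = int((now - announcement).total_seconds() // 60)
    return max(minutes, 1)


def entropy_bits(keyspace: int) -> float:
    """Guessing difficulty in bits: log2 of the number of equally likely values."""
    return math.log2(keyspace)


def compare(announcement: datetime, now: datetime) -> dict:
    """Keyspace size and bit strength for the three cases discussed in the article."""
    cases = {
        "random 10 digits": keyspace_random(),
        "any timestamp in a century": keyspace_timestamp(),
        "timestamp since announcement": keyspace_since(announcement, now),
    }
    return {name: (n, round(entropy_bits(n), 1)) for name, n in cases.items()}


if __name__ == "__main__":
    # Constructed example values: a freeze at 5pm on 8 September 2017 (the article's own example),
    # and an assumed three-day window between the announcement and "now".
    freeze = datetime(2017, 9, 8, 17, 0)
    print("timestamp-derived PIN:", timestamp_pin(freeze))  # 0908171700
    print("random PIN:           ", random_pin())
    announced, now = datetime(2017, 9, 7, 17, 0), datetime(2017, 9, 10, 17, 0)
    for name, (n, bits) in compare(announced, now).items():
        print(f"{name:30s} {n:>14,d} values  ({bits} bits)")
```

Run stand-alone it prints the three keyspaces: ten billion values (about 33 bits), just over 52.5 million for a timestamp anywhere in a century (about 25.6 bits), and 4320 for a freeze performed in the three days after the announcement (about 12 bits), which is the gap the article is describing. The only line that matters for a fix is `random_pin`: the strength comes from the uniform draw, not from the digit count.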

And that’s not the worst of it.

Because of the way the PIN-generating algorithm works, any timestamped logs of your activity on the Equifax systems that relate to your freeze (and computers generate a lot of timestamped logs) are effectively improperly secured copies of your PIN.

In other words, any PIN that’s generated like this just isn’t a PIN.

Our own Paul Ducklin put it this way:

The P in PIN is for Personal. It is by definition not a PIN if anyone else but you can figure it out by any method better than blind luck – for example by predicting it or retrieving it from a database.

Banks, he points out, don’t do it this way.

That is why banks issue ATM cards for which the PIN:

  • Is chosen by you privately when the card is encoded at the bank, or
  • Is generated randomly and printed using a tamperproof mailer that is sent to you separately from the card.

The PIN itself is not stored by the bank in plaintext form.

Equifax’s system ought to work that way. After all, those “freeze PINs” are essentially Equifax’s digits-only equivalent of, say, your Facebook or your email password.

Sadly, none of this comes as much of a surprise. As Forbes reports, Equifax have struggled with creating secure PINs before. In 2016 the company had to fix a serious flaw in the way it generated PINs issued to client employees:

[the PINs] consisted of the last four digits of an individual’s social security number and their four-digit year of birth

What next?

Unfortunately there is nothing you can do about this; it’s all on Equifax. Freezing your credit files remains your best course of action, but you should know that the freeze is not as well protected as it should be.

The question is, what will Equifax do next? We think it needs to:

  • Acknowledge that its PINs are not fit for purpose and fix them.
  • Ensure that PIN entry is “rate limited” to prevent online guessing attacks.
  • Promise to tell you if your PIN is hit by a guessing attack.
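Paul’s description of how banks handle PINs (never stored in plaintext) and the rate-limiting and notification items in the list above fit together in one server-side design. The following Python class is an added example of ours, not Equifax’s code or the bank system Paul describes: it keeps only a salted PBKDF2 hash of each PIN, refuses further attempts once a threshold of failures is reached within a time window, and records an alert for the account holder when that threshold is hit. The class name, the thresholds and the injected `now` clock are assumptions for illustration.

```python
import hashlib
import hmac
import secrets


class PinVault:
    """Stores PINs as salted PBKDF2-HMAC-SHA256 hashes, rate-limits verification,
    and records an alert whenever an account is locked by repeated failures."""

    def __init__(self, max_attempts: int = 5, window_seconds: float = 900, iterations: int = 100_000):
        self.max_attempts = max_attempts   # failures allowed inside the window before lockout
        self.window = window_seconds       # lockout window, assumed value
        self.iterations = iterations
        self._records = {}    # user -> {"salt": bytes, "hash": bytes}; no plaintext anywhere
        self._failures = {}   # user -> timestamps of recent failed attempts
        self.alerts = []      # (user, time) whenever the lockout threshold is reached

    def _derive(self, pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, self.iterations)

    def enrol(self, user: str, pin: str) -> None:
        """Issue-time: remember only a per-user salt and the derived hash."""
        salt = secrets.token_bytes(16)
        self._records[user] = {"salt": salt, "hash": self._derive(pin, salt)}

    def stored_record(self, user: str) -> dict:
        """What a database dump or log line could reveal: salt and hash only."""
        return dict(self._records[user])

    def _recent_failures(self, user: str, now: float) -> list:
        cutoff = now - self.window
        self._failures[user] = [t for t in self._failures.get(user, []) if t > cutoff]
        return self._failures[user]

    def verify(self, user: str, pin: str, now: float) -> tuple:
        """Returns (accepted, reason). Locked accounts reject even the right PIN until the window passes."""
        if user not in self._records:
            return (False, "unknown_user")
        failures = self._recent_failures(user, now)
        if len(failures) >= self.max_attempts:
            return (False, "locked")
        rec = self._records[user]
        # Constant-time comparison so timing does not leak how many bytes matched.
        if hmac.compare_digest(self._derive(pin, rec["salt"]), rec["hash"]):
            self._failures[user] = []
            return (True, "ok")
        failures.append(now)
        if len(failures) >= self.max_attempts:
            self.alerts.append((user, now))   # the "tell you if your PIN is hit" commitment
        return (False, "wrong_pin")


if __name__ == "__main__":
    # Constructed demo: one user, a threshold of three failures in a minute.
    vault = PinVault(max_attempts=3, window_seconds=60, iterations=10_000)
    vault.enrol("alice", "4829103756")   # constructed PIN, not a real one
    for attempt, pin in enumerate(["0000000000", "1111111111", "2222222222", "4829103756"]):
        print(attempt, vault.verify("alice", pin, now=float(attempt)))
    print("alerts:", vault.alerts)
    print("verify after window:", vault.verify("alice", "4829103756", now=120.0))
```

Two caveats a practitioner should keep in mind. Hashing does not rescue a small keyspace: with only ten billion candidates, a leaked table of PIN hashes can be searched offline, so the random PIN and the server-side rate limit are what actually carry the security, while the hash stops plaintext copies ending up in logs and backups (the failure the article describes). And the lockout must count failures per account, not per source address, or a distributed guessing run would never trip it.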

We’d also like to see Equifax commit to implementing the “right to deletion” of your data that GDPR will enshrine in Europe next year, even if US laws do not require it.

Remember, Equifax CEO Rick Smith said in his announcement about the breach that Equifax “will not be defined by this incident, but by how we respond”.

Update on 2017-09-11:

The New York Times reports that Equifax is changing the way it generates PINs.

On Sunday afternoon, in an emailed statement, an Equifax spokesman, Wyatt Jefferies, said … that the company would soon be changing the PIN generation and reset request process.

“While we have confidence in the current system, we understand and appreciate that consumers have questions about how PINs are currently generated,” he wrote. “We are engaged in a process that will provide consumers a randomly generated PIN. We expect this change to be effective within 24 hours.”

That’s good news and a commendably swift response. Let’s hope, though, that this new level of security applies to everyone and not just to the people who freeze their credit files from today. Everyone who has been issued a PIN in the last ten years deserves a randomly chosen replacement.

In time Equifax will also need to explain why such an obviously flawed approach (one that appears to have been fixed in a weekend) went unaddressed for at least a decade.


29 Comments

I froze my Experian account a while back and my PIN does not match the format listed in this article.

That’s good to hear, but this is about Equifax not Experian.

Unfortunately this is about potential misuse of our personally identifiable information which can impact any credit reporting agency record thanks to Equifax. Because of this we are not being advised to freeze only Equifax accounts but our accounts at each of the four main credit bureaus. So it would be good to know how secure the other agencies’ PINs are. It would be even better if we would submit complaints en masse to the Consumer Financial Protection Board (CPFB) for corrective action.

Looks like all the credit agencies are selling identity theft monitoring services. Another coincidence?

“Chex Systems” is the 5th-place credit rating agency in the US. They also offer a security freeze.

I froze my Equifax files when I heard about the hack, I was allowed to create my own pin.

Not me, they selected for me but they were random numbers not DOB or date stamp. Experian and TransUnion let me choose though.

I just did it three times (for wife and son), and it did not allow me to choose a password. So, perhaps there’s a browser-dependent piece? I’m using IE 11.

Equifax has also botched the security of its new breach check website, which has certificate chain failures.

And we allow these incompetent people to be the guardians of our credit history? The only thing even more ridiculous is the fact that we’ve allowed our SSNs to become a de facto national identification number. It’s time to scrap the SSN as having any link at all to a person’s credit or identification; that terrible policy is the apex of identity theft problems like these.

Financial Institutions seem very casual about security practices.
I get notifications of AGMs and am urged to vote online “using the account number AND the security code printed at the top of this notification”.
How is an 8 digit account number made any more secure by printing the 6 digit “security code” on the same piece of paper – in effect it is a 14 digit public ID!

I suppose it is a sort of password, given that your account number is essentially a matter of public record (many companies publish their account numbers to facilitate incoming payments).

If we assume that an account number can’t be considered to be secret, then printing it on the same letter as the security code is kind of irrelevant – the security code is the only secure part of the process, so your vote is no more or less secure than the letter on which the six-digit code is printed…

Why would any identity thief bother with guessing credit freeze pin codes? Wouldn’t a skilled thief already have all the information needed to order a replacement pin? Especially if the thief had access to Equifax’s stolen data?

Well, what’s the best advice? Freeze only Equifax? Or freeze Equifax and Experian and TransUnion? And what’s this fourth one mentioned by anon?

And by the way, is Isaac really Fair?

So does this make the internet activity logs every US ISP is keeping now to sell everyone’s online browsing history an even more valuable resource since it would contain the timestamps of records of when users went to the www.freeze.equifax.com website?

Good point :-)

And a good reason to use the https link from the start – the ISP will see connections going to equifax DOT com but not the details of the URL, which is inside the HTTP request, which is encrypted.

Close them, delete ’em, freeze ’em. Better yet, don’t open or use accounts in the first place (i.e., maintain a small footprint). It’s that or accept the risk of breach, which appears to be growing logarithmically, and get ready to clean up the mess.

There are three main credit bureaus; Equifax, Experian, and Trans Union. Innovus is the fourth major consumer reporting agency with credit reporting capabilities. There are many others and the list is growing with no complete central list being maintained. The CFPB has a short list from voluntary company disclosures on their web page and information on regulations governing them.

The really sad thing about breaches that disclose your PII is the huge number of individual accounts such stolen data can be used to access or create. Essentially, you can not count on use of your PII as a means to secure your assets.

I predict Equifax will be out of business in less than a year because of this. And, it seems to be, our response should be “good riddance”.
If a company makes its money selling personal information, then they darned well better keep that information secure. They needed to be watching their data every single day, and clearly they weren’t.
Companies get hacked. But, companies in the personal info business should be on an extremely short leash.
I locked every account I’m responsible for (me, my wife, and my son with Down Syndrome), and I recommended to my kids to do the same. And, I’m telling friends as I talk to them. I hope the message gets around, because Equifax clearly cannot be trusted with personal data any more.
If any business I have to deal with uses them, my response is going to be “please use one of the other services, because that one will never be allowed to dispense my information again.”

I agree, lock it and never unlock…creditors can use another service. If every body did this they would be out of business in no time.

I put a freeze on my credit with Equifax and supposedly a pdf document should have downloaded at the end. I went to the download center and it says the document failed to download. Great. I can’t wait to get into an argument with someone’s supervisor tomorrow.

I just did the same thing. Cannot print the pdf and get the pin. Acrobat and Microsoft. So how do I unfreeze if necessary, cannot even find a number for a live person and this problem not in FAQ.

I had the same problem where the PDF failed to display. Fortunately, I found the PDF located in the browser cache folder, and was able to manually open it and get the PIN. What I did:
– Open a cmd prompt
– C: (assumes your Windows profile is on C:)
– cd %LOCALAPPDATA% (or manually CD to your profile folder)
– dir *.pdf /s
– Look for a PDF created around the time of your freeze. Mine was named SFF[1].pdf.
– Use Acrobat to verify the PDF.
– Copy this PDF somewhere safe.

Hopefully this helps others!

me too…. no PDF! :-( It didn’t even give me any confirmation until it finally asked me if I wanted to LIFT the freeze!!!

HA! You can easily guess your own credit freeze PIN if you know the time & date when you pushed that submit button. MMDDYYHHMM. It is in East Coast time, btw.

Same thing. I clicked on the link to download the .pdf, another webpage popped up and served me a “System Currently Unavailable – Error 500”. So, I never was able to view the .pdf and hence, never received the PIN #.

The same thing happened to me. Now my only options to get my PIN are to verbally give someone in a loud call center somewhere my SSN over the phone, or mail Equifax a copy of my passport or drivers license. I’m not comfortable doing any of this.

no pdf in cache, alas, thanks, anyhoo………. I don’t even know when the freeze happened, or even IF it did, since I have been trying the site for days now

Accounts frozen for the 3 major US entities once the effective DoS caused by all of us hitting the sites after heavy news coverage of the breach. My experience as of 15 September: Equifax generated a 10-digit, seemingly random, PIN as did Experian. On the other hand, TransUnion required a user-generated 6 digit numerical code whether it was done online or by phone (one done each way). However, Experian also required creation of an account. Because of where I live, etc., there was no charge for any of this, nor, it says, for thawing the freeze, when needed.

It is troubling that a thief, once he has the data from Equifax, can still open accounts if the account provider verifies the information from one of the other services! The list of specialty credit bureaus I found numbered around 40 with the disclaimer that there are many others, so where do you stop??
