As Equifax moved to provide consumers the ability to protect their credit reports on the heels of a major data breach, some of the details of the company’s response were found lacking. As consumers registered and moved to lock their credit reports—in order to prevent anyone who had stolen data from opening credit in their name—they found that the security personal identification number (PIN) provided in the locking process was potentially insecure.
A number of customers discovered that the PINs generated by enrolling in Equifax’s TrustedID Premier Service were non-random and apparently sequential—in fact, they were essentially date-time stamps of the time of enrollment. Such PINs could potentially be brute-forced by someone attempting to unlock a credit report for the purpose of identity theft.
OMG, Equifax security freeze PINs are worse than I thought. If you froze your credit today 2:15pm ET for example, you’d get PIN 0908171415.
— Tony Webster (@webster) September 9, 2017
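To make the scale of the weakness concrete, here is an added Python example (written for this page, not code from Equifax or from the article) that reproduces the assumed PIN layout, flags PINs that decode as timestamps, and compares the effective keyspace of such a PIN with that of a PIN drawn from the operating system's CSPRNG. The MMDDYYHHMM layout, the `timestamp_pin`, `looks_like_timestamp`, `candidate_space` and `secure_pin` names, and the window sizes are all assumptions; the layout is inferred only from the tweet's example, under which 0908171415 decodes as 8 September 2017, 14:15.

```python
"""Added example: why a timestamp-derived PIN is weak, and what to use instead.

Assumption: the PIN layout is MMDDYYHHMM, inferred from the tweet's example
(0908171415 for 2:15pm on the day of enrollment). Nothing here is Equifax code.
"""
import math
import secrets
from datetime import datetime, timedelta

PIN_FORMAT = "%m%d%y%H%M"   # assumed layout: month, day, 2-digit year, hour, minute
RANDOM_SPACE = 10 ** 10      # every 10-digit string is possible for a random PIN


def timestamp_pin(enrolled_at: datetime) -> str:
    """Reproduce the weak scheme: the PIN is simply the enrollment time."""
    return enrolled_at.strftime(PIN_FORMAT)


def looks_like_timestamp(pin: str) -> bool:
    """Audit check: does a 10-digit PIN parse as a plausible MMDDYYHHMM time?

    Useful when reviewing a batch of issued PINs: a high hit rate means the
    generator is (or was) deriving PINs from the clock rather than from a CSPRNG.
    """
    if len(pin) != 10 or not pin.isdigit():
        return False
    try:
        datetime.strptime(pin, PIN_FORMAT)  # raises ValueError on an impossible date/time
    except ValueError:
        return False
    return True


def candidate_space(window: timedelta) -> int:
    """Number of distinct timestamp PINs possible if the enrollment time is
    known to lie inside `window` (one PIN per minute, since seconds are not encoded)."""
    return max(1, int(window.total_seconds() // 60))


def entropy_bits(space_size: int) -> float:
    """Effective entropy of a PIN drawn uniformly from `space_size` candidates."""
    return math.log2(space_size)


def secure_pin(ndigits: int = 10) -> str:
    """Mitigation: digits drawn independently from the OS CSPRNG (the `secrets` module)."""
    return "".join(secrets.choice("0123456789") for _ in range(ndigits))


def weakness_report(window: timedelta) -> dict:
    """Compare a timestamp PIN (enrollment time known to within `window`)
    against a uniformly random 10-digit PIN."""
    weak = candidate_space(window)
    return {
        "timestamp_candidates": weak,
        "timestamp_bits": round(entropy_bits(weak), 2),
        "random_candidates": RANDOM_SPACE,
        "random_bits": round(entropy_bits(RANDOM_SPACE), 2),
        "random_is_x_times_larger": RANDOM_SPACE // weak,
    }


if __name__ == "__main__":
    # Constructed sample: the enrollment time that matches the tweet's example.
    sample = datetime(2017, 9, 8, 14, 15)
    pin = timestamp_pin(sample)
    print("timestamp PIN:", pin, "| decodes as a time:", looks_like_timestamp(pin))

    fresh = secure_pin()
    print("CSPRNG PIN:   ", fresh, "| decodes as a time:", looks_like_timestamp(fresh))

    for label, window in [("one day", timedelta(days=1)), ("one year", timedelta(days=365))]:
        print(f"enrollment time known to within {label}:", weakness_report(window))
```

A timestamp PIN whose enrollment day is known has roughly 10.5 bits of entropy (1440 candidates), and even a year-wide window gives only about 19 bits, against 33.2 bits for a uniformly random 10-digit PIN. The `looks_like_timestamp` check is a blunt audit heuristic: a random PIN can occasionally parse as a valid date, so it is meaningful over a batch of PINs, not for a single one.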
Equifax is moving to improve the PIN generation process. In response to an inquiry from Ars, an Equifax spokesperson said: