Equifax moves to fix weak PINs for “security freeze” on consumer credit reports

As Equifax moved to provide consumers the ability to protect their credit reports on the heels of a major data breach, some of the details of the company’s response were found lacking. As consumers registered and moved to lock their credit reports—in order to prevent anyone who had stolen data from opening credit in their name—they found that the security personal identification number (PIN) provided in the locking process was potentially insecure.

A number of customers discovered that the PINs generated by enrolling in Equifax’s TrustedID Premier Service were non-random and apparently sequential—in fact, they were essentially date-time stamps of the time of enrollment. Such PINs could potentially be brute-forced by someone attempting to unlock a credit report for the purpose of identity theft.
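The gap between a timestamp PIN and a random one can be measured. The sketch below is an added example, not Equifax's code and not part of the original article: it assumes a 10-digit month-day-year-hour-minute layout (the article only says the PINs were "essentially date-time stamps") and uses constructed dates, then provides an audit check for timestamp-shaped PINs, the size of the space such a scheme can issue from, and a CSPRNG-based generator for comparison.

```python
import math
import secrets
from datetime import datetime, timedelta

PIN_DIGITS = 10
TS_FORMAT = "%m%d%y%H%M"  # assumed layout, for illustration only


def timestamp_pin(enrolled_at: datetime) -> str:
    """The weak scheme: the PIN is simply the enrollment time."""
    return enrolled_at.strftime(TS_FORMAT)


def random_pin() -> str:
    """Hardened scheme: every digit drawn from the OS CSPRNG."""
    return "".join(secrets.choice("0123456789") for _ in range(PIN_DIGITS))


def looks_like_timestamp(pin: str, earliest: datetime, latest: datetime) -> bool:
    """Audit check: does the PIN parse as a time inside the enrollment window?"""
    if len(pin) != PIN_DIGITS or not pin.isdigit():
        return False
    try:
        parsed = datetime.strptime(pin, TS_FORMAT)
    except ValueError:
        return False
    return earliest <= parsed <= latest


def timestamp_space(window: timedelta) -> int:
    """Distinct PINs the weak scheme can issue in a window (one per minute)."""
    return int(window.total_seconds() // 60) + 1


def bits(space: int) -> float:
    """Entropy in bits of a uniform choice from `space` values."""
    return math.log2(space)


if __name__ == "__main__":
    opened = datetime(2017, 9, 8, 0, 0)      # constructed enrollment window start
    week = timedelta(days=7)
    pin = timestamp_pin(opened + timedelta(hours=15, minutes=30))
    print(pin, looks_like_timestamp(pin, opened, opened + week))
    print(f"timestamp scheme: {bits(timestamp_space(week)):.1f} bits")
    print(f"random 10 digits: {bits(10 ** PIN_DIGITS):.1f} bits")
```

Run over issued PINs, `looks_like_timestamp` returning true for most of them is the signal that the generator is deriving values from the clock rather than from a random source.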

Equifax is moving to improve the PIN generation process. In response to an inquiry from Ars, an Equifax spokesperson said:


Read the original at Ars Technica.