
So everybody has been talking about "freezing" your Equifax account for a little bit of protection... Well it turns out the Equifax security freeze PIN (which is all the "secret" info an attacker needs to unfreeze it) is just the date & time: MMDDYYHHMM! https://mobile.twitter.com/webster/status/906346071210778625



If this is true (and it looks like it is), this is absolutely insane. For me this puts Equifax into beyond negligent territory.


But would not an attacker then have to know the exact minute that you froze your account on? If you have only a few tries to unlock your account, how would an attacker possibly guess it?


525,600 possible PINs for a whole year is staggeringly tiny.

1440 tries max if you know the day. 720 if you know if it was day or night. Botnet and/or proxies can do the rest.
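An added example, not part of the thread and not Equifax's code: it puts the MMDDYYHHMM scheme described in the post beside a CSPRNG-generated 10-digit PIN, compares their keyspaces in bits, and gives an audit check that flags a batch of issued PINs whose values parse as timestamps. All function names and the sample date are constructed for illustration.

```python
import math
import secrets
from datetime import datetime

FMT = "%m%d%y%H%M"               # MMDDYYHHMM, the format named in the post
MINUTES_PER_YEAR = 365 * 1440    # 525,600, the figure quoted in the thread


def timestamp_pin(issued_at: datetime) -> str:
    """Weak scheme from the post: the PIN is just the issue time."""
    return issued_at.strftime(FMT)


def random_pin(digits: int = 10) -> str:
    """Hardened alternative (assumption): uniform digits from a CSPRNG."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))


def looks_like_timestamp(pin: str) -> bool:
    """True if a 10-digit PIN is a valid MMDDYYHHMM calendar value."""
    if len(pin) != 10 or not pin.isdigit():
        return False
    try:
        datetime.strptime(pin, FMT)
        return True
    except ValueError:           # month 13, Feb 30, hour 25, ...
        return False


def timestamp_fraction(pins) -> float:
    """Share of a batch of issued PINs that parse as timestamps.

    Uniform random 10-digit PINs land near 0.005; a time-derived
    scheme lands at 1.0.
    """
    pins = list(pins)
    return sum(looks_like_timestamp(p) for p in pins) / len(pins)


def keyspace_bits(keyspace: int) -> float:
    """Guessing entropy in bits for a uniformly chosen value."""
    return math.log2(keyspace)


if __name__ == "__main__":
    sample = timestamp_pin(datetime(2017, 9, 8, 14, 32))  # constructed date
    print(sample, looks_like_timestamp(sample))
    print(f"one year of timestamps: {keyspace_bits(MINUTES_PER_YEAR):.1f} bits")
    print(f"random 10 digits:       {keyspace_bits(10**10):.1f} bits")
```
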


Has anyone notified them of this buffoonery?



