Equifax linked customers to my fake phishing version of their site by accident (twitter.com/thesquashsh)
499 points by ceejayoz on Sept 20, 2017 | 189 comments



(FYI mods this is a repost of my original submission: https://news.ycombinator.com/item?id=15294218)

Ideally Equifax will listen and either move it to equifax.com, or take down the site altogether. Since the real version seems to be answering randomly, they may as well just shut the whole thing down.

But seeing as they're a massive, bumbling, bureaucratic organization, there's probably a non-zero chance they'll try to sue me instead.

If there are any lawyers here, am I in potential legal hot water for making this site?


I am not a lawyer. I would strongly advise you to instead make it so obvious that the site is a lampoon. As in, when they enter, you respond with "This site is a mockery of Equifax. If you were led here by Equifax or any affiliate, you are at the wrong site. I'm sorry, I can't help you. I can reinforce that if your information was compromised, more people may be attempting to use this to phish additional people."


Try entering some fake data into the form and hitting "Continue". I put a pretty clear message there, but I guess I can also put it elsewhere.


Your site doesn't use https. It's a bit late to put the clear message after people send sensitive data over an insecure connection.


Check again, there was a short period of a few minutes without https when I switched off Cloudflare, but now all http requests are redirected to https.


Glad that wasn't the case while your site was still phishing!


Yep. Even though it posts to https://127.0.0.1 since the page itself isn't https it could have scripts injected into it over the wire.


Despite having 127.0.0.1 in the action field, the form does not actually submit, you can verify with the dev tools.


If scripts were injected into it, how do you know the form would not submit?


The problem was corrected. It's not the site owner's fault Equifax can't link to the correct site.


No form data is sent. Only an active MiTM would make this a risk.


But the server page with the form could be MiTM, is the point.


Devil's advocate: how does anyone know you're not actually phishing with this site?


You can watch the network using the network tab in devtools. No data is sent on the form's page.



My point is, a layman may not know that, a judge may not care.


>a judge may not care

Why? This seems like clear and compelling evidence that the site was not designed to actually phish.


Was the site not designed to actually phish?

- The site contains Equifax's heading, uses their branding, and is highly similar to the actual website

- The site is hosted on a domain that is very similar to the actual website and uses Equifax's name

- The site instructs users to enter PII on it under the guise of being Equifax.

It could be argued that the creator of the site created this to determine whether people were being phished by it before activating the actual collection of data.

Additionally, in Chrome, when I fill out the form and get the alert box, when I dismiss the alert box, two requests are made to the domain:

https://securityequifax2017.com/eligibility/images/favicon-3... https://securityequifax2017.com/eligibility/images/favicon-1...

If an onSubmit handler is attached to the form submit that sets a cookie with this information before showing the alert, then the phished details are transmitted to securityequifax2017.com.

Lawyers will C&D this extremely hard, a very reasonable case can be made that this is impersonation, and a phishing site with malicious intent.

NB: I DO NOT BELIEVE THAT THIS IS THE CREATOR'S INTENT. So do not jump at me thinking that I do believe that. I'm just saying that it could be very reasonably and successfully argued, and that nuance and intent could do very little to spurn allegations of impersonation or actual phishing.


Except that the data isn't actually submitted. Look at the dev console network tab. Those are favicon images. smh


Your cookies are submitted with requests for anything from a site, favicon images included. Setting a cookie in JS that contains events performed on a webpage is a trivial exercise and you shouldn't assume that that doesn't happen in a case such as this.


What if it only sends HTML that sends data back under certain conditions? E.g. 1 in 1000 requests, at random. A security researcher is unlikely to hit the "bad" version but he can still phish 0.1% of victims.


Then, under U.S. law, this would need to be positively proven in court.

"What if"s don't produce convictions.


But you said "anyone" in a programmer-friendly thread.


Fair enough, I will be trampled by pedantry then!


A judge may not care about anything then. They may not care about a big disclaimer either.


If I were you I'd pop up an alert on clicking or tabbing into any of the form fields. It would get the message across without someone having to enter their private information into a page served over an insecure connection.


It was only briefly served via http while I switched off cloudflare, everything is redirected to https now.


That's great to hear. Good job making them look like the fools they are, by the way.


s/loose/lose on that alert box


Fixed, thanks.


The first thing you see on the site is giant text stating "Cybersecurity Incident & Important Consumer Information Which is Totally Fake, Why Did Equifax Use A Domain That's So Easily Impersonated By Phishing Sites?"

(Plus, Cloudflare's flagging it as phishing now, haha.)


I just took it off Cloudflare and switched to Letsencrypt. No biggie, I'm glad Cloudflare is proactive and flags things as phishing that fast.


You should force a redirect of anything http to the corresponding https URL. You can do it dynamically so it preserves any direct links in case you're worried about that.


Check it now.


equifaxsecurity2017.com sounds like such a scammy site too. It's exactly the kind of thing I'd expect a fake site to be named.

Why in the world wouldn't they just put it on their own domain?


Probably because they wanted to farm it out to some agency with zero dependencies on their known-incompetent internal IT team?

You're right of course, but I'm betting that was the motivation.


They could always farm out the new site and point a subdomain to it.

Something like https://breach.equifax.com


That would require ssl certs to be shared to the agency.

Agreeing with everyone though, it's a wrong reason, but I can fathom why someone would do it.


No, the outside agency can obtain a new cert for just that subdomain. They can even use letsencrypt! (Although they really should use EV for this type of site.)


You'd think even the world's most incompetent IT team could manage to point a subdomain at a remote server, but apparently not.


I have contracted at places where that would be a very formal request with tons of meetings and approval flows across purchasing, IT security, website ops, the design/branding team, etc. Weeks of lead time required.

Basically, the request signals all the little fiefdoms that it's their chance to weigh in.


Not without sending every user's equifax.com cookies to that outside agency's servers.


Hmm, point. Of course, there are tons of ways to get around that problem.


Can you share the best?


The first one that comes to mind would be to invalidate all existing cookies so that the ones accessible to the other server aren't useful. I wouldn't call that the "best" since invalidating cookies can be annoying for users, but I'm sure there are other ways.


If a user has a cookie for example.com (your domain) and types in vendor.example.com in the web browser, how would you invalidate these cookies before they are sent to the vendor? Or even after they are sent? I struggle a bit with seeing how this could be done in a secure manner.
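The cookie-scoping question in this sub-thread comes down to the RFC 6265 matching rules: a cookie set with an explicit `Domain=example.com` attribute is attached to requests for every subdomain, while a host-only cookie (no `Domain` attribute) is sent only to the exact host that set it. The following is an added example, not code from the thread; it implements those rules over a constructed cookie jar for a fictional example.com and an assumed vendor host to show which cookies would reach the outside agency.

```python
"""Which cookies a browser would attach to a request to a vendor subdomain.

Added example, not from the thread. Implements the RFC 6265 domain-match,
path-match and host-only rules and runs them over a constructed cookie jar.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str       # cookie-domain as stored (no leading dot)
    path: str
    host_only: bool   # True when Set-Cookie carried no Domain attribute
    secure: bool      # True when Set-Cookie carried the Secure attribute


def domain_match(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: host equals domain, or host ends with '.' + domain."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower()
    if request_host == cookie_domain:
        return True
    # The leading dot matters: notexample.com must not match example.com.
    return request_host.endswith("." + cookie_domain)


def path_match(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path matching."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        if cookie_path.endswith("/"):
            return True
        return request_path[len(cookie_path)] == "/"
    return False


def cookies_sent(jar, scheme: str, host: str, path: str = "/"):
    """Names of cookies the browser would attach to scheme://host/path
    (RFC 6265 section 5.4), sorted for stable comparison."""
    sent = []
    for c in jar:
        if c.host_only:
            # Host-only cookies go back only to the exact host that set them.
            if host.lower() != c.domain.lower():
                continue
        elif not domain_match(host, c.domain):
            continue
        if not path_match(path, c.path):
            continue
        if c.secure and scheme != "https":
            continue
        sent.append(c.name)
    return sorted(sent)


# Constructed jar for a fictional example.com; the vendor host used in the
# calls below (vendor.example.com) is an assumption for this example.
JAR = [
    # Set-Cookie: session=...; Domain=example.com; Secure  -> shared with all subdomains
    Cookie("session_domain_wide", "example.com", "/", host_only=False, secure=True),
    # Set-Cookie: session=...; Secure                       -> stays on www.example.com
    Cookie("session_host_only", "www.example.com", "/", host_only=True, secure=True),
    # Set-Cookie: prefs=...; Domain=example.com; Path=/account (not Secure)
    Cookie("prefs", "example.com", "/account", host_only=False, secure=False),
]


def leaked_to_vendor(jar, vendor_host: str = "vendor.example.com"):
    """Cookies that would reach the vendor host on an https request to its root."""
    return cookies_sent(jar, "https", vendor_host, "/")


if __name__ == "__main__":
    print("sent to www.example.com   :", cookies_sent(JAR, "https", "www.example.com"))
    print("sent to vendor.example.com:", leaked_to_vendor(JAR))
```

The practical takeaway matches the thread: only cookies scoped with a `Domain` attribute cross to the vendor subdomain, so the defensive fix is to issue session cookies host-only (no `Domain`) rather than to invalidate them after the fact.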


Never underestimate how incompetent people can be. When I was waiting for my South African visa application to go through, I had to check the status at a scammy-looking URL. The form would reload if you pressed enter, and pressing tab after the ID field would set the focus to the logo above it instead of to the password field below.


My guess was that they wanted to reduce the chance of news leaking before they announced it. If they're like other large companies I've seen from the inside, changes to the main website involve lots of meetings and lots of people/stakeholders.


I don't get it either.

<tangent>

A few days ago, I got a mail from PayPal about "changes in account". "Go to my account" was linked to https://www.secureserverpaypal.ssvahan.com/home. I've forwarded the mail to PayPal's spoofing address; they replied it's legit. Why would a legit PayPal activity be linked to an arbitrary domain? I don't get it. It makes zero sense.


It sounds like your mailbox and/or client is compromised (that, or someone is an idiot on PayPal's end). I would assume you're totally compromised and start with a new computer that's installed with ISOs obtained from different computers/networks, then change your passwords from there. There are probably guides you can follow online. But don't trust me: get the PayPal phone number from the PayPal site from somewhere like an Apple store or library and call them to ask about that URL yourself. The domain is not registered with the same provider and it's just super shady looking. Good luck.


Huh? How is receiving a phishing email evidence of compromise?


It seems very unlikely that PayPal's spoof email would validate an obviously spoofed domain. It could be that PayPal is completely phoning it in at this point but that's really egregious. Not that I think they're some amazing company, I'd even say they're downright evil based on past experiences.


Forwarding it to Paypal and getting a response that it's legit is certainly interesting.


For the record, not overly happy with the response, I've sent this follow-up to spoof@paypal.com:

>Hi there. Thanks for the quick response. I do have a question. Why would PayPal refer me to a form not hosted under PayPal domain? How can I tell it's a legit PayPal communication?

Expectedly, never got a response.


Would it be possible for you to post the source (or even just the headers) with your email scrubbed from the message you received from them the first time? Depending on your email provider they could fake that too but it might be worth a look.


Paypal support is useless at spotting fakes. I got a real paypal email (the received: headers and all embedded links pointed directly to paypal.com) but the email was not in my preferred language, and the disclaimer at the bottom said you can spot fake paypal emails by checking if they are in your preferred language. When I pointed this out, at first they claimed the email was fake. When I questioned them again and pointed to the received headers, they claimed the email was not fake and the language chosen was a bug. If paypal support can’t tell fakes from legit emails, how can regular users stand a chance at all!


That is not a legitimate website.


As of 5 hours after writing your comment, I get NXDOMAIN here (Australia, FWIW).

I would be confident to say that it was actively killed. Neat. Which is either a clear indication that PayPal finally did internally report the domain, or that some other source of noise got it shut down.


Obviously they're planning for additional incidents in 2018 and 2019 as well.


what happens if they get hacked again in 2017?


equifaxsecurity2017_final.com followed by equifaxsecurity2017_final_final2.com


This is wonderful, thank you.


Underscores are not legit in host names.


heh :) reminiscent of something like equifaxsecurity2017.PROPER.REPACK


I had the same suspicious impression of the domain name too --- I wonder what factors cause that, because it's clearly something not everyone has, and probably gained after years of web browsing. I think the two biggest things that stand out are:

    - Has "security" in its name

    - Has the current year

I can't explain exactly why I think those factors make it suspicious, however.


> I can't explain exactly why I think those factors make it suspicious, however.

I think I have an idea of why, though I haven't been able to articulate it properly yet.

I've been thinking about it a lot recently because I co-work with a bunch of digital marketers, and some of them have affiliate marketing sites with domains that follow the pattern http://yourexactsearchterm.com.

The best I can come up with is the Uncanny Valley of SEO, where it feels like a website was made and over-optimized specifically for people making my exact search query. Maybe this is unfair or confirmation bias, but I feel like those websites are the most likely to be low quality content farms (e.g. paying content writers pennies to regurgitate content they have no experience with and/or don't understand). Either that, or they are outright scams.

Do any digital marketers here have opinions about this?


"Uncanny Valley of SEO" sounds like the best explanation --- and in my experience, sites with names like you describe have also tended to be content farms.

It's not just domain names, but the paths in URLs too --- an entry with your-exact-search-term.html almost subconsciously gets skipped over when scanning search results, unless the search term is extremely specific and somewhat obscure or I'm specifically looking for a file/path (e.g. spc4r37.pdf)


I think it's because it smells like arbitrary-but-plausible-sounding additions to a domain name, picked until they hit one domain that wasn't taken yet.

Even worse would have been if they had used dashes: equifax-security-2017.com.

(plausible for those without the experience of "suspicious impression", of course)


IANAL, IANYL, TINLA but I can't imagine that using Equifax's name in your domain, using their branding and IP on your site, impersonating the site very strongly, or even presenting the option to enter sensitive info on your domain will end very well for you. I'd certainly have avoided it, or at least shown good will by having the site on that domain unambiguously say that it's not Equifax.


I just got domain-blacklisted by Chrome, so I'm going to take the site down. I think the point is made, and there are plenty of screenshots out there if people want to see it.



I might be missing something, what do you mean by "the real version is answering randomly"?


If you entered gibberish into the site, it seems it would randomly tell you if you were compromised or not.

https://techcrunch.com/2017/09/08/psa-no-matter-what-you-wri...


Since this signs you up for their ID protection, doesn't this count as fraud?


Just like everything else in regards to this issue - who knows? It's a noisy mess, and the only thing we can be sure of is that it's going to be a never-ending nightmare for a lot of people through absolutely no fault of their own, requiring constant vigilance for the rest of their lives, and the system that built and continues to support this monster isn't going away any time soon.


Fraud is basically lying for profit. There's no profit in putting gibberish into this form, so it's just lying.


I think GP means fraud on Equifax's end (by telling you you are compromised even though they shouldn't be able to tell you that since the data is fake) to get you to buy into their protection service.


I hadn't thought of that. If they're lying to get you to sign up for a paid service then that does indeed seem like pretty blatant fraud.


Does it? I thought it just tells you if you're compromised.


Behold! Today's National Gibberish Day.


International Gibberish Day - they still haven't even made an effort to identify those in Canada and the UK who were affected. It's a whole world of nonsense.


This tweet from Equifax to a website spoofing the correct website has been up since 6pm last night: https://twitter.com/Equifax/status/910265181976104960

At this point Equifax has repeatedly demonstrated nothing but contempt for people whose information they have compromised. When are the authorities going to padlock their doors and shut down this continuing criminally reckless enterprise?


It's beginning to look a lot like "retiring" both the CISO and CIO right in the middle of a major security news event... may have been another bad decision!

I'm with you, it's more criminal that after all they've flubbed, this company is even still allowed to operate, than that they lost all of our information to begin with.

Don't we have at least 3 major credit bureaus? Equifax should be shuttered immediately and with prejudice, the American credit system will be immediately better off and we can all live without this one. Shareholders be damned.


Do you think the other two are any better?


Is that really a question? No, I don't, I consider it to be unauthorized surveillance, but the fact is that Equifax blew this up, and now continues to demonstrate their organizational incompetence, while TransUnion and Experian are not really in the news this week.

Our system of credit operates on these bureaus, and we have two others that appear to be functioning properly. If I had one server that was obviously infested with hackers, but two others that were not obviously infested, assuming that I had isolated them properly and they did not have major parts that were in common, I'd start by unplugging the one that was already confirmed to be hacked.

I think it works the same way when corporations that surveilled 50% or more of the population demonstrate systematic incompetence basically without remorse, as in this case. They just need to be unplugged, immediately. (I'm not advocating we shut down the entire credit system, in other words, although I am terrified it may yet come to that.)


Actually they've tweeted the wrong link over 8 times, going all the way back to September 9th: https://twitter.com/MadcapOcelot/status/910533555494760449


> At this point Equifax has repeatedly demonstrated nothing but contempt for people whose information they have compromised.

Never attribute to malice that which is adequately explained by stupidity.

They've completely demonstrated incompetence, no contempt needed.


I am not sure what you think the definition of contempt is but from Google's definition (and example sentence) it is precisely the word to describe Equifax's behavior:

The feeling that a person or a thing is beneath consideration, worthless, or deserving scorn. "he showed his contempt for his job by doing it very badly"


>Sorry, that page doesn’t exist!

What'd the tweet say?



Fun fact from the trenches: I tried enrolling online for their post-hack free 1 year identity monitoring offer, but when it came time to verify myself by answering questions they clearly started asking me questions about someone else's profile because none of the questions made any sense. Then when I answered wrong (of course, because I'm not whoever that person is) I was given a phone number to call instead.

Combine that info with https://techcrunch.com/2017/09/08/psa-no-matter-what-you-wri... and it's enough to throw one into paroxysms.

This chaos is maddeningly absurd, and in a just world their business would be completely shut down by the government.


>but when it came time to verify myself by answering questions they clearly started asking me questions about someone else's profile because none of the questions made any sense

Just a note, this most likely is not what happened. Identify verification questions typically will ask questions like "Who is your current house mortgage with?" when you have none and they will include a "None of the above" answer, which you're supposed to pick. It's totally intentional.


When I went through one of these there was NO none of the above answers. Basically, you're screwed because you realize they are asking about someone else who was at your address 50 years ago, who drives a motorcycle (no option to say no such thing), has 3 kids who had college loans (no answer to say no such thing), and is on their 3rd housing mortgage (no option to say no such thing).


And what else can you do? You select randomly and then pass the 'id verification' with flying colours, and then on the phone with the customer service rep, you verbally refute each one. The service rep says that they don't see any of that on their end.

Basically, it's like a web script that's not hooked up to anything in the backend... Like their recent "has your information been leaked" web forms.

I suspect that's the case across the entire industry.


I recently tried to dispute something on my Equifax report and I could not get past the verification stage. The answers to all the questions were obvious, but after failing the verification several times, I started wondering, "Did I open an account with x, y, or z back in 2011?"


The best ones are where you did legitimately open a credit line 20 years ago with some store but the list of options only include the backing bank's name ("BANCORP BANK, INC").


I had an interesting experience with these 'trick questions' doing the Creditkarma signup - I was asked four questions, three of which were fakes ('none of the above'), only the last question was legitimate. Either that's a random edge case, or a very sneaky intentional design...


Barclays' "3D Secure" asks two questions when verifying an online purchase and I can only recall a single occasion when one wasn't 'none of the above'.

It does ask for your sort code as a third question though, that's a one in four chance if you were picking randomly.


I've done identity verification dozens of times. I know how that works. The questions they asked were more specific and therefore more wrong. More along the lines of "Who owns the mortgage on your house at address 1234 Abcd Rd, Somecity, Somestate, 991234?" and "You made your last college loan payment on <wrongdate>. Which lender was it to?" Because my thought is "House? Where? When?" And when that happens for every question one gets miiighty suspicious.


Most of those questions have a real answer available. They'll occasionally toss in ones where you have to enter "none," but most aren't like that. If you got something where every single correct answer was "none," something probably got screwed up. Otherwise it would be way too easy to spoof!


Yes, but man is it confusing. The question should be something like "Do you have a home mortgage and if so who is it with?"


It's supposed to look real so people who aren't you fail the question. They will think, "well he lives near X or uses Y for something else, so it's probably that one". There isn't any indication that it may be false.


I don't understand your complaint at all. Phrasing the question differently doesn't deter people who are guessing, but it does deter people who don't understand what is being asked! People clearly (myself included) get confused at those questions and think they're incorrect - so change the question. Doing so doesn't make it harder to guess the answer, but it does make it easier to show that you know the right answer.


Also, another crazy thing is that freezing your credit is meaningless with Experian. You and/or any hacker can get your freeze PIN by using your personal info that is now public. They don't even bother with any two-way verification offering!

https://www.experian.com/ncaconline/freezepin

We are so screwed by these laggards!


>and in a just world their business would be completely shut down by the government.

They should apply HIPAA rules to data that can be used for identity theft.


For the uninitiated (as I was): it’s a set of rules that determine how medical records must be stored, and the consequences associated with leaking them: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/ad...

Page 24 specifies “Amount of a civil money penalty”.


> in a just world their business would be completely shut down by the government.

Or, hopefully, just sued into bankruptcy.


Beware! If you sign up for their free identity monitoring, they make you forfeit your right to sign onto a class action lawsuit over the breach!


On mobile now, but they clarified somewhere that the forfeiture does not apply to this particular hack, after getting a lot of heat.


That's right. You'd only be forfeiting the right to sue in the event that they get hacked again. Which to be fair is looking decently probable at this point.

Edit: I would like to know at this point, which got taken down faster after it was first reported on... This tweet, or the perfectly fine video interview of CISO Susan Mauldin with the Cazena CEO from 2016 before the breach? That one went down quickly after it was reported on by Hollywood LA News.

It's gotta be close. I believe that both were taken down in less than 24 hours.


Glad to hear that! Thanks for giving clarification.


> Mr. Sweeting explained in his email that a Linux command, “wget,” allows anyone to download the contents of a website, “including all images, HTML, CSS, etc.”

According to my research [0], this is the second time in New York Times history that the word "wget" has appeared in the NYT.

The first time was in 2014:

https://www.nytimes.com/2014/02/09/us/snowden-used-low-cost-...

> Evidence presented during Private Manning’s court-martial for his role as the source for large archives of military and diplomatic files given to WikiLeaks revealed that he had used a program called “wget” to download the batches of files. That program automates the retrieval of large numbers of files, but it is considered less powerful than the tool Mr. Snowden used.

[0] http://query.nytimes.com/search/sitesearch/#/wget/since1851/...


I'm a huge wget fan! It's the core tech inside my archiving tool: https://github.com/pirate/bookmark-archiver


Very nice. I've been using wget by itself to archive various government pages, but that approach is reaching its end-life with JS-heavy sites becoming more prevalent. You use headless Chromium for screenshots; is it possible to use it to execute a page's JS and save the resulting HTML?


Yes, headless chrome `--dump-dom` allows you to dump the <body> html after the page loads. I opted not to do that in bookmark-archiver since glueing it back to the <head> code to get a working static page was complicated and error prone.


It would be interesting to see a count for cURL :)


http://query.nytimes.com/search/sitesearch/#/cURL/since1851/...

Sadly the search is not case sensitive, so a lot of the recent hits are hurricane paths curling...


I implemented a credit check API connection to Equifax recently. The response data was encoded as a stream of offset-based text, with some offsets dynamically changing based on fields in the already-parsed data. Lots of work to write a parser for it.

We initially asked them if they had an updated version of this API using XML or JSON, and it turned into a call with several of their salespeople trying to upsell us on some complicated drag and drop rules engine that happened to return data as JSON. So we just stuck to the legacy API. They struck me as a pretty incompetent organization.


That's not incompetent -- that's Enterprise!


A text file is not Enterprise. Real Enterprises would have a binary format embedded inside XML.

  <?xml version="1.0"?>
  <enterprise>[the octets of an access database, interpreted as latin-1 and then encoded into utf-8]</enterprise>


You forgot the part where that XML is itself embedded inside another XML, and by "embedded" I mean "as a quoted text node". So:

   <enterprise>&lt;no-really-enterprise&gt; ...


> interpreted as latin-1 and then encoded into utf-8

It troubles me how true this is.


That sounds like a very weird format.

Care to post a mini-example with fake data so we can better understand what you are describing?


It sounds like an X12-style EDI format. They'll frequently have fields (or parts of fields) that can enable alternative blocks that may be of a different size. I had to write and maintain EDI interfaces for four years at a major retailer: there's a good business in transforming those documents.


I guess something like:

    First name
    Last name
    Credit score
    Debtor bank
    Debts
    Bank balance

but:

    First name
    Middle name
    Last name
    Credit score
    Bank balance

So subsequent fields change depending on what fields came before. Something like that.
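The guessed layout above, and the "offsets dynamically changing based on fields in the already-parsed data" description it responds to, can be made concrete with a cursor-based parser. This is an added example with a constructed record layout of my own, not Equifax's actual format (which the thread does not describe in detail): a one-digit name-part count and a one-digit debt count, both parsed early in the stream, decide how many fixed-width blocks follow, so the offset of every later field depends on data already parsed. The parser also rejects truncated and malformed records rather than silently reading the wrong offsets.

```python
"""Parser for a constructed offset-based credit record (added example).

Layout, all fields fixed-width and concatenated with no separators:
  name_count (1 digit: 2 or 3) | name parts (10 chars each) |
  score (3 digits) | debt_count (1 digit) |
  per debt: creditor (10 chars) + amount in cents (8 digits) |
  balance in cents (10 digits)
"""

NAME_W = 10       # each name part: 10 chars, space padded
SCORE_W = 3       # credit score: 3 digits
CREDITOR_W = 10
AMOUNT_W = 8      # cents, zero padded
BALANCE_W = 10


class RecordError(ValueError):
    """Raised when a record is truncated or a field is not what the layout requires."""


class Cursor:
    """Tracks the current offset into the record and refuses to read past the end."""

    def __init__(self, data: str):
        self.data = data
        self.pos = 0

    def take(self, width: int, field: str) -> str:
        end = self.pos + width
        if end > len(self.data):
            raise RecordError(f"record truncated while reading {field!r} at offset {self.pos}")
        chunk = self.data[self.pos:end]
        self.pos = end
        return chunk

    def take_int(self, width: int, field: str) -> int:
        raw = self.take(width, field)
        if not raw.isdigit():
            raise RecordError(f"field {field!r} at offset {self.pos - width} is not numeric: {raw!r}")
        return int(raw)


def parse_record(line: str) -> dict:
    """Parse one record; later field offsets depend on the counts read earlier."""
    cur = Cursor(line)
    name_parts = cur.take_int(1, "name_count")      # 2 = first/last, 3 = first/middle/last
    if name_parts not in (2, 3):
        raise RecordError(f"unsupported name_count {name_parts}")
    names = [cur.take(NAME_W, f"name[{i}]").strip() for i in range(name_parts)]
    score = cur.take_int(SCORE_W, "score")          # offset 21 or 31 depending on name_count
    debt_count = cur.take_int(1, "debt_count")
    debts = []
    for i in range(debt_count):
        creditor = cur.take(CREDITOR_W, f"creditor[{i}]").strip()
        cents = cur.take_int(AMOUNT_W, f"amount[{i}]")
        debts.append((creditor, cents))
    balance = cur.take_int(BALANCE_W, "balance")
    if cur.pos != len(line):
        raise RecordError(f"{len(line) - cur.pos} trailing chars after record")
    return {"names": names, "score": score, "debts": debts, "balance_cents": balance}


def is_well_formed(line: str) -> bool:
    """True when parse_record accepts the record."""
    try:
        parse_record(line)
        return True
    except RecordError:
        return False


def build_record(names, score, debts, balance) -> str:
    """Inverse of parse_record; used here only to construct sample data."""
    out = [str(len(names))] + [n.ljust(NAME_W)[:NAME_W] for n in names]
    out.append(f"{score:0{SCORE_W}d}")
    out.append(str(len(debts)))
    for creditor, cents in debts:
        out.append(creditor.ljust(CREDITOR_W)[:CREDITOR_W])
        out.append(f"{cents:0{AMOUNT_W}d}")
    out.append(f"{balance:0{BALANCE_W}d}")
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample records with fake data.
    two_part = build_record(["Jane", "Doe"], 712, [("ACME BANK", 12345)], 250000)
    three_part = build_record(["Jane", "Q", "Doe"], 698, [], 99)
    print(parse_record(two_part))
    print(parse_record(three_part))
    print("truncated record accepted?", is_well_formed(two_part[:-3]))
```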


It's not as weird as it sounds, you're parsing a text stream, not that much different in principle than parsing HTTP headers or network packets byte by byte.


They are far from the only ones. Many times these horrible formats are covered by an NDA, so I can't even open source the parser if I wanted to :-(


To be clear, I'm not an Equifax customer. I have no business with them, creditors do. I have little to no recourse against them. I can't stop using them. Remember that we are not their customers, we're their product.


https://i.imgur.com/2kChYIe.png

Image backup/mirror of the tweet for when they eventually (?) delete it. As of this comment, it's still up, nearly 20 hours later.


Just in time! As of this comment (10 minutes later), it's been deleted.


Luckily they tweeted it not once, but 8 times! https://twitter.com/MadcapOcelot/status/910533555494760449


Tim's in a bit of trouble.


This goes way above Tim at this point


Just saw this tweet.... omfg wtf.


Have an upvote. Thanks for preserving proof of this.


That’s funny because when I saw the original link and the original site I thought it was a phishing site.

It definitely looks like ol’ Barb in accounting has a nephew that builds web pages. “I bet he’d build it on the cheap!!1!!”

It’s time for this company to go away.


I have my home router set to use OpenDNS instead of my ISP's DNS, and OpenDNS actually resolved the real breach website to their own phishing warning... I had to turn off WiFi and use LTE (or reconfigure my router) to see it and contemplate putting my partial SSN into what might or might not have been a phishing site...

Not sure exactly how long it took OpenDNS to fix that but the false positive is cleared up now. Funnily enough, I switched from ISP (Verizon) DNS to OpenDNS to avoid their NXDOMAIN shenanigans, only to end up with other protective shenanigans.


Perhaps the worst part of this breach is I have had people tell me "that's okay, I've never been an Equifax customer." The lack of understanding is almost as saddening as the breach itself. If you have credit, you're impacted.

The constant bungling on Equifax's part would be hilarious if the potential impacts weren't so sad.


I was saying this[0] in the other thread, but I'm not sure this ends with laughs and `aw shucks`es for Nick. Equifax has been remarkably ham-fisted in every regard, from their initial exposure, to their inability to patch, to their getting breached, to their mishandling of disclosure, to their lax and callous response, etc etc etc. Nick's site looked and acted like a real phishing site. Equifax, as well as the court of public opinion and an actual court, might not be able to detect the nuance here and a reasonable case could be made that this was an attempt to phish off of Equifax's debacle.

The NYT writing it up certainly helps his case, but there were probably more tactful ways of going about this.

[0]: https://news.ycombinator.com/item?id=15297877


No way. There is no better or more tactful way to show how roundly incompetent the company is, and continues to be, than to put up a domain name that is confusingly similar to the already confusing, pointless, dangerous domain that they put up as a response to their breach... and then proceed to watch them as they tweet it out to a half dozen or more of their customers, as if on cue.

There just isn't! It's perfect. Many people who are professional security types said on Day 1 that this would happen, and sagely advised that it might be unwise for anyone to put part of their SSN into a two-day old website on a previously unknown domain that looked like Baby's first PHP, just as news of the breach was still breaking.

And that it was similarly unwise to ask them to do so! So can we just unplug Equifax already? Please? It should be clear who the guilty party is here, and it starts with an Equifax.


Thoroughly disagree. While I do think Equifax should be raked forcefully over the coals for their gross and pervasive misconduct, setting up something that is virtually equivalent to a phishing site does not punish them or create relief for exposed parties. It just sows more confusion, and creates a distraction that Equifax could conceivably use to divert attention away from their own fiasco.


That's understandable. I just don't see how anything good comes from this breach unless we can get eyeballs on poor security practices. Because nobody else between you, me, and the wall seems to be paying any attention to this at all.

There's no relief forthcoming that is possible. The only way things get better now is if we dismantle the entire credit system as we know it, the cat is out of the bag. I'm not interested in punishment. I want to see more serious attention given to prevention.

First, I want to see the license and the keys taken away from the repeat offending drunk driver. Who gave them keys anyway? I sure as hell didn't sign up for this, I want to get off Mr. Bones Wild Ride.


If he hadn't collected any info posted to that site, it'd be at least reason to dig deeper into motivation. Saving people's names and SSNs really would look bad but if the site was just static HTML with no backend and no plausible way for him to see the data entered then it's some evidence that he was honestly trying to prove a point, not phish.


I honestly believe that he was trying to prove a point and not phish. I'm cautioning that I think it's a dangerous game to play.

A website doesn't need to have a "backend" or make a POST request or use a submit button to transmit data that you enter on it to another party. You should assume that ANY ACTION you take on any website is being transmitted to the server or to any third party. Key strokes, mouse moves, time on page, info about your browser and location, all of it.

A bad actor could mimic this sort of "prove a point" site and actually harvest information from unwitting people, all while feigning concern and saying they're proving a point, but carefully disguised JS could be encrypting page events and sending them in cookies to other parties. If we normalize this kind of security grandstanding, we open the door a little bit wider to phishers.

Browser maintainers were right to mark the site as a phishing site. Because it is. It doesn't matter if it transmitted data or not. I guess you could call that "catch and release".


I was very careful to remove any scripts loaded on the page, and I both disabled the FORM submitting and pointed it to localhost.

That being said, your concern is warranted, I think Cloudflare and browsers did the right thing by blocking my site. It served its purpose, and as of 4pm CT today I took it down and destroyed the droplet it was running on. I collected no analytics while it was running off Cloudflare, and kept no logs.

Hopefully Equifax doesn't sue me in the next few months.


Thank you for being forthcoming about all this. I don't mean to be a pain in your ass and I know your intentions are good. I hope this all ends up being a force for good and that things like the NYT coverage help avoid legal issues with Equifax. Good luck to you in that regard.

For the record, the favicon requests that went out after "submitting" your site's data did not appear to transmit any form data to that server. I just noticed that it'd be trivially easy to do that if someone else emulated this as a bad actor.

I think we can all agree that Equifax chose extremely poorly with a separate domain name, one that is just crassly phishy-sounding already, and opening itself up to actual bad actors.


Sorry to say that I do think you should talk to a lawyer before you do anything else. An initial free consultation would be worthwhile.

I’m not sure it’s Equifax suing you that you should be most concerned about. Equifax’s giant fuckup has already stirred up the prosecutorial wasps, they’re all looking for something to sting.


I truly don’t know whether to laugh or cry about everything that has been revealed about Equifax so far. It sounds like a bad sitcom by now.

“Larry... did you accidentally link to a phishing site instead of our company’s site?”

“Uuhhh...”

(Audience laughs)

“Dammit Larry!”

(Audience laughs)


The first time I saw that the site was not a sub-domain of Equifax.com, I was worried that someone would quickly create a copy and I would mistakenly enter my information on the site.

Subsequently, each time I had to go to the site - to check if my data was hacked, to enroll for the TrustedID protection (had to try multiple times), I would always first go to equifax.com and then follow the links from there.

It's sad to see that my fears of the site being easily cloned are true (although this was a proof of concept to show Equifax that they were wrong, but who knows if there isn't a real malicious site that has already collected people's information).

Not only can you not enroll immediately when they tell you that your data was stolen, even when you return on your given enrollment date, you don't get to complete it that same day. You still have to wait for a few more days to get an email.

Equifax has really really messed up. I hope the other companies are using this as a learning experience and are fixing any flaws they have.


This would be hilarious if the impact wasn't felt by consumers. But honestly, it's quite sad and frustrating that as consumers we bear the brunt of this organization's mistakes. This latest episode - their referral of an obviously fake site - is just plain awful...again for consumers. sigh


It looks like Cloudflare just started blocking it, I'll move it off and switch to self-hosting.


Ok, it is now off Cloudflare.


And now it's taken down completely. No analytics were collected (post-cloudflare), and I kept no access logs.


Does anyone know what you have to do to join the Amish?

All jokes aside, every time I try to explain to a "normal" what is going on in "computer security" I feel like shit. The entire industry is a tire fire. And it's getting worse.

At least we have DRM in the browsers now, eh?


Pretty sure you can just convert and start living with them provided you can find a willing community to take you on.

Also - don't be fooled - using the CMM as a metric, the Amish are probably one of the more technologically mature societies around, since they have a clearly defined process around technology usage...

https://en.wikipedia.org/wiki/Capability_Maturity_Model

"There are five levels defined along the continuum of the model and, according to the SEI: "Predictability, effectiveness, and control of an organization's software processes are believed to improve as the organization moves up these five levels. While not rigorous, the empirical evidence to date supports this belief".

    Initial (chaotic, ad hoc, individual heroics) - the starting point for use of a new or undocumented repeat process.
    Repeatable - the process is at least documented sufficiently such that repeating the same steps may be attempted.
    Defined - the process is defined/confirmed as a standard business process
    Capable - the process is quantitatively managed in accordance with agreed-upon metrics.
    Efficient - process management includes deliberate process optimization/improvement.
Within each of these maturity levels are Key Process Areas which characterise that level, and for each such area there are five factors: goals, commitment, ability, measurement, and verification. These are not necessarily unique to CMM, representing — as they do — the stages that organizations must go through on the way to becoming mature.

The model provides a theoretical continuum along which process maturity can be developed incrementally from one level to the next. Skipping levels is not allowed/feasible."


Not Even Close: The State of Computer Security - https://vimeo.com/135347162

This talk is both interesting, more or less correct, and absolutely hilarious.


At this point, can someone explain to me why that company is not taken out of business or _at least_ put under state control to verify they actually fix their issues and stop posing a threat to their customers' lives?


> At this point, can someone explain to me why that company is not taken out of business or _at least_ put under state control …

After the OPM breach, I have zero confidence that the United States has any more competence at this than Equifax.

[0] https://en.wikipedia.org/wiki/Office_of_Personnel_Management...


I honestly don't know why they are allowed to handle the remediation and "damage control" at all, I've been saying that for over a week; it's been getting clearer and clearer that they do not have the operational capability to continue to exist, but nobody with any juice appears to be arguing this.

When they notified law enforcement well after the legal requirement to notify law enforcement had come and gone, that would have been a good time for the government to step in and say "hands off the wheel, we're handling this now." Would we be any better off today? I don't know, but my gut says no.

If I had to guess, the answer is that we don't just take companies and put them under state control here in the United States. It just does not happen that I am aware of. Can you name a time this happened?

I certainly can't think of a time when it would have made more sense to do this, but I am struggling to think of even one example of a company that was taken over by the state without searching.

It says here[1] the US government nationalized railroads and the Smith & Wesson company during WWI, and it also nationalized the railroad system and coal mines during WWII, and that Amtrak was the product of another time the government nationalized railroads in the 70's, but was re-privatized in the 80's...

[1]: https://www.cbsnews.com/news/a-history-of-corporate-national...

If the law enforcement agencies had taken some kind of stand, we might still have video interviews with CISO Susan Mauldin from 2016, that have now been erased since September 10, but for some reason there does not seem to be much interest in that. Everyone understands the company is "saving face" by removing those interviews. Nobody is saying it, but it's pretty clear.

There is probably no legal requirement to keep those interviews online, even if they might provide some insight into the mindset of the CISO and how she was influenced in the months leading up to the breach by the other executives and the board members of Equifax. The fact that this is not a bigger story probably owes mostly to the fact that this is already such a big story.

140MM Americans impacted, likely every last person in the country with a credit history's personal information exposed, quite possibly enough to shutter the credit system as we know it for good. What's a little cover-up compared to that?


Wait, what is the real link?


https://www.equifaxsecurity2017.com/

Pretty much the only way to verify that's the right site is the fact that Equifax.com links to it, although this tweet indicates even that isn't necessarily a reason to trust it.

Why it's not a subdomain of Equifax.com is completely beyond me.

(Even better, the eligibility / credit monitoring signup takes you to another domain, https://trustedidpremier.com/)


You can tell this is the legit site, because there's "O = Equifax Inc" in the certificate subject.

Haha, just kidding, their certificate is DV.


The certificate lists the registered organization as "GeoTrust Inc." Shouldn't it be registered to "Equifax Inc?" I'm not sure what other services (such as web hosting) GeoTrust might also offer, but I wouldn't trust this website actually belongs to Equifax.


That's the SSL vendor (and a prominent one). You'll find Amazon's cert comes from Symantec, for example.


Yes, but my understanding is the organization name is supposed to be the entity you're doing business with. How else do you know that the owner of that domain is who the webpage claims they are if the organization and SSL vendor are the same? I'm not doing business with GeoTrust, it's with Equifax.
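The sub-thread above mixes up two different fields: the CA's name (GeoTrust) lives in the certificate's issuer, while a DV certificate's subject carries only the hostname and no organization at all. This added example, not from any poster, separates the two and classifies a certificate as DV or OV using the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns; the two sample certificates and the names `example.test`, `Example Corp` and `GeoTrust Example CA` are constructed.

```python
"""Tell a certificate's issuer organization apart from its subject
organization, and classify it as DV (subject has no O=) or OV (it does).
"""
import socket
import ssl


def rdn_to_dict(rdns):
    """Flatten getpeercert()'s nested RDN tuples into {attribute: value}."""
    out = {}
    for rdn in rdns:
        for attr, value in rdn:
            out.setdefault(attr, value)
    return out


def validation_level(cert):
    """DV certs are validated by domain control only, so the CA puts nothing
    but the CN (and SANs) in the subject; OV/EV certs add the vetted O=."""
    subject = rdn_to_dict(cert.get("subject", ()))
    return "OV" if "organizationName" in subject else "DV"


def check_cert(cert, expected_org):
    """Report who issued the cert, who it was issued to, and whether the
    *subject* organization (not the issuer) is the business you expect."""
    subject = rdn_to_dict(cert.get("subject", ()))
    issuer = rdn_to_dict(cert.get("issuer", ()))
    return {
        "level": validation_level(cert),
        "issuer_org": issuer.get("organizationName"),
        "subject_org": subject.get("organizationName"),
        "org_matches": subject.get("organizationName") == expected_org,
    }


def fetch_cert(host, port=443):
    """Live use (needs network): return the validated leaf cert for host."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample: a DV cert issued by a GeoTrust-branded CA. The only
# organization name anywhere in it is the CA's, in the issuer.
DV_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "GeoTrust Inc."),),
               (("commonName", "GeoTrust Example CA"),)),
}
# Constructed sample: an OV cert from the same CA whose subject names the
# business that was actually vetted.
OV_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Corp"),),
                (("commonName", "www.example.test"),)),
    "issuer": DV_CERT["issuer"],
}
```

`check_cert(fetch_cert("www.example.test"), "Example Corp")` is the live form of the same check; the offline samples show both outcomes.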


Careful, the two links posted below are people screwing with you to prove a point. The real link is http://www.equifaxsecuritybreach2017.com

You know it's real because it's http.


Are you sure it's not https://www.equifaxbreach2017.com

/s


You're on The Late Show! https://youtu.be/LyIEd5QVkyc?t=3m44s


How can they be so incompetent?


Because they know there are no real consequences for their actions?


Any other UK visitors see this on https://trustedidpremier.com/ - thought a few thousand UK accounts were tied up in this...

ERROR

The request could not be satisfied.

The Amazon CloudFront distribution is configured to block access from your country. Generated by cloudfront (CloudFront) Request ID: ZU-LJh21L1Px18Bz5n20R3Nb1aApdzyce_Q6ZeeSIZ0OYiJk2v0eIA==


I see the same thing, but from Spain


Non-US citizens won't be able to enter the last 6 digits of their US Social Security Number so the site is not going to be of value to you. (Although I'm not sure why they block Europe, there are certainly US citizens living abroad now.)

I don't know where to send you, but I would advise against sending at this point any additional responsibility or personal information to Equifax if you haven't already.


What would be the impact of requesting a total removal of one's information from Equifax? There are still 2 other credit bureaus who could be used when applying for loans.

Obviously this does nothing for the information that's already compromised, but if enough people do it, it would help kill off Equifax (lenders will rely less and less on it, thus depriving them of revenue).


> What would be the impact of requesting a total removal of one's information from Equifax?

Nothing. Your request would be ignored because we don't have legislation like the GDPR in this country to protect the rights of individuals to the privacy of the information collected about them.


> What would be the impact of requesting a total removal of one's information from Equifax?

They'll say no.


This is why I hate it when companies create new domain names for things instead of using something more sensible (like subdomains). Teaching users that other domains besides the primary are totally legit is a recipe for a disaster of the phishing variety, not to mention how much money is going to inevitably be wasted every year.


Procom in Canada insists on using Equifax for background and credit checks for consulting contracts.

Upon receiving queries about security, they insisted that Equifax Canada wasn't compromised and that the clients insist on using them.

It really irks me that we have no control over whether or not our data gets sent to Equifax.


Do you guys think Tim will be fired?


This incompetence is truly hilarious at this point. I wouldn't be surprised if other large institutions holding sensitive data are just as reckless. Student loans? Health insurance companies?

I hope they aren't too big to be held responsible.


Praise be to HIPAA.


"... before thousands of people loose their info to phishing sites"

I suppose you don't care, but it should be "lose" :-)


idk, still works pretty well.

(transitive) To let loose, to free from restraints. (intransitive) Of a grip or hold, to let go.


Does anyone here happen to have a spare face-palm? I seem to be all out of them at the moment and could really use another here...


Equifax needs to be executed and their data destroyed, as a warning to others.


Not by accident, by carelessness. There's a difference.


These jokers are guilty of criminal negligence.


>"We apologize for the confusion", said Equifax

...

No, Equifax, apologies are not spendable currency in the real world. You can't apologize for your horrific and criminal errors.

This isn't business school. You don't fail the test and then apologize to the professor and beg for a C.

You guys are laughably incompetent and it is a shame that the government hasn't found a way to forcibly shut you down yesterday.

If you weren't a big and powerful corporation, you would all be in "pre-trial detention" like the rest of us.


This is seriously enraging, to the point where I have to stop looking at stuff about this because my neck is hot and prickles with fury.

https://pbs.twimg.com/media/DKLbd1FW0AEsx_Q.jpg



