By Ron Benvenisti. Equifax, one of the three major providers of consumer credit reports, said a data breach on its website affected up to 143 million US credit card holders.
A vulnerability on the Equifax website was used by criminals to hit almost half of the entire US population of around 324 million people.
In cooperation with UPS and affected customers and the sources of their retail purchases, I have confirmed that many people in Lakewood have been affected. Criminals are using local UPS drop-offs such as the one at Taylor’s Pharmacy and others in Ocean County. Crooks are buying stuff with your card and having it sent to the local drop-off locations in your zip code to avoid suspicion.
What can you do:
- Act Fast: Banks are no longer covering fraudulent credit card transactions. If you report within three days, you “only” are liable for $50. After that, you pay. That’s why banks set up text and email notifications. If you don’t set that up, they don’t do it automatically, so set it up ASAP if you haven’t already and READ THEM (but don’t click or reply – call them immediately).
- If you had any contact with Equifax regarding obtaining a credit report or filing a dispute, call your bank and cancel your credit card ASAP. This is a major hassle, but since close to one out of every two US credit card holders is affected, chances are your PII and card have been stolen. The bank will issue you a new card within 5 to 10 days and will give you an instantly activated temporary card on the spot.
- Check your bank statements, preferably online, to see if any transactions were not made by you.
- Make sure that you have set up your account to receive text messages and e-mails every time your card is used.
- On your online account or statement, note who the vendor is (this is visible in the transaction details). Call the vendor, using your real name and info (that’s how they ordered), and get the tracking number and the shipping address.
- If the shipping address is not yours, and it won’t be, notify the LPD immediately and file a report (you are guaranteed to have to wait on line – there is a record number of reports being filed).
The criminals grabbed names, Social Security numbers, birth dates, addresses, and even driver’s license numbers. The hackers also accessed credit card numbers for 209,000 US consumers from dispute documents with personal identifying information (PII) for close to 182,000 US citizens. This allows cybercrooks to open new accounts in your name, besides using your existing accounts. Limited personal information for an unknown number of Canadian and UK residents was also exposed.
Equifax said the hacks occurred beginning in July. Equifax officials discovered the hack on July 29. “Criminals exploited a US website application vulnerability to gain access to certain files,” Equifax said in a statement late Thursday, without elaborating. That leaves open a wide range of possibilities, with injection bugs, faulty authentication mechanisms, and cross-site scripting vulnerabilities topping the list of the most widely exploited website flaws.
This isn’t the first time Equifax has been breached. In 2013, personal details of famous people—including US Vice President Joe Biden, FBI Director Robert Mueller, Attorney General Eric Holder, and rap star Jay Z—were exposed on one of their sites, annualcreditreport.com, that also allows consumers to monitor their credit reports. Lax security on that site (in other words, totally preventable) allowed people to gain unauthorized access to addresses, mortgages, outstanding loans, and other details that are often widely used to verify the identity of someone applying for new loans or credit.
Equifax says that you can find out if your info was exposed by entering your last name and the last six digits of your Social Security number on this page. DON’T DO IT! I checked the site and it is hosted by a third party that uses a security certificate that has been revoked and not replaced with the current secure replacement! (You can verify that here.)
Ron Benvenisti – NY-NJ Electronic Crimes Task Force
Dansdeals had this yesterday and also gave that link for checking your #. I did it. What should be done now?
Freeze your credit as well. That is the most secure way.
SHA1 with RSA is not being cracked by anyone less than a nation state, and nation states do not care about this.
The reports are saying only 209,000 people had their credit card info leaked… the info was 143 million but not credit cards. It’s hard for me to believe that the 209,000 “many” people just from Lakewood were affected! Maybe there is some other breach going on in Lakewood. Are the people who are having their credit card used at these drop-off locations coming up as may have been breached when they check the Equifax website?
Your link to verify the security of the site is checking the security of http://www.equifaxsecurity2017.com – that’s just the first landing page, not the site where you actually enter your personal information. Can you research the security of http://www.trustedidpremier.com – the site that collects your info – and post whether that site is insecure as well? I’m getting A ratings on at least the first few servers for that domain.
Just follow the instructions in the article, which BTW says 209,000 US customers. I know it sometimes feels like there are actually 209,000 customers in Lakewood.
Nation states do not care about anything especially the USA. I know SHAI and he’s a great guy, who graduated from RSA.
Use CreditKarma.com to file disputes and get free credit reports. Don’t use the sites Equifax posted.
There are always breaches. Most do not get reported.
Usually drop-off points are in the same ZIP code as the real card owner. Taylor’s is a confirmed drop-off point in Lakewood.
Could be that the SSL certificate on the site you mentioned has been updated. But I ask you, why would Equifax use a third-party domain to get your information and not a sub-domain of the main Equifax TLD? And three of the top executives of Equifax sold significant amounts of stock before the breach was reported, which tanked Equifax’s stock by more than 12%. Just sayin’ ……
Forgot to say, millions of web certificates were recently compromised and showed an A rating even so. They all had to be patched. Not all are. Even so, the crooks are always at least one step ahead.
“Banks are no longer covering fraudulent credit card transaction”. Might be true with debit cards, but I believe all Major Credit Cards do cover fraudulent transactions (I believe it’s the law), and many waive the $50 allowed charge. Check with your provider.
Ron, should we sign up for Lifelock? Would that take care of any problems?