Ayuda! (Help!) Equifax Has My Data!

Equifax last week disclosed a historic breach involving Social Security numbers and other sensitive data on as many as 143 million Americans. The company said the breach also impacted an undisclosed number of people in Canada and the United Kingdom. But the official list of victim countries may not yet be complete: According to information obtained by KrebsOnSecurity, Equifax can safely add Argentina — if not also other Latin American nations where it does business — to the list as well.

Equifax is one of the world’s three-largest consumer credit reporting bureaus, and a big part of what it does is maintain records on consumers that businesses can use to learn how risky it might be to loan someone money or to extend them new lines of credit. On the flip side, Equifax is somewhat answerable to those consumers, who have a legal right to dispute any information in their credit report which may be inaccurate.

Earlier today, this author was contacted by Alex Holden, founder of Milwaukee, Wisc.-based Hold Security LLC. Holden’s team of nearly 30 employees includes two native Argentinians who spent some time examining Equifax’s South American operations online after the company disclosed the breach involving its business units in North America.

It took almost no time for them to discover that an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: “admin/admin.”

We’ll speak about this Equifax Argentina employee portal — known as Veraz or “truthful” in Spanish — in the past tense because the credit bureau took the whole thing offline shortly after being contacted by KrebsOnSecurity this afternoon. The specific Veraz application being described in this post was dubbed Ayuda or “help” in Spanish on internal documentation.

The landing page for the internal administration page of Equifax’s Veraz portal.

Once inside the portal, the researchers found they could view the names of more than 100 Equifax employees in Argentina, as well as their employee ID and email address. The “list of users” page also featured a clickable button that anyone authenticated with the “admin/admin” username and password could use to add, modify or delete user accounts on the system. A search on “Equifax Veraz” at LinkedIn indicates the unit currently has approximately 111 employees in Argentina.

A partial list of active and inactive Equifax employees in Argentina. This page also let anyone add or remove users at will, or modify existing user accounts.

Each employee record included a company username in plain text, and a corresponding password that was obfuscated by a series of dots.

The “edit users” page obscured the Veraz employee’s password, but the same password was exposed by sloppy coding on the Web page.

However, all one needed to do in order to view said password was to right-click on the employee’s profile page and select “view source,” a function that displays the raw HTML code which makes up the Web site. Buried in that HTML code was the employee’s password in plain text.

A review of those accounts shows all employee passwords were the same as each user’s username. Worse still, each employee’s username appears to be nothing more than their last name, or a combination of their first initial and last name. In other words, if you knew an Equifax Argentina employee’s last name, you also could work out their password for this credit dispute portal quite easily.
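An added example, not code from the portal or from Hold Security: a check a development team could run against its own rendered pages to catch password fields that arrive pre-populated in the HTML, plus a password-set policy that refuses the admin/admin default and any password equal to or derived from the username. The sample page, the user "jperez" and all function names are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample of an "edit user" page with the flaw described above:
# the browser masks the field with dots, but the secret sits in the markup.
SAMPLE_EDIT_USER_PAGE = """\
<form method="post" action="/users/edit">
  <input type="text" name="username" value="jperez">
  <input type="password" name="password" value="jperez">
  <input type="password" name="confirm" value="">
</form>
"""

# Default pairs to refuse outright; the article names admin/admin.
DEFAULT_PAIRS = {("admin", "admin")}


class PrefilledSecretFinder(HTMLParser):
    """Records password inputs that the server rendered with a value."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attr = {name: (value or "") for name, value in attrs}
        if attr.get("type", "").lower() != "password":
            return
        if attr.get("value", "").strip():
            line, _col = self.getpos()
            # Report location and length only; never copy the secret into logs.
            self.findings.append({
                "line": line,
                "field": attr.get("name") or attr.get("id") or "(unnamed)",
                "length": len(attr["value"]),
            })


def scan_page(html_text):
    """Return one finding per pre-populated password field in html_text."""
    finder = PrefilledSecretFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings


def weak_password_reason(username, first_name, last_name, password):
    """Policy check for a password-set handler; None means no rule matched."""
    user, pw = username.casefold(), password.casefold()
    first, last = first_name.casefold(), last_name.casefold()
    if (user, pw) in DEFAULT_PAIRS:
        return "default credential pair"
    if pw == user:
        return "password equals username"
    # Last name, first initial + last name, and similar name-derived guesses.
    derived = {first, last, first[:1] + last, first + last} - {""}
    if pw in derived:
        return "password derived from the user's name"
    return None


if __name__ == "__main__":
    for finding in scan_page(SAMPLE_EDIT_USER_PAGE):
        print("pre-populated password field:", finding)
    print(weak_password_reason("jperez", "Juan", "Perez", "jperez"))
```

A server that stores only salted password hashes has nothing to render into the field in the first place, so a finding from `scan_page` usually points at plain-text storage as well.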

But wait, it gets worse. From the main page of the Equifax.com.ar employee portal was a listing of some 715 pages worth of complaints and disputes filed by Argentinians who had at one point over the past decade contacted Equifax via fax, phone or email to dispute issues with their credit reports. The site also lists each person’s DNI — the Argentinian equivalent of the Social Security number — again, in plain text. All told, this section of the employee portal included more than 14,000 such records.

750 pages worth of consumer complaints — more than 14,000 in all — complete with the Argentinian equivalent of the SSN (the DNI) in plain text. This page was auto-translated by Google Chrome into English.

Jorge Speranza, manager of information technology at Hold Security, was born in Argentina and lived there for 40 years before moving to the United States. Speranza said he was aghast at seeing the personal data of so many Argentinians protected by virtually non-existent security.

Speranza explained that — unlike the United States — Argentina is traditionally a cash-based society that only recently saw citizens gaining access to credit.

“People there have put a lot of effort into getting a loan, and for them to have a situation like this would be a disaster,” he said. “In a country that has gone through so much — where there once was no credit, no mortgages or whatever — and now having the ability to get loans and lines of credit, this is potentially very damaging.”

Shortly after receiving details about this epic security weakness from Hold Security, I reached out to Equifax and soon after heard from a Washington, D.C.-based law firm that represents the credit bureau.

I briefly described what I’d been shown by Hold Security, and attorneys for Equifax said they’d get back to me after they validated the claims. They later confirmed that the Veraz portal was disabled and that Equifax is investigating how this may have happened. Here’s hoping it will stay offline until it is fortified with even the most basic of security protections.

According to Equifax’s own literature, the company has operations and consumer “customers” in several other South American nations, including Brazil, Chile, Ecuador, Paraguay, Peru and Uruguay. It is unclear whether the complete lack of security at Equifax’s Veraz unit in Argentina was indicative of a larger problem for the company’s online employee portals across the region, but it’s difficult to imagine they could be any worse.

“To me, this is just negligence,” Holden said. “In this case, their approach to security was just abysmal, and it’s hard to believe the rest of their operations are much better.”

I don’t have much advice for Argentinians whose data may have been exposed by sloppy security at Equifax. But I have urged my fellow Americans to assume their SSN and other personal data was compromised in the breach and to act accordingly. On Monday, KrebsOnSecurity published a Q&A about the breach, which includes all the information you need to know about this incident, as well as detailed advice for how to protect your credit file from identity thieves.

[Author’s note: I am listed as an adviser to Hold Security on the company’s Web site. However this is not a role for which I have been compensated in any way now or in the past.]


House of Pomegranates (version 2), A by WILDE, Oscar

http://librivox.org/a-house-of-pomegranates-by-oscar-wilde/

A House of Pomegranates (1891) is the title of the second collection of Fairy Tales by Oscar Wilde. This book contains four tales: 1. “The Young King”; which is about taking responsibility. 2. “The Birthday of the Infanta”; a commentary on the unfeeling behaviour of the upper classes. 3. “The Fisherman and his Soul”; is about the triumph of love in adversity. And 4. “The Star-Child”; which is about responsibility and doing what is right despite the cost. – Summary by Noel Badrian


BRONZE UNION Cyberespionage Persists Despite Disclosures

https://www.secureworks.com/research/bronze-union

Type: Threat Analysis

Category: CTU Research

Read our cyber threat analysis on the BRONZE UNION threat group and their ongoing campaigns despite public disclosures of their activities.


September 11, 2017: Owner of O.C. Pet Products Company Pleads Guilty to Selling Pet Meds without Prescriptions, Some of Which Were Not Approved for U.S. Sale


September 11, 2017: Knoxville Man Pleads Guilty to Conspiring to Defraud the FDA


August 28, 2017: Costa Rican Defendant Appears in Federal Court to Face Fraud Charges


Wireless ‘BlueBorne’ Attacks Target Billions of Bluetooth Devices

UPDATE

Researchers disclosed a bevy of Bluetooth vulnerabilities Tuesday that threaten billions of devices from Android and Apple smartphones to millions of printers, smart TVs and IoT devices that use the short-range wireless protocol.

Worse, according to researchers at IoT security firm Armis that found the attack vector, the so-called “BlueBorne” attacks can jump from one nearby Bluetooth device to another wirelessly. It estimates that there are 5.3 billion devices at risk.

“If exploited, the vulnerabilities could enable an attacker to take over devices, spread malware, or establish a ‘man-in-the-middle’ to gain access to critical data and networks without user interaction,” according to the company. “The attack does not require the targeted device to be paired to the attacker’s device, or even to be set on discoverable mode… since the Bluetooth process has high privileges on all operating systems, exploiting it provides virtually full control over the device.”

As part of a coordinated disclosure, Armis said Google and Microsoft have already made patches available to their customers.

In a statement to Threatpost, Microsoft said: “Microsoft released security updates in July and customers who have Windows Update enabled and applied the security updates, are protected automatically. We updated to protect customers as soon as possible, but as a responsible industry partner, we withheld disclosure until other vendors could develop and release updates.”

Microsoft’s September Patch Tuesday disclosure lists one of the BlueBorne bugs (Bluetooth driver spoofing vulnerability – CVE-2017-8628) as part of its security patches for the month.

Apple iOS devices running the most recent version of the OS (10.x) are safe, Armis said.

According to researchers, only 45 percent of Android phones (960 million) are patchable, leaving 1.1 billion active Android devices older than Marshmallow (6.x) vulnerable.

Also vulnerable are millions of smart Bluetooth devices running a version of Linux. Commercial and consumer-oriented versions of Linux (Tizen OS) are vulnerable to one of the BlueBorne bugs as are Linux devices running BlueZ and 3.3-rc1 (released in October 2011). All Windows computers since Windows Vista are affected, according to the researchers. Microsoft Windows Phones are not impacted.

“This set of capabilities are every hacker’s dream. BlueBorne can serve any malicious objective, such as cyber espionage, data theft, ransomware, and even creating large botnets out of IoT devices like the Mirai Botnet or mobile devices as with the recent WireX Botnet,” according to the company.

“This means almost every computer, mobile device, smart TV or other IoT device running on one of these operating systems is endangered by at least one of the eight vulnerabilities. This covers a significant portion of all connected devices globally,” researchers said.

In all, BlueBorne consists of eight related vulnerabilities, three of which are classified as critical. The vulnerabilities were found in the Bluetooth implementations in Android, Microsoft, Linux and iOS. They include:

* Linux kernel RCE vulnerability – CVE-2017-1000251
* Linux Bluetooth stack (BlueZ) information leak vulnerability – CVE-2017-1000250
* Android information leak vulnerability – CVE-2017-0785
* Android RCE vulnerabilities CVE-2017-0781 & CVE-2017-0782
* The Bluetooth Pineapple in Android – Logical Flaw CVE-2017-0783
* The Bluetooth Pineapple in Windows – Logical Flaw CVE-2017-8628
* Apple Low Energy Audio Protocol RCE vulnerability – CVE Pending

An attack scenario includes an adversary identifying Bluetooth devices nearby and using commonly available tools to identify the MAC address of vulnerable Bluetooth devices.

“By probing the device, the attacker can determine which operating system his victim is using, and adjust his exploit accordingly. The attacker will then exploit a vulnerability in the implementation of the Bluetooth protocol in the relevant platform and gain the access he needs to act on his malicious objective,” researchers wrote.

At this stage the attacker can choose to create a Man-in-the-Middle attack and control the device’s communication, or take full control over the device and use it for a wide array of cybercriminal purposes, researchers stated.

In order to traverse from one Bluetooth device to the next, researchers say attackers would take advantage of a feature called Bluetooth Mesh, introduced with Bluetooth 5, which allows Bluetooth devices to interconnect and form a larger network with a more elaborate and dense structure.

“The automatic connectivity of Bluetooth, combined with the fact that nearly all devices have Bluetooth enabled by default, make these vulnerabilities all the more serious and pervasive,” they said. “Once a device is infected with malware, it can then easily broadcast the malware to other Bluetooth-enabled devices in its vicinity, either inside an office or in more public locations.”

“These silent attacks are invisible to traditional security controls and procedures. Companies don’t monitor these types of device-to-device connections in their environment, so they can’t see these attacks or stop them,” said Yevgeny Dibrov, CEO of Armis. “The research illustrates the types of threats facing us in this new connected age.”

BlueBorne attacks boil down to two types. In the first, an adversary goes undetected and targets a specific device to execute code, with the objective of gaining access to corporate networks, systems, and data. The second scenario involves creating a Bluetooth Pineapple to sniff or redirect traffic.

“These vulnerabilities are the most serious Bluetooth vulnerabilities identified to date. Previously identified flaws found in Bluetooth were primarily at the protocol level. These new vulnerabilities are at the implementation level, bypassing the various authentication mechanisms, and enabling a complete takeover of the target device,” according to researchers.

(This story was updated Sept. 12, 1:30pm ET to include Microsoft’s comments and CVE details.)


Updated Investor Bulletin: Trading in Cash Accounts

The SEC’s Office of Investor Education and Advocacy is issuing this Investor Bulletin to help educate investors regarding the rules that apply to trading securities in cash accounts and to highlight the 90-day account freeze which may arise with certain trading activities in these types of accounts.

What is a cash account?

A cash account is a type of brokerage account in which the investor must pay the full amount for securities purchased.  An investor using a cash account is not allowed to borrow funds from his or her broker-dealer in order to pay for transactions in the account (trading on margin).

The credit extension provisions of the Federal Reserve Board’s Regulation T govern an investor’s use of a cash account to purchase securities.  In particular, Regulation T authorizes a broker-dealer to use a cash account to purchase a security for an investor if:

  • There are “sufficient funds” in the account; or
  • The broker-dealer accepts in good faith the investor’s agreement that the investor will promptly make “full cash payment” for the security before selling it and does not contemplate selling the security prior to making such payment.

What type of trading is permitted in a cash account?

Some examples of trading that would be permitted in a cash account include:

  1. An investor has $10,000 in cash and no securities in a cash account. The investor buys $10,000 worth of ABC stock on Monday and sells it the same day.

    These transactions are permissible since the investor purchased the ABC stock on Monday with the $10,000 in cash that the investor had in the cash account.  Since the investor purchased the ABC stock with cash, the investor may sell this stock at any time.

  2. An investor holds $10,000 of fully paid for and settled ABC stock in a cash account. The investor does not hold any additional cash or securities in the cash account. The investor sells all the ABC stock on Monday. On Friday, the investor buys $10,000 worth of XYZ stock.

    These transactions are permissible because an investor can sell a fully-paid for and settled security held in a cash account.  The $10,000 proceeds from the sale of the ABC stock would have settled on Wednesday.  Therefore the investor would have “sufficient funds” in the cash account on Friday to purchase the XYZ stock.

  3. An investor holds $10,000 of fully paid for and settled ABC stock in a cash account. The investor does not hold any additional cash or securities in the cash account. The investor sells all the ABC stock on Monday and buys $10,000 worth of XYZ stock the same day. The investor sells the XYZ stock on Friday.

    The sale of the ABC stock is permissible because an investor can sell a fully-paid for and settled security held in a cash account.  The purchase of the XYZ stock is also permissible. The investor may purchase the XYZ stock with the proceeds from the sale of the ABC stock as long as the investor does not sell the XYZ stock prior to the settlement of the ABC stock sale, which is Wednesday.  By doing this, the investor will have made full cash payment for the XYZ stock before selling it on Friday.

What are freeriding and freezes?

As noted above, in a cash account, an investor must pay for the purchase of a security before selling it.  If an investor buys and sells a security before paying for it, the investor is “freeriding.” 

The following example illustrates “freeriding:”

An investor holds $10,000 of fully paid for and settled ABC stock in a cash account.  The investor does not hold any additional cash or securities in the cash account. The investor sells all the ABC stock on Monday and buys $10,000 worth of XYZ stock on the same day.  On Tuesday, the investor sells all of the XYZ stock without adding any additional cash to the account.

The settlement date on the sale of the ABC stock that the investor used to pay for the purchase of the XYZ stock would be Wednesday (two business days after the date of the sale).  Since the investor used the proceeds from a sale of securities that has not settled yet to purchase the XYZ stock, the investor cannot sell the XYZ stock prior to Wednesday without adding additional cash to the account to cover the purchase price of the XYZ stock.  Since the investor sold the XYZ stock on Tuesday without adding any additional cash to the account, the investor’s actions constitute freeriding.

“Freeriding” is not permitted under Regulation T, and may require the investor’s broker to “freeze” the investor’s account for 90 days.  During this 90-day period, an investor may still purchase securities with the cash account, but the investor must fully pay for any purchase on the date of the trade.  An investor may avoid having a “freeze” placed on his cash account by fully paying for the securities by the settlement date with funds that do not come from the sale of the securities.

Related Information

For additional educational information for investors, see the SEC’s Office of Investor Education and Advocacy’s homepage.  For additional information relating to cash accounts, also see:

The Office of Investor Education and Advocacy has provided this information as a service to investors. It is neither a legal interpretation nor a statement of SEC policy. If you have questions concerning the meaning or application of a particular law or rule, please consult with an attorney who specializes in securities law.


September 11, 2017: Three Florida Residents Arrested After Law Enforcement Discover Steroid and Fake Prescription Drug Lab


Equifax Breach Response Turns Dumpster Fire

https://krebsonsecurity.com/2017/09/equifax-breach-response-turns-dumpster-fire/

I cannot recall a previous data breach in which the breached company’s public outreach and response has been so haphazard and ill-conceived as the one coming right now from big-three credit bureau Equifax, which rather clumsily announced Thursday that an intrusion jeopardized Social Security numbers and other information on 143 million Americans.

WEB SITE WOES

As noted in yesterday’s breaking story on this breach, the Web site that Equifax advertised as the place where concerned Americans could go to find out whether they were impacted by this breach — equifaxsecurity2017.com — is completely broken at best, and little more than a stalling tactic or sham at worst.

In the early hours after the breach announcement, the site was being flagged by various browsers as a phishing threat. In some cases, people visiting the site were told they were not affected, only to find they received a different answer when they checked the site with the same information on their mobile phones.


Others (myself included) received not a yes or no answer to the question of whether we were impacted, but instead a message that credit monitoring services we were eligible for were not available and to check back later in the month. The site asked users to enter their last name and last six digits of their SSN, but at the prompting of a reader’s comment I confirmed that just entering gibberish names and numbers produced the same result as the one I saw when I entered my real information: Come back on Sept. 13.

Who’s responsible for this debacle? Well, Equifax of course. But most large companies that can afford to do so hire outside public relations or disaster response firms to walk them through the safest ways to notify affected consumers. In this case, Equifax appears to have hired global PR firm Edelman PR.

What gives me this idea? Until just a couple of hours ago, the copy of WordPress installed at equifaxsecurity2017.com included a publicly accessible user database entry showing a user named “Edelman” was the first (and only?) user registered on the site.

Code that was publicly available on equifaxsecurity2017.com until very recently showed account information for an outside PR firm.

I reached out to Edelman for more information and will update this story when I hear from them.

EARLY WARNING?

In its breach disclosure Thursday, Equifax said it hired an outside computer security forensic firm to investigate as soon as it discovered unauthorized access to its Web site. ZDNet published a story Thursday saying that the outside firm was Alexandria, Va.-based Mandiant — a security firm bought by FireEye in 2014.

Interestingly, anyone who happened to have been monitoring look-alike domains for Equifax.com prior to yesterday’s breach announcement may have had an early clue about the upcoming announcement. One interesting domain that was registered on Sept. 5, 2017 is “equihax.com,” which according to domain registration records was purchased by an Alexandria, Va. resident named Brandan Schondorfer.

A quick Google search shows that Schondorfer works for Mandiant. Ray Watson, a cybersecurity researcher who messaged me this morning on Twitter about this curiosity, said it is likely that Mandiant has been registering domains that might be attractive to phishers hoping to take advantage of public attention to the breach and spoof Equifax’s domain.

Watson said it’s equally likely the equihax.com domain was registered to keep it out of the hands of people who may be looking for domain names they can use to lampoon Equifax for its breach. Schondorfer has not yet returned calls seeking comment.
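The look-alike monitoring mentioned above, as an added example that is not from the original post: a filter over a feed of newly registered domains that flags names containing the brand or within one edit of it. The allow-list, the feed entries other than equihax.com and equifaxsecurity2017.com, and the premise that each entry is a registrable domain whose first label is the name to compare are assumptions.

```python
import re

BRAND = "equifax"
# Assumed allow-list of domains the organisation itself operates.
OWNED = {"equifax.com", "equifax.com.ar", "equifaxsecurity2017.com"}
MAX_DISTANCE = 1  # tolerate one typo; wider values add false positives

# Constructed sample feed of newly registered domains.
SAMPLE_FEED = [
    "equihax.com",                  # domain named in the article
    "equifaxsecurity2017.com",      # allow-listed above
    "equifax-breach-help.example",  # constructed
    "eqiufax.example",              # constructed: transposed letters
    "equinox.example",              # constructed: unrelated near miss
    "weather.example",              # constructed: unrelated
]


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute,
    or swap two adjacent characters, each at cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "iu" typed for "ui".
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[-1]


def classify(domain):
    """Return a reason string if the domain deserves review, else None."""
    name = domain.strip().lower().rstrip(".")
    if name in OWNED:
        return None
    label = name.split(".")[0]
    if label == BRAND:
        return "brand label on an unowned domain"
    if BRAND in label:
        return "contains brand"
    # Compare the whole label and each hyphen/underscore-separated token.
    candidates = [label] + [t for t in re.split(r"[-_]", label) if t]
    best = min(edit_distance(BRAND, c) for c in candidates)
    if best <= MAX_DISTANCE:
        return f"look-alike of brand (edit distance {best})"
    return None


def review_feed(domains):
    """Return (domain, reason) pairs for every flagged entry, in feed order."""
    flagged = []
    for domain in domains:
        reason = classify(domain)
        if reason:
            flagged.append((domain, reason))
    return flagged


if __name__ == "__main__":
    for domain, reason in review_feed(SAMPLE_FEED):
        print(f"{domain}: {reason}")
```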

EQUIFAX EXECS PULL GOLDEN PARACHUTES?

Bloomberg moved a story yesterday indicating that three top executives at Equifax sold millions of dollars worth of stock during the time between when the company says it discovered the breach and when it notified the public and investors.

Shares of Equifax’s stock on the New York Stock Exchange [NYSE:EFX] were down more than 13 percent at time of publication versus yesterday’s price.

The executives reportedly told Bloomberg they didn’t know about the breach when they sold their shares. A law firm in New York has already announced it is investigating potential insider trading claims against Equifax.

CLASS ACTION WAIVER?

Yesterday’s story here pointed out the gross conflict of interest in Equifax’s consumer remedy for this breach: Offering a year’s worth of free credit monitoring services to all Americans via its own in-house credit monitoring service.

This is particularly rich because a) why should anyone trust Equifax to do anything right security-wise after this debacle and b) these credit monitoring services typically hard-sell consumers to sign up for paid credit protection plans when the free coverage expires.

Verbiage from the terms of service from Equifax’s credit monitoring service TrustedID Premier.

I have repeatedly urged readers to consider putting a security freeze on their accounts in lieu of or in addition to accepting these free credit monitoring offers, noting that credit monitoring services don’t protect you against identity theft (the most you can hope for is they alert you when ID thieves do steal your identity), while security freezes can prevent thieves from taking out new lines of credit in your name.

Several readers have written in to point out that the terms of service Equifax requires all users to acknowledge before signing up for the service seem to include legal verbiage suggesting that those who do sign up for the free service will waive their rights to participate in future class action lawsuits against the company.

KrebsOnSecurity is still awaiting word from an actual lawyer who’s looking at this contract, but let me offer my own two cents on this.

Update, 9:45 p.m. ET: Equifax has updated their breach alert page to include the following response in regard to the unclear legalese:

“In response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident.”

Original story:

Equifax will almost certainly see itself the target of multiple class action lawsuits as a result of this breach, but there is no guarantee those lawsuits will go the distance and result in a monetary windfall for affected consumers.

Even when these cases do result in a win for the plaintiff class, it can take years. After KrebsOnSecurity broke the story in 2013 that Experian had given access to 200 million consumer records to a Vietnamese man running an identity theft service, two different law firms filed class action suits against Experian.

That case was ultimately tossed out of federal court and remanded to state court, where it is ongoing. That case was filed in 2015.

To close out the subject of civil lawsuits as a way to hold companies accountable for sloppy security, class actions — even when successful — rarely result in much of a financial benefit for affected consumers (very often the “reward” is a gift card or two-digit dollar amount per victim), while greatly enriching law firms that file the suits.

It’s my view that these class action lawsuits serve principally to take the pressure off of lawmakers and regulators to do something that might actually prevent more sloppy security practices in the future for the culpable companies. And as I noted in yesterday’s story, the credit bureaus have shown themselves time and again to be terribly unreliable stewards of sensitive consumer data: This time, the intruders were able to get in because Equifax apparently fell behind in patching its Internet-facing Web applications.

In May, KrebsOnSecurity reported that fraudsters exploited lax security at Equifax’s TALX payroll division, which provides online payroll, HR and tax services. In 2015, a breach at Experian jeopardized the personal data on at least 15 million consumers.

CAPITALIZING ON FEAR

Speaking of Experian, the company is now taking advantage of public fear over the breach — via hashtag #equifaxbreach, for example — to sign people up for their cleverly-named “CreditLock” subscription service (again, hat tip to @rayjwatson).

“When you have Experian Identity Theft Protection, you can instantly lock or unlock your Experian Credit File with the simple click of a button,” the ad enthuses. “Experian gives you instant access to your credit report.”

First off, all consumers have the legal right to instant access to their credit report via the Web site, annualcreditreport.com. This site, mandated by Congress, gives consumers the right to one free credit report from each of the three major bureaus (Equifax, Trans Union and Experian) every year.

Second, all consumers have a right to request that the bureaus “freeze” their credit files, which bars potential creditors or anyone else from viewing your credit history or credit file unless you thaw the freeze (temporarily or permanently).

I have made no secret of my disdain for the practice of companies offering credit monitoring in the wake of a data breach — especially in cases where the breach only involves credit card accounts, since credit monitoring services typically only look for new account fraud and do little or nothing to prevent fraud on existing consumer credit accounts.

Credit monitoring services rarely prevent identity thieves from stealing your identity. The most you can hope for from these services is that they will alert you as soon as someone does steal your identity. Also, the services can be useful in helping victims recover from ID theft.

My advice: Sign up for credit monitoring if you can (and you’re not holding out for a puny class action windfall) and then freeze your credit files at the major credit bureaus (it is generally not possible to sign up for credit monitoring services after a freeze is in place). Again, advice for how to file a freeze is available here.

Whether you are considering a freeze, credit monitoring, or a fraud alert (another, far less restrictive third option), please take a moment to read this story in its entirety. It includes a great deal of information that cannot be shared in a short column here.
