Equifax Hack Data Theft Checker A Sham

https://krebsonsecurity.com/2017/09/equifax-breach-response-turns-dumpster-fire/

"As noted in yesterday’s breaking story on this breach, the Web site that Equifax advertised as the place where concerned Americans could go to find out whether they were impacted by this breach — equifaxsecurity2017.com — is completely broken at best, and little more than a stalling tactic or sham at worst.

In the early hours after the breach announcement, the site was being flagged by various browsers as a phishing threat. In some cases, people visiting the site were told they were not affected, only to find they received a different answer when they checked the site with the same information on their mobile phones."

7 Likes

Someone put in a fake name and SSN and the site said they were at risk. I’m waiting before I do anything else.

Regarding the credit freeze, they should waive the fees for now. It’s crap that they charge for protecting from their fuckup.

4 Likes

That’s the site being provided by mainstream media.

It’s got a certificate (https).

This is the first situation I can think of where the official site is the one doing the phishing.

3 Likes

Who?

I ask because I know security experts who put in the 100 most recently deceased people from an authoritative list of the recently dead (with their social security numbers) and had none of them come up positive. (Their own names, and mine, came up as in the list.) This indicated to them that the data is from a current list of live customers.

It has been pointed out that if you take their offer of a year of protection service, you waive your right to participate in any lawsuits though.

2 Likes

I saw that the name was fake and the number was something like “000000”.

That doesn’t mean it’s not working, simply because that’s what gets used for test data all the time.

Alternatively, the logic for displaying the message might not be the smartest – it could be defaulting to a positive if certain criteria aren’t met.

The examples where the answers were different on different devices for the same data are more interesting, but again, that could just point to crappy code.

None of which makes Equifax look any better.

1 Like

A broken certificate that “hasn’t been verified as issued by a trusted authority using a secure signature” and results in an UNKNOWN_ISSUER warning.

If you give it a common name like Smith or Johnson and 6 random digits, it shows the “we believe that your personal information may have been impacted by this incident.” message. But the behind the scenes response from the server is actually { statusCode: "COME_BACK_LATER", reg1Date: "09/13/2017", statusUrl: null, numberOfDaysToWait: 2, status: "SUCCESS" }

If you give it a bogus name like Funkensteiner or Porkmustang and 6 random digits, it shows the “we believe that your personal information was not impacted by this incident.” while the server response behind the scenes is blank so evaluates as undefined.

So it appears to just be an untested, rushed out marketing microsite to sell their identity theft prevention service. The COME_BACK_LATER response suggests that they may be checking against a list of names that they have records of, but that they haven’t yet hooked it up to any data that knows which of those might have been affected.

3 Likes
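The two posts above describe the same defect from different angles: a lookup page that shows "not impacted" when the server returns nothing, "may have been impacted" on a COME_BACK_LATER placeholder, and accepts test data like "000000". The following is an added example written for this page, not the site's code and not posted by anyone in the thread. It reconstructs the fail-open rendering logic the posters observed and puts a fail-closed version beside it. The sample responses are constructed from the JSON quoted above; the IMPACTED and NOT_IMPACTED status codes, the validateLookupInput() rules and the function names are assumptions for illustration.

```javascript
// Added example, not Equifax's code. Constructed sample server bodies,
// modelled on the COME_BACK_LATER response quoted in the thread.
const SAMPLE_RESPONSES = {
  commonName: '{"statusCode":"COME_BACK_LATER","reg1Date":"09/13/2017",' +
              '"statusUrl":null,"numberOfDaysToWait":2,"status":"SUCCESS"}',
  bogusName: '',   // server sent an empty body, which the page evaluates as undefined
};

// Reconstruction of the fail-open behaviour described in the thread (an
// assumption about how the page behaved, not its actual source): an empty
// or unparseable body lands in the reassuring branch, and every other
// response, including a "come back later" placeholder, reads as impacted.
function naiveRender(rawBody) {
  let data;
  try { data = JSON.parse(rawBody); } catch (e) { data = undefined; }
  if (data === undefined) {
    return "we believe that your personal information was not impacted by this incident.";
  }
  return "we believe that your personal information may have been impacted by this incident.";
}

// Fail-closed version. IMPACTED / NOT_IMPACTED are assumed codes for this example;
// only an explicit, well-formed answer yields a verdict, everything else is "unknown".
const KNOWN_CODES = new Set(["IMPACTED", "NOT_IMPACTED", "COME_BACK_LATER"]);

function hardenedRender(rawBody) {
  let data;
  try {
    data = JSON.parse(rawBody);
  } catch (e) {
    return { verdict: "unknown", reason: "malformed or empty response" };
  }
  if (!data || typeof data !== "object" || data.status !== "SUCCESS" ||
      !KNOWN_CODES.has(data.statusCode)) {
    return { verdict: "unknown", reason: "unexpected response shape" };
  }
  switch (data.statusCode) {
    case "IMPACTED":      return { verdict: "impacted", reason: null };
    case "NOT_IMPACTED":  return { verdict: "not impacted", reason: null };
    case "COME_BACK_LATER":
      return { verdict: "pending",
               reason: "check again after " + (Number(data.numberOfDaysToWait) || 0) + " day(s)" };
    default:              return { verdict: "unknown", reason: "unhandled status code" };
  }
}

// Reject obviously synthetic input before it is ever sent to the lookup
// (assumed rules: a plausible surname and six digits that are not a single
// repeated placeholder digit such as 000000). Returns null when acceptable.
function validateLookupInput(lastName, ssnLast6) {
  if (!/^[A-Za-z][A-Za-z' -]{1,63}$/.test(lastName)) return "invalid name";
  if (!/^\d{6}$/.test(ssnLast6)) return "need 6 digits";
  if (/^(\d)\1{5}$/.test(ssnLast6)) return "placeholder digits";
  return null;
}

// Stand-alone demonstration with the constructed responses.
for (const [label, body] of Object.entries(SAMPLE_RESPONSES)) {
  console.log(label, "| naive:", naiveRender(body));
  console.log(label, "| hardened:", JSON.stringify(hardenedRender(body)));
}
console.log("000000 check:", validateLookupInput("Smith", "000000"));
```

The point of the hardened variant is that "not impacted" is never the default branch: a blank body, a parse error, a status other than SUCCESS, or an unrecognised code all produce "unknown", and a COME_BACK_LATER placeholder is surfaced as pending with the wait period instead of being dressed up as a verdict either way.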