118 stories
1 follower

Equifax Breach Fallout: Your Salary History

2 Comments and 5 Shares

In May, KrebsOnSecurity broke a story about lax security at a payroll division of big-three credit bureau Equifax that let identity thieves access personal and financial data on an unknown number of Americans. Incredibly, this same division makes it simple to access detailed salary and employment history on a large portion of Americans using little more than someone’s Social Security number and date of birth — both data elements that were stolen in the recent breach at Equifax.


At issue is a service provided by Equifax’s TALX division called The Work Number. The service is designed to provide automated employment and income verification for prospective employers, and tens of thousands of companies report employee salary data to it. The Work Number also allows anyone whose employer uses the service to provide proof of their income when purchasing a home or applying for a loan.

The homepage for this Equifax service wants to assure visitors that “Your personal information is protected.”

“With your consent your personal data can be retrieved only by credentialed verifiers,” Equifax assures us, referring mainly to banks and other entities that request salary data for purposes of setting credit limits.

Sadly, this isn’t anywhere near true because most employers who contribute data to The Work Number — including Fortune 100 firms, government agencies and universities — rely on horribly weak authentication for access to the information.

To find out how easy it is to view your detailed salary history, you’ll need your employer’s name or employer code. Helpfully, this page lets you look that up quite easily (although if you opt to list employers alphabetically by the fist letter of the company name, there are so many entries for each letter that I found Equifax’s database simply crashes half the time instead of rendering the entire list).


What’s needed to access your salary and employment history? Go here, and enter the employer name or employer code. After that, it asks for a “user ID.” This might sound like privileged information, but in most cases this is just the employees’s Social Security number (or a portion of it).

At the next step, the site asks visitors to “enter your PIN,” short for Personal Identification Number. However, in the vast majority of cases this appears to be little more than someone’s eight-digit date of birth. The formats differ by employer, but it’s usually either yyyy/mm/dd or mm/dd/yyyy, without the slashes.

Successful validation to the system produces two sets of data: An employee’s salary and employment history going back at least a decade, and a report listing all of the entities (ostensibly, the aforementioned “credentialed verifiers”) that have previously requested and viewed this information.

Once you’re successfully “authenticated,” the system asks you to change your PIN to something more secret than your birthday. When the default PIN is changed, The Work Number prompts users to select a series of six challenge/response questions, which Equifax claims will “improve the security of your data and create an extra layer of protection on your account.”

Unfortunately, consumers whose employee history is stored by this service effectively have no privacy or security unless they possess both the awareness that this service exists and the forethought to access their account online before identity thieves or others do it first.


The Work Number does allow employers to opt for TALX’s “enhanced authentication” feature, wherein after logging in with your employer ID and PIN (often the last four digits of an SSN plus the birth year), the system is designed to require the requester to respond to an email at a work address or a phone call to a work number to validate the login.

However, I did not find this to be the case in several instances involving readers whose employers supposedly used this enhanced authentication method. In cases where corporate human resources departments fail to populate employee email addresses and phone numbers, the system defaults to asking visitors to enter any email address and phone number to complete the validation. This is detailed here (PDF), wherein The Work Number states “if you do not have the required phone and e-mail information on file, you will be prompted to update/add your phone numbers/email addresses.”


Worse yet, while companies that use this service tend to vary their approaches to what’s required in terms of user IDs and PINs, a great many employers publish online detailed instructions on how to fill out these various forms. For example, the State of California‘s process is listed here (PDF); instructions for the Health Resources & Services Administration (HRSA) are here; employees at the National Institutes of Health (NIH) can learn the steps by consulting this document (PDF). The process for getting this information on current and former UCLA employees is spelled out here. There are countless other examples that are easy to find with a simple Internet search.

Many readers probably consider their current and former salaries to be very private information, but as we can see this data is easily available on a broad spectrum of the working population in America today. The information needed to obtain it has been widely compromised in thousands of data breaches over the past few years, and the SSN and DOB on most Americans is for sale in a variety of places online. In short, if you can get these details from Equifax’s online service, so can anyone else.

Fortunately, you can reduce the likelihood that an acquaintance, co-worker, stalker or anyone else can do this by claiming your own account, changing the PIN and selecting a half-dozen security questions and answers. As always, it’s best not to answer these questions truthfully, but to input answers that only you will know and that can’t be found using social networking sites or other public data sources.

I could see this service potentially helping to create a toxic workplace environment because it offers a relatively simple method for employees to glean data about the salaries of their co-workers and bosses. While some people believe that companies should be more transparent about employee salaries, this data in the wrong hands very often generates a great deal of resentment and hostility among co-workers.

Employers who use The Work Number should strongly consider changing as many defaults as possible, and truly implementing the service’s enhanced authentication features.

October is National Cybersecurity Awareness Month, and as such KrebsOnSecurity will continue pointing readers to similar services that let anyone access your personal data armed with little more than static identifiers about you that should no longer be considered private. Although some readers may take issue with my pointing these out — reasoning that I’m only making it easier for bad people to do bad things — it’s important to understand that knowledge is half the battle: Planting your flag before someone else does is usually the only way to keep others from abusing such services to expose your personal information.

Related reading:

USPS ‘Informed Delivery’ is Stalker’s Dream
Student Aid Tool Held Key for Tax Fraudsters
Sign Up at IRS.gov Before Crooks Do It For You
Crooks Hijack Retirement Funds via SSA Portal
Social Security Administration Now Requires Two-Factor Authentication
SSA: Ixnay on txt msg reqmnt 4 e-acct, sry

Read the whole story
11 days ago
Share this story
2 public comments
8 days ago
theworknumber has been down for "maintenance" since the weekend, and of course this happens when i actually need to get data from it
Dallas, Texas
12 days ago
Really, people? Sigh.
Central Indiana

Remembrance of blogs past

1 Share

A week or two ago, this old post of mine got linked on Hacker News. I learned about it on Twitter a day or two later and saw it had been given a short flurry of attention.

Tweets via Hacker News

This happens every year or so, either on Hacker News or some forum on Reddit. The post recounts a story from the mid-80s in which Don Knuth wrote an article/program in the literate programming style and Doug McIlroy wrote a literary-style critique of it. The story seems to interest young programmers with strong opinions, i.e., the kind of people who hang out at Hacker News and Reddit.

Whenever I see this happen, I don’t think about the post or the story behind it. I think about the first time it got attention, which was just a few days after it was written in December 2011, and how I came to learn about it.

I was sitting in a small room in the Edward Cancer Center. It was my wife’s first day of chemotherapy. We had been told this initial session would take longer than normal, and we should bring books, magazines, iPods, computers—whatever we needed to keep ourselves occupied for the full morning and into the afternoon. Janet had some magazines and her iPad; I had my MacBook Air—the same one I still have, but it was only a year old back then.

Her mastectomy had been in early November—the sixth anniversary is coming up—and her oncologist wanted her past the worst effects of that before starting the chemo. The session did last a long time, as promised, but it went pretty smoothly. Easy for me to say, I suppose, but I think she’d agree, because she had recovered well from the surgery and she hadn’t had any chemo before. It wasn’t until the next day, when she started the cycle of drugs taken to counteract the side effects of other drugs—what I likened to The House That Jack Built—that she began to feel rotten.

This is the Taxotere and Cytoxan, which prevent the return of the tumor.

This is the Neulasta, which stimulates the production of white blood cells, which were killed by the Taxotere and Cytoxan, which prevent the return of the tumor.

This is the steroid, which dulls the bone pain caused by the Neulasta, which stimulates the production of white blood cells, which were killed by the Taxotere and Cytoxan, which prevent the return of the tumor.

This is the laxative, which alleviates the constipation, which was caused by the steroid, which dulls the bone pain caused by the Neulasta, which stimulates the production of white blood cells, which were killed by the Taxotere and Cytoxan, which prevent the return of the tumor.

But as we sat in the little room, that was still in the future. She read and surfed the web; I sent some emails and checked Google Analytics to what kind of traffic ANIAT had been seeing. My timing must have almost perfect. Not only were the GA numbers way too high for a post that hadn’t been Fireballed, they were increasing significantly in real time. After a quick check on the referrers, I realized I was getting traffic from both Hacker News and Reddit, which both had active arguments going on about the post with many disparaging comments about me. I can’t remember a time when I’ve cared so little about being criticized so much.

Every time my Knuth/McIlroy post gets renewed attention on Hacker News or Reddit, I’m back in that little room.

After the first visit, Janet took her treatments out in the Cancer Center’s big open area with a wall of windows that overlooked a pond. The sessions didn’t last as long, but they were harder because now she knew what was coming. They were always scheduled for late morning/early afternoon, so I’d get us lunch at Jimmy John’s and we’d eat and look out at the winter as the poisons dripped into her arm.

I just realized, looking back at that last paragraph, that this sounds like it’s going in a dark direction. Sorry about that. Janet’s still here and cancer-free. Although breast cancers like hers can return years later, there’s been no sign that hers will.

Dark memories, though, are hard to avoid, regardless of how things have turned out. Some triggers are obvious, like when I visit a doctor in the building next to the Cancer Center. But some, like seeing a link on Hacker News, are based on odd coincidences that manage to form strong associations.

Steve Jobs’s death, for example, hit us both very hard because it happened during that horrible limbo period between Janet’s diagnosis and mastectomy. His cancer and hers became linked in our minds, and I remember us both crying so much that day. Even today, the connection is there. I found the tribute to Steve during the Apple Event a couple of weeks ago difficult to watch, and I expect the stories next week on the sixth anniversary of his death will bring on the same feelings.

[If the formatting looks odd in your feed reader, visit the original article]

Read the whole story
21 days ago
Share this story

Why Is Cisco Pushing LISP in Enterprise Campus?


I got several questions along the lines of “why is Cisco pushing LISP instead of using EVPN in VXLAN-based Enterprise campus solutions?”

Honestly, I’m wondering that myself (and maybe I’ll get the answer in a few days @ NFD16). However, let’s start at the very beginning…

Read more ...
Read the whole story
38 days ago
I've been asking this same thing without good responses.
Share this story
1 public comment
39 days ago
"Long story short: ask yourself whether you really need large VLANs or whether you need a simpler IP network and smart apps (and as I said, do report your findings in the comments)."

Yes! Though if you walk into a new role and all you have are VLANS and VRFs everywhere, it takes time to get out of it... And probably some bumps along the way that everyone questions which takes more time.
Atlanta, GA
39 days ago
So much truth here.

Adobe Flash’s Days Are Officially Numbered

1 Share

Adobe announced today that it has set the end-of-life date for Flash, its popular technology for displaying animations and other multimedia on the web.

Adobe is planning to end-of-life Flash. Specifically, we will stop updating and distributing the Flash Player at the end of 2020 and encourage content creators to migrate any existing Flash content to these new open formats.

Apple has a long and storied history with Adobe and, more pointedly, Flash. When the first iPhone launched ten years ago, one of the chief controversies at the time surrounded the fact that Safari on iPhone OS did not support Flash, and Steve Jobs made it clear that it would not support Flash.

This stance grew into more of a sticking point for prospective consumers in 2010 when Apple’s new tablet, the iPad, did not support Flash either. Sparked by the newly revised controversy, Jobs laid out his thoughts on the issue in a piece simply titled “Thoughts on Flash.” His closing words predicted the technology could not survive in an increasingly mobile-first landscape.

Flash was created during the PC era – for PCs and mice...New open standards created in the mobile era, such as HTML5, will win on mobile devices (and PCs too). Perhaps Adobe should focus more on creating great HTML5 tools for the future, and less on criticizing Apple for leaving the past behind.

→ Source: blogs.adobe.com

Read the whole story
87 days ago
Share this story

★ Public Service Announcement: You Should Not Force Quit Apps on iOS

6 Comments and 12 Shares

The single biggest misconception about iOS is that it’s good digital hygiene to force quit apps that you aren’t using. The idea is that apps in the background are locking up unnecessary RAM and consuming unnecessary CPU cycles, thus hurting performance and wasting battery life.

That’s not how iOS works. The iOS system is designed so that none of the above justifications for force quitting are true. Apps in the background are effectively “frozen”, severely limiting what they can do in the background and freeing up the RAM they were using. iOS is really, really good at this. It is so good at this that unfreezing a frozen app takes up way less CPU (and energy) than relaunching an app that had been force quit. Not only does force quitting your apps not help, it actually hurts. Your battery life will be worse and it will take much longer to switch apps if you force quit apps in the background.

Here’s a short and sweet answer from Craig Federighi, in response to an email from a customer asking if he force quits apps and whether doing so preserves battery life: “No and no.”

Just in case you don’t believe Apple’s senior vice president for software, here are some other articles pointing out how this habit is actually detrimental to iPhone battery life:

This thing about force quitting apps in the background is such a pernicious myth that I’ve heard numerous stories from DF readers about Apple Store Genius Bar staff recommending it to customers. Those “geniuses” are anything but geniuses.

It occurs to me that one of the best examples proving that this notion is wrong (at least in terms of performance) are YouTube “speed test” benchmarks. There’s an entire genre of YouTube videos devoted to benchmarking new phones by running them through a series of apps and CPU-intensive tasks repeatedly, going through the loop twice. Once from a cold boot and the second time immediately after the first first loop. Here’s a perfect example, pitting a Samsung Galaxy S8 against an iPhone 7 Plus. Note that no apps are manually force quit on either device. The iPhone easily wins on the first loop, but where the iPhone really shines is on the second loop. The S8 has to relaunch all (or at least almost all) of the apps, because Android has forced them to quit while in the background to reclaim the RAM they were using. On the iPhone, all (or nearly all) of the apps re-animate almost instantly.

In fact, apps frozen in the background on iOS unfreeze so quickly that I think it actually helps perpetuate the myth that you should force quit them: if you’re worried that background apps are draining your battery and you see how quickly they load from the background, it’s a reasonable assumption to believe that they never stopped running. But they do. They really do get frozen, the RAM they were using really does get reclaimed by the system, and they really do unfreeze and come back to life that quickly.1

An awful lot of very hard work went into making iOS work like this. It’s a huge technical advantage that iOS holds over Android. And every iPhone user in the world who habitually force quits background apps manually is wasting all of the effort that went into this while simultaneously wasting their own device’s battery life and making everything slower for themselves.

This pernicious myth is longstanding and seemingly will not die. I wrote about at length back in 2012:

Like with any voodoo, there are die-hard believers. I’m quite certain that I am going to receive email from people who will swear up-and-down that emptying this list of used applications every hour or so keeps their iPhone running better than it would otherwise. Nonsense.

As Fraser mentions, yes, there are exceptional situations where an app with background privileges can get stuck, and you need to kill that app. The argument here is not that you should never have to kill any app using the multitasking switcher — the argument is that you don’t need to do it on a regular basis, and you’re not making anything “better” by clearing the list. Shame on the “geniuses” who are peddling this advice.

And don’t even get me started on people who completely power down their iPhones while putting them back into their pockets or purses.

  1. The other contributing factor to believing that force quitting is good for your iPhone are the handful of apps that have been found to be repeated abusers of loopholes in iOS, such that they really do continue running in the background, wasting battery life. Most infamously, Facebook was caught playing silent audio tracks in the background to take advantage of APIs that allow audio-playing apps to play audio from the background. They called it a “bug”. In those cases force-quitting the apps really did help, and I see no reason to trust Facebook. So if you want to keep force quitting Facebook, go right ahead. But don’t let one bad app spoil the whole barrel. The Battery section in the iOS Settings app can show you which apps are actually consuming energy in the background — tap the clock icon under “Battery Usage” and don’t force quit any app that isn’t a genuine culprit. ↩︎

Read the whole story
91 days ago
92 days ago
Share this story
5 public comments
67 days ago
Good point.
89 days ago
IOS really sucks.
89 days ago
Noted! well we are all just clueless idiots I guess bc nobody ever told me that I should just leave my 800+ apps running and my phone will be better for it!
Nob Hill, San Francisco
88 days ago
Well, most of us come from a background of operating systems where *we* the users are expected to think about how the *software* should operate and handle memory. That's backwards, and yet we take a long time to be comfortable with the idea that an operating system should be mature and sophisticated enough to handle the "background" logistics. :-)
92 days ago
While it might be correct that you don't need to force quit apps or power down your phone or whatever. The bigger problem here, to me, is the people who feel the need to tell other people that they're using the device wrong. It's my device, I'll use it how I want, no matter what you say.

Quit wasting time writing the you're using your device wrong stories.
92 days ago
There's two sides to this, isn't it. There's one group of people who do things thinking "this helps me with whatever". With this, you can demonstrate that their actions don't achieve their goals, and then they change their actions. The other group of people are different. For example, they might choose to open Safari, type "google" into the search bar, click the first link to "google.com", type into the search bar in google, and *then* see their actual search results. You might show them there's a better way, and they might say, "well this is my phone, and I'll use it how I want, no matter what you say". Well, they're right, and in that case, you just walk away knowing they're idiots. But it doesn't mean you stop showing other people that there is indeed a better way. :-)
91 days ago
I have no problem being told I'm doing something wrong and could be doing it in a way that's better and easier, but I guess you do? That's unfortunate, but don't worry: Nobody will ever force you to be rational. You can use the device however you like. Just don't be surprised when there's people pointing out it's not only unhelpful but actually counter productive. And try not to get angry; they have every right to talk about such things.
91 days ago
Congratulations everyone, we've "Well, actually" on the internet. That's just as good as the 'you're doing it wrong' article.
91 days ago
And congratulations, jhamill, for being an ignorant and aggressive asshole.
91 days ago
Sure, okay @tewha I'm not the one calling people assholes on the internet but, you do you.
93 days ago
The one app I do force quit regularly is Waze, because if you don't it continuously monitors your location even when you're not driving or using it.

iOS 11 makes that much more clear with a giant blue bar at the top of the screen 'Waze is using your location', which miraculously goes away after I punt Waze.

But otherwise, Gruber is completely correct.
Cupertino, CA
90 days ago
Go go settings ➡️ privacy ➡️ location services, and set it to only have access when you are using the app?
87 days ago
The problem with that is, when I'm actually navigating, I may be using other apps (to play music, for example). If I have Waze only use location services when the app is in the foreground, it isn't going to work well. Like tdnox, I force-quit Waze when I'm done with it.

1Password wants you to sync via the cloud, but won't force you


Over the weekend it seems that there was an uproar about the future of 1Password, despite a seeming lack of new news on the subject. Lorenzo Franceschi-Bicchierai summarizes at Motherboard:

In the last few years, 1Password has become a favorite for hackers and security researchers who often recommend it above all other alternatives… Last weekend, though, several security researchers tweeted that 1Password was moving away from allowing people to pay for a one-time license and have local password vaults, in favor of its cloud-based alternative that requires a monthly subscription.

It seems to me that there’s some conflation going on here. As with so many software products that mix mobile and desktop and cloud, 1Password’s publisher decided that the way forward for the product was to create a subscription package1. When you subscribe to 1Password, you also get access to 1Password’s new cloud syncing service.

1Password believes—correctly, in my opinion—that for most users, a built-in cloud sync service designed specifically for 1Password is going to be a better option than using another cloud service like iCloud or Dropbox, which 1Password has supported for quite a while. 1Password is quite open about how its security is designed, including the fact that the decryption key for your passwords is never synced with the cloud, so even if a hacker were to penetrate 1Password’s security and get your online vaults, all they’d get access to is doubly-encrypted garbage.

Judging some of the Twitter threads I read today, what’s really happening is that some people simply hate the idea of software subscriptions and are sowing fear over 1Password’s security and local file syncing as a way of lashing out.

While Kate Sebald of AgileBits told me today that 1Password’s sync service is actually more secure that syncing a local vault via Dropbox or iCloud, it would have been a whole lot harder for AgileBits to convert users to a subscription model without a cloud-syncing service. Countless software companies have realized that offering ongoing subscription fees, integrated cloud services, and mobile-device syncing in a package is the best way to generate a sustainable revenue stream. I pay an annual fee for Office 365 and Adobe Photoshop and, quite frankly, they’re worth it. (And yes, both of those subscriptions include desktop, mobile, and cloud features.) Is 1Password worth $36/year (or $59/year for a family)? I think so, but your mileage may vary.

Still, AgileBits knows that a (loud, angry) portion of its customer base hates software subscriptions. A senior AgileBits person told me via email today that while it would have been much easier for the company to make 1Password a subscription-only product years ago, it has instead done extra work to allow both models to coexist.

As for using local storage for 1Password vaults: Sebald emphasized that the company will “go to great lengths to preserve [the] choice to use local vaults, even if we are encouraging new users to make a different choice.”

In other words: AgileBits is building a cloud service that it feels is safe, secure, and convenient for the vast majority of its users. But 1Password still supports local storage, too—and it seems like it will do so for the foreseeable future2. The app isn’t going to force you to sync your passwords via its cloud service if you don’t want to. However, in terms of what the company communicates to its user base and recommends to new users, that’s going to be focused on using the 1Password.com sync service rather than local vaults, and the company is building new features like Travel Mode around the sync service.

  1. An AgileBits engineer insists that the need to add features via a cloud service motivated the decision. Could be. But selling upgrades can be difficult, especially once cloud services and mobile apps get thrown into the mix. ↩

  2. Windows version 6 does not support local vaults, but version 4 still works. Still, this does show that AgileBits is not prioritizing local vault features. ↩

Read the whole story
100 days ago
Share this story
Next Page of Stories