(Krebs On Security) An online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: "admin/admin" (krebsonsecurity.com)

More: Facepalm, Credit score, Equifax, Equifax Argentina employee, Credit rating, Fair Credit Reporting Act, Hold Security, Credit history, Equifax employees

2615 clicks; posted to Main » on 13 Sep 2017 at 1:14 PM (13 weeks ago)



72 Comments

 
2017-09-13 09:34:33 AM  
I want you to imagine something, subby. I want you to imagine that you're employed. At your job, every time you start to do something, a wiry, wild-eyed man leaps out of some hidden corner or from behind a file cabinet and shouts at you: NO, NO YOU'RE DOING IT WRONG. YOU HAVE TO FOLLOW THESE RULES TO DO THAT. START OVER. You go to file a report: WRONG, WRONG, WRONG. You try to dial into a WebEx: THAT'S NOT HOW IT NEEDS TO BE DONE. You raise your hand to contribute at a meeting: IF YOU DO IT LIKE THAT AGAIN YOU'RE FIRED.

How long do you think it would be before you cracked? Before you began to suffer serious traumatic side-effects? Lack of sleep, loss of confidence, a flinch reaction to the sight of anyone reminding you of your tormentor. You'd become a twitchy, nervous wreck. And you'd have two options: quit, which you can't do because you need the job, or go to HR and see if they could help you, maybe lessen the oversight. Obviously, you'd go to HR.

Well, this is what life has been like for Equifax, only instead of a wiry, wild-eyed supervisor they've got oppressive government regulations. It's probably not much of an exaggeration to say that they're in one of the most over-regulated businesses on Earth. Everything they do, regulation. So with you it was just one person being emotionally abused for merely trying to do his job; with Experian (and their sister companies) it's an entire industry. Trying to find ways to augment revenue streams using customer data? WRONG WRONG YOU CAN'T DO THAT START OVER. Adding customer-friendly packages to monetize their own access to their credit reports: THAT'S NOT HOW YOU DO THAT YOU'RE WRONG AGAIN. Over and over, day in and day out. The entire industry by this point is almost certainly in a deep state of psychological trauma, and now you're going to ask them why they didn't change a password? That's like asking an abused wife why she didn't hide her husband's belts.

And here's the thing, the great irony: They were trying to make things better. Meekly, humbly, Experian had sent a few of its staff to Washington to beg, nay to plead with their lawmakers to intervene, to do something about the regulations that were so traumatizing their staff and paralyzing their work. They were trying to make things better, trying to improve their lot in life. But you couldn't let that happen, could you? You just couldn't let that happen.

One day, subby, Experian and companies like it are going to be pushed too far. They're going to crack, and we'll be looking at not just some accidental inconveniences to their customers, but the real possibility of, at best, serious long-term self esteem issues and the real likelihood of significant self-harm. I just wonder how you'll live with yourself when that happens. I really do.
 
vpb [TotalFark]
2017-09-13 09:57:21 AM  

Pocket Ninja: I want you to imagine something, subby. I want you to imagine that you're employed. At your job, every time you start to do something, a wiry, wild-eyed man leaps out of some hidden corner or from behind a file cabinet and shouts at you: NO, NO YOU'RE DOING IT WRONG. YOU HAVE TO FOLLOW THESE RULES TO DO THAT. START OVER. You go to file a report: WRONG, WRONG, WRONG. You try to dial into a WebEx: THAT'S NOT HOW IT NEEDS TO BE DONE. You raise your hand to contribute at a meeting: IF YOU DO IT LIKE THAT AGAIN YOU'RE FIRED.

And here's the thing, the great irony: They were trying to mak ...


That's pretty good.
 
2017-09-13 10:22:34 AM  
Equifax has offices in Argentina? The more you know.

This is an entire country that would have trouble passing a credit check.
 
2017-09-13 10:54:45 AM  
Their offices are incredibly secure, with cameras everywhere...
[image]

D'OH!
 
2017-09-13 10:57:27 AM  
I literally just taught in my security class about not sending private data out over the web in hidden fields 5 days ago.  This is hysterical.
 
2017-09-13 11:36:52 AM  
[image]
 
2017-09-13 12:10:03 PM  
I wouldn't be surprised if the admin/admin thing was how "hackers" got into the system here in the US.
 
2017-09-13 12:20:02 PM  
*Changes password to "Admin1"*
 
2017-09-13 01:18:24 PM  
I'm perfectly secure. My password for everything is Pa55w0rd.
 
2017-09-13 01:19:39 PM  
What a dumpster fire of a company. I hope by next year they are gone and it would be nice for some kind of consumer protections in place, bwhahahahahahahaha.
 
2017-09-13 01:20:36 PM  
They should change their password to WTF/SMDH
 
2017-09-13 01:21:46 PM  

Pocket Ninja: I want you to imagine something, subby. I want you to imagine that you're employed. At your job, every time you start to do something, a wiry, wild-eyed man leaps out of some hidden corner or from behind a file cabinet and shouts at you: NO, NO YOU'RE DOING IT WRONG. YOU HAVE TO FOLLOW THESE RULES TO DO THAT. START OVER. You go to file a report: WRONG, WRONG, WRONG. You try to dial into a WebEx: THAT'S NOT HOW IT NEEDS TO BE DONE. You raise your hand to contribute at a meeting: IF YOU DO IT LIKE THAT AGAIN YOU'RE FIRED.

How long do you think it would be before you cracked? Before you began to suffer serious traumatic side-effects? Lack of sleep, loss of confidence, a flinch reaction to the sight of anyone reminding you of your tormentor. You'd become a twitchy, nervous wreck. And you'd have two options: quit, which you can't do because you need the job, or go to HR and see if they could help you, maybe lessen the oversight. Obviously, you'd go to HR.

Well, this is what life has been like for Equifax, only instead of a wiry, wild-eyed supervisor they've got oppressive government regulations. It's probably not much of an exaggeration to say that they're in one of the most over-regulated businesses on Earth. Everything they do, regulation. So with you it was just one person being emotionally abused for merely trying to do his job; with Experian (and their sister companies) it's an entire industry. Trying to find ways to augment revenue streams using customer data? WRONG WRONG YOU CAN'T DO THAT START OVER. Adding customer-friendly packages to monetize their own access to their credit reports: THAT'S NOT HOW YOU DO THAT YOU'RE WRONG AGAIN. Over and over, day in and day out. The entire industry by this point is almost certainly in a deep state of psychological trauma, and now you're going to ask them why they didn't change a password? That's like asking an abused wife why she didn't hide her husband's belts.

And here's the thing, the great irony: They were trying to make things better. Meekly, humbly, Experian had sent a few of its staff to Washington to beg, nay to plead with their lawmakers to intervene, to do something about the regulations that were so traumatizing their staff and paralyzing their work. They were trying to make things better, trying to improve their lot in life. But you couldn't let that happen, could you? You just couldn't let that happen.

One day, subby, Experian and companies like it are going to be pushed too far. They're going to crack, and we'll be looking at not just some accidental inconveniences to their customers, but the real possibility of, at best, serious long-term self esteem issues and the real likelihood of significant self-harm. I just wonder how you'll live with yourself when that happens. I really do.


Then they'll take our credit scores with them to Galt's Gulch.
 
2017-09-13 01:21:51 PM  
[image]
 
2017-09-13 01:22:38 PM  
00000000
 
2017-09-13 01:22:53 PM  
I once "hacked" a system using admin/admin.  I told the developer of the site (we were on the same programming language mailing list), who was STUNNED that I was able to figure that out.
 
2017-09-13 01:23:00 PM  
Ahhhh   The good old days.  If you had access to the server room, then you could just log in to the rconsole that was always open.  The AS400's userid/password was qsysopr/qsysopr and DSP01 was an unlocked dumb tube.  Uh, sorry.  Unlocked Different Skill-Set Tube.

/One server room had a propped open back door that opened to a hall that went to the loading dock
 
2017-09-13 01:24:25 PM  
That's why I make my password an incomprehensible mishmash of random letters, symbols, and numerals at least 20 characters long.

I keep it written down on a post-it note in my desk drawer if I ever forget it.
 
2017-09-13 01:26:16 PM  
In a civilized world, this kind of negligence would be considered criminal.
 
2017-09-13 01:27:21 PM  
I was going to suggest going the torches and pitchforks route but I don't think anyone wants to risk being associated with the tiki-torch bigots from Charlottesville.

What would Tyler Durden do?
 
2017-09-13 01:29:28 PM  

FortyHams: *Changes password to "Admin1"*


And a "!"

That will really trip everyone up
 
2017-09-13 01:32:48 PM  

Pocket Ninja: I want you to imagine something, subby. I want you to imagine that you're employed. At your job, every time you start to do something, a wiry, wild-eyed man leaps out of some hidden corner or from behind a file cabinet and shouts at you: NO, NO YOU'RE DOING IT WRONG. YOU HAVE TO FOLLOW THESE RULES TO DO THAT. START OVER. You go to file a report: WRONG, WRONG, WRONG. You try to dial into a WebEx: THAT'S NOT HOW IT NEEDS TO BE DONE. You raise your hand to contribute at a meeting: IF YOU DO IT LIKE THAT AGAIN YOU'RE FIRED.

How long do you think it would be before you cracked? Before you began to suffer serious traumatic side-effects? Lack of sleep, loss of confidence, a flinch reaction to the sight of anyone reminding you of your tormentor. You'd become a twitchy, nervous wreck. And you'd have two options: quit, which you can't do because you need the job, or go to HR and see if they could help you, maybe lessen the oversight. Obviously, you'd go to HR.

Well, this is what life has been like for Equifax, only instead of a wiry, wild-eyed supervisor they've got oppressive government regulations. It's probably not much of an exaggeration to say that they're in one of the most over-regulated businesses on Earth. Everything they do, regulation. So with you it was just one person being emotionally abused for merely trying to do his job; with Experian (and their sister companies) it's an entire industry. Trying to find ways to augment revenue streams using customer data? WRONG WRONG YOU CAN'T DO THAT START OVER. Adding customer-friendly packages to monetize their own access to their credit reports: THAT'S NOT HOW YOU DO THAT YOU'RE WRONG AGAIN. Over and over, day in and day out. The entire industry by this point is almost certainly in a deep state of psychological trauma, and now you're going to ask them why they didn't change a password? That's like asking an abused wife why she didn't hide her husband's belts.

And here's the thing, the great irony: They were trying to mak ...


[image]
 
2017-09-13 01:33:47 PM  
Burn them to the farking ground!!!
 
2017-09-13 01:34:21 PM  

Subtonic: That's why I make my password an incomprehensible mishmash of random letters, symbols, and numerals at least 20 characters long.

I keep it written down on a post-it note in my desk drawer if I ever forget it.


[image]
 
2017-09-13 01:35:04 PM  

Pocket Ninja: I want you to imagine something, subby. I want you to imagine that you're employed. At your job, every time you start to do something, a wiry, wild-eyed man leaps out of some hidden corner or from behind a file cabinet and shouts at you: NO, NO YOU'RE DOING IT WRONG. YOU HAVE TO FOLLOW THESE RULES TO DO THAT. START OVER. You go to file a report: WRONG, WRONG, WRONG. You try to dial into a WebEx: THAT'S NOT HOW IT NEEDS TO BE DONE. You raise your hand to contribute at a meeting: IF YOU DO IT LIKE THAT AGAIN YOU'RE FIRED.

How long do you think it would be before you cracked? Before you began to suffer serious traumatic side-effects? Lack of sleep, loss of confidence, a flinch reaction to the sight of anyone reminding you of your tormentor. You'd become a twitchy, nervous wreck. And you'd have two options: quit, which you can't do because you need the job, or go to HR and see if they could help you, maybe lessen the oversight. Obviously, you'd go to HR.


Please come take your surveillance camera out of my office.

Thanks...
 
2017-09-13 01:35:14 PM  
[image]
 
2017-09-13 01:36:26 PM  

ifky: FortyHams: *Changes password to "Admin1"*

And a "!"

That will really trip everyone up


No no.  Some systems won't let you use special characters so use "sysadmin" instead.  That'll do it.
 
2017-09-13 01:36:30 PM  
To enter my password, I must solve a series of riddles, all covering dark secrets of my past I had assumed were long forgotten, but must now reckon with, at peril to my psyche. Only then will my soul be prepared to do battle with the terrible ancient beast that sleeps and dreams beneath the surface of the ever-living earth, my sword piercing its acid heart, its thrashing limbs destroying untold acres of the dead countryside. All so I can remove its wicked skull, and hear it whisper to me my 16-bit authentication key.
 
2017-09-13 01:37:11 PM  
Who would have expected to try an English username in Argentina?
 
2017-09-13 01:37:22 PM  

Madman drummers bummers: I'm perfectly secure. My password for everything is Pa55w0rd.


Mine's bosco
 
2017-09-13 01:37:58 PM  
[image]
 
2017-09-13 01:41:18 PM  
I'm starting to think that these guys may have been negligent. I think some tax cuts could encourage them to improve.
 
2017-09-13 01:41:54 PM  

Madman drummers bummers: I'm perfectly secure. My password for everything is Pa55w0rd.


Silly human, you should be adding a special character.

P@55w0rd

See? Much more secure. NO ONE will think of that one because it has a special character in it.
 
2017-09-13 01:42:40 PM  

FortyHams: *Changes password to "Admin1"*


@dm!n
 
2017-09-13 01:42:43 PM  

Subtonic: That's why I make my password an incomprehensible mishmash of random letters, symbols, and numerals at least 20 characters long.

I keep it written down on a post-it note in my desk drawer if I ever forget it.


You do not even know how many "security experts" I've had that argument with when they try to tell me their stupid ass "password rules" are making things more secure.
 
2017-09-13 01:43:58 PM  

Subtonic: That's why I make my password an incomprehensible mishmash of random letters, symbols, and numerals at least 20 characters long.

I keep it written down on a post-it note in my desk drawer if I ever forget it.


When I have to work on someone's computer you would be surprised at how many people have a shiat printed and thumb tacked to the board of all their usernames and passwords.  I had to have my boss tell the 2nd in command person that leaving a list of all usernames and passwords and URLs printed out and laying next to their monitor was a horrible idea and thing to do.
 
2017-09-13 01:55:26 PM  
I told them to use admin/password.......those fools.
 
2017-09-13 01:57:28 PM  

Extra Virgin Geek Olive Oil: Madman drummers bummers: I'm perfectly secure. My password for everything is Pa55w0rd.

Silly human, you should be adding a special character.

P@55w0rd

See? Much more secure. NO ONE will think of that one because it has a special character in it.


Thou art truly teh l33t35t of teh h@XXors.
 
2017-09-13 01:58:26 PM  

Arkanaut: Extra Virgin Geek Olive Oil: Madman drummers bummers: I'm perfectly secure. My password for everything is Pa55w0rd.

Silly human, you should be adding a special character.

P@55w0rd

See? Much more secure. NO ONE will think of that one because it has a special character in it.

Thou art truly teh l33t35t of teh h@XXors.


Pa66w1rd
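The running joke in the thread (Pa55w0rd, P@55w0rd, @dm!n, Admin1!) is the reason composition rules on their own do not help: the substitutions are so common that a checker should undo them before comparing against a list of known-bad passwords. The following is an added example, not code from the thread or from Equifax; the denylist is a small constructed sample standing in for a real breached-password corpus, and the substitution table is an assumption covering the variants the thread mentions.

```python
"""Added example: reject passwords that are dictionary/default words once
common leet substitutions and trailing digits or symbols are removed.
Not code from the thread; DENYLIST is a constructed sample."""

# Constructed sample denylist. A real deployment would check against a large
# list of breached and common passwords instead of this handful.
DENYLIST = {"password", "admin", "sysadmin", "qwerty", "letmein", "welcome", "bosco"}

# Assumed substitution table covering the variants seen in the thread.
LEET = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "|": "i",
    "0": "o", "5": "s", "$": "s", "7": "t", "+": "t",
})

# Characters people bolt onto the end to satisfy "must contain a digit/symbol".
TRAILING_JUNK = "0123456789!@#$%^&*.?"


def normalize(password: str) -> str:
    """Fold case, strip the trailing digit/symbol suffix, then undo leet
    substitutions, so 'Admin1!' and 'P@55w0rd' collapse to 'admin' and 'password'."""
    folded = password.casefold().rstrip(TRAILING_JUNK)
    return folded.translate(LEET)


def is_denylisted(password: str) -> bool:
    """True when the normalised form is a known-bad password."""
    return normalize(password) in DENYLIST


def check_password(username: str, password: str, min_len: int = 12) -> list[str]:
    """Return the reasons a candidate password is rejected; an empty list means
    it passed. Length and denylist checks replace composition rules."""
    reasons = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if is_denylisted(password):
        reasons.append("matches a known-bad password after normalisation")
    if username and normalize(username) == normalize(password):
        reasons.append("same as the username (admin/admin style)")
    return reasons


if __name__ == "__main__":
    for candidate in ("Pa55w0rd", "P@55w0rd", "@dm!n", "Admin1!", "Pa66w1rd"):
        print(f"{candidate:10} -> {normalize(candidate):10} denylisted={is_denylisted(candidate)}")
    print(check_password("admin", "admin"))
```

Normalising before the lookup is what makes the check useful: the raw strings "Pa55w0rd" and "P@55w0rd" would never match a plain word list, but both reduce to "password". The trailing-junk strip runs before the leet translation so that a suffix like "1!" is dropped rather than being mapped to letters.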
 
2017-09-13 01:59:59 PM  
I just pulled a code sample that stored credentials in clear text, in strings, from our docs, so I'm getting a kick...
 
2017-09-13 02:02:55 PM  

genner: I told them to use admin/password.......those fools.


You should have made it password/admin to really trip them up.
 
2017-09-13 02:05:30 PM  

Pocket Ninja: I want you to imagine something, subby. I want you to imagine that you're employed. At your job, every time you start to do something, a wiry, wild-eyed man leaps out of some hidden corner or from behind a file cabinet and shouts at you: NO, NO YOU'RE DOING IT WRONG. YOU HAVE TO FOLLOW THESE RULES TO DO THAT. START OVER. You go to file a report: WRONG, WRONG, WRONG. You try to dial into a WebEx: THAT'S NOT HOW IT NEEDS TO BE DONE. You raise your hand to contribute at a meeting: IF YOU DO IT LIKE THAT AGAIN YOU'RE FIRED.

How long do you think it would be before you cracked? Before you began to suffer serious traumatic side-effects? Lack of sleep, loss of confidence, a flinch reaction to the sight of anyone reminding you of your tormentor. You'd become a twitchy, nervous wreck. And you'd have two options: quit, which you can't do because you need the job, or go to HR and see if they could help you, maybe lessen the oversight. Obviously, you'd go to HR.

Well, this is what life has been like for Equifax, only instead of a wiry, wild-eyed supervisor they've got oppressive government regulations. It's probably not much of an exaggeration to say that they're in one of the most over-regulated businesses on Earth. Everything they do, regulation. So with you it was just one person being emotionally abused for merely trying to do his job; with Experian (and their sister companies) it's an entire industry. Trying to find ways to augment revenue streams using customer data? WRONG WRONG YOU CAN'T DO THAT START OVER. Adding customer-friendly packages to monetize their own access to their credit reports: THAT'S NOT HOW YOU DO THAT YOU'RE WRONG AGAIN. Over and over, day in and day out. The entire industry by this point is almost certainly in a deep state of psychological trauma, and now you're going to ask them why they didn't change a password? That's like asking an abused wife why she didn't hide her husband's belts.

And here's the thing, the great irony: They were trying to mak ...


tl;dr
 
2017-09-13 02:05:47 PM  
Is anybody really surprised by this?  This is a company who selected someone with degrees in music composition as their chief security officer.
 
2017-09-13 02:07:03 PM  

MBooda: [img.fark.net image 500x148]


I've seen people do exactly that, when setting up accounts. They never remember.
 
2017-09-13 02:08:48 PM  

fragMasterFlash: I was going to suggest going the torches and pitchforks route but I don't think anyone wants to risk being associated with the tiki-torch bigots from Charlottesville.

What would Tyler Durden do?


Yankee Candles attached to Swiffers
 
2017-09-13 02:14:46 PM  

UsikFark: Arkanaut: Extra Virgin Geek Olive Oil: Madman drummers bummers: I'm perfectly secure. My password for everything is Pa55w0rd.

Silly human, you should be adding a special character.

P@55w0rd

See? Much more secure. NO ONE will think of that one because it has a special character in it.

Thou art truly teh l33t35t of teh h@XXors.

Pa66w1rd


Mind = blown
 
2017-09-13 02:14:47 PM  

rwhamann: I literally just taught in my security class about not sending private data out over the web in hidden fields 5 days ago. This is hysterical.


This is basic .com era web development knowledge, right up there with not doing all of your form validation with JavaScript and making sure you sanitize user input.

// at this point, I'm fairly certain that there's a bobby tables problem in their systems too.

groppet: What a dumpster fire of a company. I hope by next year they are gone and it would be nice for some kind of consumer protections in place, bwhahahahahahahaha.


One thing that needs to come out of this is that credit freezes need to be cost-free permanently.

These credit reporting agencies gather data that many people never willingly gave them, have a service that many people never directly used, and they have the gall to charge people in order to protect themselves to lock down said data.

// I just tried to figure out how much a credit freeze currently costs (just did a google search and picked the first agency).

[image]


// also, what's up with that stock image
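The two rules lordargent lists (do not trust hidden form fields or client-side validation; handle user input so a "Bobby Tables" string cannot alter a query) look like this when done correctly. This is an added example, not code from the thread, from Equifax, or from the portal in the article: a constructed in-memory SQLite table stands in for a dispute database, and the form-handling function and field names are assumptions for illustration.

```python
"""Added example: server-side handling of a dispute-management form.
Constructed sample data; not code from the thread or from Equifax."""
import sqlite3

ALLOWED_STATUS = {"open", "closed"}


def make_db() -> sqlite3.Connection:
    """Build a constructed sample dispute table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE disputes (id INTEGER PRIMARY KEY, customer TEXT, status TEXT)"
    )
    conn.executemany(
        "INSERT INTO disputes (customer, status) VALUES (?, ?)",
        [("ana", "open"), ("bob", "closed"), ("ana", "closed")],
    )
    conn.commit()
    return conn


def find_disputes(conn: sqlite3.Connection, customer: str) -> list[tuple]:
    """Parameterised query: the driver binds `customer` as a value, so quotes
    or SQL keywords inside it are matched literally and never change the
    structure of the statement."""
    cur = conn.execute(
        "SELECT id, customer, status FROM disputes WHERE customer = ?",
        (customer,),
    )
    return cur.fetchall()


def submit_update(conn: sqlite3.Connection, session_customer: str, form: dict) -> int:
    """Apply a status change posted from a web form.

    The form may carry a `customer` field (the kind of thing a portal puts in
    a hidden input). It is deliberately ignored: identity comes from the
    authenticated session, every field is re-validated here regardless of
    what client-side JavaScript checked, and the UPDATE is scoped to rows the
    session owner actually holds. Returns the number of rows changed."""
    status = str(form.get("status", "")).strip().lower()
    if status not in ALLOWED_STATUS:
        raise ValueError(f"invalid status: {status!r}")
    dispute_id = int(form.get("id", -1))  # int() rejects non-numeric input
    cur = conn.execute(
        "UPDATE disputes SET status = ? WHERE id = ? AND customer = ?",
        (status, dispute_id, session_customer),
    )
    conn.commit()
    return cur.rowcount  # 0 means the row is not theirs or does not exist


if __name__ == "__main__":
    db = make_db()
    print(find_disputes(db, "ana"))
    # The xkcd string the thread alludes to is just a customer name here.
    print(find_disputes(db, "Robert'); DROP TABLE disputes;--"))
    print(submit_update(db, "ana", {"id": "1", "status": "closed", "customer": "bob"}))
```

Two points worth noticing when running it: the lookup for the "Robert'); DROP TABLE ..." name returns an empty list and the table is untouched, because the placeholder keeps the value out of the SQL text entirely; and the update that names "bob" in the (hidden) customer field still only touches "ana"'s rows, because the WHERE clause is built from the session, not the form.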
 
2017-09-13 02:16:18 PM  
A friend I haven't seen in years used to be an IT auditor at Equifax.  He once said to me "The last thing they think about here is security."

A bunch of people left my current company to work at Equifax and while some of them are great people, most were people I wasn't sorry to see go, and mainly because they couldn't give a shiat less about InfoSec, which I was for years.  Some of them are the kind of people who will work all day to circumvent some security measure so nothing about Equifax surprises me.  Nothing.
 
2017-09-13 02:20:09 PM  

lordargent: // also, what's up with that stock image


She looks utterly captivated by a monitor that's probably not even plugged in
//it must be nice to take LSD on a workday...
 
2017-09-13 02:24:41 PM  

Somaticasual: lordargent: // also, what's up with that stock image

She looks utterly captivated by a monitor that's probably not even plugged in
//it must be nice to take LSD on a workday...


When you put on the special sunglasses it says CONSUME.
 
2017-09-13 02:35:12 PM  
New slogan: "To monetize at the cost of security"
 
Displayed 50 of 72 comments

This thread is closed to new comments.