A salary lookup service provided by recently compromised credit bureau Equifax came back online after it was taken down for “security enhancements” on October 8. The service allows anyone to look up your salary and employment history going back at least 10 years by providing a few pieces of personal information: Your Social Security number and your date of birth.
It’s designed to provide income verification to employers, banks, and other “credentialed verifiers” but after the Equifax hack, the sensitive information you need to access someone’s even more sensitive information was out there, ripe for the taking. When security expert Brian Krebs brought attention to the issue in a post on his blog, Equifax took the site down.
Now, however, the website is back up and despite Equifax’s claims to the contrary, the security enhancements the company made to the Work Number, haven’t exactly enhanced security all that much.
“The only ‘security enhancements’ I saw that my source encountered was a prompt to enter his full name, date of birth, Social Security number, address, phone number and email, followed by the usual retinue of four multiple-guess ‘knowledge-based authentication’ (KBA) questions. I’ve long been a critic of these KBA questions, because the answers usually are available using sites like Zillow and Spokeo, to say nothing of social networking profiles,” Krebs wrote.
So, in short, you can still access someone’s income and employment history with readily available information — and a handful of less readily available information, illicitly procured from the dark corners of the internet. Krebs goes on to describe how even a credit freeze — the recommended course of action after your information has been compromised — won’t protect you entirely.
Those knowledge-based authentication questions, generated from your credit and income history, will still pop up when attempting to access your income history through the Work Number, but the questions won’t use financial information — they will be generated from other bits of information Equifax has about you, like your address history, and the names of lenders you’ve used in the past.
“What’s interesting is that these types of questions tend to be easier to answer than, say, ‘What was the amount of your most recent car loan payment?’” Krebs continues, describing how a credit freeze just might make it easier for identity thieves to access the sensitive personal information contained on the Work Number.
The best defense, Krebs says, is to sign into the Work Number yourself, set up a secure PIN, and add at least a half dozen security questions and answers to your account. The questions, he advises, should have answers only you would know that cannot be found via social media.