Securing Credit Lines: Eating Our Own Dogfood

Last updated at Wed, 30 Aug 2017 01:01:40 GMT

We InfoSec (or cybersecurity) folks, we're full of all kinds of sage wisdom:

“Put a password on your phone, tell it to self destruct after 10 failed attempts” … check!

“Set up WPA2 on your home network!” … check!

“Install patches as fast as you can!” … (well, as best as I can?) …check!

“Freeze your credit reports!” … static

“Dogfooding” (verb, slang) is a term used to reference a scenario in which a company uses its own product to validate the quality and capabilities of the product.” This is a reference I make all the time- we expect dogs to eat what we put in front of them (we call that “food”), but would NEVER eat the stuff ourselves!

NSTIW (and so there I was) talking with a group of military folks about operational security from a technology standpoint, ranging from the devices they travel with to safe and anonymous usage of the internet. We talked about the simple stuff all the way up to things on your Black Hat or DEF CON conference checklist... and there was this one moment where I offered the pearl of wisdom to, "go take a few minutes freeze your credit lines, make identity theft harder” that we security professionals like to occasionally reference.

… and then there was this moment immediately after that, where someone very politely asked, “How long does that take?” and “How much does it cost?” … and then that really awkward moment where I have to admit I haven't done it.

I have no excuse, I need to go do it.

So here's me eating MY dogfood in an effort to save you some time!

Prepare:

• Carve out one hour to focus
• Gather the addresses you've lived at for the last two years.
• Social Security Number (I assume this is memorized, but just in case)
• Credit card info (you're gonna spend a shade over $30US if you can do all three online), so have it ready
• Your password manager
  • You'll have some new pin numbers you won't want to memorize OR forget
  • If you're like me, you will have totally silly and unrelated answers to the password reset questions in your password safe as well
• A 'default' type browser (or turn off all of your hacking & security tools, anonymity, whitelist, Java & Flash block plugins…)

Do the work here:

• https://www.freeze.equifax.com
• http://www.experian.com/consumer/security_freeze.html
• https://freeze.transunion.com

Here's how to do it.

I started off doing a quick search for all three credit agencies. (Mind you, I can't name them off the top of my head.)

Equifax

I started off by trying the online form, and it wouldn't work, so I did the next best thing, I called the number (800.349.9960).After giving the IVR system my street address number and social security number, I actually can't do anything on the phone. It reads me instructions on how to send a mail a request. Lame.

Rather than using the postal service, I decided to try this on a the default browser (Safari for me) without all of my hacker/privacy plugins, which I run on Chrome and Firefox.

After ignoring my obvious concerns and complying when the form process wouldn't accept the evil hacker-enabled special character “#” for my apartment number… the form worked. Profit.

Time spent submitting, less than five minutes.

Total time in at this point, 15 minutes.

Experian

Started here, and apparently the workflow varies by state, so your mileage may vary.

I'm gonna spare you details, this form is pretty straight forward, I stripped out symbols (remember Apt. #) and such with no luck, no support, no guidance. As unhelpful and non-intuitive as this workflow was, I'm kind of afraid what might be in the application logs. Tried in two browsers, a variety of input attempts to thwart user entry, fat fingering, weak copy and paste efforts, all to the generic feedback statement, “We were unable to honor your request to place a security freeze on your personal credit report based on the information you entered.” Thanks. (... and for the record people, I didn't do anything questionable, I SWEAR, never pointed any tools at it … but seriously, who did the last web application security and usability audit on this?)

Back to snail mail. Lame.

10 minutes of form fiddling

25 minutes total so far on this project.

TransUnion

I found generic information here, and found the real action here.

This website affords the opportunity to set up an account here, unsure if this is good or bad. More AppSec sadness here: It seems the form has lots of indigestion and weak user guidance.

• The password form doesn't seem to like spaces or special characters, and may not be able eat more than 15 characters at a time.
• The “Secret Answer” down below seems to have a larger diet, but gets indigestion from characters and spaces. I don't know. Maybe code is hard.
• On the upside, it seems to want numbers in your password.
• You will also need to properly format your birthday with “/“ or it won't work.

After spending 20 minutes doing battle with the account creation process (worrying over input handling and if it's actually my browser), apparently I already have an account!?

Password reset workflow:

• Enter your SSN
• twice
• Enter your last name, next screen...
• My birthday (easy)
• Mom's maiden name… OH DEAR. That's going to be need to be changed, apparently this is all that's protecting my credit score?
• Finish new password workflow, and I'm there!
• Login screen - I enter my credentials … and I get LOGGED OUT!? WHAT?
• Go back to the above URL, log in this time, success.

10 dollars and 30 minutes later, this one is solved.

I've spent an hour, 20 bucks, and now have two of the three US credit agencies locking my credit score.

Done.

Now I need to find an adult (my wife) to help me get a check or money order and place a snail-mail request freezing Experian.

Hopefully this saves you some pain. Go eat your dogfood!

~ @treyford