
mrgeek
Premium
join:2002-12-13
Dundee, IL
clubs:

Potential Security Issues?

I see that starting 12/1, we will be able to get free copies of our credit reports from the three major credit bureaus. A web site was created for this purpose (annualcreditreport.com, live 12/1), where you will enter personal information such as DOB and SSN, and possibly other items such as mortgage company and/or payment amount. The article further stated your information would be protected with a "barrage of anti-hacker tools". The reports would also be available by phone or mail. Will this be a potential security problem and a phisher's dream?

I DO know one person who will not be using the web site;)

B
Premium,MVM
join:2000-10-28
With relevant links to a news source or links on the credit bureaus' own sites, this would make a great front page post.

I wasn't aware of the program.

-- B
--
In a realm outside causality and function

Bobby_Peru
Premium
join:2003-06-16


edit:
November 28th, @07:58PM

reply to mrgeek
Big 3 Credit Report Site
Thanks for the heads-up, mrgeek! As B already noted, it would be great if you would post the source - a quick Google/Google-news just now was not productive.

said by AnnualCreditReport.com:



Eligibility for an annual free credit report is determined by your state of residence based on the rollout schedule set by federal law.
The site's main page is live now - »https://www.annualcreditreport.com
--
**~~Infected/Hijacked? FAQ~~~Protect/Secure Your Box/Data FAQ~~~Security Forum FAQs~~**

B
Premium,MVM
join:2000-10-28


edit:
November 28th, @08:01PM

I'm just a little suspicious.

Each of the Big 3 charges $30 to $40 for the SAME service right now, and would not be inclined to give it away unless mandated.


(Edit: I guess they were mandated -- something called the "Fair and Accurate Credit Transactions Act (FACT Act)".)

Perhaps this is merely a competitor to FreeCreditReport.com ?

Perhaps a scam? (Edit: guess not.)

Edit: Yahoo press release: »biz.yahoo.com/prnews/041123/cltu020_1.html

Experian PDF: »www.experian.com/whitepapers/FAC···sked.pdf

Other info: »www.google.com/search?hl=en&lr=&···2Bcom%22

-- B
--
In a realm outside causality and function

Bobby_Peru
Premium
join:2003-06-16

Probably compliance with Fed Law forcing this, which they might just figure out a way to turn profitable through data mining, and/or ads?

Interestingly, the site won't let me on through the above link, in FF.
--
**~~Infected/Hijacked? FAQ~~~Protect/Secure Your Box/Data FAQ~~~Security Forum FAQs~~**

B
Premium,MVM
join:2000-10-28


Hilarious. Keep trying though. I get "For security purposes, www.AnnualCreditReport.com cannot be accessed from the referring website." in Mozilla 1.7, but then a refresh works just fine.

I think for a change this isn't browser-specific, but that they're telling the truth -- they don't like displaying the https secure page when referred from a different site. Makes sense.

-- B
--
In a realm outside causality and function


SnowyOne
Premium
join:2003-04-05
Kailua, HI
·RoadRunner Cable
·Clearwire Wireless


edit:
November 28th, @08:19PM

reply to Bobby_Peru
Try this link
»https://www.annualcreditreport.com/
Any "security" concern I'd have with this site would be focused more on the integrity of the machine accessing the site rather than the site itself.
Edit: typing the address into the address bar works here.
--
Dave said "By the way, 4294967295 is just another way to write -1".

B
Premium,MVM
join:2000-10-28


edit:
November 28th, @08:24PM

The problem is that you guys are cutting and pasting after you've arrived at the site and ALREADY been transferred from the unencrypted (http) page to the https page.

What you need to post is THIS link: »www.annualcreditreport.com

That should work without any complaints.


(Edit: Crud. It didn't work, although my link IS properly without https. But it just continues to transparently auto-refer. Drat.)

And yes, I suppose this phenomenon will cause confusion for others posting links to the site -- they should probably skip the referrer check on the first page!

-- B
--
In a realm outside causality and function

Mele20
Premium
join:2001-06-05
Hilo, HI

reply to Bobby_Peru
said by Bobby_Peru:

Probably compliance with Fed Law forcing this, which they might just figure out a way to turn profitable through data mining, and/or ads?

Interestingly, the site won't let me on through the above link, in FF.
You can't go there by a link for security purposes which is good! I got the following error when I tried:

"For security purposes, www.AnnualCreditReport.com cannot be accessed from the referring website."

You MUST manually type in the url in the address bar. When I did that, I had no problems getting to the main page of the site via Firefox.

I'm glad to know the site is already up. I have been waiting for December 1 so I can order my report. My mom wants hers but she is in Arkansas and that state will not be eligible until July. This is mandated by Congress and has taken over a year to become reality and even so the rollout is gradual as you can see from the map. Each person will be allowed ONE report PER YEAR FREE from each of the THREE credit bureaus and the reports can be ordered from the website or from calling any of the three credit bureaus. You will get all three reports with just one phone call or one request from the website. The credit bureaus have said almost nothing about this except for Experian which, to its credit, has had this information on its main web page since June and has this column about the FACT act:

Ask Max credit advice
Our most recent column
Select a topic from our most recent column – July 14, 2004

* Update on the FACT Act implementation
* Experian sponsors National Fraud Awareness Week




Update on the FACT Act implementation

"Dear Readers,

In January I provided a summary of the new Fair and Accurate Credit Transactions Act (FACT Act) and what Experian knew then about the law. Since that time, significant progress has been made. Here's an update.

When I wrote the January column the Federal Trade Commission (FTC) and other regulators were tasked with making decisions about how some aspects of the new law would be implemented. Perhaps the most notable is how you will be able to get a free credit report every 12 months from the national credit reporting agencies.

The FACT Act required that the national credit reporting agencies establish a centralized source through which you will request the free reports. The FTC was given six months to create the rules for the centralized source. Those rules were announced in June.

Experian and the other national credit reporting agencies are now working to put the centralized source in place.

One of our greatest concerns was that if everyone asks for their reports at the same time it would not only delay delivery of the free reports, it could impact our ability to provide service to people who need critical assistance, such as fraud victims.

To address that concern, the FTC established a plan to roll-out free report access by regions beginning Dec. 1, 2004. The chart below illustrates the regions and the dates free reports will become available.

FACT Act rollout graphic

You will be able to request free reports by telephone, in writing, or online. You also will be able to request reports from all three national credit reporting agencies at the same time, or one at a time.

The national credit reporting agencies are working together to finalize the details of the system, including a telephone number, mailing address and Internet address.

In addition to your free report, you will be able to request a credit score for a reasonable fee. Like other details of the system, that fee is still being determined by the FTC.

The credit score will include a description of the factors from your credit report that most impacted it. Knowing the factors will help you take steps to become more creditworthy and improve your credit scores.

Experian has added information about the FACT Act to its homepage, www.experian.com. You will find a link in the lower right corner in the Consumer Alerts section. The information will be updated as more details become available.

Thanks for reading."

»www.experian.com/consumer/index.html#
This is a popup window; see bottom right column under Consumer Alerts: The FACT Act

I was thinking of doing this online but I am not giving my Social Security number online. I will wait a bit and then call for mine.
--
The first and foremost function of our jurors is to protect private citizens from a tyrannical and intrusive government...Jurors are the last line of defense for liberty. Thomas Jefferson 1789


SnowyOne
Premium
join:2003-04-05
Kailua, HI
·RoadRunner Cable
·Clearwire Wireless

reply to mrgeek
From the link B put up
»biz.yahoo.com/prnews/041123/cltu020_1.html
"Annualcreditreport.com, the only service authorized by Equifax, Experian and TransUnion, allows consumers to request, view and print one, two or all three of their free credit reports in a fast and convenient way via a secure Internet site. Consumers should not provide their personal information to any other company or person in connection with requesting free annual credit file disclosures under the FACT Act.

Additionally, the service offers consumers the option of requesting their credit reports by telephone or by mail. Forms to request credit reports by mail can be printed from the site. Telephone and mail requests will be processed within 15 days of receipt."

Seems like a well thought out process. I'm sure the postal mail option will require that the report be sent to the consumer's address of record, just another good security precaution. This site could very well put a dent into the myriad of bogus "Free Credit Report" sites now operating on the net.
--
Dave said "By the way, 4294967295 is just another way to write -1".

B
Premium,MVM
join:2000-10-28


edit:
November 28th, @09:01PM

If one can't properly link to the darned site, then they had darned well better:

a. Register EVERY possible misspelling and variant of annualcreditreport.com, since they're forcing all those great spellers out there to type the URL manually, and

b. Put a note on the refusal page that says "hit Refresh, dummy". Or words to that effect.

Damn, that doesn't really work either! (I was actually hitting ALT-D and then ENTER, since that's how I usually refresh a page. That DOES work, but it's because I'm activating the URL bar, and effectively typing and entering the URL.) Thanks for the reality check, Snowy.

-- B
--
In a realm outside causality and function

Bobby_Peru
Premium
join:2003-06-16


edit:
November 28th, @10:50PM

I didn't elaborate that the https link returned the "Security" page. I realize that they probably see this referral block (or whatever it is) as a security measure. I didn't mean that there was any compatibility problem between The Weasel and the site, just that it occurred and was interesting.

FF's Contextual Menu Extension PlainTextLinks ("Open Selected URL in New Tab") works, as does IEView. I am generally way too lazy to be typing anything way way up in that there address bar [edit: unless it's about:config related].

It is way past time that these Agencies made this information readily available to folks, and at no direct charge to folks. While one Report per Agency per year is not really sufficient to enable frequent enough review to catch problems in a timely manner, it's better than nothing, and at least a start. It might make sense to make 3 separate single Agency requests to increase the frequency, if that is permitted.

Now, as the OP wondered, how will all this wind up being abused? One way might be that the scammers will utilize this roll-out to simultaneously capture folks through more sleaze-ball prestidigitation (UCE for scam sites, PHISHING...).
--
**~~Infected/Hijacked? FAQ~~~Protect/Secure Your Box/Data FAQ~~~Security Forum FAQs~~**

Mele20
Premium
join:2001-06-05
Hilo, HI
TBE opens all new links in a new tab. I still get the security error.

B
Premium,MVM
join:2000-10-28


edit:
November 28th, @11:11PM

Me too, with the stock Moz Ctrl-Click tab.

Hmm, just noticed that the page title reads "Black List Message" -- implying that DSLR, SPECIFICALLY, is not allowed to refer people to the site.

I'm guessing that it's either meaningless, or they intend to establish a whitelist later.

The HTML is a bit scary, though:

Black List Message
Black List Message</title>
<meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1">
<meta name="vs_targetSchema" content="http://schemas.microsoft.com/intellisense/ie5">
<link rel="stylesheet" href="css/styles.css" type="text/css">
</head>
<A HREF="css/styles.csstype=text/css">


Doesn't bode well for security OR standards compliance OR cross-platform compatibility, ya know?

-- B
--
In a realm outside causality and function

Mele20
Premium
join:2001-06-05
Hilo, HI

reply to mrgeek
I think they currently have all links blacklisted. I tried from the Yahoo news article link and got the same security error. This was on IE, in case it was just Firefox getting the error from the dslr link.

Perhaps they simply don't want visitors even to the main page until December 1. They will be swamped on December 1, I would think.
--
The first and foremost function of our jurors is to protect private citizens from a tyrannical and intrusive government...Jurors are the last line of defense for liberty. Thomas Jefferson 1789

mrgeek
Premium
join:2002-12-13
Dundee, IL
clubs:
reply to mrgeek
The original article I referenced was in the Sunday edition of the Chicago Tribune, in the Real Estate section, page 2. It does show a Washington Post Writers Group byline.


ylen131

join:2000-02-09
Canoga Park, CA
reply to Mele20
»search.yahoo.com/search?p=annual···ieas-dns

click on first link

B
Premium,MVM
join:2000-10-28

The same link does NOT work from here ( »rds.yahoo.com/S=2766679/K=annual···ort.com/ )

So I guess Yahoo's on the whitelist I theorized earlier?

-- B
--
In a realm outside causality and function


ylen131

join:2000-02-09
Canoga Park, CA

said by B:

The same link does NOT work from here ( »rds.yahoo.com/S=2766679/K=annual···ort.com/ )

So I guess Yahoo's on the whitelist I theorized earlier?

-- B
No idea, but after I click on your link I needed to delete "cra/index.jsp" and click enter to enter the website.

B
Premium,MVM
join:2000-10-28

Nah, you don't need to delete anything. It's the same referrer issue we were discussing above.

-- B
--
In a realm outside causality and function
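
The referrer behaviour the thread works out (typed URLs load, links from this forum get the refusal page, a Yahoo search result gets through), modelled as an added example that is not part of any post and not the site's own code. The allowlist entry, the 403 status and the `exempt_landing_page` switch (the "skip the referrer check on the first page" suggestion above) are assumptions, and the sample requests are constructed.

```python
from urllib.parse import urlsplit

SITE_HOST = "www.annualcreditreport.com"
# Assumption: the thread only guesses that Yahoo search is on an allowlist.
ALLOWED_REFERRER_HOSTS = {"search.yahoo.com"}
BLOCK_MESSAGE = ("For security purposes, www.AnnualCreditReport.com "
                 "cannot be accessed from the referring website.")


def referrer_host(headers):
    """Host named in the Referer header, or None if absent or unparseable."""
    value = headers.get("Referer", "").strip()
    try:
        host = urlsplit(value).hostname if value else None
    except ValueError:  # malformed URL, treated like a missing header
        host = None
    return host.lower() if host else None


def decide(headers, path="/", exempt_landing_page=False):
    """Return (status, reason) for one request under the modelled policy."""
    host = referrer_host(headers)
    if host is None:
        return 200, "no Referer (typed URL or bookmark)"
    if host == SITE_HOST:
        return 200, "same-site navigation"
    if host in ALLOWED_REFERRER_HOSTS:
        return 200, "allowlisted referrer"
    if exempt_landing_page and path == "/":
        return 200, "landing page exempt from the check"
    return 403, BLOCK_MESSAGE  # 403 is an assumed status code


# Constructed sample requests: (description, headers, path).
SAMPLES = [
    ("typed into the address bar", {}, "/"),
    ("link in this forum thread", {"Referer": "http://www.dslreports.com/"}, "/"),
    ("Yahoo search result", {"Referer": "http://search.yahoo.com/search"}, "/"),
    ("forum link to a deep page", {"Referer": "http://www.dslreports.com/"},
     "/cra/index.jsp"),
]


def run_samples(exempt_landing_page=False):
    """Evaluate every constructed sample; returns (description, status, reason)."""
    return [(desc, *decide(h, p, exempt_landing_page)) for desc, h, p in SAMPLES]


if __name__ == "__main__":
    for desc, status, reason in run_samples():
        print(f"{status}  {desc}: {reason}")
```

The Referer header is supplied by the browser and is absent for typed URLs and bookmarks, so a check like this discourages arriving by link but does not authenticate the visitor or the request.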