Equifax sends passwords insecurely in plain text leading to potential identity theft

The credit bureau Equifax claims to take various precautions regarding their customers’ personal information, and attempts to combat identity theft. However, if you ever need to contact their customer service for any reason (being locked out of your account, resetting your password, et cetera), they will send you your password in plain text. You might wonder why this is a problem, so let me tell you.

When an individual sends an email, they type it in an email client like Thunderbird, Mail, or Outlook (all known as Mail User Agents [MUAs]). The MUA then sends that email to a mail server running software to relay mail, such as Postfix, Exim, or Qmail (known as Mail Transfer Agents [MTAs]). These MTAs then relay the mail to the recipient’s mail server, and the recipient’s MUA connects to his or her MTA in order to retrieve it. Basically, it looks like the following flowchart:

Sender’s MUA –> Sender’s MTA –> Recipient’s MTA –> Recipient’s MUA

or with examples, it may be:

Thunderbird –> Gmail –> Apple’s .me mail server –> Mail application in Mac

In between the sender’s MUA and the sender’s MTA, the email (which is broken down into packets of data) may pass through many different switches, routers, and other networking equipment. In between the sender’s MTA and the recipient’s MTA, the data will pass through even more networking gear. And, you guessed it, it will pass through even more pieces of networking equipment between the recipient’s MTA and the recipient’s MUA. During this chain of transfers, if the data is unencrypted, the text contained in the email can be intercepted and read without any problem. Therefore, sending a password in plain text provides many opportunities for that password to be intercepted, read, and subsequently used by the interceptor to log in to the account.
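The chain described above can be inspected on any message you have received, because each mail server records in a Received header how the message reached it. The Python below is an added example, not part of the original post: the sample message and its hostnames are constructed, and it assumes the servers mark TLS with the RFC 3848 "with" keywords (ESMTPS, ESMTPSA, LMTPS, LMTPSA).

```python
import re
from email import message_from_string

# Constructed sample (all hostnames and addresses are made up).
# Each server prepends its own Received header, so the newest hop is on top.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.9])
\tby store.recipient.example with LMTPS id 3; Mon, 01 Jan 2024 10:00:03 +0000
Received: from out.sender.example (out.sender.example [198.51.100.7])
\tby mx.recipient.example with ESMTP id 2; Mon, 01 Jan 2024 10:00:02 +0000
Received: from laptop.local (unknown [192.0.2.44])
\tby out.sender.example with ESMTPSA id 1; Mon, 01 Jan 2024 10:00:01 +0000
From: support@sender.example
To: customer@recipient.example
Subject: Your account

Your password is: CONSTRUCTED-PLACEHOLDER
"""

# RFC 3848 "with" keywords whose trailing S/SA means the hop used TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S | re.I)

def hop_report(raw):
    """Return (from_host, by_host, protocol, used_tls) per hop, oldest first."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP.search(value)
        if m is None:  # unparseable header: treat as not proven encrypted
            hops.append(("?", "?", "?", False))
            continue
        proto = m.group(3).upper()
        hops.append((m.group(1), m.group(2), proto, proto in TLS_PROTOCOLS))
    return hops

def cleartext_hops(raw):
    """Hops whose receiving server did not record a TLS-protected transfer."""
    return [(src, dst) for src, dst, _, tls in hop_report(raw) if not tls]

if __name__ == "__main__":
    for src, dst, proto, tls in hop_report(SAMPLE):
        print(f"{src} -> {dst}: {proto} ({'TLS' if tls else 'no TLS recorded'})")
```

Received headers are self-reported by each server, and TLS on every hop only protects the message in transit; the password is still stored readable on each mail server along the way.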

Equifax, a purportedly reputable firm that handles sensitive financial and personal information about its customers, sends passwords to their customers’ respective email addresses in plain text (without encryption)! They are trying to help prevent identity theft, but don’t seem to safeguard their customer accounts very well! This HUGE oversight makes me wonder if they are also storing customers’ credit card numbers in plain text in a database, or even Social Security Numbers (SSNs).

Add Equifax to the list of companies that really should hire a security consultant before being trusted with personal information.

|:| Zach |:|
