The Work Number does allow employers to opt for TALX’s “enhanced authentication” feature, wherein after logging in with your employer ID and PIN (often the last four digits of an SSN plus the birth year), the system is designed to require the requester to respond to an email at a work address or a phone call to a work number to validate the login.
However, I did not find this to be the case in several instances involving readers whose employers supposedly used this enhanced authentication method.
For example, the State of California’s process is listed here (PDF); instructions for the Health Resources & Services Administration (HRSA) are here; employees at the National Institutes of Health (NIH) can learn the steps by consulting this document (PDF).
The process for getting this information on current and former UCLA employees is spelled out here.
In May, KrebsOnSecurity broke a story about lax security at a payroll division of big-three credit bureau Equifax that let identity thieves access personal and financial data on an unknown number of Americans.
Incredibly, this same division makes it simple to access detailed salary and employment history on a large portion of Americans using little more than someone’s Social Security number and date of birth — both data elements that were stolen in the recent breach at Equifax.
The Work Number also allows anyone whose employer uses the service to provide proof of their income when purchasing a home or applying for a loan.
The homepage for this Equifax service wants to assure visitors that “Your personal information is protected.” “With your consent your personal data can be retrieved only by credentialed verifiers,” Equifax assures us, referring mainly to banks and other entities that request salary data for purposes of setting credit limits.
Although some readers may take issue with my pointing these out — reasoning that I’m only making it easier for bad people to do bad things — it’s important to understand that knowledge is half the battle: Planting your flag before someone else does is usually the only way to keep others from abusing such services to expose your personal information. A notice on the site says the company took the portal down a few hours after my story was published yesterday, without the usual advance warning the company offers for scheduled maintenance.
The notice reads: “Equifax Workforce Solutions is currently performing maintenance activities that will affect the following applications: The Work Number EDR.” “We apologize for any inconvenience this may cause, but it is necessary to ensure that Equifax Workforce Solutions continues to provide you the industry-leading services you have come to expect.”
Also, several readers pointed out that when they tried the service Sunday evening before Equifax took it down they were asked to answer knowledge-based authentication questions before being able to authenticate to the portal to view their salary history.
At the next step, the site asks visitors to “enter your PIN,” short for Personal Identification Number.
However, in the vast majority of cases this appears to be little more than someone’s eight-digit date of birth.
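The underlying weakness is that the “secret” is built from identity data (date of birth, last four of the SSN) that is already widely compromised. As an added example, not code from this article or from Equifax or TALX, here is a Python enrolment-side policy check (function names and the sample subject are my own constructions) that refuses any PIN derivable from those two data elements in the common orderings.

```python
from datetime import date
from typing import Optional, Set, Tuple


def identity_derived_pins(dob: date, ssn_last4: Optional[str] = None) -> Set[str]:
    """Return PIN values derivable from a date of birth and, optionally, the last
    four SSN digits, in the orderings people and systems commonly use.
    Assumption: both data elements are widely compromised, so a PIN built from
    them provides no secrecy and should be rejected at enrolment."""
    mm, dd = f"{dob.month:02d}", f"{dob.day:02d}"
    yyyy, yy = f"{dob.year:04d}", f"{dob.year % 100:02d}"
    pins = {
        mm + dd + yyyy, dd + mm + yyyy, yyyy + mm + dd,   # 8-digit DOB orderings
        mm + dd + yy, dd + mm + yy, yy + mm + dd,         # 6-digit DOB orderings
        yyyy, mm + dd,                                    # short fragments
    }
    if ssn_last4 is not None:
        pins |= {ssn_last4 + yyyy, yyyy + ssn_last4,      # "last four + birth year"
                 ssn_last4 + yy, yy + ssn_last4, ssn_last4}
    return pins


def check_pin(pin: str, dob: date, ssn_last4: Optional[str] = None,
              min_len: int = 8) -> Tuple[bool, str]:
    """Policy check an enrolment flow could run before accepting a user-chosen
    PIN. Returns (accepted, reason) so the caller can show the user why."""
    if not pin.isdigit():
        return False, "PIN must be numeric"
    if len(pin) < min_len:
        return False, f"PIN shorter than {min_len} digits"
    if len(set(pin)) == 1:
        return False, "PIN is a single repeated digit"
    if pin in identity_derived_pins(dob, ssn_last4):
        return False, "PIN is derivable from date of birth / SSN"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample subject; not a real person's data.
    dob, last4 = date(1975, 3, 9), "1234"
    for candidate in ("03091975", "12341975", "19750309", "11111111", "48215790"):
        print(candidate, check_pin(candidate, dob, last4))
```

Only the last candidate in the sample run is accepted; the first three are exactly the DOB and “last four plus birth year” patterns the article describes.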
There are countless other examples that are easy to find with a simple Internet search.