More On the Equifax Breach

The security industry is continuing to come out with more information in regards to the massive data breach at Equifax. This is not any ordinary breach, where a database was taken from a company and put underground for those people to sell, and others to report on it like Brian Krebs. This was done through a vulnerability in a piece of software which was able to give the data.

What was it?

In an article posted to Trend Micro’s blog entitled "a-PATCH-e: Struts Vulnerabilities Run Rampant," Equifax confirmed that the attack vector in its data breach was caused by a vulnerability in this piece of software. The CVE number for this vulnerability is CVE-2017-5638 and it doesn’t look good. The opening paragraph of the CVE number linked here says: “Apache Struts is a free and open-source framework used to build Java web applications. We looked into past several Remote Code Execution (RCE) vulnerabilities reported in Apache Struts, and observed that in most of them, attackers have used Object Graph Navigation Language (OGNL) expressions. The use of OGNL makes it easy to execute arbitrary code remotely because Apache Struts uses it for most of its processes.”

I’m not too familiar with this software, but Apache is used to run the web on Linux platforms and web hosting environments such as mine. “This particular vulnerability can be exploited if the attacker sends a crafted request to upload a file to a vulnerable server that uses a Jakarta-based plugin to process the upload request. The attacker can then send malicious code in the Content-Type header to execute the command on a vulnerable server. A proof of concept that demonstrates the attack scenario is publicly available.”

This is done with lots of various software, but this particular vulnerability can give you a leg up and, under the right conditions, can get you in where data can be extracted. I would suggest you read more about this vulnerability by clicking on its number within this article.

The number according to the Trend Micro article is 143 million United States consumers and 400,000 United Kingdom consumers as well. To top this all off, this also has affected 100,000 Canadian users. This vulnerability was disclosed in March of 2017, and was patched shortly after disclosure. This is what you really want to see in any type of software where people can take advantage of this rather quickly, according to the article.

I’m not a software developer, but when I find a problem in my HTML web pages, I fix it immediately. If I don’t know of the issue, I can’t fix it. The same goes for any type of software, whether it is on the internet or a desktop or mobile application.

Credit Freezes: Are they worth it?

On the heels of all of this, Krebs on Security tells us that we should apply for a credit freeze so that we are not affected by the people getting a line of credit, buying things, and outright taking our identity. Krebs posted on September 21 entitled "Experian Site Can Give Anyone Your Credit Freeze PIN." I really don’t want to get this freeze. First, it costs us consumers every single time we want to put one on, or take one off, and it costs per bureau. For someone who is making money, and can afford it, go for it. From what I read, it does not do anything to your existing credit, so if there is fraud and trouble using that existing credit, you have no recourse except to get a new card. Some states don’t want the agencies to charge, according to the article.

The alert reader who pointed Krebs to the issue had Krebs doing some digging. All you need to provide to get one's pin is some basic knowledge questions which are probably out in the underground already, per prior breaches you might have been a part of, to no fault of yours.

Here is a segment of this article: “Experian’s page for retrieving someone’s credit freeze PIN requires little more information than has already been leaked by big-three bureau Equifax and a myriad other breaches.

The first hurdle for instantly revealing anyone’s freeze PIN is to provide the person’s name, address, date of birth, and Social Security number (all data that has been jeopardized in breaches 100 times over — including in the recent Equifax breach and that is broadly for sale in the cybercrime underground).

After that, one just needs to input an email address to receive the PIN and swear that the information is true and belongs to the submitter. I’m certain this warning would deter all but the bravest of identity thieves!

The link to the Equifax breach points to a search on Krebs' site directly where all the articles are listed there.

Continuing with the quoting of the article: “The final authorization check is that Experian asks you to answer four so-called 'knowledge-based authentication' or KBA questions. As I have noted in countless stories published here previously, the problem with relying on KBA questions to authenticate consumers online is that so much of the information needed to successfully guess the answers to those multiple-choice questions is now indexed or exposed by search engines, social networks and third-party services online — both criminal and commercial."

What’s more, many of the companies that provide and resell these types of KBA challenge/response questions have been hacked in the past by criminals that run their own identity theft services.”

My question, dear reader, is why are we forced to sign up for such services if when we need help with our pin it can be already retrieved with nothing but data already taken and sold underground? This, dear reader, does not make any logical sense to me.

Now, on to the next article in this ever turning story of what is going on. Equifax Breach: Setting the Record Straight talks about really setting the record straight. I’d rather make sure I get my reporting straight, and if I link to something, I always say on my own blog that we’ll wait for more news, and not jump to conclusions. I say that they should read the story, but we’ll be around for updates should something change. I think that people should always put that in their stories, instead of misleading people in their writing. Here is the opening paragraph of this article. “Bloomberg published a story this week citing three unnamed sources who told the publication that Equifax experienced a breach earlier this year which predated the intrusion that the big-three credit bureau announced on Sept. 7. To be clear, this earlier breach at Equifax is not a new finding and has been a matter of public record.”

The fact that it took many months to publish this fact really hurts the millions of us that could be effected by this horrifying breach. I just don’t understand what seems to be going on with accurate, verifiable, and reliable information in a timely manner so we can protect ourselves. The piece goes on to talk about an unrelated hack in March of 2016, not May of this year, which I understand this particular incident was reported as a CVE.

So what can we do?

The final article really asks what we can do. "The Equifax Data Breach: What Do I Do Next?" is that article. It has several points that we can do. They are:

• Find out if you are affected. Check with Equifax here.
• Unfortunately, that will require you to provide the firm with a few more details (surname and last six Social Security number digits).
• Enroll in free TrustedID Premier credit monitoring from Equifax. Previous reports that this process forfeited your right to sue are no longer accurate after Equifax updated its terms.
• Set up fraud alerts with the three major credit reporting agencies: Equifax, Experian, and TransUnion. These will alert you if someone tries to apply for credit in your name.
• Set up fraud alerts for all your credit and debit cards. This will require you to contact each lender individually.
• Consider setting up a credit/security freeze. This will lock down any credit information so fraudsters can’t open any new accounts in your name.
• Regularly check your bank accounts/credit card statements for suspicious transactions.
• Beware of phishing scams. Do not trust unsolicited calls and never hand out personal information over the phone. If you are concerned, ring back the company which the original caller said they worked for to double check.
• Stay alert to phishing scams. Never open attachments or click on links in unsolicited emails, even if they appear to come from a reputable source. Again, contact the company they purport to have been sent from to double check. Grammatical errors in the email and unusual “from” addresses may indicate a scam.
• File your taxes early for the 2018 financial year to beat any fraudsters looking to file in your name for an early rebate.

This is all sound advice, however, many in the disabled community who are impacted or may be impacted by other breaches can’t just up and do all of these things. I know I can’t afford money to pay every time I want to do something with my credit. I also stopped potential fraud by reporting the unauthorized charge immediately to my card issuer. By default, they monitor for fraud, but if something is normal, and someone charges something within your normal range, you don’t get a call or alert.

“With the stolen data, scammers can impersonate affected consumers in interactions with banks, creditors and a wide variety of service providers. It clears the way for identity fraud on a massive scale, potentially allowing them to apply for loans and credit cards in your name, drain funds from your bank account and make card purchases in your name.”

This is just great. I just locked my card with the app, and will be notified about a charge. I will only unlock the card once I know I’m expected to make a credit card purchase. I’ll be notified otherwise, and I’ll know if I am being billed and I didn’t pull out my card at any time during the time the charge is put through.

Continuing on: “Another tactic to be wary of is follow-on phishing attempts. Fraudsters may send you legitimate-looking but fake emails designed to trick you into disclosing yet further sensitive personal and financial information. These emails might look like they came from your bank, credit card company, or even Equifax itself.

Fraudsters might also pick up the phone in so-called “phishing” attempts. The aim here is the same: they will pretend to be calling from a legitimate organization in order to elicit more information from you which can then be used to commit identity fraud. "The scammers may well quote back to you some of the stolen info to make these requests sound more legitimate.” If you get a call, claiming to be from someone asking for information and you know they should have it, I’d ask if they are really from the company, and pay attention to caller ID. You should know if the company is supposed to ask for such information over the phone. One other thing I should mention is not to just hand out the info, especially if you know that someone like Equifax doesn’t call consumers at all. These agencies are collecting data, they don’t call us.

Under what to do now, it says: “Unfortunately, unlike account passwords and credit card details, much of the information that has been stolen from Equifax — names, addresses, Social Security numbers etc — is very hard if not impossible to replace. This means you will have to keep a close eye on your accounts to see if anyone is trying to use your name and details fraudulently.” It also has the bulleted points I posted above that we should do straight away.

I just don’t know anymore. This can’t be good. We are losing control, and sadly, it's a matter of time before we can’t be in control of our own data anymore. We need to hold these companies like Equifax accountable for their actions of not patching their software and keeping our data safe. We have no idea we do business with them, just like I got notified by OPM. I had no idea who they were until I called them up. This is just sad. Really sad.