Visa and MasterCard are sending confidential alerts to financial institutions across the United States this week, warning them about more than 200,000 credit cards that were stolen in the epic data breach announced last week at big-three credit bureau Equifax. At first glance, the private notices obtained by KrebsOnSecurity appear to suggest that hackers initially breached Equifax starting in November 2016. But Equifax says the accounts were all stolen at the same time — when hackers accessed the company’s systems in mid-May 2017.
Both Visa and MasterCard frequently send alerts to card-issuing financial institutions with information about specific credit and debit cards that may have been compromised in a recent breach. But it is unusual for these alerts to state from which company the accounts were thought to have been pilfered.
In this case, however, Visa and MasterCard were unambiguous, referring to Equifax specifically as the source of an e-commerce card breach.
In a non-public alert sent this week to sources at multiple banks, Visa said the “window of exposure” for the cards stolen in the Equifax breach was between Nov. 10, 2016 and July 6, 2017. A similar alert from MasterCard included the same date range.
“The investigation is ongoing and this information may be amended as new details arise,” Visa said in its confidential alert, linking to the press release Equifax initially posted about the breach on Sept. 7, 2017.
The card giant said the data elements stolen included card account number, expiration date, and the cardholder’s name. Fraudsters can use this information to conduct e-commerce fraud at online merchants.
It would be tempting to conclude from these alerts that the card breach at Equifax dates back to November 2016, and that perhaps the intruders then managed to install software capable of capturing customer credit card data in real-time as it was entered on one of Equifax’s Web sites.
Indeed, that was my initial hunch in deciding to report out this story. But according to a statement from Equifax, the hacker(s) downloaded the data in one fell swoop in mid-May 2017.
“The attacker accessed a storage table that contained historical credit card transaction related information,” the company said. “The dates that you provided in your e-mail appear to be the transaction dates. We have found no evidence during our investigation to indicate the presence of card harvesting malware, or access to the table before mid-May 2017.”
Equifax did not respond to questions about how it was storing credit card data, or why only card data collected from customers after November 2016 was stolen.
In its initial breach disclosure on Sept. 7, Equifax said it discovered the intrusion on July 29, 2017. The company said the hackers broke in through a vulnerability in the software that powers some of its Web-facing applications.
In an update to its breach disclosure published Wednesday evening, Equifax confirmed reports that the application flaw in question was a weakness disclosed in March 2017 in a popular open-source software package called Apache Struts (CVE-2017-5638).
“Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted,” the company wrote. “We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”
The Apache flaw was first spotted around March 7, 2017, when security firms began warning that attackers were actively exploiting a “zero-day” vulnerability in Apache Struts. Zero-days refer to software or hardware flaws that hackers find and figure out how to use for commercial or personal gain before the vendor even knows about the bugs.
By March 8, Apache had released new versions of the software to mitigate the vulnerability. But by that time exploit code that would allow anyone to take advantage of the flaw was already published online — making it a race between companies needing to patch their Web servers and hackers trying to exploit the hole before it was closed.
Screen shots apparently taken on March 10, 2017 and later posted to the vulnerability tracking site xss[dot]cx indicate that the Apache Struts vulnerability was present at the time on annualcreditreport.com — the only web site mandated by Congress where all Americans can go to obtain a free copy of their credit reports from each of the three major bureaus annually.
In another screen shot apparently made that same day and uploaded to xss[dot]cx, we can see evidence that the Apache Struts flaw also was present in Experian’s Web properties.
Equifax has said the unauthorized access occurred from mid-May through July 2017, suggesting either that the company’s Web applications were still unpatched in mid-May or that the attackers broke in earlier but did not immediately abuse their access.
It remains unclear when exactly Equifax managed to fully eliminate the Apache Struts flaw from their various Web server applications. But one thing we do know for sure: The hacker(s) got in before Equifax closed the hole, and their presence wasn’t discovered until July 29, 2017.
Update, Sept. 15, 12:31 p.m. ET: Visa has updated their advisory about these 200,000+ credit cards stolen in the Equifax breach. Visa now says it believes the records also included the cardholder’s Social Security number and address, suggesting that (ironically enough) the accounts were stolen from people who were signing up for credit monitoring services through Equifax.
Equifax also clarified the breach timeline to note that it patched the Apache Struts flaw in its Web applications only after taking the hacked system(s) offline on July 30, 2017. Which means Equifax left its systems unpatched for more than four months after a patch (and exploit code to attack the flaw) was publicly available.
Thanks for the updates! Question, if an answer is known…..could card numbers be downloaded or information accessed from frozen accounts? Ours are frozen, but the helplessly broken verification site of Equifax indicates we are compromised. I know that’s nothing to rely upon, but am still wondering if info was still accessible…
I have no idea. But it does raise an interesting question to which I also don’t have an answer: Were the cards related to purchases of credit monitoring services from Equifax? If so, that is pretty ironic.
Which brings another question – they said their core database was *not* compromised, just their “customer”‘s. I’m pretty certain they don’t have 143 million customers, and neither I nor my wife were, and it said we were compromised.
What we have done is use the free credit checks, however that must have been over a year ago, if it was even with Equifax (I don’t remember the firm). Alternatively, we may gotten say, another credit card, which might have caused an Equifax credit check. Does that make us a customer?
Does anyone know what their definition of a “customer” really is???
I know companies often have you sign, even digitally-sign, agreement to checks and sometimes list the name of the data housing organization.
Check with the card issuer.
Equifax doesn’t even really know… they are more worried about press releases and acting like they care. They don’t care about you, your identity or anything else…
At least Equifax is acting like they care about U.S. customer. They are completely ignoring Canadians customers and businesses (check out CAA – Canadian Automobile Association story – http://www.ctvnews.ca/business/caa-says-10-000-consumers-could-be-equifax-hack-victims-1.3589848) that may have been affected by this breach.
We have heard nothing from them in the UK either. Does that show how bad things are for them in the US that they have no time to think about the “minor” problems?
Oh, I certainly hope so! That would be deliciously poetic!
see my comment 9/14 @5:15 below
The Struts vulnerability is a single layer. The 143 million records didn’t come from harvesting. Even if the web front end was powned, they should have been DMZed and if designed right the web front end shouldn’t necessarily have had access to all of the data elements stolen. Even if it did, the next layer of defense would have been a database monitoring tool that would have seen excessive queries.
There are a lot of other possible layers that could have helped. Maybe they were there and the hackers were smart or the data went out before they could cut the pipes. Security is hard and I have sympathy, but their business is/was PII and that calls for extra dilligence and corresponding budgets.
Considering what Equifax originally used for PINs one can presume security design was secondary or non-existent. Even a simple KDF would at least convert a date (Equifax for “PIN”) to something that looks random to the uninitiated… although it would be simpler to use whatever random function their support language has.
Struts is a Java thing. For all its faults, Java does have a way to generate cryptographically secure random numbers, so there’s no excuse for using a householder’s birthday or some such guessable thing to generate a PIN.
“cryptographically secure random number” generally means it doesn’t help to know stuff about the number to guess it.
Equifax phishing domains updated:
https://pastebin.com/9fdBm1Zc
“The attacker accessed a storage table that contained historical credit card transaction related information,” the company said. “The dates that you provided in your e-mail appear to be the transaction dates. We have found no evidence during our investigation to indicate the presence of card harvesting malware, or access to the table before mid-May 2017.”
– this statement would be true if they did not have any database monitoring in place at the time to detect unauthorized access to the table in question. The absense of such monitoring would mean that there would be no evidence but that does not mean that the hackers did not access the data prior to may of 2017. It reads like cya legalese to me…
This doesn’t add up. Either MasterCard and VISA – goliath scale with sophisticated algorithms for detecting CPPs – or Equifax, which didn’t have the sense enough to plug a security hole known since 3/7. My hunch is both are correct: the intruders deleted artifacts to hide their tracks and Mandiant (the rumored forensic investigator) can only say with confidence of an intrusion in May based on available evidence. But Equifax cannot rule out November 2016 onward. How many other patches did Equifax ignore? We have to consider multiple exploits here.
Totally agree with you! Equifax is only going to fess up to what they’ve been exposed for. We likely will not hear about other exploits unless they’re exposed by media, Mandiant (unlikely), or others.
Brian,
Since we all know the bad guys like to attack multiple victims at the same time, have your investigations led you to any information about the other credit bureaus (Experian, & TransUnion), Business Credit Bureaus (D&B) or plethora of Identity Protection organizations (LifeLock, InfoArmor, etc), or was this more of a targeted attack? I imagine all of these gold mine orgs are under constant barrage. It would be an interesting case study on how they all approach the evolving threats.
Seems Equifax was storing credit card information inconsistant with the PCI data security standard. The hole appears to keep getting deeper and anticipated fines and losses are ever increasing.
“The attacker accessed a storage table that contained historical credit card transaction related information,”
That sounds like they are admitting they store credit card transactions in plain text for at least 6 months.
Pretty sure that’s against the PCI rules.
Oh great- is annualcreditreport.com also compromised?
We know it was vulnerable as of March 10, 2017. What we do not know, apparently, is when it was patched and if it was exploited prior to being patched. Equifax wasn’t attacked (by all accounts, anyway) until two months after that, so there is a big period of uncertainty.
Might have gotten more information– such as the day of month when billing is cut. Perhaps just coincidental, but I was hit for several charges in August with just one squeaking into the CC paper billing– triggered an online pull of later transactions showing several more illicit charges. Chip and sig, the vendors (or maybe Equifax…) get(s) to eat the charges but in the meantime I had to get another CC.
All the charges were small, apparently not enough to trigger out of area fraud alert; one cluster over a few weeks. It would be interesting to know what techniques the fraudsters use to minimize detection and maximize CC utilization before the card is burned.
Detection would have been much sooner but the CC provider doesn’t send SMS on each transaction. I much prefer immediate SMS vs. pull, even with all the flavors of “pending” causing multiple odd looking messages sometimes posted at times very different than the CC use.
“CC provider doesn’t send SMS on each transaction.” do any in the US do this? CCs have been doing this in South Korea for years and I have always thought it such a great security feature. I asked my CC if they could do that and was told no (about 3 or 4 years ago)
Not positively sure; but, seems First Data provides SMS alerts for each transaction, according to the info provided by my financial institution.
My Discover card does this — I have it set to notify me of any transaction over $50, but I believe you could set it low to be notified of any transaction. It’s definitely quite handy, but I don’t know if most CCs do it.
I get a notification for every transaction. That’s how I was able recently to discover within an hour fraudulent charges and cancel the card.
Many do, but they’re opt-in systems which means their participation is low.
I have alerts for any card not present transactions, any transactions conducted at a gas station, and card present transactions over a set amount. The alert consists of an email and a data connection to the bank’s app on my phone, and they have apps available for both iOS and Android.
Oh, please let them get excommunicated by the PCI!
Isn’t storing historical credit card transaction data a PCI violation?
and they still wont care about security after this.. their bottom line sure, security, nah!
Credit card data at rest is supposed to be encrypted. Do they not know this?
If stored in a database with non-sensitive data, the credit card number column should have column level encryption. That’s something I did ten years ago at a former company.
So I guess this means that Equifax was storing full card numbers in the clear…PCI-DSS violation anyone?
Great way to monetize intrusions- let the info out, then charge customers to stop fraud or sign-up for protection services.
Just tried to freeze my report on Transunion and it appears they are now forcing people to get an account in order to do it. Equifax and Experian did not. I don’t want a damn account. I just want to freeze my report. Have been trying all day and it appears they have been diligently working on getting this new requirement up and running. Ugh!
Admitting my idiocy here…already had an account. Was able to freeze credit report ($10). Sorry guys.
Suzie,
I am not sure how new a requirement that is.
I froze TU the day after the Equifax story broke and I had to establish an account. However, that is pretty basic: just name and password.
“Visa and MasterCard are sending confidential alerts to financial institutions…”
Do payment card providers Discover and American Express not send alerts to financial institutions; or, send many less alerts for the size of their proportional outstanding cards? If a card issuer is heavily Discover- and, or, American Express-based, then perhaps those cards would be prone to abuse longer than Visa or MasterCard.
I believe that Discover and Amex do not underwrite any other lenders cards. They only issue their own cards. This means that any fraud they detect will be dealt with internally rather than having to notify external lenders that there may be a problem.
Example of AMEX-issued by another financial institution, has both logos on it:
penfed.org/credit-cards/travel-rewards-american-express
This financial institution would get fraud alerts from Visa as a minimum, as Visa is another offered card by this financial institution.
Even though that has the CU logo on it, that could simply be a custom card issued by AmEx. Costco used to have their own Costco AmEx cards with similar custom graphics, but it was just an account with AmEx.
Equifax is listed as a member of the PCI Standards Council group.
https://www.pcisecuritystandards.org/get_involved/participating_organizations
Appreciate the irony…
There is no relationship between Council membership as a participating organization and your company’s compliance status. It would be a very bad assumption to say they are compliant because they are a participating organization.
Being a member doesn’t mean much. M3AAWG has some of the worst spammers in their sponsors: Sendgrid and Mailchimp.
I would not believe anything Equifax says even if it is said over a stack of bibles!
Regards,
Why don’t we fix it so that company expenses paid to investigate/remediate hacks due to exploits that have been patched are not deductible for income tax purposes?
Regards,
How do I or my husband, Mark Stracke, know if we have been compromised?
My MC was frozen due to a $25 fraudulent transaction detected by MC on 7/31/17. coincidence? I know the exact date because I was notified as I was about to board a plane for a 3 week trip out of the country. added a lot of inconvenience to that trip!
Edit: my credit accounts are also frozen, so that may not have prevented my data from being stolen
Don’t you just LOVE having to pay to have your credit frozen, just because some the company has it stored without your permission?
How is that different from me putting people’s information on-line and only agreeing to remove it if they pay me?
Sure, we are victims in this situation, but the real victims are the credit card companies who are going to have to eat most of the fraudulent charged that we complain about.
And while I think about it, is it really possible that any company that maintains large amounts of consumer financial data does NOT have the database well-seeded with fake records that can be used to track breeches and illegal usage?
Lastly, one of my credit cards (Capital One I think) sends me emails when large or unusual charges come though so I can quickly let them know if there is a issue. Why are we not given more power as partners to help fight the fraud problems?
Terry- You and your husband have both been compromised. Or at very minimum you need to assume this going forward. Please read Bryan’s other articles about what to do to protect yourself.
Terry- You and your husband have both been compromised. Or at very minimum you need to assume this going forward. Please read Bryan’s other articles about what to do to protect yourself.
Question: “the Apache Struts vulnerability was present at the time on annualcreditreport.com”
Has it since been patched?
Comment “Were the cards related to purchases of credit monitoring services from Equifax? If so, that is pretty ironic.”
When I did my credit freeze online, right after I heard of the announcement of the breech, I didn’t have to pay Equifax $10. From my understanding Equifax should have been charging me $10 for the credit freeze? Does that insinuate that they took down the payment method because the payment method was hacked?
Where’s that facepalm meme?
Storing credit cards in the clear is STUPID and in violation of PCI rules!
Equifax is giving only 1 year of their TrustedID product to impacted consumers. This problem will live a lot longer than 1 year. They should provide TrustedID forever to all who have been compromised.
I froze my account at Experian, TransUnion, and Innovis – it was easy. But Equifax’s online system kept crashing and non one would answer the phone….
I just got an email from Equifax asking me to verify my SSN and birthdate for activation of their TrustedID Premier. Do you think the email is legitimate?
I would not respond to any email asking for that information. Not saying at this point that it would surprise me if Equifax did do something like that, just saying you should never provide sensitive information like that because you were requested to do so via email. I’m betting the phishers are having a field day with this breach.
Care to share the text of the email and/or a screenshot?
According to Equifax, the final phase of enrollment is an email to the enrollee:
Enroll tab: “Within a few days, you will receive an email with a link to activate TrustedID Premier. Please be sure to check your spam and junk folders if you do not receive your activation email within that timeframe.”
So, yes, it may be legit, but it may not.
Look at the email header. If it really came from Equifax, they should be barbecued. But it probably came from an impersonator.
If you unhide the email header, depends on the email client used, run it through an email header parser. Nothing but certain parts of the email header may be legitimate:
levinecentral.com or spamcop.net