14
Sep 17

Equifax Hackers Stole 200k Credit Card Accounts in One Fell Swoop

Visa and MasterCard are sending confidential alerts to financial institutions across the United States this week, warning them about more than 200,000 credit cards that were stolen in the epic data breach announced last week at big-three credit bureau Equifax. At first glance, the private notices obtained by KrebsOnSecurity appear to suggest that hackers initially breached Equifax starting in November 2016. But Equifax says the accounts were all stolen at the same time — when hackers accessed the company’s systems in mid-May 2017.

equifax-hq

Both Visa and MasterCard frequently send alerts to card-issuing financial institutions with information about specific credit and debit cards that may have been compromised in a recent breach. But it is unusual for these alerts to state from which company the accounts were thought to have been pilfered.

In this case, however, Visa and MasterCard were unambiguous, referring to Equifax specifically as the source of an e-commerce card breach.

In a non-public alert sent this week to sources at multiple banks, Visa said the “window of exposure” for the cards stolen in the Equifax breach was between Nov. 10, 2016 and July 6, 2017. A similar alert from MasterCard included the same date range.

“The investigation is ongoing and this information may be amended as new details arise,” Visa said in its confidential alert, linking to the press release Equifax initially posted about the breach on Sept. 7, 2017.

The card giant said the data elements stolen included card account number, expiration date, and the cardholder’s name. Fraudsters can use this information to conduct e-commerce fraud at online merchants.

It would be tempting to conclude from these alerts that the card breach at Equifax dates back to November 2016, and that perhaps the intruders then managed to install software capable of capturing customer credit card data in real-time as it was entered on one of Equifax’s Web sites.

Indeed, that was my initial hunch in deciding to report out this story. But according to a statement from Equifax, the hacker(s) downloaded the data in one fell swoop in mid-May 2017.

“The attacker accessed a storage table that contained historical credit card transaction related information,” the company said. “The dates that you provided in your e-mail appear to be the transaction dates. We have found no evidence during our investigation to indicate the presence of card harvesting malware, or access to the table before mid-May 2017.”

Equifax did not respond to questions about how it was storing credit card data, or why only card data collected from customers after November 2016 was stolen.

In its initial breach disclosure on Sept. 7, Equifax said it discovered the intrusion on July 29, 2017. The company said the hackers broke in through a vulnerability in the software that powers some of its Web-facing applications.

In an update to its breach disclosure published Wednesday evening, Equifax confirmed reports that the application flaw in question was a weakness disclosed in March 2017 in a popular open-source software package called Apache Struts (CVE-2017-5638)

“Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted,” the company wrote. “We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”

The Apache flaw was first spotted around March 7, 2017, when security firms began warning that attackers were actively exploiting a “zero-day” vulnerability in Apache Struts. Zero-days refer to software or hardware flaws that hackers find and figure out how to use for commercial or personal gain before the vendor even knows about the bugs.

By March 8, Apache had released new versions of the software to mitigate the vulnerability. But by that time exploit code that would allow anyone to take advantage of the flaw was already published online — making it a race between companies needing to patch their Web servers and hackers trying to exploit the hole before it was closed.

Screen shots apparently taken on March 10, 2017 and later posted to the vulnerability tracking site xss[dot]cx indicate that the Apache Struts vulnerability was present at the time on annualcreditreport.com — the only web site mandated by Congress where all Americans can go to obtain a free copy of their credit reports from each of the three major bureaus annually.

In another screen shot apparently made that same day and uploaded to xss[dot]cx, we can see evidence that the Apache Struts flaw also was present in Experian’s Web properties.

Equifax has said the unauthorized access occurred from mid-May through July 2017, suggesting either that the company’s Web applications were still unpatched in mid-May or that the attackers broke in earlier but did not immediately abuse their access.

It remains unclear when exactly Equifax managed to fully eliminate the Apache Struts flaw from their various Web server applications. But one thing we do know for sure: The hacker(s) got in before Equifax closed the hole, and their presence wasn’t discovered until July 29, 2017.

Update, Sept. 15, 12:31 p.m. ET: Visa has updated their advisory about these 200,000+ credit cards stolen in the Equifax breach. Visa now says it believes the records also included the cardholder’s Social Security number and address, suggesting that (ironically enough) the accounts were stolen from people who were signing up for credit monitoring services through Equifax.

Equifax also clarified the breach timeline to note that it patched the Apache Struts flaw in its Web applications only after taking the hacked system(s) offline on July 30, 2017. Which means Equifax left its systems unpatched for more than four months after a patch (and exploit code to attack the flaw) was publicly available.

Tags: , , , , ,

196 comments

    • That story was about them refuting claims that the hack was the result of a much more recent Struts vulnerability earlier this month. The original QZ story that the statement is in response to initially claimed that the Struts vulnerability was one that came out this month, not one back in March.

    • You think your credit card is bad, mine was terrible. i was at the edge of loosing my family, when i got saved by an old friend of mine who introduced me to a hacker by the name Global View. I didn’t at first believe it but i had no choice, i was about to loose everything. So i contacted him via email at globalview{DOT}hacker {AT}gmail{DOT}com and i must say, hackers are the best. He raised my credit score to a golden score and removed the eviction from my credit among other negative listings. Now my life is much better than i ever thought it would. I can now get approved for loans, mortgage, surgery e.t.c. I’ll advise you contact him to help fix your credit now. He’s the only hacker i trust can help out in any hack related issue.

  1. Forgive my lack of technical background here, but is there an answer to the question of why was Equifax, holding all this confidential data, using an open source software product? Why would this be secure from hackers if it’s open source? Wouldn’t a halfway smart hacker be able to find vulnerabilities easily? From a business perspective, was the company trying to save development dollars using this software choice? Maybe someone can explain this to me. I’ll check back after I finish freezing my accounts.

    • Open source software libraries and products help power nearly every web site on the planet. They form the foundation of Google, Amazon, Netflix, and countless others you probably use every day.

    • “Open Source” doesn’t mean “insecure”. In reality, with open source software you may have hundreds of folks reviewing the code for flaws. Since it is open source the source code is available to all that care to review it.

      This is not the case for proprietary code. We must rely on the vendor to validate their code.

      As we have seen with the NSA dumps there were plenty of exploitable vulnerabilities (0-days) in proprietary code.

      Code that is actively maintained by a reputable organization, open source or not, will have periodic security updates to patch vulnerabilities (either found in existing code, introduced when new features/functionality is added, in shared libraries, etc…).

      It is the responsibility of the organization using the code to patch those vulnerabilities in a time frame commensurate with the risk.

      Hope that helps.

      • There is no evidence to suggest that open source software is more or less secure. The problem is that everyone else assumes that everyone else is looking at the code. There have been major critical vulnerabilities in both open and closed source code which is why it is best to have multiple layers of security. If your not following best practices (least privilege, segmentation), running av, whitelisting, using machine learning, monitoring, actively looking for odd behaviors, etc. then your probably missing something. Assuming that any product is secure is just a bad idea.

        • You are correct. Open source software can have vulnerabilities too, and they are regularly found and fixed. What we CAN show though is that Open Source software is fixed very shortly after the vulnerability is found, every time, while proprietary software often is not. In fact, we’ve seen reports of proprietary software remain insecure for months or years after a report is released.

          So bugs per line of code? Probably the same, or at least similar enough that an argument could be made either way.

          Vulnerabilities unfixed after reporting? Open Source wins by a mile.

      • In some cases, “open source” DOES mean “insecure”. You may recall the Heartbleed flaw, which sat unnoticed in OpenSSL for 2 years. The old saw of open source being somehow superior to closed source due to more eyeballs on it no longer holds water. And the impacts can be just as damaging.

      • Open source / Open sores…. its all the same. With open sources there is NO clear concise accountability if something fails.

        And I am sure, that is in the EULA, right ?

    • I am by no means a technical expert like Brian Krebs, but have quite a bit of computational & open source background.

      The logic I have often seen is actually the opposite – open source programs, at least those that are widely, are considered SAFER as the code basically undergoes regular “peer review” by thousands (or millions – ?billions in case of Apache products) eyes at regular intervals.

      To be fair, once vulnerabilities are found ,they may be easier to exploit.

      Closed source products, on the other hand, generally are only as good wrt security as the particular (small group of) eyes looking at them. In the case of Equifax and how it seems to have handled computer security, I can only imagine what that would mean if they developed an in-house product…

    • LOL! You’ve got to understand, this is a cost-benefit decision. There’s apparently not much penalty for this breach as there’s no law forcing them to encrypt or protect our data. So why hire more programmers. Non-criminal penalties are another matter. Hopefully there can be a claw-back of the profits the execs made on stock sales done before the breach was exposed.

    • Would seem to me the security practices of this company were negligent in support these peoples data. As pointed out Open source software powers the world. What has me is why this company wasn’t forced to have a PCI compliance certification. Why was financial data in a database and not encrypted? Personally this company should be sued into extinction because they put profit in-front of simple security and you only get one chance to screw up this big!

      • Suing does not address the problem. It takes years if not decades and by the time it ends, only lawyers would have gotten rich, victims see practically nothing and the very same problem can reoccur again and the whole process repeats.

        There is so much money to profit from such practices and that, once made, is not taken away and no personal losses by top mgmt, that they readily take the risk of something like this will happen, by which time they at best are fired rich and with golden parachutes.

        As Bruce Schneier has written, the “free market” has no solution — it is, in fact, responsible for these problems and in the US the govt agencies regulating these malfeasers are in the hands of past malfeaser personnel that protects them.

        https://www.schneier.com/blog/archives/2017/09/on_the_equifax_.html

        Read it and the comments and weep.

        Check and mate.

        • I don’t see why you’re bashing free market capitalism over this incident. No one who advocates for a free market claims it will be a utopia. The alternatives to a free market are just a lot worse. I’m sure Cuba didn’t have to worry about the equifax breach..thank god for communism /sarcasm

      • PCI DSS applies to all entities who store, transmit or process credit card data so Equifax has a card data environment that is in scope. Requirement 6.2 is that all patches for critical vulnerabilities be applied within 1 month of the publication date. Since this vulnerability was published in March that means Equifax was not in compliance at the time of the breach.

    • re: security and openness in general – we need to open up about security practices everywhere. Am I nuts? For people who want to keep holding security close to the vest, I have one question: How’s that been working out for you?

      Every busy CEO should take these six words to heart. It boils everything about security they need to know down to an easy-to-remember rhyme: Care and share to be prepared.

      The debate about open vs. closed security practices is not new.

      I want to share one quote. It’s from a famous locksmith named Alfred Charles Hobbs. He wrote this in 1854. That’s not a typo. 1854. 163 years ago. Before smartphones and the Internet. Here is what he said on page 2 of his book, “On the Construction of Locks.”

      “A commercial, and in some respects a social, doubt, has been started within the last year or two, whether or not it is right to discuss so openly the security of locks. Many well-meaning persons suppose that the discussion respecting the means for baffling the supposed safety of locks offers a premium for dishonesty, by shewing others how to be dishonest. This is a fallacy. Rogues are very keen in their profession, and they already know much more than we can teach them respecting their several kinds of roguery.”

  2. Just attempted to put a freeze in place on-line at Equifax. After completing the initial information-getting, their site returns an “Error 500”, with the very lovely
    “Thank You for granting Equifax the Opportunity to serve you”. This was on 9/14, at about 8:15 Eastern.

  3. Froze my account at equifax a year ago. I may have missed someone who asked this same question earlier, but how can I easily check to make sure the account hasn’t been re-opened by hackers unraveling my pin #? since I am only allowed one free credit report each year, that won’t help….is equifax also offering unlimited free reports now?

    • I’m fairly certain that you can deduce whether your credit file is frozen by going through the steps again. If, once you enter in your personal information, you are NOT presented with the option to freeze your credit account, then it is still frozen.

      One thing I have not heard mention is if freeze pins were a part of the data that was stolen. If they were, then freezing your account will do nothing (the thieves would have the tools to unfreeze the account).

      Lastly, being a programmer, I suspect that the pin is simply the transaction date and time of the freeze document. Since we know that it is a timestamp, it is very likely that it is saved somewhere in the freeze document as a datetime entry. If so, then it is also highly likely that the pins WERE stolen along with the rest of the data.

      • The PINs Equifax used were originally simple timestamps. They have started to use a random number generator to assign PINs, after an outcry from people about using timestamps.
        https://arstechnica.com/information-technology/2017/09/equifax-moves-to-fix-weak-pins-for-security-freeze-on-consumer-credit-reports/

      • Yup. All those with past PINs should demand new ones.

        Equifax has, if I recall, promised to replace the PINs with random ones by mail, but they probably are now not in a state that permits them to do anything massive.

        So it is not unlikely that new thieves will exploit the weakness and use brute force to figure out the datetime pins and steal more data.

        The way the entire system operates right now has collapsed and only a systemic drastic change is required.

        I won’t hold my breath.

        • OK, I want my pin # changed right away. Any idea who, at equifax, is interested in helping me do that? Is there a way to request that change on their website somewhere, or a dedicated hotline? If by some miracle there is, and someone knows, I would be grateful for the lead.

  4. Thank you for your work , & giving the rest of us more insight on security.

  5. Sorry, have to add, if the thieves have 143 million records of personal info, and 200,000 records of transactional data, it would be simple to use the date of the transactional record to test whether the date of the transaction is close to the freeze pin (assuming the thieves find the credit account frozen), since Equifax charges most of us to freeze the account.

    So those whose credit card data was stolen are likely to be at higher risk of identity theft, even if the account is frozen.

    A fix would be to unfreeze the account now that the breach is in the past, and then freeze it again, thereby generating a new pin.

    Alternatively, anyone with an old frozen account should request a new pin via snail mail (Equifax’s process). Even though it’s painful, it’s better than trusting that the old freeze pin was not compromised.

  6. PCIDSS requires that cardholder data is adequately protected and recommends (although does not mandate) encryption as a way of achieving this.
    Penalties for breaching PCIDSS requirements include fines but can also extend to banning the use of card data. Now that would be amusing!
    Let’s see how the card schemes react to this breach.

    • Equifax because of the number of credit card accounts for which it is the custodian is most certainly a Level 1 entity under PCI DSS, which means they have to have an independent 3rd party, a QSA validate their compliance using PCI’s Report on Compliance or ROC. Requirement 3.4 in the ROC is that the entity must render the stored or transmitted personal account number unreadable by either hashing, truncating, tokenization or by strong encryption.

  7. Just tried 4 times to do a freeze on Equifax site @ 4:18 AM EDT
    And got the message below, what a nightmare!

    “We are currently unable to service your request.

    Please try again later.”

    • Finally! After about 2 hours of trying to freeze my credit report on the Equifax site! Success at about 6:00 AM EDT! Keep on trying folks, it eventually goes through. Although you have to keep entering the same information in over and over.

  8. A good informative article, Brian…as always.

    From what I’ve been reading on a few other sites, consumers are not only encountering problems trying to freeze their credit reports with Equifax, but also with Experian and Trans Union as well.

    It seems all 3 are deliberately stone-walling people by throwing stumbling blocks when you try to do so on-line, attempt to reach them by phone, etc.

    Frankly, at this point I have ZERO confidence in ANYTHING Equifax has to say. Once trust is lost in a manner & magnitude such as this…it will take a VERY long time to regain it!

    • If one is to adapt one’s cynicism to current reality, it’s hard to avoid the impression that for the CBs breaches trigger marketing campaigns to sell their services for billions:

      https://news.ycombinator.com/item?id=15254192

      It is not farfetched: if you have no obligations, responsibility or liability for breaches, you’re incentivized to make security as lax as possible and use the incidents to acquire huge profits that you would have had no way to make with good security.

      Upside down incentives have predictable consequences.

  9. Thank you for your work , & giving the rest of us more insight on security.

    Regards,

  10. How can you know IF your info was shared (and yes, I am very “non-tech” savvy). I can turn mine on, off and I can reboot it!

  11. I am unfortunately extremely well, “non-tech savvy”. How can the Average Joe find out IF THEY WERE EFFECTED Baby this debacle? Thanks, God Bless. Doc

  12. There is a similarity between data breaches and hurricane flooding. The damage for both can be paid for after the disaster occurs, which is apparently the favored method for handling the problem, or by putting safeguards in place to prevent or mitigate the problem beforehand. From a computer security perspective it seems odd that a company would want to clean up a data breach, when for a small ongoing expense they could avoid it altogether. But from my own experience I know companies see computer security as a nonessential expense. I worked for a company where every time I suggested improvements in security, I was told that the cost was too great. I did my best to protect the data and network, but when I left I told them that it was only a matter of time before they would have a problem. Just as an aside, after reading about Mirai on KoS, I performed a detailed network inspection and found an old 16 channel DVR used for security cameras sending out tons of data to the internet. Since the DVR was only used by the security guards internally, I asked to have it removed from the network.

    • Top management of large corporations make so much money that within a couple of years they become multizillionaires and have astronomic golden parachutes.
      They are incentivized to maximize profits at the expense of costs VERY FAST and are not aliniated with their company’s long term interests. It is also always much easier to increase profits by cutting costs than increasing revenues.

      If you read some of the details of what the updates of the flaw that purportedly is responsible required, it is easy to see why they did not bother with the complications. Hard work. In today America nobody wants to do that and is incentivized to that effect.

      Everybody wants the benefits of a digital economy, nobody wants the costs.

  13. Not sure how relevant this source is, but might be worth a look… It says the hackers claim it was not through Struts.
    http://spuz.me/blog/zine/3Qu1F4x.html

  14. Knowing how users are and how wide the breach is. Why not work on a method to freeze all credit? Example, if a small breach occurs, you may be alerted to change your password. If a big one occurs, they change it for you, or lock it out and force you to contact them.

    It’s a huge project to undertake, but then again.. it’s a bad breach.

    Hell, why not change the system to be frozen by default?, build it into the system and remove the fees for freeze/thaw. What’s the current cost of fraud these days? (to banks/credit types)

    • If they do this they lose their primary source of revenues and profits.

      A marketing campaign to sell monitoring service and charging for freezing and defreezing is much more logical. Why commit suicide when you can enrich yourself? The public? Who the hell cares? They’re not even customers.

      It never ceases to amaze me the simplemindedeness of Americans that expect corporations to “do the right thing” when the entire system is structured and incentivizes them to do the exact opposite.

      It’s that simplemindedness and apathy that produced such a system in the first place.

  15. Was the data encrypted on the storage devices at Equifax?

  16. One way malicious actors may try to use the stolen data could be for them to place a freeze on the credit account of someone whose data has been stolen. This would allow them to control your account by them owning the freeze/unfreeze pin. Preventing the legit owner of the account from freezing the account themselves and allowing the malicious actor to unfreeze the account at a later time when they are ready to use your info for fraud. For this reason I would recommend everyone to freeze their own accounts as soon as possible. The good news is that it looks like Equifax may have thought of this also and is taking precautions by going the extra mile to validate that the person asking for the account freeze is legit. Unfortunately this means more headache and hassle for the legit individual. Another thing to keep in mind: with millions of people trying to add freezes to their credit accounts, if you are successful in freezing yours, it may take you several days to a week or more to unfreeze it, if trying to do so any time in the near future. So don’t freeze it if you need it anytime soon or you may find your self waiting awhile to unfreeze it.

  17. If you are lucky enough to freeze your account at equifax (due to system timeouts, crashes, etc) they give you a pin to unlock your account in the future. I wonder if they store this pin in the clear like they do credit card and SSN data!

  18. I believe it is a lovely attribute for Equifax to have the web fonts used on Equifax web sites related to this breach so light as to be almost transparent, and nearly impossible to read for one with normal eyesight, yet alone those with vision challenges.

    Goes to show (me, anyway) that the entire response strategy is self-serving at best.

    Shame on Equifax.

  19. Interesting that Equifax’s PCI compliance expired 8/31/2017

    http://www.visa.com/splisting/searchGrsp.do

  20. British Gentleman

    Suggested new slogan for Equifax: “Powering the UNDERworld with knowledge”

  21. Another point against Equifax: What’s up with “the enrollment period ends on Tuesday, November 21, 2017”, why a self-imposed short timeframe, rhetorical?

  22. Chase Bank notified me that they detected potential fraud on my credit card. Someone (not me) was taking Uber trips and charging my card. So, Chase cancelled the card and sent me a new one. This is the 3rd time it has happened. First, was after the Target breach. Second was after the Home Depot breach. Third is after the Equifax breach. I suspect that Chase is passing the cost of these fraud on to it’s consumers.

    • It does not necessarily have to do with the latest Equifax breach. Criminals get your info in any number of ways. Breaches, Skimmers, malware, etc. I had 2 of my cards used twice by criminals. Once I found a rootkit in my computer and suspect that might have had something to do with it. The second time another website had a breach and I was notified via USPS mail. Here is a site that has a list of breaches the general public has probably never heard of.

      http://www.idtheftcenter.org/Data-Breaches/data-breaches

  23. This breach along with the other incidents in recent times leads me to believe that there needs to be real legal repercussions for all of the entities that want to store PII. They make it mandatory that the users submit this information to use the service so there is no real way around providing the information.
    The user feels the pain of a breach due to the inability of the company to secure it, therefore I submit the company and company officials need to feel real pain. Not just a fine or a stock hit. Prison time or banning company for doing business and officials from doing business with any PII ever again. Full correction of issue and full reimbursement of damages to all people that have been exposed and ID actually stolen. I know this is a bit hard line but without real consequences to the behavior then the behavior will continue based upon cost benefit analysis demonstrating that it is cheaper to pay for “credit Monitoring” for a year than it is to actually secure the information.

    • The minute you started to store private info on line you essentially gave control to the underworld. The reality is that those who want to break security will always be ahead of those supposed to enforce it.

      The only way to prevent this is to go back to non-digital economy, but I suspect that the economy will self-destruct before that happens.

  24. The focus here should not be a the application later. It should be at the data layer. What was this data not encrypted!?

  25. I saw mention of it in a previous post, but don’t recall if the question was answered. Did the equifax hackers obtain the security freeze unlock PIN codes? If they did, this is most concerning…

  26. Brian, Awesome write up as usual. For years I have been paying for a credit monitoring and ID theft protection package from Equifax called “Equifax Complete™ Premier” for $19.95 per month. The charges are applied to a credit card of mine that Equifax has on file. Would you guess those were the 200K credit cards stolen, because others like me were paying for their monitoring service and had their cards on file as well?

    If so, then this a likely a completely different breach than the credit report breach just announced last week.

    The irony here is unbelievable. Pay for a credit monitoring and ID theft protection from a company, where both my credit card on file and my credit reports were both stolen.

    Stephen

  27. Those asking why the data wasn’t encrypted need to understand this exploit in particular, and exploits in general.
    Yes data should be encrypted, and if this data wasn’t stored that way, it certainly would have been part of the story. But data can’t always be encrypted, otherwise you couldn’t use the information at all.
    If the database was simply downloaded, the hackers would only have encrypted data. By itself it would be useless, but with data banks of user information the data might have value by running usernames and passwords against the database to see if anything gets unlocked.
    That isn’t what happened here. The hackers gained access to essentially become users (i.e. a person who would need access to the data and could unlock it as a normal business operation).
    Over a period of essentially two months they were able to download all that information blending in as normal business transactions.

  28. BIT OF IRONY:

    Why would Equifax have 200,000 Visa Card numbers?

    My guess would be for those people who paid to have their credit frozen in the past or unfrozen. Some states allow you to get that done free, but not all.

    rather ironic wouldn’t you say?

    Someone made a comment about companies not wanting to spend money on IT security. Been there done that. as a former IT person, I used to say “nothing like a good security compromise in the news to get us more money for security!” Until the execs got amnesia….

  29. I suppose we’ll never learn what sort of security measures they had (or didn’t have) in place to prevent someone who broke into their web network from getting to the internal network.