October 4, 2017

Maybe you’ve been feeling left out because you weren’t among the lucky few hundred million or billion who had their personal information stolen in either the Equifax or Yahoo! breaches. Well buck up, camper: Both companies took steps to make you feel better today.

Yahoo! announced that, our bad!: It wasn’t just one billion users who had their account information filched in its record-breaking 2013 data breach. It was more like three billion (read: all) users. Meanwhile, big three credit bureau Equifax added 2.5 million more victims to its roster of 143 million Americans who had their Social Security numbers and other personal data stolen in a breach earlier this year. At the same time, Equifax’s erstwhile CEO informed Congress that the breach was the result of even more bone-headed security than was first disclosed.

To those still feeling left out by either company after this spate of bad news, I have only one thing to say (although I feel a bit like a broken record in repeating this): Assume you’re compromised, and take steps accordingly.

If readers are detecting a bit of sarcasm and cynicism in my tone here, it may be that I’m still wishing I’d done almost anything else today besides watching three hours’ worth of testimony from former Equifax CEO Richard Smith before lawmakers on a panel of the House Energy & Commerce Committee.

While he is no longer the boss of Equifax, Smith gamely agreed to submit to several days’ worth of grilling from legislators in both houses of Congress this week. It was clear from the questions that lawmakers didn’t ask in Round One, however, that Smith was far more prepared for the first batch of questioning than they were, and that the entire ordeal would amount to only a gentle braising.

Nevertheless, Smith managed to paint an even more dismal picture than was already known about the company’s failures to secure the very data that makes up the core of its business. Helpfully, Smith clarified early on in the hearing that the company’s customers are in fact banks and other businesses — not consumers.

Smith told lawmakers that the breach stemmed from a combination of technological error and a human error, casting it as the kind of failure that could have happened to anyone. In reality, the company waited 4.5 months (after it discovered the breach in late July 2017) to fix a dangerous security flaw that it should have known was being exploited on Day One (~March 6 or 7, 2017).

“The human error involved the failure to apply a software patch to a dispute portal in March 2017,” Smith said. He declined to explain (and lawmakers inexplicably failed to ask) how 145.5 million Americans — nearly 60 percent of the adult population of the United States — could have had their information tied up in a dispute portal at Equifax. “The technological error involved a scanner which failed to detect a vulnerability on that particular portal.”

As noted in this Wired.com story, Smith admitted that the data compromised in the breach was not encrypted:

When asked by representative Adam Kinzinger of Illinois about what data Equifax encrypts in its systems, Smith admitted that the data compromised in the customer-dispute portal was stored in plaintext and would have been easily readable by attackers. “We use many techniques to protect data—encryption, tokenization, masking, encryption in motion, encrypting at rest,” Smith said. “To be very specific, this data was not encrypted at rest.”

It’s unclear exactly what of the pilfered data resided in the portal versus other parts of Equifax’s system, but it turns out that also didn’t matter much, given Equifax’s attitude toward encryption overall. “OK, so this wasn’t [encrypted], but your core is?” Kinzinger asked. “Some, not all,” Smith replied. “There are varying levels of security techniques that the team deploys in different environments around the business.”

Smith also sought to justify the company’s historically poor breach response after it publicly disclosed the break-in on Sept. 7 — roughly 40 days after Equifax’s security team first became aware of the incident (on July 29). As many readers here will recall, KrebsOnSecurity likened that breach response to a dumpster fire — noting that it was perhaps the most haphazard and ill-conceived of any major data breach disclosure in history.

Smith artfully dodged questions of why the company waited so long to notify the public, and about the perception that Equifax sought to profit off of its own data breach. One lawmaker noted that Smith gave two public speeches in the second and third weeks of August in which he was quoted as saying that fraud was “a huge opportunity for Equifax,” and that it was a “massive, growing business” for the company.

Smith interjected that he had “no indication” that consumer data was compromised at the time of the Aug. 11 speech. As for the Aug. 17 address, he said “we did not know how much data was compromised, what data was compromised.”

Follow-up questions from lawmakers on the panel revealed that Smith didn’t ask for a briefing about what was then allegedly only classified internally as “suspicious activity” until August 15, almost two weeks after the company hired outside cybersecurity experts to examine the issue.

Smith also maneuvered around questions about why Equifax chose to disclose the breach on the very day that Hurricane Irma was dominating front-page news with an imminent landfall on the eastern seaboard of the United States.

However, Smith did blame Irma in explaining why the company’s phone systems were simply unable to handle the call volume from U.S. consumers concerned about the Category Five data breach, saying that Irma took down two of Equifax’s largest call centers days after the breach disclosure. He said the company handled over 420 million consumer visits to the portal designed to help people figure out whether they were victimized in the breach, underscoring how so many American adults were forced to revisit the site again and again because it failed to give people consistent answers about whether they were affected.

Just a couple of hours after the House Commerce panel hearing ended, Politico ran a story noting that the Internal Revenue Service opted to award Equifax a $7.25 million no-bid contract to provide identity-proofing and anti-fraud services to the tax bureau. Bear in mind that Equifax’s poor security contributed to an epidemic of tax refund fraud at the IRS in the 2015 and 2016 tax years, when fraudsters took advantage of weak security questions provided to the IRS by Equifax to file and claim phony tax refund requests on behalf of hundreds of thousands of taxpayers.

Don’t forget that tax fraudsters exploited this same lax security at Equifax’s TALX payroll division to steal employee tax records from an as-yet undisclosed number of companies between April 2016 and March 2017.

Finally, much of today’s hearing centered around questions about the difference between a security freeze — a right that was hard-won on a state-by-state level over several years — and the “credit lock” services being pushed instead by Equifax and the big bureaus. Lawmakers on today’s panel seemed content with Smith’s answer that the two things were effectively the same, only that a freeze was more cumbersome and costly, whereas credit locks were free and far more consumer-friendly.

To those still wavering on which is better, I have only to point to reasoning by Christina Tetreault, a staff attorney on the financial services team of Consumers Union — the policy arm of Consumer Reports. Tetreault notes that perhaps the main reason a security freeze is the better option is that its promise to guard your credit accounts is guaranteed by law, whereas a credit lock is simply an agreement between you and the credit monitoring company.

“Having a contractual agreement is not as strong as having protections under law,” Tetreault said. “The contract may be unclear, may include provisions that allow the other party to change it, or include provisions that you may be better off not agreeing to, such as an arbitration agreement.”

What’s more, placing a freeze on your file is exactly what Equifax and the other bureaus do not want you to do, because it prevents them from making money by selling your credit file to banks and others (including ID thieves) who wish to grant new lines of credit in your name. If that’s not the best reason for opting for a freeze, I don’t know what is.

If anyone needs more convincing on this front, check out the testimony given in other committees today by representatives from banking behemoth Wells Fargo, which is under fire for signing up tens of thousands of auto loan customers for insurance they did not need and in some cases couldn’t afford. That scandal comes on the heels of another debacle in which Wells Fargo was found to have created more than 3.5 million bank accounts without consumers’ permission between 2009 and 2016.

Mr. Smith is slated to testify before at least three other committees in the House and Senate this week before he’s off the hot seat. On Friday, KrebsOnSecurity published a lengthy list of questions that lawmakers should consider asking the former Equifax CEO. Here’s hoping our elected representatives don’t merely use these additional opportunities for more grandstanding and regurgitating the same questions.

101 thoughts on “Fear Not: You, Too, Are a Cybercrime Victim!”

  1. Phil

    SSNs need to take a page out of RSA Public Key Encryption. The Federal Government holds the Private Key, and Credit Bureaus, Banks, People get the public key. When a person’s SSN is registered at birth the Public and Private key pair are generated, the public key goes to parents/guardians to be given to child at age 18 for public use. The government holds the private key with its relevant data (which at this point would be data regarding both the birth and the parents/guardians). As the parents’/guardians’ data is updated from time to time, so is the data associated with the child’s Private Key.

    Only allow the first transaction done with the public key to be through a State government office beyond a certain date to either obtain a State ID, register to vote, or obtain a learner’s permit. The public key with the other data is validated against the data associated with the private key; if it matches, the State then generates another Private Key for the Public Key that is sent to the federal government with related info for the transaction.

    Commercial transactions are only allowed after the first state government transaction and beyond a specified date. For any future transactions that occur with the child’s Public Key as they come of age, they supply the Public Key with associated data that needs to be compared with Federal Government’s records data that has been associated to the Private Key, no match on the data, no transaction can be done.

    So in this hypothesized Public/Private Key system, the current parents/guardians need to be with the child and supply their public keys and associated data for the first state transaction to get a state ID/register the child, and the child can’t work for an employer until they obtain a state ID. This will help with some labor/work-force related issues as well.

    These are just my own personal musings, so feel free to judge my rambling thoughts; maybe something good could arise from it.

    1. Ron

      Doesn’t matter!

      The best security solutions will be trumped by incompetence.

      1. Robert

        Ron – “The best security solutions will be trumped by incompetence.”

        “Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the universe trying to produce bigger and better idiots. So far, the universe is winning.” — Rich Cook

        Let’s field test Rich’s observation.

        Equifax breach caused by someone not applying a simple patch. – Universe 1, common sense 0

        Equifax stores data in plain text rather than encrypt. Universe 2, common sense 0

        Congress is so concerned they passed legislation years ago to prevent such problems. Universe 3, common sense 0

        Game, set, match! Universe wins!

        Found this site while trying to figure out what I should change my PINs to in an attempt to limit damage (I use a different PIN for e-v-e-r-y-t-h-i-n-g).

        I called one bank to change the automated phone system PIN, which is different from my ATM PIN. They have removed the ability to do so over the phone; you must now talk to a CSR. Very good move.

        Then things went south. In order to change the PIN they needed to text me, and I don’t have that capability. Rather than tell me to drive to the nearest branch with ID(s) to get this done, I heard, “I’ll ask you some personal information to confirm your identity.” I sighed softly knowing what was coming.

        “What city is the street address you have on file with us?” Data containing such info has been breached many times over the years! Any bad guy trying to impersonate me has it already.

        Before I was even asked the next question, I answered it! “What is the name of the County for the town you live in?”

        Looks like the Universe got a few more points. At least they have restricted access to changing your PIN, but it needs some tweaking.

        Can’t recall if Brian mentioned this article or I stumbled onto it. The bank was most helpful – to the bad guys. Another win for the Universe!

      2. Larry

        Incompetence is bad enough, but this goes beyond that IMHO. It was on purpose! The worst part is nothing will happen to Smith or his pals!

    2. CK

      Do you think the avg Citizen has any clue what to do with Keys? Let alone maintain one until their kids turn 18?

      You have people that don’t even understand how a computer or phone works and you want to introduce encryption keys into their lives…… yeah that’s going to work

    3. timeless

      Any proposed solution needs to address what happens when documents are destroyed/lost.

      It also needs to be fairly simple/easy to use/manage.

      And you need to outline how it should replace the existing system.

      The existing problem is roughly:
      there are lots of people who have similar names, no fixed address, and many entities want to be able to correlate them.

      Let’s temporarily ignore the private sector and focus on the public sector.

      The SSA wants to be able to take a cut of your paycheck and give you a statement showing your SSA account’s progress. When you retire, it wants to enable you to retrieve money from that account.

      The IRS wants to be able to recognize when an employer reports it gave income to you so that it can ensure you pay tax on that income.

      Sure, we could use a public-key private-key system here, but most people just want an identifier. That public key would be just as good.

      The IRS also wants your banks and investment firms to report income given to you the same way your employer gives you income.

      The next phase is that a lender wants to know if you’re a credit risk. It could be a bank, or some other entity. And it won’t necessarily have a preexisting relationship with you.

      Now, there’s no requirement that credit be managed by the private sector. Some countries manage credit themselves. Given the dumpster fire here, I’d be quite happy with the government being responsible (as long as it can’t contract it out to these companies…). But, a significant portion of the population doesn’t trust the government (it’s the reason that an SSN wasn’t mandatory…).

  2. Big E

    Are we any closer to figuring out who got all this PII data? Doesn’t look like the data has hit the market yet…so if it’s Russia, China, or NK… how would they use it?

    1. Peter Quirk

      On 9/20, someone in Thailand and someone else in Korea tried to penetrate my Microsoft account (I’m based in the US.) Fortunately, I have it protected by 2FA. I’m wondering whether these attacks used info from the Equifax hack.

      1. Robert.Walter

        Do you use same p/w on both accounts?

        If no, as it should be, then it seems strange that a wrong p/w could trigger a 2FA text dispatch.

        Also seems unlikely that anybody with your Equifax particulars could get MS to reset, much less reveal your p/w.

  3. FunnyBits

    Yes, it was a grueling 3hrs for Mr. Smith. Well deserved! The Congressmen and future Government seats need to converse with experts like you, Brian, on what questions to ask and associated follow-ups based on answers. To further make the point of transparency on the Credit Lock VS Credit Freeze. ($) The public needs to know they created a Credit Lock so they can still conduct business as usual in selling your Credit Information to the banks and merchants.
    As well as the website’s way of trying to get you to purchase their Premium Credit Monitoring services at $20 a mo. when navigating their website to get to the page to perform a Credit Freeze.
    “I am deeply Sorry.” (REALLY!?) And in this Cluster of a mess you and your company created, you’re still angling to make money off it. (Credit Lock and Premium Credit Monitoring)
    Mr. Smith also mentioned in this meeting he’s still working for Equifax without any payment (cash or otherwise). Is that to ensure they “keep the lid on” the other execs that cashed out their stocks days before they knew there was a breach? If you listen to that timeline they discuss, it’s sketchy, and you know as soon as they realized there was a breach, irrelevant if they had the data behind the depth, that the Security Team informed the CIO and it was OUT. Hence the large cash outs.
    It’s also a coincidence that the SEC also announced a breach on their side shortly after Equifax.
    Still no new press on the SEC’s investigation of these Equifax execs.
    In the next rounds of questioning they need to include the CIO and the Security Teams Management. Nail down these timelines.

    SS# should never have been the accepted unique number to catalog a person in ANY system outside the IRS. Banking and any other systems should produce their own unique IDs to catalog a customer and they all should be using different sequencing. I like the idea of a Hard Token and 2 factor authentication.
    Hopefully Congress will put that in their new legislation bill they are driving. Have all companies that carry our data conform to these new security standards and levy high penalties when they don’t, as well as with every breach event.
    These companies we didn’t OPT-IN to allow them to carry our data need to have “Skin in the Game”. And feel the consequences for not following the rules. Today they are benefitting by selling our data with no repercussions.

  4. FunnyBits

    Hummm…my comment was taken down? Did I hit a nerve?

    1. BrianKrebs Post author

      Relax. Your comment was held for moderation by my anti-spam system. FYI, implying that I’m taking down comments is the fastest way to get banned here.

  5. Todd

    My favorite part is Discover offers free monitoring of your SSN on nefarious sites….. I went to sign up for kicks, and guess who they share your info with to get the results??? EQUIFAX.

  6. marma-lade

    Here is the question I would have asked Richard Smith: “What is the amount of your golden parachute?”

  7. Amy

    I called Maxine Waters, from the committee that held a hearing with an Equifax executive, before the hearing happened, and suggested that her staff should look at your website.

    Have you ever tried communicating with governmental officials, Brian? Calling their offices usually works best. Say you’d like to leave a comment when you call.

    Cheers! Keep up the good fight.

  8. Amper$andor

    He was well prepared for the so called ‘grilling’. Fed them just enough sales and kindly offered additional number BS, well planned and prepared. Everything he did was a snow job, they all played into it just like his legal team knew they would.

    He’s getting paid plenty per hour, he still owns a billion shares. God knows he wants the company to shine brighter than ever or he wouldn’t volunteer his service to go through that.

    With this kind of money at stake, he’s well positioned either way.

  9. Thomas

    Ello Mr. Krebs,
    Read elsewhere that Mr. Smith put the blame on one (Unnamed) person for not having patched the vulnerability. In the same article he said that Equifax had 225 security employees.

    How does a person attribute what has happened to one single person in such a large department, if not to wash one’s own hands?

    Also, how the hell does the world expect this to get better as long as management does not truly own up to the task?

  10. Karlo

    “To those still wavering on which is better, I have only to point to reasoning by Christina Tetreault, a staff attorney on the financial services team of Consumers Union — the policy arm of Consumer Reports. Tetreault notes that perhaps the main reason a security freeze is the better option is that its promise to guard your credit accounts is guaranteed by law, whereas a credit lock is simply an agreement between you and the credit monitoring company.”

    This issue is academic if the company’s security is the equivalent of a screen door. We have no idea what goes on behind the curtain, but based on past experience, it isn’t confidence inspiring.

  11. Garyh

    It is hard for me to get too bent out of shape about SSN breaches since my SSN was available in 2000 at the unprotected, i.e. no login/passwd, Delaware Federal Bankruptcy Court PACER site. Mine and all my co-workers’ SSNs, salaries, addresses, everything, due to our company’s bankruptcy.

  12. Disgusted

    This is all the same in nothing but frustration. Mr. “Georgia” was so obvious in his kissing up tactics with Mr. Smith that it was more than apparent he had no intentions of putting Smith to the task of answering for his errors and omissions honestly and without convoluted statements in an effort to avoid answering the questions put to him, for all the world to see, including that one guy who didn’t do his job. Do we even believe that? He was so transparent in his soft and understanding approach with Smith that he truly was on Equifax’s side because that’s where the big tax bill is being paid by. That’s who pays for his state, Equifax, so he isn’t about to get serious about this serious situation and demand accountability; who is going to bite the hand that feeds him? It was appalling to watch and listen to his sickly sweet voice and statements of understanding and compassionate forgiveness. Bah! This guy is a greedy user. He takes people’s information without consent and sells it. If I was doing that, I’d be in prison! This is unconscionable. The mere fact that they knew a patch needed to be done on March 9 and no one followed up on it proves complacency, negligence and incompetence. For this to be ignored until they saw movement in the files is unforgivable. Let’s also recall their pretending that if there is activity that wouldn’t mean there is a breach in a normally inactive area of the program. Not doing anything until July 31 to protect people’s information and then the employees who knew about it are suddenly selling their stocks the day and following day after…..Equifax is again spitting in our faces and saying we are not only stupid for allowing them to retain our personal information, but they are also saying that we are gullible and can be taken advantage of based on these flaws, so it’s effectively ok for them to do whatever they want, that it doesn’t matter.
    Smith and his unnamed accomplice will go free and so will the ones who dumped stocks after the event because they are all worth millions and we all know, it’s only the people who can’t afford legal counsel who get charged and go to prison. Only the rich scapegoats will be sacrificed, the rest remain on the loose. I still want the name of the guy who didn’t apply the patch! Why couldn’t the committee at least obtain that piece of information?

  13. Michael

    OFF TOPIC but what’s the deal with KASPERSKY LAB?

    Good or not good?

    1. Value Criteria

      “what’s the deal with KASPERSKY LAB? Good or not good?”

      It depends. Do you think detecting NSA malware is good or not?

  14. Buckminster.Bob

    “The technological error involved a scanner which failed to detect a vulnerability on that particular portal.”

    They had to rely on a vuln scan, and didn’t know what software is installed on a critical public-facing web app? They didn’t pay attention to vulnerabilities? I doubt it! Security professionals in Equifax probably identified the risk, and management just accepted it or deferred patching because patching/testing would be too onerous?

  15. Yasar Ali

    Thanks for the UPDATES & Warning TOO!
    Appreciate it.

  16. A Gold

    Couple of things of interest:

    Due to the incompetence of all in the hearing, it is more than just having a scan of files.
    When you hold the largest portion of identity details of the US public, it is your IMPLIED required duty to use the most expensive hardware, web application practices (OWASP), and have it all programmed ON SHORE, and not off.
    You can EASILY subscribe to LiquidWeb, WP Engine, or Pressable who will ALWAYS upgrade your WordPress site before an infection can take hold of your WordPress website.
    In addition, there is NO excuse to be able to ‘sell stock’ during a time of wait, before announcing the cyber security failure. This is why there is an SEC, and this is why their funds should be immediately revoked, if not on shore, then they should have Equifax as a business revoke the severance pay. He is in DIRECT violation of his fiduciary responsibility to the shareholders, the board members and to the clients.
    He should be made an example to both SEC violators, and public companies. He is not the only one responsible and it should not be ONLY he, who receives these consequences.
    I JUST got a letter from Equifax, confirming my Freeze. They state in the snail mail letter: “The charge to place a security freeze on your Equifax credit file is $3.00 when your request is received by mail or telephone. ”
    IN this pathetic situation, you will try to set up a freeze on line, but you will have to agree to their terms of removing them from liability. They are essentially forcing the clientele to pay for privacy. They are also showing yet ANOTHER example of their abuse to their clients, in the name of profit and bonuses. I am not against bonuses, but not when your performance is SO pathetic.
    It goes to ask of the SEC – what exactly DOES a person need to do in order to be investigated. Equifax is NOT too big to fail. They need to be closed, since the entire management team, the board and the employees are not able to stop security flaws, ID theft, etc.
    They should not have a three strike rule, (which they already broke) they should have a two strike rule, and the entire company should be closed.
    The government should work directly with credit reporting agencies and a cyber security person like Matt Cutts (who is currently working with the US Government in another capacity) to re-establish social security number maintenance, database design, network security, etc.
    These standards should be required by any credit reporting agency.
    All Equifax systems and employees and contractors should be audited and the data and backups need to be audited to figure out what outlying laptops, tablets and mobile devices have the accessibility to access any internal network.

  17. John S

    I think we need to recognize that these companies do more for PR after a disaster than trying to prevent one. Hiring a music degree person to run security at Equifax? I mean who in HR looked over all the applicants and decided a music degree was enough? The incompetence goes a lot deeper than we tend to see. Companies love to do a lot to convince us they protect our information. But it’s pretty clear it’s more a PR job than anything else. Yes, it’s easy to focus on the music degree person, or the CEO, but clearly people at all levels just dropped the ball and oversight was nonexistent.

  18. ixit

    Looks like they’ve taken it down for maintenance as of October 8th. Let’s hope they’re improving, not just maintaining, although the scope of the project to improve this would be incredible.

  19. Mark Preston

    Watching a social media webpage today I saw (names redacted) ZZZZZZZZZZZZZ Not sure if Equifax break in or something else, but junk mail up a bunch since we hit the road 7 weeks ago. Now averaging over 30 a day that I need to delete, then clean from delete box with approval every day.

    XXXXXXXXXXX For the first time ever, yesterday, I got an email from Apple detailing my request for account recovery from someplace near Nashville. Now I wonder if that breach had anything to do with it. Glad Apple’s on the ball! I changed passwords and stopped the account recovery immediately. I do not live near Nashville, nor was I there visiting…SO frustrating!

    yyyyyyyyyyyyyyyyyyy glad you caught it quickly
