October 4, 2017

Maybe you’ve been feeling left out because you weren’t among the lucky few hundred million or billion who had their personal information stolen in either the Equifax or Yahoo! breaches. Well buck up, camper: Both companies took steps to make you feel better today.

Yahoo! announced that, our bad!: It wasn’t just one billion users who had their account information filched in its record-breaking 2013 data breach. It was more like three billion (read: all) users. Meanwhile, big three credit bureau Equifax added 2.5 million more victims to its roster of 143 million Americans who had their Social Security numbers and other personal data stolen in a breach earlier this year. At the same time, Equifax’s erstwhile CEO informed Congress that the breach was the result of even more bone-headed security than was first disclosed.

To those still feeling left out by either company after this spate of bad news, I have only one thing to say (although I feel a bit like a broken record in repeating this): Assume you’re compromised, and take steps accordingly.

If readers are detecting a bit of sarcasm and cynicism in my tone here, it may be that I’m still wishing I’d done almost anything else today besides watching three hours worth of testimony from former Equifax CEO Richard Smith before lawmakers on a panel of the House Energy & Commerce Committee.

While he is no longer the boss of Equifax, Smith gamely agreed to submit to several days’ worth of grilling from legislators in both houses of Congress this week. It was clear from the questions that lawmakers didn’t ask in Round One, however, that Smith was far more prepared for the first batch of questioning than they were, and that the entire ordeal would amount to only a gentle braising.

Nevertheless, Smith managed to paint an even more dismal picture than was already known about the company’s failures to secure the very data that makes up the core of its business. Helpfully, Smith clarified early on in the hearing that the company’s customers are in fact banks and other businesses — not consumers.

Smith told lawmakers that the breach stemmed from a combination of technological error and a human error, casting it as the kind of failure that could have happened to anyone. In reality, the company waited 4.5 months, until it discovered the breach in late July 2017, to fix a dangerous security flaw that it should have known was being exploited from Day One (~March 6 or 7, 2017).

“The human error involved the failure to apply a software patch to a dispute portal in March 2017,” Smith said. He declined to explain (and lawmakers inexplicably failed to ask) how 145.5 million Americans — nearly 60 percent of the adult population of the United States — could have had their information tied up in a dispute portal at Equifax. “The technological error involved a scanner which failed to detect a vulnerability on that particular portal.”

As noted in this Wired.com story, Smith admitted that the data compromised in the breach was not encrypted:

When asked by representative Adam Kinzinger of Illinois about what data Equifax encrypts in its systems, Smith admitted that the data compromised in the customer-dispute portal was stored in plaintext and would have been easily readable by attackers. “We use many techniques to protect data—encryption, tokenization, masking, encryption in motion, encrypting at rest,” Smith said. “To be very specific, this data was not encrypted at rest.”

It’s unclear exactly what of the pilfered data resided in the portal versus other parts of Equifax’s system, but it turns out that also didn’t matter much, given Equifax’s attitude toward encryption overall. “OK, so this wasn’t [encrypted], but your core is?” Kinzinger asked. “Some, not all,” Smith replied. “There are varying levels of security techniques that the team deploys in different environments around the business.”

Smith also sought to justify the company’s historically poor breach response after it publicly disclosed the break-in on Sept. 7 — roughly 40 days after Equifax’s security team first became aware of the incident (on July 29). As many readers here will recall, KrebsOnSecurity likened that breach response to a dumpster fire — noting that it was perhaps the most haphazard and ill-conceived of any major data breach disclosure in history.

Smith artfully dodged questions of why the company waited so long to notify the public, and about the perception that Equifax sought to profit off of its own data breach. One lawmaker noted that Smith gave two public speeches in the second and third weeks of August in which he was quoted as saying that fraud was a “a huge opportunity for Equifax,” and that it was a “massive, growing business” for the company.

Smith interjected that he had “no indication” that consumer data was compromised at the time of the Aug. 11 speech. As for the Aug. 17 address, he said “we did not know how much data was compromised, what data was compromised.”

Follow-up questions from lawmakers on the panel revealed that Smith didn’t ask for a briefing about what was then allegedly only classified internally as “suspicious activity” until August 15, almost two weeks after the company hired outside cybersecurity experts to examine the issue.

Smith also maneuvered around questions about why Equifax chose to disclose the breach on the very day that Hurricane Irma was dominating front-page news with an imminent landfall on the eastern seaboard of the United States.

However, Smith did blame Irma in explaining why the company’s phone systems were simply unable to handle the call volume from U.S. consumers concerned about the Category Five data breach, saying that Irma took down two of Equifax’s largest call centers days after the breach disclosure. He said the company handled over 420 million consumer visits to the portal designed to help people figure out whether they were victimized in the breach, underscoring how so many American adults were forced to revisit the site again and again because it failed to give people consistent answers about whether they were affected.

Just a couple of hours after the House Commerce panel hearing ended, Politico ran a story noting that the Internal Revenue Service opted to award Equifax a $7.25 million no-bid contract to provide identity-proofing and anti-fraud services to the tax bureau. Bear in mind that Equifax’s poor security contributed to an epidemic of tax refund fraud at the IRS in the 2015 and 2016 tax years, when fraudsters took advantage of weak security questions provided to the IRS by Equifax to file and claim phony tax refund requests on behalf of hundreds of thousands of taxpayers.

Don’t forget that tax fraudsters exploited this same lax security at Equifax’s TALX payroll division to steal employee tax records from an as-yet undisclosed number of companies between April 2016 and March 2017.

Finally, much of today’s hearing centered around questions about the difference between a security freeze — a right that was hard-won on a state-by-state level over several years — and the “credit lock” services being pushed instead by Equifax and the big bureaus. Lawmakers on today’s panel seemed content with Smith’s answer that the two things were effectively the same, only that a freeze was more cumbersome and costly, whereas credit locks were free and far more consumer-friendly.

To those still wavering on which is better, I have only to point to reasoning by Christina Tetreault, a staff attorney on the financial services team of Consumers Union — the policy arm of Consumer Reports. Tetreault notes that perhaps the main reason a security freeze is the better option is that its promise to guard your credit accounts is guaranteed by law, whereas a credit lock is simply an agreement between you and the credit monitoring company.

“Having a contractual agreement is not as strong as having protections under law,” Tetreault said. “The contract may be unclear, may include provisions that allow the other party to change it, or include provisions that you may be better off not agreeing to, such as an arbitration agreement.”

What’s more, placing a freeze on your file is exactly what Equifax and the other bureaus do not want you to do, because it prevents them from making money by selling your credit file to banks and others (including ID thieves) who wish to grant new lines of credit in your name. If that’s not the best reason for opting for a freeze, I don’t know what is.

If anyone needs more convincing on this front, check out the testimony given in other committees today by representatives from banking behemoth Wells Fargo, which is under fire for signing up tens of thousands of auto loan customers for insurance they did not need and in some cases couldn’t afford. That scandal comes on the heels of another debacle in which Wells Fargo was found to have created more than 3.5 million bank accounts without consumers’ permission between 2009 and 2016.

Mr. Smith is slated to testify before at least three other committees in the House and Senate this week before he’s off the hot seat. On Friday, KrebsOnSecurity published a lengthy list of questions that lawmakers should consider asking the former Equifax CEO. Here’s hoping our elected representatives don’t merely use these additional opportunities for more grandstanding and regurgitating the same questions.


101 thoughts on “Fear Not: You, Too, Are a Cybercrime Victim!”

  1. Columbus_viaLA

    The leopard cannot change his spots.

    Nor can any predator.

  2. Greg Scott

    I noticed a few people in the hearing, even including Richard Smith, called for a way to make SSNs moot. It’s about time!

    And for California Representative Anna Eshoo – the Dept. of Homeland Security did not inform anyone about the Struts vulnerability. The Apache Foundation did. And patched it.

    Maybe the time is finally right to fix the SSN mess.

    The credit reporting industry – with consumers, creditors, and credit reporting agencies – should be like a rock-paper-scissors game, where all three entities are mutually accountable.

    I put this 12 minute video presentation together a couple weeks ago about making SSNs moot and giving consumers a say-so in the system.

    http://dgregscott.com/143-million-reasons-credit-reporting-industry-reform-part-2/

    1. Allen

      Maybe we could call it SSNv6, and make it 128 characters long?

      1. Greg Scott

        I really did laugh out loud. If the credit reporting agencies have their way, they’ll tell the world it’s 2 years away from becoming mainstream for the next 30 years,

        – Greg

  3. Robert.Walter

    I have 7 active Yahoo accounts and so far only one of them has received the official note from Yahoo informing of this new news.

    The note is all full of care, Verizon resources, improvements hurr-durr, but if they can’t even manage to get the news out to better than 1 in 7 accounts, it looks like Verizon hasn’t quite quenched Yahoo!’s expanded dumpster fire.

    1. josh

      Verizon is amaze-balls, everything will be uber-awesome now that they’re in charge. You’ll see, expect those other 6 emails any minute now...

      1. Yallaen

        Verizon??!! Oh wait…they were hacked couple years ago…humm…

  4. Anon

    You need to protect yourself from two lines of attack:

    1. New accounts — using info on you to open a credit card or other account. That’s what a freeze at each of the major credit bureaus protects you against.

    2. Existing accounts — using info on you to steal from an account you already have. A freeze doesn’t prevent this.

    Ask each bank, credit union, or credit card company you deal with if they can put additional security on your account to prevent a crook who has your name, address, DOB, SSN, etc. from calling in and getting control of your account. Many will let you put a verbal codeword on your account. (Of course, don’t use something easily found on social networking — like the name of a childhood friend, pet, etc. It should be an off-the-wall word or phrase.)

    “The thieves didn’t know or hack his password. They knew so much about him that they were able to create, essentially, a duplicate identity.”
    http://www.idahostatesman.com/opinion/bill-manny/article174409661.html

  5. B_Brodie

    I couldn’t bring myself to watch the parade of clowns bloviating on this subject.

    We all knew the fix was in before the hearing even started.

    I propose we rename the United States to ‘Scamerica’ – because it is as if every single aspect of our lives involves someone under the guise of ‘enhancing shareholder value’ trying to set us up to rip us off while smiling and telling us how much we’re gonna love the new shiny.

    It doesn’t matter which area of the political spectrum you occupy. Inevitably, in history, something’s always gotta give, and it won’t be pretty when it does.

    Paraphrasing ‘Videodrome’:
    “Long Live The New Shiny”

    1. Alan

      Really some great truths in your statements. Congress has consistently failed to provide oversight and consistently failed in many ways to do the #1 thing it should do, craft legislation that protects the American people. Calling them clowns is appropriate. The fact that all this has been allowed to happen partly because Congress is not up to speed on things related to cyber-security is appalling. In a way this series of events is similar to 9/11, and totally preventable except for the lack of foresight by the people in charge. Legislation by Congress forcing companies like Equifax and Microsoft to protect us is so long overdue it’s a travesty.

  6. FARO

    All this hacking of personal identifiable information appears to be at epidemic proportions. Without resorting to extensive measures such as locking my credit records and such I have followed what I consider appropriate measures. I get a free monitoring service, get an occasional message that email is being monitored whenever I change the password, and am updated frequently on sex offenders who have moved into the area. I have isolated myself from society as much as possible while still using computers, phones and the internet. Sound principles involve not going out in public, especially where there are crowds, not releasing information to strangers, workers and inquiries from those investigating things whatever that may be. What I should do is move to the mountains, have no electricity and build a fallout shelter.

    1. ralph l. seifer

      Very sound approach, although perhaps just a touch naive. Remember what Satch told us: “Don’t look back. Something may be gaining on us.”

      1. FARO

        Well I have a tendency to look back. Like the name I use here when posts are not deleted. FARO is an old gambling game, considered almost even odds to the house except for crooked dealers. Eventually replaced by 21 I guess. 21 was found to be beatable by skilled players in the 60’s.

  7. Michael DeKort

    Lockheed DHS Whistleblower

    We need sites like this to do more than report on hacks. And the usual non-specific gibberish from just about EVERY security “expert” and cybersecurity group, association and think tank out there. You are all part of the problem.

    What we need is for everyone to create a core set of actionable best practices and repeat the mantra over and over. Not just the stuff you sell. A clear example is Privileged Account Management. Most organizations, commercial and private, avoid it on purpose. No hacks can be successful if the hackers do not have system/device permission to do damage. And even if they get in via a phish or are a bad actor, proper PAM will limit their actions, see them if they move around and stop them.

    The overwhelming majority of companies and government organizations are avoiding the most critical cybersecurity practice of all. Dealing with Privileged Account security. It’s the biggest dirty secret in cybersecurity. Which is extremely unfortunate because virtually every hack on record was accomplished by someone gaining access to a privileged account then moving through the system. This usually occurs due to a successful phishing expedition. (Of which 22% are successful. Keep in mind only one is needed). Also most hackers are in a system for almost 6 months before being detected.

    Of the small fraction of companies that even say they deal with this area and purchase products few of them actually use the products they purchase properly. Many install them then slow roll actually using them to any significant degree for decades. Often this is meant to purposefully deceive C-Suite and regulators. This puts everyone at risk.

    Here is how bad things are. CMU CERT is the premier authority on cyber-security best practices. Especially for DoD. I found out that CMU CERT has no solution for themselves in this area. They actually defer to CMU IT for their own security and they have no solution in this area. Shouldn’t the organization responsible for telling others what best practice is use best practices for its own security?

    Why is this happening? IT leaders have no problem with firewalls, anti-virus or monitors of any systems except privileged accounts etc because those things are additive, don’t cause them to drive cultural habit changes or expose massive best practice issues. That leaves huge cybersecurity best practice gaps.

    Examples include having 4X more accounts than people. Non-encrypted password files or spreadsheets and emails with passwords. Software programs with passwords hard coded in them and many not knowing where they all are. As a result of this many passwords are not changed for decades. Especially for applications or databases. There is also the problem of having local admin permissions available on laptops and end points and not knowing where they all are either. Fixing those issues would also require forcing the masses to do things differently. Few have the desire to be part of any of that. In spite of “continuous process improvement” etc.

    Governing bodies and regulators mean well but they don’t help much either. They try to avoid being too specific to let the industry figure out best practices, do what is right for them or avoid government being too involved. Most of it is nonsense. This gives organizations far too much room to wiggle. Which they have no problem exploiting. Most companies and organizations doing the least amount possible.

    This is not a technical issue. Or even one of money, since it costs more to not fix this given the hiring of way too many cybersecurity people to work around best practices. It’s one of Courage. Courage to admit the problems exist and to deal with the culture and lead them to fix them. And to not sacrifice customers or the public to protect egos or let the bean counters justify that it’s cheaper to harm customers than the bottom line.

    Core and Ancillary Practices in Privileged Account Management (PAM)
    1. Least Privilege – The more folks who have system wide or broad access the worse off you are. Where possible limit access by role. This means not having more accounts than there are people and not having accounts that are unused or unaccounted for.
    2. End Point Protection – Never allow admin privileges on user devices. Know where they all are and have their access actions monitored.
    3. Password Protection/Vaulting – Passwords should not be on spreadsheets or in emails. Worst case, if they are, they should be in a Vault with a proper identity and access process. (Same for SSH keys)
    4. Password Updating – Passwords should be updated often especially in response to events like employees leaving etc.
    5. Passwords Hard Coded in Software – Passwords should not be hard coded in software. There should be a process for programs to get a password when needed and to not store it in any manner.
    6. Monitor all System and Privileged Account actions – Account access and what people or systems are doing with access should be monitored for actions or access that go outside what is specified or intended.
    7. Jump Server – Minimized Knowledge of System Passwords – This process puts a middleman in the loop. Users provide their identity and personal password to the jump server. That system verifies access then uses another password to log the user on to the system. This keeps most people from ever knowing system passwords. It also makes updating system passwords often far less of a hassle to users.
    8. Identity – Two factor identification should be utilized.

    While PAM products are not needed to effect most of these (not counting the Jump Server) they make the process far easier. Especially for companies of any size and complexity.
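    Items 1, 6 and 7 of the list above describe what monitoring of privileged accounts is supposed to catch. The block below is an added example, not part of this comment or of any PAM product it refers to, that runs those checks over a few constructed key=value log lines: privileged use by an account with no named owner, access to hosts outside an account’s approved scope, logins that did not arrive through the jump server, and one account reaching several hosts within a short window. The log format, the account inventory and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical, not from any real incident):
# "<timestamp> key=value ..." as a central collector might emit them.
SAMPLE_LOG = """\
2017-03-10T09:00:01Z host=web01 user=alice action=ssh-login src=jump01
2017-03-10T09:00:09Z host=web01 user=alice action=sudo cmd=/usr/bin/systemctl
2017-03-10T09:05:00Z host=web01 user=svc_portal action=sudo cmd=/bin/sh
2017-03-10T09:06:10Z host=db01 user=svc_portal action=ssh-login src=web01
2017-03-10T09:07:30Z host=db02 user=svc_portal action=ssh-login src=web01
2017-03-10T09:08:45Z host=db03 user=svc_portal action=ssh-login src=web01
2017-03-10T09:20:00Z host=db01 user=bob action=ssh-login src=jump01
2017-03-10T11:30:00Z host=db04 user=oldadmin action=sudo cmd=/usr/bin/mysqldump
"""

# Hypothetical inventory: which person or team owns each privileged account.
# An account that is missing here is the "more accounts than people" problem.
ACCOUNT_OWNERS = {"alice": "A. Example", "bob": "B. Example",
                  "svc_portal": "portal team"}

# Hypothetical scope: hosts each account is approved to touch (item 1).
APPROVED_HOSTS = {"alice": {"web01", "web02"}, "bob": {"db01"},
                  "svc_portal": {"web01"}}

# Hypothetical jump servers; interactive logins must originate there (item 7).
JUMP_SERVERS = {"jump01"}

# One account reaching this many distinct hosts inside the window is treated
# as movement through the environment (item 6). Both values are assumptions.
LATERAL_THRESHOLD = 3
LATERAL_WINDOW = timedelta(minutes=10)


def parse_event(line):
    """Parse one '<timestamp> k=v k=v ...' line into a dict with a datetime."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def audit(log_text, owners=ACCOUNT_OWNERS, approved=APPROVED_HOSTS,
          jump_servers=JUMP_SERVERS):
    """Return a list of (finding, user, detail) tuples for the given log."""
    findings = []
    visits = defaultdict(list)  # user -> [(timestamp, host)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        user, host = ev["user"], ev["host"]
        # Item 1: privileged activity by an account nobody is accountable for.
        if user not in owners:
            findings.append(("unowned-account", user, host))
        # Item 6: access outside the scope specified for the account.
        if user in approved and host not in approved[user]:
            findings.append(("out-of-scope-host", user, host))
        # Item 7: an interactive login that did not come via a jump server.
        if ev["action"] == "ssh-login" and ev.get("src") not in jump_servers:
            findings.append(("bypassed-jump-server", user, host))
        visits[user].append((ev["ts"], host))
    # Item 6: one account fanning out across many hosts in a short window.
    for user, seen in visits.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            hosts = {h for t, h in seen[i:] if t - t0 <= LATERAL_WINDOW}
            if len(hosts) >= LATERAL_THRESHOLD:
                findings.append(("lateral-movement", user,
                                 ",".join(sorted(hosts))))
                break
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("%-22s %-12s %s" % finding)
```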

    1. Greg Scott

      Good advice, but there’s more to it than privileged account management. Bad patch management is the root cause behind the Equifax breach.

      1. spagafus

        While good patch management could have prevented the breach itself, PAM could have isolated the access to an enclave from which little or no data might have been retrieved. Instead the hackers were allowed to roam undetected for some time.

  8. Jack

    “Smith told lawmakers that the breach stemmed from a combination of technological error and a human error, casting it as the kind of failure that could have happened to anyone.”

    As a cyber-security professional, I get a bit frustrated when other cyber pros (who should know better), and the media, love to beat up on just about anyone who gets caught with their pants down. Though I love your articles Brian, I think it’s really easy to look at a cyber incident and play hindsight 20/20.

    I’m not saying Smith shouldn’t bear responsibility here, along with other executives. But I nonetheless find it funny when cyber security professionals ridicule companies who experience a breach, when the reality is almost any experienced pen-tester, given enough time and money, can make even a great CISO look like an idiot. Anyone who spends any time in this industry knows how easy it is to find vulnerable systems in even companies and networks that have even the most admirable security.

    Our response to these kinds of events should be a double helping of “What went wrong, how can we change this, and how can we make sure this doesn’t happen again,” and a less full portion of, “look at these morons.”

    1. Winston

      “Anyone who spends any time in this industry knows how easy it is to find vulnerable systems in even companies and networks that have even the most admirable security.”

      Then why doesn’t each multibillion dollar company hire a full time COMPETENT team of hackers to probe for weaknesses every day of the week AND to at least make certain that EVERY software update IS performed. The black hat hackers working on their own time sure managed to find the problem!

      ZERO excuses. None.

      1. Mike

        Great point, did Equifax have a blue AND red team? I would think they would have found this sooner.

      2. Joe Moore

        Winston – While your idea makes sense, there simply are not enough “COMPETENT” (ethical) hackers available. There is a serious shortage of talent these days and that’s not going to end any time soon.

        1. Winston

          “Winston – While your idea makes sense, there simply are not enough “COMPETENT” (ethical) hackers available. There is a serious shortage of talent these days and that’s not going to end any time soon.”

          Actually, from the large amount I’ve read on the topic, I suspect most of the good ones on our side work for the NSA and similar. Stuxnet was significantly impressive. Perhaps very large salaries could attract their kind to the likely to be far more boring work of corporate network security? No Equihax recruiting at white hat hacker events?

          1. Iterator

            This isn’t a matter of just throwing money around until it sticks on a solution. Salary in the private sector has always trumped government work. Our peers in the NSA and other various branches of the intelligence services are not the types looking to maximize their capital gain.

            The bad guys are always going to have an advantage simply due to the fact that it is impossible to prove that your software is 100% bug free. This is just the simple nature of software development.

        2. JohnnyS

          “While your idea makes sense, there simply are not enough “COMPETENT” (ethical) hackers available. There is a serious shortage of talent these days and that’s not going to end any time soon.”

          The primary reason there is a “shortage” of COMPETENT (ethical) hackers is money. As long as nefarious pays better than ethical, that’s where the best hackers will go.

      3. RICHARD STEIN

        The Internet of Mistakes arises from businesses that emphasize profit over privacy management. In effect, businesses that should not collect personal data for profit, and expose it on the Internet, unless:

        1) They have a data breach mitigation plan and insurance coverage for incident response;
        2) Encipher personal identifying information;
        3) Publish their ecosystem test plan, test results, and top-10 report defect escapes, and the wall clock needed to re-qualify each independent revision;
        4) Legislation enforcing monetary penalties arising from data breach incidents. I think Joe Barton (R) of Texas said something like “How about $2000 per breached record as a penalty?”

    2. BrianKrebs Post author

      Jack,

      Believe it or not I care a lot more about changing the system than I do holding executives accountable, which almost never happens (look at the financial crisis, e.g.). I have been trying to get lawmakers to press the company about freezes vs. locks, and on making permanent changes away from a reliance on static data — as well as making sure there is never a fee for a freeze. The freeze fees will most likely be addressed in legislation. But your statement that given enough time any pen-tester can make a CISO look like an idiot is not in dispute here. What is in dispute is why the company gave them that time, and I think we have a duty to insist that companies which largely aren’t accountable to consumers and yet hold their financial future in their hands stop acting like the attackers will never get in.

      I, for one, will keep up the pressure on these companies until they start to realize and act as if there are *always* intruders inside — all the time. That’s the way large companies stop small intrusions from becoming big breaches. And if we can’t convince the big companies that have huge responsibilities but little accountability that this is in their best interests and the best interests of the public, then I’m afraid it’s time for more liability and regulation.

      1. Jack

        I understand that, and I think it’s clear you’ve made some admirable pushes in those spaces.

        I have this reaction though, because I think so many folks who don’t practice or study cyber security just don’t understand how holding accountable the “boots on the ground” types, like analysts and CISOs, just doesn’t work the same way in security as it does in other fields. This is certainly not to say that that accountability shouldn’t be there–far from it. But it should be pursued by people who understand the field and the intense intricacies of actually securing an entire organization’s informational assets.

        When I see Equifax’s security team taking a beating in the news from reporters and commentators, as well as seeing their CISO fry, all for having missed a patch by two months, it seems very much like sensationalism. I’d be willing to bet that on any given day, in just about any given organization’s facility, if I ran around the building with a vulnerability scanner, I could find at least a few systems missing a few different patches, but that we just don’t hear about ever because they don’t happen to get hacked into that year.

        This isn’t to say that, “Well, there’s nothing we can do.” But it is to say that we cyber security folks have to be honest with ourselves sometimes, rather than jumping on the blame wagon, and ask, “Would I really have been able to ensure that any given system, on any given day, in any given country that my company does business in, was completely patched?” The answer is generally going to be no (among the honest).

        But again, the accountability should be there. I hadn’t heard about the complete lack of encryption for their static data until today, which is something I can more understand frying security pros for.

        1. BrianKrebs Post author

          “When I see Equifax’s security team taking a beating in the news from reporters and commentators, as well as seeing their CISO fry, all for having missed a patch by two months, it seems very much like sensationalism.”

          Well perhaps that would be the case if they didn’t wait not 2 months but more than twice that amount of time to patch (4.5 months). That’s far too long. Combine that with the fact that they weren’t encrypting the data suggests that the company doesn’t give two whits about consumers or protecting their data.

        2. acorn

          The only change.org petition concerning Equifax encryption that I’m aware of, and headed nowhere fast:

          change.org/p/martin-j-gruenberg-chairman-ffiec-secure-our-financial-information-with-new-financial-ids-using-block-chain-technology

          Of all the other “Equifax” petitions at change.org, the highest has gotten 0.06% of U.S. adult backing. 147,888 / 145.5M = 0.1% of breached Equifax records sign such petitions.

      2. Winstom

        “I have been trying to get lawmakers”

        There’s where you slipped up. They’re owned by those who fund their campaigns and are therefore far more beholden to them than the mostly clueless voters who elect them and who continue to reelect them even if they don’t deliver on their campaign promises.

        So, the core problems are bought government and clueless voters. How to fix that combo? I have no idea…

        For example, just today at Lowes I tried to use my chipped debit card in a chip capable point of sale terminal. I selected “debit” and was prompted to remove my card. The teller said to insert my card and I said I already had. He said that the problem had been that I had used the debit card in chip mode and pressed “debit”. If one presses “debit” the card would need to be swiped. If one used the debit card and pressed “credit”, one could use the chip reader. I have sent an email about that to the Lowes general customer email address, suggested they forward it to their security section, and expect action sometime around the same time that Pluto is ruled to be a planet again.

        I told the teller the security reason for ONLY using credit card chips when possible and, as an example of lax security in general, I mentioned the Equihax compromise.

        He was in his early to mid 20s and hadn’t heard of it!

        Like I said, far too many clueless voters. People who frequent sites like this make the mistake of assuming everyone else is like them and their well chosen friends. They aren’t. There’s a VERY clueless world out there.

        1. BrianKrebs Post author

          Seems like your approach to this is just to throw up your hands and shake your head at how bought or stupid people are. That doesn’t seem like a very effective way to bring about changes that are clearly needed.

          Sunlight and education are usually the answers to these problems. I will continue to educate those who wish to learn more, while working to expose those who refuse to see the truth. And while certainly this blog is frequented by people who know (or who think they know) a lot about these subjects, there are plenty coming here for their first clues about how bad things have gotten.

          The more who know, the more impetus there is for change.

      3. JohnnyS

        “…if we can’t convince the big companies that have huge responsibilities but little accountability that this is in their best interests and the best interests of the public, then I’m afraid it’s time for more liability and regulation.”

        Sir, modern capitalism has evolved to a point that the ONLY real responsibility any company has is to make money for its shareholders.

        So yes, it’s time for regulation and genuine penalties for the company, the Board and the C-suite when a major breach happens. In the current political environment in North America, I suggest no-one should hold their breath waiting for real change.

    3. Mike

      I agree that hindsight is 20/20 and that no matter what you put up, someone will find a way to get in; however, just the fact that my info was not encrypted at rest is deplorable. Humans make mistakes, which makes me feel empathy for that security team; however, processes and response make a good team. In this case they failed miserably.

      Smith is not the one to talk to; Kelly is, as he was in charge of InfoSec. Smith is a suit, nothing more. They get “millions” of incidents every year, and this one fell through the cracks due to some poor schlub not applying one of the thousands of patches a year, then the scanning tool not finding the vulnerability.

      But not encrypting just about everything is a miserable failure. They make billions, they can afford gear with fast processors.

      Did you see that after the breach they attempted to pass a bill stating that you could not start a class action against a credit bureau? Executives sold 2 million in stock? There was a memo stating that it was a breach earlier than Smith said? Does it make sense now why Equifax got “mad” at Mandiant, since it set them back a few weeks to try to wiggle their way out while passing bills protecting themselves against what they were in for?

      This is nothing short of deception, corruption, and self preservation, and that is why Smith should have been fired by the board immediately. Stockholders should take a hard look at the board as well.

  9. Ollie Jones

    Can we learn anything from the past few years of leaked secrets? Sure, we can learn that some big-shot executives and elected officials are lazy and feckless. We can learn that software is brittle and needs diligent patching. We can learn that a determined person trying to exfiltrate data has a HUGE advantage over the people trying to protect it.

    But we already know this stuff.

    The leaks are often due to particular people’s gross incompetence. But, seriously, finger-pointing and indignation have run their course as useful ways to deal with this crisis.

    We need a new assumption. It is this: Secrets WILL leak. Not even state actors with unlimited resources can prevent their secrets from leaking.

    We need to make the legal assumption that any cache of secrets is, inherently, a hazard. The bigger the cache, the bigger the hazard. We need the holders of caches of secrets to take responsibility for the hazards they create.

    In common law, this is called “strict liability.” A farmer who keeps a bull in a field is strictly liable for damage his bull causes if he escapes. It doesn’t matter why the bull escapes. It doesn’t matter whether the farmer was drunk or sober, awake or asleep, or letting his goofy nephew play toreador. If the bull gets into the village and busts up the china shop, the farmer owes full restitution to the shopkeeper. Negligence is NOT a factor. The only factor is that the farmer had a dangerous animal.

    Farmers cope with this liability using defense in depth. They don’t keep more bulls than they need. (Steers — castrated bulls — ouch — are much less dangerous than bulls.) They keep them far from villages. They keep them in fields with extra fencing. They keep them close to their farmhouses so they can keep an eye on them.

    People and orgs who keep caches of secrets need to be held to the same standard of strict liability. Having a vast cache of secrets in one place has to be recognized as astoundingly, business-threateningly, dangerous. (In the case of state actors, nation-threatening.)

    Secret-holders need to have big incentives to reduce the sizes of their caches, to make the secrets they hold less damaging to the public, and to protect those secrets.

    Companies like Equifax should be pummelling the government to get rid of the stupid nine-digit taxpayer ID, for example. Credit card processors should cut off merchants who don’t convert to chip-and-pin. Companies like Turbotax (Intuit) should be doing similar things. Most online companies should be scrambling to erase caches of secrets they don’t need. State actors should work on making their caches of secrets smaller. (Why does the US federal government need a centralized HR system?)

    Congressional hearings to humiliate big shot executives are some kind of fun. But they aren’t solving the problem. In fact, they may be obscuring it.

    1. SteveH

      That such sensitive personal data wasn’t encrypted at rest is simply inexcusable. I guess the “fax” part of Equifax clues us in on how outdated the company’s technology is.

  10. Jim

    Fix the social security number mess? Best way: enforce the laws that are on the books. That number ties you to a record; what else could you use? A biometric? You change daily: a finger cut interrupts your whorl patterns, and now your identity’s changed. You look at an intense white light and the retinal patterns change. You go out in the sun, tan, and your skin tone changes. But it’s still you, and that’s why you need a number, enforceable to you. To find that piece of paper that says, yup, it’s me, not them.

  11. Sam

    I have a kid starting college next fall and I’m about to start applying for aid, loans, etc. Does it make sense for me to freeze my credit or will that likely result in a huge hassle?

    1. Mike

      Yes, you can temporarily unfreeze when you get the loans.

    2. HK

      This is certainly off subject for this post, but
      if you’re applying for aid you’re doing it wrong.

      Financial aid should be a last resort, not first.

      1. Amy

        Not necessarily. I got half my college tuition covered with grants and a scholarship, and I wouldn’t have done so if my folks hadn’t filed the FAFSA.

        What you want to avoid doing is paying for college with a bunch of loans.

  12. Mahhn

    I smell kickbacks. Too big to fail/too rich to jail. Politics over law is normal in a world of corruption. These hearings are normal, just a public puppet show; nobody wealthy will spend a day in jail.
    “Internal Revenue Service opted to award Equifax a $7.25 million no-bid contract”

  13. Brent

    The government should give all compromised SSNs new SSNs and charge Equifax for each new SSN. It doesn’t help with everything else, but maybe it’s a start.

  14. Rick

    Question: Is a freeze on any one of the three credit reporting agencies sufficient? Of late, TransUnion has been the *only one* able to carry out the freeze online. Equifax and Experian have removed the online capability of placing a freeze, or availability has been intermittent.

    1. None

      @Rick –

      I froze my credit at all four major agencies a couple of days ago. Transunion and Equifax did it easily over the phone. For Experian and Innovis it went OK online.

      The fees for doing this vary by state. Transunion gives you 3 seconds to begin entering your credit card number, otherwise they cancel the whole process and you must start over – arrogant nitwits. Equifax now gives a more secure PIN than in Sept but so rapidly you can barely catch it; press ‘*’ not ‘#’ to repeat the message.

      The online applications make you answer “security questions” (which only the data thieves will know for sure) regarding former phone numbers etc, so good luck with that.

  15. Jon

    Why aren’t we hearing from the Creditors/Lenders on this topic? They are the parties we provided our information to and they are the ones who gave it to the bureaus. As the bureaus like to point out – consumers aren’t their customers. Well, creditors/lenders are…and this breach directly affects their ability to carry out business. They should be the ones demanding the bureaus clean up their act – a PCI for financial info comes to mind. As consumers, we should be pissed as hell with the banks, creditors, and financial institutions that gave our info to the bureaus and allowed the bureaus to mismanage it.

    1. DavidD

      Equifax is non-compliant with at least 2 of the PCI requirements: to patch a critical vulnerability within 30 days of its publication and the digital storing of cardholder data in plaintext. In addition, they are in violation of the various states’ data breach notification laws, like California’s SB1386, which requires prompt notification in the event of a breach. This is all going to be a bonanza for the tort lawyers.

  16. Tim

    It’s the easiest thing in the world to beat up companies for not patching promptly – but after 21 years of experience working in large enterprises on the infrastructure and patching teams, I can tell you that it’s a near impossible job these days to keep compliant with patches.

    Firstly there’s the problem of knowing what you have. Unless there’s effective asset management in place, servers are always going to be missed for one reason or another. Perhaps a new subnet was added and the scanning/patching team was not told. Maybe a dev created a new server under his desk and never told anyone. And a proportion of locally installed patching/scanning agents which should be reporting in will always be broken and need reinstalling.

    On top of this, the number of vulnerabilities that are being found & announced means that you are always playing catch-up. Each vulnerability needs to be assessed, criticality & exposure determined, and patches tested in dev & UAT before considering production.

    The Apache Struts vulnerabilities were particularly challenging as vulnerable apps needed to be identified, developers contacted, the apps recompiled, tested and released…and that’s assuming that the original dev is still even employed at the company.

    Sometimes, even when vulnerable systems are identified and patches ready to go, the application owners refuse to allow the patch to be deployed for fear of their application breaking. When escalated, and to our horror, the issue is frequently ‘risk accepted’ by senior management and we just have to cross our fingers.

    All in all, it’s a massive headache and we’re not winning. Those of us in this position live in constant fear that the company we work for is just one missed patch away from complete compromise and that we will be chucked under the bus when that happens.

    So to sum up…not surprised at all that Equifax did not patch a critical vuln for several months. Happens all the time!
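    The “knowing what you have” problem in the comment above is the part of patch management that most often fails silently: a host the scanner never reaches, or an agent that stopped reporting, looks exactly like a host with nothing to patch. The script below is an added example, not code from the original comment or from Equifax; it reconciles three independent views of a fleet (the asset register, what the vulnerability scanner actually reached, and agent check-ins) and reports every gap. All hostnames, addresses, subnets and timestamps are constructed sample data.

```python
"""Reconcile independent views of the fleet so unpatched hosts cannot hide.

Added example illustrating the asset-management gaps described above; it is
not code from the original post. All hostnames, addresses, subnets and
timestamps below are constructed sample data.
"""
import ipaddress
from datetime import datetime, timedelta

# --- constructed sample inventories -------------------------------------
# Authoritative asset register (CMDB): what the organisation believes it runs.
CMDB = {"web01", "web02", "db01", "app07"}

# Hosts the vulnerability scanner actually reached on its last sweep.
SCANNER_SEEN = {"web01", "db01", "lab-dev3"}

# Last successful check-in of the locally installed patch/scan agent.
AGENT_CHECKINS = {
    "web01": "2017-10-03T08:00:00",
    "web02": "2017-08-15T02:10:00",     # agent broken: no report in weeks
    "db01": "2017-10-04T01:00:00",
    "lab-dev3": "2017-10-03T20:00:00",  # host nobody registered, but it reports in
}

# Addresses from DHCP/DNS, and the subnets the scanner is configured to sweep.
HOST_ADDRS = {
    "web01": "10.1.2.10",
    "web02": "10.1.2.11",
    "db01": "10.1.5.20",
    "app07": "10.9.0.7",    # new subnet the scanning team was never told about
    "lab-dev3": "10.1.7.33",
}
SCANNER_SCOPE = ["10.1.0.0/16"]

NOW = datetime(2017, 10, 4, 12, 0, 0)   # fixed "now" so the sample is reproducible
MAX_AGENT_AGE = timedelta(days=7)


def unknown_hosts(cmdb, scanner_seen, agent_checkins):
    """Hosts that exist on the network (seen by the scanner or an agent) but
    are missing from the asset register: the 'server under a desk' case."""
    observed = set(scanner_seen) | set(agent_checkins)
    return observed - set(cmdb)


def unscanned_hosts(cmdb, scanner_seen):
    """Registered hosts the scanner never reached; their patch state is unknown."""
    return set(cmdb) - set(scanner_seen)


def stale_agents(agent_checkins, now=NOW, max_age=MAX_AGENT_AGE):
    """Hosts whose agent has not reported within max_age. A silent agent must
    be treated as 'unpatched', not as 'nothing to report'."""
    return {
        host
        for host, ts in agent_checkins.items()
        if now - datetime.fromisoformat(ts) > max_age
    }


def out_of_scope_hosts(host_addrs, scanner_scope):
    """Hosts whose address lies outside every subnet the scanner is told to
    sweep: the 'new subnet was added and nobody told us' case."""
    nets = [ipaddress.ip_network(n) for n in scanner_scope]
    return {
        host
        for host, addr in host_addrs.items()
        if not any(ipaddress.ip_address(addr) in net for net in nets)
    }


def reconcile():
    """Return every gap as finding -> sorted hostnames, so the report is
    deterministic and can be diffed from one run to the next."""
    return {
        "unknown_to_cmdb": sorted(unknown_hosts(CMDB, SCANNER_SEEN, AGENT_CHECKINS)),
        "never_scanned": sorted(unscanned_hosts(CMDB, SCANNER_SEEN)),
        "stale_agent": sorted(stale_agents(AGENT_CHECKINS)),
        "outside_scanner_scope": sorted(out_of_scope_hosts(HOST_ADDRS, SCANNER_SCOPE)),
    }


if __name__ == "__main__":
    for finding, hosts in reconcile().items():
        print(f"{finding:22s} {', '.join(hosts) or '-'}")
```

    Each finding is a different failure of the same process: web02 has a dead agent, app07 sits on a subnet outside the scanner’s scope (and so has never been scanned), and lab-dev3 is live on the network but absent from the register. The point of cross-checking sources is that no single one of them can tell you about the hosts it does not see.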

    1. Rick

      I did set a freeze on all three of my accounts the day after the announcement. After doing so, a FB friend mentioned to me that doing only one agency would suffice — that if any one of the three were denied credit reporting access via freeze, it was a red flag for a lender to halt any new credit setup for the would-be customer. Wondering if that was generally true or not.

      1. Amy

        That’s not true. Your friend was thinking of fraud alerts.

  17. DavidD

    I understand that freezing my credit report inhibits the credit reporting agencies from irresponsibly selling my personal data to their clients. The question that I have is this: How would freezing my credit report at Equifax prevent it from being one of the millions of accounts accessed in this data breach? Whether your report is frozen or not isn’t it all without distinction stored (and in plain text) on an Equifax server?

    1. Mark Allyn

      I believe that a freeze will prevent potential creditors from accessing your information.

      If the bad guys have your SSN, credit card numbers, address, etc. from data obtained from the breach, they will use it to apply for credit under your name.

      The bank with whom they apply for credit will want to assess the creditworthiness of the individual. To do that, they use the stolen information to attempt to access the credit report from the credit bureau. If there is a freeze, the credit report is denied. The lender will then deny the credit because they cannot get the credit report from the credit bureau. Banks (lenders) will not grant credit based on the information that the bad guy has (your personal information) alone. They will want to see the official credit report and score from the bureau.

  18. bts

    I’m happy to be living in the Netherlands 🙂
    In the EU, you have lots of rights when it comes to privacy data, especially when the GDPR comes into effect next year.

    You can ask a company to delete all data referencing you and they need to ditch all your records except those that are required by law (for example, your bank needs a copy of your ID). Instead of a freeze, you would request a data deletion. A data leak would need to be reported within 72 hours after discovery. Failure to comply with these rules can cost a company up to 4% of its global turnover.

    I’m a bit surprised Equifax holds data for UK citizens, and how it got hold of that data. I hope someone will dig into that.

    It is about time America’s law is written for the people and not for the companies.

  19. Joe

    Question: Do they store the PINs for freezes in plain text, also?

    1. H Davis

      No, they publish them on the Internet. That way there will be backup copies in case the credit bureau loses them.

  20. MisterHappy

    I still do not understand what value Verizon saw in buying Yahoo! It seems like Yahoo! is a never-ending source of trouble. Granted, many do not hold Verizon in high regard, but buying Yahoo! with all its troubles is like shooting yourself in the foot just to find out how it feels.

    As for not using SSN as some sort of ID number, I would support such a change. As always it takes some sort of catastrophe to get the lazy American lawmakers to do anything positive for the citizens of the USA.

  21. Stratocaster

    The no-bid contract with Equifax for the IRS has been an under-reported story, in my view. Thanks for the additional detail, but I could see a future post devoted to this debacle. The weakest link…

  22. Mal

    Wait! What?!

    The IRS awarded Equihax a no-bid contract to verify taxpayer identity?!

    You mean the identity details they leaked?

    That’s a joke…right?

    I see the first line-item for Tax Reform.

  23. asitte

    This is a debacle, there is no doubt there.
    However, it is my opinion that this is a bigger debacle because of another very weak process we all know about but nobody seems to want to really talk about:
    Financial institutions need to fundamentally change their identity validation processes for line of credit establishment.
    If a bank/credit union/financing company wants to provide a line of credit for any reason, they should be required to finalize the line of credit in person with the customer receiving the service.

    In other words, if you want a credit card, or a loan, or any other line of credit, you should be required to visit a bank in person with evidence (DMV anyone?).
    Better yet, when you get the line of credit, you should have a clear photograph of your face created as evidence of the transaction.

    1. timeless

      In principle, that isn’t unreasonable.

      But, there are all sorts of problems w/ it.

      1. Identity records don’t include photos
      2. People can use makeup/skin masks if necessary
      3. People can print fake ids with their own picture instead
      4. Some people for various reasons show very little of themselves in public (and they can gain such a reason at any time)

      I’m not at all opposed to expecting lenders to have enough documentation to know the “identity” to whom they’re making a loan.

      At the very least, if they loan to the wrong “person” and the real person associated with that `identity` comes along, having the documentation will enable the real person to sever their affiliation with the loan…

  24. Leo

    I understand that the Equifax executives who retired (fired) declined to appear before Congress. They should have been subpoenaed.

    They each had the responsibility for IT itself and IT Security which meant they would have been more aware of the status of the patching. Also they would have been more involved than Smith when the breach was discovered. Smith said he got updates at various intervals so the other executives would have been more intimate with the situation. Their testimony is necessary as it will shed light on the technical and business inhibitors in play at the time. Congress should also be made aware of what orders Smith imposed on them after the breach was discovered.

  25. Wm Buxton

    I am probably a lot older than most in here. I have observed for many, many years that the main emphasis after a corporate or employee mishap is usually to immediately take up a Henry VIII mentality – some heads are going to roll. I know, because I almost lost mine a couple of times.

    1. jaded

      Sometimes the headsman’s axe chops exactly the right necks needed to make a real change.

      I’ve seen companies that are set in their ways get breached, and suddenly the CEO and CIO are out. If the board has any sense, they’ll bring in competent replacements; preferably a CEO with a turnaround attitude; and a CIO with a strong engineering and security background who has a track record for making bold changes.

      There will be plenty of pain at such companies, as those will not be the only jobs affected. But if the changes were needed, the company now has a chance.

  26. Mac

    I think a lot of the public (including Congress and Senate) are only catching 1/2 of what the vulnerability is here. It’s not that someone will apply for credit in your name (the freeze/lock products could help mitigate that), it’s that this new massive data breach will be used by crafty individuals for things like stealing your 401k, draining your bank account, using your medical insurance, stealing your tax refunds, and impersonating you for any number of things (including living falsely under your name). With all the data from this breach and all the data from social media, they could easily create a false identity as if they were you, travel as if they were you, commit crime and give law enforcement false/stolen identifying information and the next thing you know, you have a criminal record and have to try and clear your name. I get that people are worried about their credit, but that seems benign compared to the other nefarious possibilities.

  27. Kyle

    For those wondering what a credit lock actually does, the answer is apparently nothing:

    Locking your credit file with Equifax Credit Report Control will prevent access to your Equifax credit file by certain third parties, such as credit grantors or other companies and agencies. Credit Report Control will not prevent access to your credit file at any other credit reporting agency, and will not prevent access to your Equifax credit file by companies like Equifax Global Consumer Solutions which provide you with access to your credit report or credit score or monitor your credit file; Federal, state and local government agencies; companies reviewing your application for employment; companies that have a current account or relationship with you, and collection agencies acting on behalf of those whom you owe; for fraud detection and prevention purposes; and companies that wish to make pre-approved offers of credit or insurance to you. To opt out of such pre-approved offers, visit http://www.optoutprescreen.com.

  28. Vijay

    I lived in the US many years and still have a healthy credit file. The Equifax monitoring website is now set up to block access from outside the US. Luckily, I have a VPN set up which I used to enroll for the monitoring service. But seriously, does Equifax really think only people who live in the US right now are affected?

    1. timeless

      I know it’s stupid, but I hadn’t spent the time thinking about why they did it in the first place.

      Thanks for complaining about it. (You weren’t the first, I just smiled and nodded the previous times I saw people complaining about this.)

      I suspect the geo-block is because they want to limit their hacking exposure. Basically, ~99% of IPs in the US have a legitimate reason to access their site. OTOH, ~99% of IPs outside the US don’t have a legitimate reason to access this service. From a security perspective, it makes sense to reject access if 99% of accesses will be hacks. (For reference perhaps 4 million Americans live abroad, there are >7billion people in the world, so we’re talking about <1‰.)

      For perspective, I'm maintaining servers and we're constantly being probed by IPs in China and certain other countries. There shouldn't be any legitimate access from those countries, so I'm seriously considering blocking all access.

      I personally don't care. I froze my reports w/ the 4 credit bureaus years ago.

      Beyond that, as a general rule, I call companies instead of using web sites. — And you can certainly do that for freezing your credit (w/ the 4 credit bureaus and even Chex…)

      The nice thing is that while a "1800" number isn't global (you often can't dial a US 1800 number from a Canadian line), you can use Skype to dial toll free numbers anywhere in the world for free (including US 1800 numbers).
