Posts Tagged: identity theft


11
Sep 17

The Equifax Breach: What You Should Know

It remains unclear whether those responsible for stealing Social Security numbers and other data on as many as 143 million Americans from big-three credit bureau Equifax intend to sell this data to identity thieves. But if ever there was a reminder that you — the consumer — are ultimately responsible for protecting your financial future, this is it. Here’s what you need to know and what you should do in response to this unprecedented breach.

Some of the Q&As below were originally published in a 2015 story, How I Learned to Stop Worrying and Embrace the Security Freeze. It has been updated to include new information specific to the Equifax intrusion.

Q: What information was jeopardized in the breach?

A: Equifax was keen to point out that its investigation is ongoing. But for now, the data at risk includes Social Security numbers, birth dates, addresses on 143 million Americans. Equifax also said the breach involved some driver’s license numbers (although it didn’t say how many or which states might be impacted), credit card numbers for roughly 209,000 U.S. consumers, and “certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.”

Q: Was the breach limited to Americans?

A: No. Equifax said it believes the intruders got access to “limited personal information for certain UK and Canadian residents.” It has not disclosed what information for those residents was at risk or how many from Canada and the UK may be impacted.

Q: What is Equifax doing about this breach?

A: Equifax is offering one free year of their credit monitoring service. In addition, it has put up a Web site — www.equifaxsecurity2017.com — that tried to let people determine whether they were affected.

Q: That site tells me I was not affected by the breach. Am I safe?

A: As noted in this story from Friday, the site seems hopelessly broken, often returning differing results for the same data submitted at different times. In the absence of more reliable information from Equifax, it is safer to assume you ARE compromised.

Q: I read that the legal language in the terms of service that consumers must accept before enrolling in the free credit monitoring service from Equifax requires one to waive their rights to sue the company in connection with this breach. Is that true?

A: Not according to Equifax. The company issued a statement over the weekend saying that nothing in that agreement applies to this cybersecurity incident.

Q: So should I take advantage of the credit monitoring offer?

A: It can’t hurt, but I wouldn’t count on it protecting you from identity theft.

Q: Wait, what? I thought that was the whole point of a credit monitoring service?

A: The credit bureaus sure want you to believe that, but it’s not true in practice. These services do not prevent thieves from using your identity to open new lines of credit, and from damaging your good name for years to come in the process. The most you can hope for is that credit monitoring services will alert you soon after an ID thief does steal your identity.

Q: Well then what the heck are these services good for?

A: Credit monitoring services are principally useful in helping consumers recover from identity theft. Doing so often requires dozens of hours writing and mailing letters, and spending time on the phone contacting creditors and credit bureaus to straighten out the mess. In cases where identity theft leads to prosecution for crimes committed in your name by an ID thief, you may incur legal costs as well. Most of these services offer to reimburse you up to a certain amount for out-of-pocket expenses related to those efforts. But a better solution is to prevent thieves from stealing your identity in the first place.

Q: What’s the best way to do that?

A: File a security freeze — also known as a credit freeze — with the four major credit bureaus.

Q: What is a security freeze?

A: A security freeze essentially blocks any potential creditors from being able to view or “pull” your credit file, unless you affirmatively unfreeze or thaw your file beforehand. With a freeze in place on your credit file, ID thieves can apply for credit in your name all they want, but they will not succeed in getting new lines of credit in your name because few if any creditors will extend that credit without first being able to gauge how risky it is to loan to you (i.e., view your credit file). And because each credit inquiry caused by a creditor has the potential to lower your credit score, the freeze also helps protect your score, which is what most lenders use to decide whether to grant you credit when you truly do want it and apply for it.

Q: What’s involved in freezing my credit file?

A: Freezing your credit involves notifying each of the major credit bureaus that you wish to place a freeze on your credit file. This can usually be done online, but in a few cases you may need to contact one or more credit bureaus by phone or in writing. Once you complete the application process, each bureau will provide a unique personal identification number (PIN) that you can use to unfreeze or “thaw” your credit file in the event that you need to apply for new lines of credit sometime in the future. Depending on your state of residence and your circumstances, you may also have to pay a small fee to place a freeze at each bureau. There are four consumer credit bureaus, including EquifaxExperianInnovis and Trans Union.  It’s a good idea to keep your unfreeze PIN(s) in a folder in a safe place (perhaps along with your latest credit report), so that when and if you need to undo the freeze, the process is simple.

Q: How much is the fee, and how can I know whether I have to pay it?

A: The fee ranges from $0 to $15 per bureau, meaning that it can cost upwards of $60 to place a freeze at all four credit bureaus (recommended). However, in most states, consumers can freeze their credit file for free at each of the major credit bureaus if they also supply a copy of a police report and in some cases an affidavit stating that the filer believes he/she is or is likely to be the victim of identity theft. In many states, that police report can be filed and obtained online. The fee covers a freeze as long as the consumer keeps it in place. Consumers Union has a useful breakdown of state-by-state fees. Continue reading →


18
May 17

Fraudsters Exploited Lax Security at Equifax’s TALX Payroll Division

Identity thieves who specialize in tax refund fraud had big help this past tax year from Equifax, one of the nation’s largest consumer data brokers and credit bureaus. The trouble stems from TALX, an Equifax subsidiary that provides online payroll, HR and tax services. Equifax says crooks were able to reset the 4-digit PIN given to customer employees as a password and then steal W-2 tax data after successfully answering personal questions about those employees.

In a boilerplate text sent to several affected customers, Equifax said the unauthorized access to customers’ employee tax records happened between April 17, 2016 and March 29, 2017.

Beyond that, the extent of the fraud perpetrated with the help of hacked TALX accounts is unclear, and Equifax refused requests to say how many consumers or payroll service customers may have been impacted by the authentication weaknesses.

Equifax's TALX -- now called Equifax Workforce Solutions -- aided tax thieves by relying on outdated and insufficient consumer authentication methods.

Equifax’s subsidiary TALX — now called Equifax Workforce Solutions — aided tax thieves by relying on outdated and insufficient consumer authentication methods.

Thanks to data breach notification laws in nearly all U.S. states now, we know that so far at least five organizations have received letters from Equifax about a series of incidents over the past year, including defense contractor giant Northrop Grumman; staffing firm Allegis Group; Saint-Gobain Corp.; Erickson Living; and the University of Louisville.

A snippet from TALX’s letter to the New Hampshire attorney general (PDF) offers some insight into the level of security offered by this wholly-owned subsidiary of Equifax. In it, lawyers for TALX downplay the scope of the breach even as they admit the company wasn’t able to tell exactly how much unauthorized access to tax records may have occurred.

“TALX believes that the unauthorized third-party(ies) gained access to the accounts primarily by successfully answering personal questions about the affected employees in order to reset the employees’ pins (the password to the online account portal),” wrote Nicholas A. Oldham, an attorney representing TALX. “Because the accesses generally appear legitimate (e.g., successful use of login credentials), TALX cannot confirm forensically exactly which accounts were, in fact, accessed without authorization, although TALX believes that only a small percentage of these potentially affected accounts were actually affected.”

ANALYSIS

Generally. Forensically. Exactly. Potentially. Actually. Lots of hand-waving from the TALX/Equifax suits. But Equifax should have known better than to rely on a simple PIN for a password, says Avivah Litan, a fraud analyst with Gartner Inc.

“That’s so 1990s,” Litan said. “It’s pretty unbelievable that a company like Equifax would only protect such sensitive data with just a PIN.”

Litan said TALX should have required customers to use stronger two-factor authentication options, such as one-time tokens sent to an email address or mobile device (as Equifax now says TALX is doing — at least with those we know were notified about possible employee account abuse).

The big consumer credit bureaus like Equifax, Experian, Innovis and Trans Union are all regulated by the Fair Credit Reporting Act (FCRA), which strives to promote accuracy, fairness and privacy for data used by consumer reporting agencies.  But Litan said there are no federal requirements that credit bureaus use stronger authentication for access to consumer data — such as two-factor authentication.

“There’s about 500 percent more protection for credit card data right now than there is for identity data,” Litan said. “And yet I don’t know of one document from the federal government that spells out how these credit bureaus and other companies have to protect PII (personally identifiable information).” Continue reading →