Posts Tagged: TransUnion


20
Sep 17

Equifax Breach: Setting the Record Straight

Bloomberg published a story this week citing three unnamed sources who told the publication that Equifax experienced a breach earlier this year which predated the intrusion that the big-three credit bureau announced on Sept. 7. To be clear, this earlier breach at Equifax is not a new finding and has been a matter of public record for months. Furthermore, it was first reported on this Web site in May 2017.

equihaxIn my initial Sept. 7 story about the Equifax breach affecting more than 140 million Americans, I noted that this was hardly the first time Equifax or another major credit bureau has experienced a breach impacting a significant number of Americans.

On May 17, KrebsOnSecurity reported that fraudsters exploited lax security at Equifax’s TALX payroll division, which provides online payroll, HR and tax services.

That story was about how Equifax’s TALX division let customers who use the firm’s payroll management services authenticate to the service with little more than a 4-digit personal identification number (PIN).

Identity thieves who specialize in perpetrating tax refund fraud figured out that they could reset the PINs of payroll managers at various companies just by answering some multiple-guess questions — known as “knowledge-based authentication” or KBA questions — such as previous addresses and dates that past home or car loans were granted.

On Tuesday, Sept. 18, Bloomberg ran a piece with reporting from no fewer than five journalists there who relied on information provided by three anonymous sources. Those sources reportedly spoke in broad terms about an earlier breach at Equifax, and told the publication that these two incidents were thought to have been perpetrated by the same group of hackers.

The Bloomberg story did not name TALX. Only post-publication did Bloomberg reporters update the piece to include a statement from Equifax saying the breach was unrelated to the hack announced on Sept. 7, and that it had to do with a security incident involving a payroll-related service during the 2016 tax year.

I have thus far seen zero evidence that these two incidents are related. Equifax has said the unauthorized access to customers’ employee tax records (we’ll call this “the March breach” from here on) happened between April 17, 2016 and March 29, 2017.

The criminals responsible for unauthorized activity in the March breach were participating in an insidious but common form of cybercrime known as tax refund fraud, which involves filing phony tax refund requests with the IRS and state tax authorities using the personal information from identity theft victims.

My original report on the March breach was based on public breach disclosures that Equifax was required by law to file with several state attorneys general.

Because the TALX incident exposed the tax and payroll records of its customers’ employees, the victim customers were in turn required to notify their employees as well. That story referenced public breach disclosures from five companies that used TALX, including defense contractor giant Northrop Grumman; staffing firm Allegis GroupSaint-Gobain Corp.; Erickson Living; and the University of Louisville.

When asked Tuesday about previous media coverage of the March breach, Equifax pointed National Public Radio (NPR) to coverage in KrebsonSecurity.

One more thing before I move on to the analysis. For more information on why KBA is a woefully ineffective method of stopping fraudsters, see this story from 2013 about how some of the biggest vendors of these KBA questions were all hacked by criminals running an identity theft service online.

Or, check out these stories about how tax refund fraudsters used weak KBA questions to steal personal data on hundreds of thousands of taxpayers directly from the Internal Revenue Service‘s own Web site. It’s probably worth mentioning that Equifax provided those KBA questions as well.

ANALYSIS

Over the past two weeks, KrebsOnSecurity has received an unusually large number of inquiries from reporters at major publications who were seeking background interviews so that they could get up to speed on Equifax’s spotty security history (sadly, Bloomberg was not among them).

These informational interviews — in which I agree to provide context and am asked to speak mainly on background — are not unusual; I sometimes field two or three of these requests a month, and very often more when time permits. And for the most part I am always happy to help fellow journalists make sure they get the facts straight before publishing them.

But I do find it slightly disturbing that there appear to be so many reporters on the tech and security beats who apparently lack basic knowledge about what these companies do and their roles in perpetuating — not fighting — identity theft.

It seems to me that some of the world’s most influential publications have for too long given Equifax and the rest of the credit reporting industry a free pass — perhaps because of the complexities involved in succinctly explaining the issues to consumers. Indeed, I would argue the mainstream media has largely failed to hold these companies’ feet to the fire over a pattern of lax security and a complete disregard for securing the very sensitive consumer data that drives their core businesses.

To be sure, Equifax has dug themselves into a giant public relations hole, and they just keep right on digging. On Sept. 8, I published a story equating Equifax’s breach response to a dumpster fire, noting that it could hardly have been more haphazard and ill-conceived.

But I couldn’t have been more wrong. Since then, Equifax’s response to this incident has been even more astonishingly poor.

EQUIPHISH

On Tuesday, the official Equifax account on Twitter replied to a tweet requesting the Web address of the site that the company set up to give away its free one-year of credit monitoring service. That site is https://www.equifaxsecurity2017.com, but the company’s Twitter account told users to instead visit securityequifax2017[dot]com, which is currently blocked by multiple browsers as a phishing site.

equiphish

Continue reading →


19
Mar 14

Are Credit Monitoring Services Worth It?

In the wake of one data breach after another, millions of Americans each year are offered credit monitoring services that promise to shield them from identity thieves. Although these services can help true victims step out from beneath the shadow of ID theft, the sad truth is that most services offer little in the way of real preventative protection against the fastest-growing crime in America.

Experian 'protection' offered for Target victims.

Experian ‘protection’ offered for Target victims.

Having purchased credit monitoring/protection services for the past 24 months — and having been the target of multiple identity theft attempts — I feel somewhat qualified to share my experience with readers. The biggest takeaway for me has been that although these services may alert you when someone opens or attempts to open a new line of credit in your name, most will do little — if anything — to block that activity. My take: If you’re being offered free monitoring, it probably can’t hurt to sign up, but you shouldn’t expect the service to stop identity thieves from ruining your credit.

Avivah Litan, a fraud analyst at Gartner Inc., said offering credit monitoring has become the de facto public response for companies that experience a data breach, whether or not that breach resulted in the loss of personal information that could lead to actual identity theft (as opposed to mere credit card fraud).

“These are basically PR vehicles for most of the breached companies who offer credit report monitoring to potentially compromised consumers,” Litan said. “Breached companies such as Target like to offer it as a good PR move even though it does absolutely nothing to compensate for the fact that a criminal stole credit card mag stripe account data. My advice for consumers has been – sure get it for free from one of the companies where your data has been compromised (and surely these days there is at least one).  But don’t expect it to help much – by the time you get the alert, it’s too late, the damage has been done.  It just shortens the time to detection so you may have a slightly improved chance of cleaning up the damage faster.  And you can get your credit reports three times a year from the government website for free which is almost just as good so why pay for it ever?”

FRAUD ALERT BREAKDOWN

Normally, I place fraud alerts on my credit file every 90 days, as allowed by law. This step is supposed to require potential creditors to contact you and obtain your permission before opening new lines of credit in your name. You merely need to file a fraud alert (also called a “security alert”) with one of the credit bureaus (Equifax, Experian or Trans Union). Whichever one you file with is required by law to alert the other two bureaus as well.

Most consumers don’t know this (few consumers know the names of the three main credit bureaus), but there is actually a fourth credit bureau that you should alert: Innovis. This bureau follows the same rules as the big three, and you may file a fraud alert with them at this link.

Fraud alerts last 90 days, and you can renew them as often as you like (a recurring calendar entry can help with this task); consumers who can demonstrate that they are victims or are likely to be victims of identity theft can apply for a long-term fraud alert that lasts up to 7 years (a police report and other documentation may be required).

Continue reading →


13
Mar 13

Credit Reports Sold for Cheap in the Underweb

Following the online publication of Social Security numbers and other sensitive data on high-profile Americans, the three major credit reporting bureaus say they’ve uncovered cases where hackers gained access to users’ information, Bloomberg reports. The disclosure, while probably discomforting for many, offers but a glimpse of the sensitive data available to denizens of the cybercrime underworld, which hosts several storefronts that sell cheap, illegal access to consumer credit reports.

mueller

Redacted screen shot of leaked records.

The acknowledgement by Experian, Equifax and Trans Union comes hours after hackers posted online Social Security numbers and other sensitive data on FBI Director Robert Muller, First Lady Michelle Obama, Paris Hilton and others.

Sadly, Social Security numbers and even credit reports are not difficult to find using inexpensive services advertised openly in several cybercrime forums. In most cases, these services are open to all comers; the only limitation is knowing the site’s current Web address (such sites tend to move frequently) and being able to fund an account with a virtual currency, such as WebMoney or Liberty Reserve.

Case in point: ssndob.ru, a Web site that sells access to consumer credit reports for $15 per report. The site also sells access to drivers license records ($4) and background reports ($12), as well as straight SSN and date of birth lookups. Random “fulls” records — which include first, middle and last names, plus the target’s address, phone number, SSN and DOB — sell for 50 cents each. Fulls located by DOB cost $1, and $1.50 if searched by ZIP Code.

Credit report lookup page at ssndob.ru

Credit report lookup page at ssndob.ru

It’s not clear from where this service gets its credit reports and other data, but it appears that at least some of the lookups are done manually by the proprietors. Pending new records requests are tracked with varying messages, such as “in queue,” and “in progress,” and often take more than 15 minutes to process.

A source who agreed to have their information looked up at this service provided his Social Security number, date of birth and address. Within 15 minutes, the site returned a full credit report produced by TransUnion; the report, saved as an HMTL file, was archived in a password protected zip file and uploaded to sendspace.com, with a link to the file and a password to unlock the archive.

Continue reading →


10
Oct 11

Identity Theft More Profitable Than Car Theft

Buying a car or making any other expensive purchase can be a hassle. And when it’s necessary to finance a purchase, there’s one more hurdle. If you want merchant financing, you’ll often be required to fill out a credit application or, at the least, to provide information like a credit card or your Social Security number.

Recent hacker break-ins at a half-dozen car dealerships nationwide are a reminder of just how easily one’s personal and financial information can be jeopardized by poor security at any of of tens of thousands of organizations that have access to that data.

Earlier this month, Farmington Hills, Mich. based RouteOne LLC sent a letter to more than 20,000 dealerships around the country, warning of probable malware infections at six dealerships that use its service. Formed in 2002, RouteOne is a joint venture by GMAC (now called Ally Financial), Ford Motor Credit, Toyota Financial Services, and DaimlerChrysler Financial Services. Dealerships use RouteOne’s credit application software and Web portal to run credit checks and process financing for car buyers. The service also allows authorized users to pull credit reports from the three major credit reporting bureaus.

In September 2011, RouteOne issued a “security bulletin,” to its affiliates, stating in part:

A letter from RouteOne to partner dealerships.

“Over the recent past, RouteOne has received information regarding a small number of dealerships (6) that have experienced compromises in their system security environments (including misappropriation and misuse of their RouteOne log on credentials likely as a result of their dealership computers being infected with spyware). RouteOne is in contact and working with affected dealerships in an attempt to help them address their security issues.”

The bulletin states further than RouteOne “takes these matters very seriously and therefore has been in contact with the FBI and the U.S. Secret Service. Ryan Holmes, the Secret Service agent assigned to the investigation of the attacks on RouteOne’s customers, said he could not release any information on an active investigation.

Mass data collection, and the resulting potential for cybertheft, is a relatively recent problem. Ten years ago, data aggregation points like RouteOne didn’t exist. RouteOne was created to speed credit and financing processes at dealerships, which previously had to navigate to and authenticate at multiple finance vendors, lenders and credit bureaus. Today, dealerships can access all this information with a username and password at RouteOne.net, or via a RouteOne iPhone app.

Dan Doman, vice president and general counsel for RouteOne, said the company became aware of the unauthorized activity after it was notified by the affected dealers.

“It’s important to note that RouteOne has not been breached in this instance, or ever in the past,” Doman said. “What we do when we learn of these matters is we try to get it out to our dealers as quickly as possible so they can take appropriate steps to fix it.”

ID theft services for sale.

Technically, RouteOne is correct. It did not have a data breach: Some of the customers who use their service did. But that distinction is irrelevant to thieves who prize such access, and to consumers who find their identities hijacked and themselves saddled with unexpected debts from fraudulent new lines of credit opened in their names. The criminal underground is full of services that allow miscreants to look up Social Security numbers, dates of birth, maiden names, and other sensitive information. It’s not clear where that data comes from, but the most likely sources are compromised accounts at businesses and organizations that have easy and frequent access to consumer data.

This blog post isn’t intended to single out RouteOne; that is just a recent example of a vast problem for individuals who must share personal data. The same kind of data aggregation exists in many other businesses and tens of thousands of organizations that routinely access sensitive consumer data, including medical, dental and real estate services. Thieves can access a gold mine of consumer data just by compromising PCs at any of these places. Continue reading →