SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

The Equifax Hack

Posted on September 18, 2017

The personal information of 143-million people may have been compromised when the consumer credit reporting agency Equifax was hacked. What do we know about the attack? And what can we do going forward? These are the questions we’re tackling on this week’s Checklist.

On a recent episode of the Checklist, we talked about hacks that affected billions of people. Today, we are talking about a hack that is smaller in number, with only 143-million people affected, and yet the ramifications could be bigger than any of those hacks. If you watch local news, national news, or keep track of any blogs, you’ve no doubt heard about the Equifax hack. If you are like me, you got to the part where it says 143-million people affected and you said, “I wonder what’s on TV.” Sometimes numbers get just so big that we can’t get our heads around them. We know a couple of security guys that we can talk to about it, so we are going to do that. To start with, let’s recap exactly what happened and who Equifax is.

Who is Equifax?

Equifax is one of the three big credit data providers in the United States. If you have a loan or a credit card, have applied for any financing, or use money other than cash, you are most likely in their system. They are the people who calculate the credit score that determines whether you get a good or a sky-high interest rate. In other words, they have lots of data on every American with a credit history. All the credit card companies provide the data to these companies.

To be clear, this is not something that anybody signed up for. Just because I swipe a piece of plastic from time to time, Equifax is collecting data about me specifically. In other words, even if you don’t know who they are, and have never visited Equifax.com, they are still collecting data about you. In this case, you are not the customer of Equifax; you are the product. The banks and the lenders are the customers. They go to Equifax, Experian, or TransUnion to get credit scores and credit history. Before they give you a loan, they want to be sure that you are creditworthy first.

It may not seem right or fair, but it seems wise that if I apply for a loan, the lender would want some assurance apart from my word that I will pay back that loan. At the same time, we don’t know how much information is collected on us; we don’t even always know who is collecting data, be it websites we visit or Google or indeed a company such as Equifax.

What happened at Equifax?

Equifax recently announced that they had been hacked from mid-May to the end of July, and that the personal information of 143-million Americans was exposed to parties unknown at this time. And it’s not just your credit card number – you could just get a new credit card, right? In fact, credit card numbers were a relatively small part of this hack, with only around 209,000 numbers exposed. The problem here is the non-replaceable, personally identifiable information: people’s names, birthdays, addresses, driver’s license numbers and the BIG one, social security numbers.

What’s more, we don’t even know who has the information now. Equifax hired a security company to help them manage the crisis, but nobody has attributed the attack to anyone. There were rumors that the data was for sale on the Dark Web late last week, but that was proven false by some investigative journalists. Thus, we don’t know who has it or where it is, but it will probably come out through all the investigations and lawsuits that will follow the incident.

How to check if you were hacked?

So now the question is whether your data has been exposed. Equifax has set up a website where you can go and put in the last six digits of your social security number, and they will tell you if your data was compromised or not. So, while they could not keep our information safe, we now have to volunteer more information to find out if it is safe?! What’s more, the website seems to be returning conflicting information. For example, people have tried on their phones and received a positive response, but when they check from their desktop, they get a negative response. Similarly, people have entered fake information and were told that it had been hacked. It returns a message along the lines of “oh, you were hacked, come back after September x to sign up for our credit monitoring service.” It’s starting to become a joke now.

Not to mention the terms and conditions on that website, which say that if you sign up for this credit monitoring, you are waiving your right to a class action lawsuit. We are talking about the site where you are supposed to go to find out if your information was hacked; if you sign up there, you are agreeing to arbitration and not to be part of a class action. This is separate from Equifax though, so in theory, you could still be part of a class action suit against them, provided you have never signed up for a service with them. Agreeing to arbitration seems to be a pretty standard part of terms and conditions, meaning that you won’t be able to sue if you signed any such agreement. While Equifax has since provided a way to opt out of the arbitration clause, legal experts are still unclear on your actual rights. It’s all very murky and confusing.

The question seems to be were you affected or not? Well, if we just look at the numbers…

Back in 2014, based on census figures and government data, the number of Americans with at least one credit card was estimated at around 170 million people. So, if we are saying 143-million people were part of this breach, let’s just say you’re most likely in it. I’m probably in it; everybody is most likely part of this data breach. Which begs the question: where is the data for the other handful of people kept? One wonders if they are the high rollers or the people who can’t get credit.

If you had all the gold…

So, if the bad guy gets all the gold in the world or all the power in the world, like in the movies, what is the value of that to the bad guy? Because now there’s nothing against which to trade it, right? If I have all the gold, I win, but nobody else has any gold then. In other words, since I have so much of this information, does it not make the data almost without value?

If you think that you have 143-million records to sell – even at $30 a pop, you can’t possibly sell all of that. What good is all this information to the hackers? And what good is any of our data, since it has all been stolen in any case?

Why would you sell it all at once? You could break it into smaller batches and sell it off over time. In the past when credit card numbers were stolen, hackers would try to find out which of those cards had high limits. Those would be worth more than cards with a low credit limit.

In this case, the data probably had some markers to indicate good and bad credit scores, high or low credit limits and available credit. Consider a credit report compiled by one of these companies. It shows all your open credit cards, the card balances, the limits, etc. Thus, the hackers now know who has the high-limit credit cards with low balances – in other words, the prime targets for identity theft. You could get rid of the people with bad credit or a low credit limit and go for the juicy targets. The fact that they were in the system for as long as they were before being detected means that they had access to all those people’s identities and could have caused a lot of damage already.

One number to rule them all

This circles back to the fact that we use social security numbers as the one number that ties all this stuff back together. That makes it a number that we cannot easily replace, unlike a credit card number. The arguments as to why we are using social security numbers as identifiers go back years, but it is the reality of the situation and will have ramifications for quite some time.

The question is whether they will change that. Will we stop using social security numbers as identifiers? So, what comes next? Is this just a matter of everybody being affected, so monitor your credit, monitor everything? Sign up for a free year of Equifax’s credit monitoring service and then, after a year, renew at a premium?

Is this the biggest troll that ever existed?

Your social security number won’t suddenly become secure after a year of free credit monitoring service. This is the crux of it, and why it is such a mess. We’ve never seen a data breach on this level where you are talking about the majority of American adults having their social security numbers out there.

We use the term data mining a lot, and the interesting part of a mine is that you can leave stuff sitting in it for a very long time; it’s still valuable once you go in and get it. So even with free credit monitoring for a year, the hackers can afford to be patient, since they have 143-million people’s information.

What’s more, there has never been a breach of this nature. In the past you could change your credit card numbers, you could put a fraud alert on your accounts for a couple of months, and that would be that. With an identifier, it’s different. As Americans we use our social security numbers for so many things; how would you secure that, especially if that data becomes public?

Who has the data?

While nobody has claimed responsibility, the question is if we have any idea of who might have done this. My thinking is that this is just someone who found a trove of information that they knew they would be able to sell. As in, there is so much information in this breach, that the hackers could sell it to many different people in many different ways. So, the question is, are we talking about some nefarious vendor, or are we talking about someone who is now planning to go on a mad financial spree? Could it be some disgruntled guy?

First, let’s consider what a company must do if they have had a breach – legally, they should disclose how many people could have been affected. Not simply who has been affected, but the higher number of people potentially affected.

There are a number of rumors online. How did they get in? Was it a web flaw? Was it a zero-day attack? We don’t know. Perhaps Equifax knows, but these are just speculations. One theory is that it was a foreign country that wanted to get more information on American citizens and their financial standing. Until we have an official report from the security company that is investigating, we will not know for sure. However, the chances that it was a white hat hacker who reported it to the company are pretty slim.

The other weird thing is that no hacker group or individual has claimed responsibility. Some of the smaller groups would probably have boasted about the hack, “look what we did, we can cause chaos.” The fact that nobody is claiming responsibility and nobody is making any claims as to who it was is a bit strange. It’s almost as if everybody is waiting for the other shoe to drop.

If I were writing a novel about this, I would imagine that this was either someone that stumbled on it and is now afraid to take responsibility – or a nation-state. I mean, if you did this without intent, you would run and hide because the guys with guns are most certainly after you. What if there was more than one person or group or instance of this hack? When someone finds flaws, it is likely that other security researchers or hackers used the same breach.

I’ve heard that Shadow Brokers has lined up some new leaks to release this fall. They had ransomware attacks tied to some zero-days that were released by them; this could be some zero-day that will be released by Shadow Brokers.

How were they protected?

Do we know anything about the security that Equifax had been running? Sometimes we find that someone was running an outdated operating system.

Some researchers went to investigate after the breach was announced and reported another set of holes in Equifax’s websites. One white hat researcher said that he reported a flaw to them last spring that was never patched. In general, there is a lot of guessing; we will have to wait for the official report.

The question is if it was something that Equifax did wrong, such as running outdated software or hardware, or was it an insider, or a zero-day, or misconfigured hardware? If they were running security software, the vendor would have to answer as to why the attack was not detected and reported sooner. Running amok in somebody’s system for a month and a half is, after all, a long time to go undetected. That leads one to think that they were not running security software, or the software missed it for some reason, or it was a really advanced hack. It could, of course, have been social engineering as well, where for whatever reason the hacker had something on someone inside and gained access that way. But we simply don’t know anything at this point, which is frustrating.

What to do

The question for me at this point is what we tell people to do going forward. Should I go to the Equifax site? Should I go to an independent company that offers credit monitoring? What are the next steps for an individual who may or may not have had their information accessed?

The good news is that there are some things to do – recommended by the FCC for all American credit card holders or anybody that thinks they may have been affected.

First of all, I’d say there is no real point in checking if you were affected on the Equifax site, especially in the light of class-action lawsuits and their sketchy terms and conditions. Also, since the results seem unreliable, it would be good to wait until they can guarantee that the information you get back is accurate. That way you won’t get a false sense of security or be unduly worried.

There’s already a $70-billion lawsuit that was filed against Equifax, and there will probably be more lawsuits brought. In the meantime:

1. Check your credit report – it’s free once a year with annualcreditreport.com. It is always a good idea. Also, check your credit history and check your monthly statements for any suspect charges.

2. Put a credit freeze on your accounts. This makes it harder for anybody else to open an account under your name. It also makes it harder for you to change your information, etc. You get a PIN that you have to enter whenever you want to unfreeze it. The cost is around $10 for each of the credit bureaus, and it’s probably the best action you can take at the moment.

3. Request a fraud alert, so all the banks or institutions that you do business with know that there has been a breach of your information and that they should apply extra scrutiny to any suspect transactions or any new accounts being opened in your name.

4. Make sure that you file your tax returns early next year – since the social security number breach may mean that tax fraud is a growing concern. In theory, someone could file a false return using your social security number and claim any refunds you may be owed.

There are some concrete steps that one can take, and they are all good steps.

Will we see more levels of security in future? Will we see two-factor authentication when you open a credit card? Will you perhaps get a ping to your phone number where you have to supply that secondary code before transacting?

It almost sounds as if biometrics is the next step.

And what about all those security questions you often have to create on your various accounts? Would those answers be part of the breach? We don’t know.

But that means we should be cautious and take the time to change that information on any other websites where you may have used the same security answers, even making up answers that only you could know. This is not a new recommendation – it’s far more secure to make up the answers than to use accurate information that someone could find about you with a little bit of digging. Of course, you can’t always do that, but it is a good countermeasure, especially where you get to write the security question yourself.

Well, that’s it for this episode of The Checklist. Join us next week for another episode!

Do you have a topic you’d like to see us cover in a future episode, or a security question in need of an answer? If you have anything to ask us, send us an email at checklist@securemac.com!
