Saturday, May 30, 2020

Equifax breach: The impact for enterprises and consumers

WHAT WE KNOW ABOUT THE EQUIFAX BREACH

On September 7th, credit reporting agency Equifax announced “a cybersecurity incident potentially impacting approximately 143 million U.S. consumers.” To put this in context, this incident is, at the time of writing, almost seven times larger than the Office of Personnel Management breach of 2015. Equifax discovered the unauthorized access on July 29th and determined that the intrusion began in mid-May. Equifax stated that “the information accessed primarily includes names, Social Security Numbers (SSNs), birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed.” In addition, “limited personal information” for Canadian and United Kingdom citizens was also accessed. The initial attack vector was reported as a “web application vulnerability.”

Figure 1: Chairman and Chief Executive Officer Richard F. Smith discusses the Equifax breach

WHAT WE DON’T KNOW ABOUT THE EQUIFAX BREACH

Whenever doing any sort of analysis, it is important to state what we don’t know. Simply put, there is a great deal we don’t know, and most of the public will never know (despite what some talking heads might claim). As a former incident responder, I know that investigations aren’t completed in the time it takes to watch an episode of the TV drama Scorpion. (Did you know that Scorpion is starting its fourth season?) Equifax stated that the investigation is “substantially complete,” but wisely added that “it remains ongoing and is expected to be completed in the coming weeks.”

  • We don’t actually know how many SSNs were compromised.
  • We don’t know if all 143 million individuals’ SSNs were impacted.
  • We don’t know the threat actor responsible for this intrusion. Equifax claimed that “criminals exploited” a web application, but attribution is always a challenge. Structured Analytic Techniques, like the Analysis of Competing Hypothesis we did for WannaCry, can be useful for considering attribution.
  • Speaking of web applications, although we don’t know the specific vulnerability that was exploited, I’d bet 1,000 Gold Dragons it was SQL injection.
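The Analysis of Competing Hypotheses mentioned above can be scored mechanically. The following is an added example, not code from the original post: it weighs each piece of evidence against the three actor types this post discusses (criminal, nation state, hacktivist) and ranks hypotheses by how much evidence is inconsistent with them, which is the ACH principle of looking for disconfirmation rather than confirmation. The evidence descriptions, consistency ratings and credibility weights are constructed placeholders standing in for an analyst’s judgement, not findings about the Equifax intrusion.

```python
"""Analysis of Competing Hypotheses (ACH) scoring for breach attribution.

Added example, not part of the original post. Hypotheses mirror the actor
types the post discusses; evidence items, ratings and credibility values are
constructed placeholders for an analyst's judgement.
"""
from dataclasses import dataclass

# ACH consistency scale: CC = strongly consistent, C = consistent,
# N = neutral / not applicable, I = inconsistent, II = strongly inconsistent.
# Only inconsistency counts against a hypothesis; consistent evidence does
# not count for it, because consistent evidence rarely discriminates.
CC, C, N, I, II = "CC", "C", "N", "I", "II"
WEIGHT = {CC: 0, C: 0, N: 0, I: 1, II: 2}

HYPOTHESES = ["criminal", "nation_state", "hacktivist"]


@dataclass
class Evidence:
    description: str
    ratings: dict          # hypothesis name -> rating from the scale above
    credibility: float = 1.0  # 0..1, discounts doubtful or second-hand evidence


# Constructed evidence set (illustrative placeholders, not assessed facts).
EVIDENCE = [
    Evidence("Initial vector reported as a web application vulnerability",
             {"criminal": N, "nation_state": N, "hacktivist": N}, 1.0),
    Evidence("Victim's own statement attributes the intrusion to criminals",
             {"criminal": C, "nation_state": I, "hacktivist": I}, 0.5),
    Evidence("No public claim, leak or dox of the data so far",
             {"criminal": N, "nation_state": C, "hacktivist": II}, 0.9),
    Evidence("Stolen data not yet observed for sale in criminal markets",
             {"criminal": I, "nation_state": C, "hacktivist": N}, 0.5),
]


def inconsistency_scores(evidence, hypotheses=HYPOTHESES):
    """Sum credibility-weighted inconsistency per hypothesis (lower is better)."""
    scores = {h: 0.0 for h in hypotheses}
    for item in evidence:
        for h in hypotheses:
            scores[h] += WEIGHT[item.ratings[h]] * item.credibility
    return scores


def rank_hypotheses(evidence, hypotheses=HYPOTHESES):
    """Order hypotheses from least to most inconsistent; ties break by name
    so that a tie is visible as such rather than hidden by dict order."""
    scores = inconsistency_scores(evidence, hypotheses)
    return sorted(hypotheses, key=lambda h: (scores[h], h))


def non_diagnostic(evidence, hypotheses=HYPOTHESES):
    """Evidence rated identically against every hypothesis cannot discriminate
    between them; flag it so the analyst looks for better evidence instead."""
    return [item.description for item in evidence
            if len({item.ratings[h] for h in hypotheses}) == 1]


if __name__ == "__main__":
    for hyp, score in inconsistency_scores(EVIDENCE).items():
        print(f"{hyp:13s} inconsistency = {score:.2f}")
    print("ranking:", rank_hypotheses(EVIDENCE))
    print("non-diagnostic evidence:", non_diagnostic(EVIDENCE))
```

With these placeholder ratings the criminal and nation-state hypotheses tie, and only the hacktivist hypothesis is clearly disfavoured; that is the honest output of the method on thin evidence, and it is why the attribution caveat in this post matters. The `non_diagnostic` check is the part analysts most often skip: the reported web application vector rates the same against every hypothesis, so it tells you nothing about who was behind it.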

WHAT IS MOST LIKELY TO HAPPEN NEXT

There is a wide range of possibilities depending on the goals of the threat actor responsible for the Equifax intrusion. By the way, did I mention that attribution is challenging? Attribution aside, one thing is certain: regardless of the motivations of the attackers, this data is perfect for social engineering attacks.

Tax Return Fraud

SSNs are highly valuable for criminals looking to commit tax refund fraud. Fraudsters use SSNs to file a tax return claiming a fraudulent refund and it can be hard to find out if you’re a victim until it is too late. There is some good advice from the IRS about what to do should you suffer from this form of fraud. You can read more about tax fraud in a blog we wrote earlier this year.

Opening Fraudulent Accounts

There is no shortage of alternative finance companies, such as those that provide short-term loans. Fraudsters can successfully open accounts in another individual’s name using a combination of SSNs, fraudulent gas statements and other personally identifiable information (PII). Individuals should be extra vigilant for any evidence of accounts being opened in their name.

Carding

PII is valuable to payment card fraudsters, who need such information to bypass security controls such as “Verified by Visa”, which sometimes asks for digits of the cardholder’s SSN. There are plenty of high-quality cards that criminals use which do not require extra validation, but lower-level carders must turn to SSNs to enrich lower-quality card dumps. It’s important to remember that SSNs and payment card fraud are inextricably linked.

Figure 2: An example of a security control for online credit card payments

Benefits Fraud And Medical Care Fraud

Although less glamorous than tax return fraud and carding, benefits fraud and medical care fraud are a real risk. As with tax return fraud, this is hard to detect when it happens, but individuals can be vigilant when checking their Explanation of Benefits statements and flag any unfamiliar activity to their insurance provider.

Resale Of Data

It’s important to note that the individuals responsible for the breach are unlikely to be the same criminals conducting the day-to-day fraud. In the case of the Experian breach, the stolen data soon made its way onto the (now defunct) Hansa marketplace. As I’ve previously mentioned, there’s already a market for SSNs to enrich credit card information, so it’s likely that many actors could end up getting a piece of the pie.

For lower-level criminals, the expenses associated with criminal activities will get even lower. SSNs are already cheap; on one AVC (Automated Vending Cart) site (shown in Figure 3), there are over 3.4 million SSNs for sale at only $1. This includes full names, addresses and, for a large number of records, dates of birth. In California alone, there were 334,000 SSNs for sale.

With tens (and potentially hundreds) of millions more SSNs potentially entering the market, the opportunities for criminals to commit fraud will increase and the price will decrease even more.

Figure 3: A screenshot of an AVC selling Social Security Numbers

So far I’ve focused heavily on SSNs, but credit card information was also accessed in the breach. While this number is in the hundreds of thousands (209,000), it is unlikely to have a significant impact on an already burgeoning black market for credit card information.

Enablement Of Nation State Campaigns

Although Equifax claimed this intrusion was conducted by a criminal threat actor, it is possible that this was a nation state actor. (Quick reminder to re-read my note from above: “attribution is always a challenge.”) In the event that a nation state actor is responsible for the intrusion, then, as with the OPM breach, we won’t see the data being monetized in the criminal underground. The stolen data will instead be leveraged to enable nation states’ campaigns against their intelligence targets.

Enablement Of Hacktivist Campaigns

If we are going to consider nation state actors, we should also consider hacktivist threat actors and what they might do with the stolen data. If hacktivists were responsible (I think this is a pretty unlikely scenario, let’s call it #OPunlikely), you could expect to see them use the data to target organizations and individuals that run counter to their world views. Embarrassment and doxing, the hacktivist go-tos, would come into play.

WHAT ENTERPRISES CAN LEARN FROM THE EQUIFAX BREACH

  1. Incident response takes time, and eradication in particular takes time. Equifax said that the intrusion was discovered on July 29th and that they “acted immediately to stop the intrusion.” Equifax’s goal was to contain the adversary that first day, but true eradication took much longer. It is important that you set expectations with your leadership about how long eradication could actually take.
  2. Third-party risk rears its ugly head once again. Some aspects of this intrusion remind me of the September 2015 T-Mobile breach. In that intrusion, Experian was hosting T-Mobile data that an unauthorized party accessed, and this resulted in the loss of 15 million individuals’ records. Any organization with a business-to-business relationship with Equifax needs to find out the scope of any potential loss of their employee or customer data. This third-party exposure also highlights the need for third-party risk monitoring.
  3. Crisis communication is key. Effectively communicating during an intrusion is important; it won’t absolve you of your sins, but doing it wrong could make the situation far worse. Understanding when and what to communicate is also important. Equifax discovered the intrusion on July 29th and notified on September 7th. Some might ask why it took so long for the notification, but I don’t think that a month is that long. The investigation needs to be far enough along that you can confidently communicate the situation. A CEO who comes out 2 days after a breach and then minimizes what is a much more significant threat will be performing a mea culpa in little time.
  4. GDPR will change the breach notification game. Now let me really trip you up: how would this situation play out if it happened after May 25, 2018 and Equifax lost European Union citizens’ data? The General Data Protection Regulation changes everything with its 72-hour breach notification window. GDPR states, “This must be done within 72 hours of first having become aware of the breach.” When the fines do come into place, the timing of the communication will have a significant impact.

WHAT CONSUMERS CAN LEARN FROM THE EQUIFAX BREACH

  1. Consider taking advantage of Equifax’s offer. Although the irony is not lost on me, taking advantage of credit file monitoring and identity theft protection offers is important. Check out equifaxsecurity2017[.]com for more. If you don’t want to use Equifax for these services, I get it; look at alternatives from someone like TransUnion or Experian.
  2. Be vigilant about your payment card activity. Use email/SMS alerts to notify you of account transactions over a specific amount (e.g. $100) and under a specific amount (e.g. $5). If an unauthorized transaction occurs you can be notified immediately and can quickly take action. Be vigilant about your card activity and alert your bank about any suspicious activity.
  3. Address tax fraud with IRS Form 14039. If you find out you are a victim of tax return fraud, there are still things you can do. Victims can file and send an IRS Form 14039. Further details are available here.
  4. Check your Explanation of Benefits (EOB) statement. It might look like another piece of spam mail, but it is important to reconcile the EOB statements that your insurance sends you. This is your best bet for monitoring medical care fraud. Make sure to report any unfamiliar activity as soon as you observe it.
  5. Assume breach. In the corporate cyber security world, we have learned to “assume breach”. Consumers should also operate under the assumption that their confidential data has been compromised.
