Now that all the click-bait panic buttons have been exhausted from the Equifax breach, we take a calm, collected look at it… from the perspective of black-hat experts. To them, the breach and its fallout are just business as usual. This wasn’t even the first major breach of a credit score agency, and not even the worst of its kind. So don’t expect a deluge of new fraud attacks; this latest breach is par for the course. The bigger concern is that big-data aggregators like Equifax consistently fail to adapt after these breaches.
More on that later; first let’s hack the hype around this particular episode…
For starters, any firm with “fax” in their name is just asking to get hacked. And just like their name, Equifax also failed to patch a well-known vulnerability in the open-source Apache Struts framework, which led to the hack. A similar breach happened to Experian in 2014, exposing the same kind of vital information in upwards of 200 million records. So, the data was most likely already out there; it just got updated by Equifax.
For some perspective, of the 143 million records that were hacked off Equifax, only 209,000 were actionable credit card numbers. That is a relatively low number compared to the massive hacks on Target, Home Depot, etc. where millions of card numbers were dumped onto the dark web, ready for action.
The rest of the 143 million records that were hacked are what’s called Personally Identifiable Information (PII) or ‘Fullz’. Fullz alone cannot be used to make purchases. Fraudulent accounts must first be created with the Fullz before a fraudster has an actionable account to attack merchant gateways with. This requires a more specialized fraudster than your average dark-web neckbeard shopping for stolen credit cards. There are more risks and pitfalls for fraudsters using PII data because “identity and impersonation fraud are harder to pull off than credit card fraud.”
What you're up against, and how to fight it
So for the short term, unless you authenticate with Social Security or driver’s license numbers, it will be business as usual. The onus is on government agencies and other entities that do authenticate with PII; they are far more likely targets as a result of this hack. For them, this is a blunt reminder that using PII as authenticators is bad practice. SSNs and birth dates don’t change over time like passwords do, so once hacked, they stay hacked. The question is, will anyone take the appropriate actions to correct this?
Sadly, the record suggests the answer is “probably not.”
“The pattern has become so familiar in recent years that there really are no new lessons to be learned from these breaches anymore, at least from a security preparedness standpoint,” says Jai Vijayan of DarkReading. “[Equifax] appears to have allowed the breach to happen because of its failure to address a vulnerability that it should have known about and addressed.”
The big takeaway from these PII hacks is the stunning lack of effective damage control by stakeholders in their wake. Equifax knew about this breach for over 40 days before they went public with it. But the industry as a whole should have known for YEARS about the vulnerability the hackers exploited. A mere software update could have prevented this whole fiasco.
If you’re safeguarding your transactions from fraud, you’re already ahead of the learning curve. If you’re not, consider the Equifax breach a “friendly reminder” to get your act together against fraud.