STE WILLIAMS

Equifax data breach defense: freezing your credit file

Updates as of 2017-09-08:

Various security experts have advised people to place a security freeze on their credit files with Equifax. Sophos CTO Joe Levy agrees. In fact, he believes reporting agencies should make the process easier:

After this incident, it’s time for the reporting agencies to step up and make freezing and thawing effortless. How about an app that operates like today’s easy-to-use push notification multi-factor authentication systems? I’d forgo my participation in the coming class-action suit if they would instead agree to that.

The general thinking is that a freeze is better than the typical credit monitoring companies offer after a breach. As Brian Krebs of KrebsOnSecurity has noted in the past, credit monitoring services do little if anything to stop thieves from stealing your identity. A security freeze, on the other hand, blocks creditors from looking at your file in order to, as Krebs put it, “grant that phony new line of credit to ID thieves.”

It’s a case of prevention being better than the cure. Levy put it this way:

Credit monitoring is useful in the way an intrusion detection system is useful, but their evolutionary descendants, intrusion prevention systems, provide more practical value. It’s time the monitoring agencies evolve in similar fashion.

There is a site for those who want to initiate a freeze with Equifax.

***

Original story:

To understand how bad the data breach at Equifax is, consider this: the US has a population of approximately 324m people. The credit services provider says its breach may have affected up to 143m Americans: nearly half the population is potentially involved.

The company said in a statement that cybercriminals “exploited a US website application vulnerability” to access certain files:

Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.

What kinds of customer data did the culprits access? Names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers, according to Equifax chairman and CEO Richard Smith. In addition, he said, credit card numbers for approximately 209,000 US consumers and certain dispute documents with personal identifying information for approximately 182,000 US consumers were accessed.

And there’s more. Smith said:

As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps.

Many questions

There are a lot of questions surrounding this breach. Bloomberg reports that three Equifax senior executives sold shares worth almost $1.8m in the days after the company discovered the breach – but before Thursday’s disclosure. That’s bound to fuel anger from customers who will want to know why.

Equifax will also have to explain what it means by a “website application vulnerability.” Were the hackers exploiting a 0-day vulnerability in server software, or a known one for which a patch was already available? Or was it perhaps something as simple as a SQL injection vulnerability in the website, the same type of vulnerability that compromised TalkTalk?

Speculation also abounds that the compromised data was stored in plain text, though at the time of writing it remained unclear if that was the case.

Defensive measures

Details of what exactly happened will become clearer in the coming days and weeks. For now, customers need to know what they can do to protect themselves. To that end, we suggest the following:

  • Equifax says people can check whether they have potentially been affected by submitting their last name and the last six digits of their Social Security number through a link on its website. Those affected will also be given a date on which they can enroll in free ID theft protection and credit monitoring services.
  • Change your password and other secret credentials.
  • If you used the same password on other accounts, change those passwords, too.
  • Make all new passwords different and difficult to guess. Cybercriminals now use tools that sniff out passwords reused on other, more valuable sites, which makes their work easier and makes the stolen passwords and other hacked data more lucrative on the dark web.
  • Include upper- and lower-case letters, numbers and symbols to make passwords harder to crack; see the Sophos How to Pick a Proper Password video for tips on creating stronger passwords.
  • Be careful with your security questions: information such as your mother’s real maiden name is easy to track down. You don’t have to give the actual answer to a question such as “what’s your favorite food?”; you only have to give an answer that you will remember.
  • Use two-factor authentication wherever possible.

We’ll update this article as more details become available.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/k-DoanI2rKo/