What we know about the Equifax breach
On 7 September, credit reporting
agency Equifax announced “a
cybersecurity incident potentially
impacting approximately 143 million
US consumers”. To put this in context, at
this time, this incident is almost seven
times larger than the Office of Personnel
Management breach of 2015. Equifax
discovered the unauthorised access
on 29 July and determined that the
intrusion began in mid-May. Equifax
stated that “the information accessed
primarily includes names, Social Security
Numbers (SSNs), birth dates, addresses
and, in some instances, driver’s license
numbers. In addition, credit card
numbers for approximately 209,000
US consumers, and certain dispute
documents with personal identifying
information for approximately 182,000
US consumers were accessed.”
‘Limited personal information’ for
Canadian and United Kingdom
citizens was also accessed. The initial
attack vector was reported as a ‘web
application vulnerability’.
What we don’t know about the Equifax breach
Whenever doing any sort of analysis,
it is important to state what we don’t
know. Simply put, there is a great
deal we don’t know and most of the
public will never know (despite what
some talking heads might claim).
Equifax stated that the investigation
is “substantially complete,” but wisely
added that “it remains ongoing and
is expected to be completed in the
coming weeks.”
• We don’t actually know how many
SSNs were compromised.
• We don’t know if all 143 million
individuals’ SSNs were impacted.
• We don’t know the threat actor
responsible for this intrusion. Equifax
claimed that “criminals exploited”
a web application, but attribution
is always a challenge. Structured
Analytic Techniques, like the Analysis
of Competing Hypotheses we did
for WannaCry, can be useful for
considering attribution.
• Speaking of web applications,
although we don’t know the specific
vulnerability that was exploited, I’d
bet it was SQL injection.
What is most likely to happen next
There is a wide range of possibilities
depending on the goals of the threat
actor responsible for the Equifax
intrusion. Attribution aside, one thing
is certain: regardless of the motivations
of the attackers, this data is perfect for
social engineering attacks.
Tax return fraud
SSNs are highly valuable for criminals
looking to commit tax refund fraud.
Fraudsters use SSNs to file a tax return
claiming a fraudulent refund and it
can be hard to find out if you’re a victim
until it is too late. The IRS offers some
good advice on its website about what
to do should you suffer from this form
of fraud.
Opening fraudulent accounts
There is no shortage of alternative
finance companies, such as those who
provide short-term loans. Fraudsters can
successfully open accounts in another
individual’s name, using a combination
of SSNs, fraudulent gas statements and
other personally identifiable information
(PII). Individuals should be extra vigilant
for any evidence of accounts being
opened in their name.
Carding
PII is valuable to payment card
fraudsters, who require such information
to bypass security controls such as
‘Verified by Visa’, which sometimes ask
for digits of cardholders’ SSNs. There
are plenty of high-quality cards that
criminals use which do not require extra
validation, but the lower-level carders
must turn to SSNs to enrich lower-quality
card dumps. It’s important to
remember that SSNs and payment card
fraud are inextricably linked.
Benefits fraud and medical care fraud
Although less glamorous than tax
return fraud and carding, benefit and
medical care fraud is a real risk. As
with tax return fraud, this is hard to
detect when it happens, but individuals
can be vigilant when checking their
Explanation of Benefits statement and
flag any unfamiliar activity to their
insurance provider.
Resale of data
It’s important to note that the individuals
responsible for the breach are unlikely
to be the same criminals conducting
the day-to-day fraud. In the case of the
Experian breach, this stolen data soon
made its way onto the (now defunct)
Hansa marketplace. As I’ve previously
mentioned, there’s already a market for
SSNs to enrich credit card information, so
it’s likely that many actors could end up
getting a piece of the pie.
Rick Holland, VP Strategy,
Digital Shadows