MyEquifax.com is yet another security disaster

One would think that having one of the most high-profile breaches in recent memory would make a company take security to heart, but Equifax is full of surprises. The latest is that its MyEquifax.com site, to which the company invites those affected by its poor security practices to freeze and unfreeze their credit, itself has extremely poor security.

It’s all documented by security researcher Brian Krebs, who discovered the issue not in some special investigation but in the process of signing up at the site himself. What he found was that “getting an account at MyEquifax.com was easy. In fact, it was too easy.”

In matters of banking and credit, identity is a very important thing to establish. That’s why when you go to MyEquifax.com, it asks you for an email, then for your Social Security number and date of birth.

Slight problem: SSN and DOB were among the personal data leaked in the Equifax breach to begin with! And it doesn’t even check that you own the email address you submit. It does ask a few verification questions, but as Krebs points out these are often public information, such as the street you live on, or your mother’s maiden name, and as such rather worthless for security purposes.

One you have been “verified” with this process, you can immediately request a security freeze on your credit report, or unfreeze it if it’s frozen.

Oh, and don’t worry — if you established a PIN for this purpose when setting this up previously, you won’t need that. Yes, this poorly secured website specifically does not require a PIN, though a PIN is required for the same requests via phone or email. When Krebs asked a company representative about this, they explained:

We deployed an experience that embraces both security standards (using a multi-factor and layered approach to verify the consumer’s identity) and reflects specific consumer feedback on managing security freezes and fraud alerts online without the use of a PIN. The account set-up process, which involves the creation of a username and password, relies on both user inputs and other factors to securely establish, verify, and authenticate that the consumer’s identity is connected to the consumer every time.

None of that is true. Even elementary security standards like confirming the email address aren’t “embraced,” and multi-factor authentication is trivial to bypass.

This is bad but at least Equifax isn’t alone: It looks like credit reporting agencies Transunion and Experian also have ways of getting around PINs. You’d just think that Equifax, having failed so badly at security before, would want to make its setup a little more robust — even meeting basic standards would be good.

As Krebs points out, however, it’s in your interest to set up an account with your actual email address and information, since if you don’t, it seems pretty much anyone with a few data points on you can do so themselves, gaining the ability to freeze and unfreeze your credit.

Let’s block ads! (Why?)

Link to original source

Most of the Fortune 100 still use flawed software that led to the Equifax breach

Almost two years after Equifax’s massive hack, the majority of Fortune 500 companies still aren’t learning the lessons of using vulnerable software.

In the last six months of 2018, two-thirds of the Fortune 500 companies downloaded a vulnerable version of Apache Struts, the same vulnerable server software that was used by hackers to steal the personal data on close to 150 million consumers, according to data shared by Sonatype, an open-source automation firm.

That’s despite almost two years’ worth of patched Struts versions being released since the attack.

Sonatype wouldn’t name the Fortune 100 firms that had downloaded the vulnerable software, nor was it clear what the software was used for. Sonatype did say that the companies included more than half of the 26 financial and 19 energy companies, and more than half of all healthcare and technology companies.

In all, more than 18,000 businesses downloaded vulnerable versions of Struts, the company said.

Sonatype’s technology monitors millions of open-source commits per day, Sonatype’s chief executive Wayne Jackson told TechCrunch last year. In doing so, it can see what’s new and updated, and can advise and update vulnerable software with newer, patched versions.

The company, which already works with Fannie Mae and Tomitribe, announced Tuesday a new working relationship with Equifax to monitor the use of the credit agency’s open-source libraries across its network to help prevent another breach.

It’s a stark turnaround from its massive 2017 hack, which a House committee investigation late last year found that the Equifax breach was “entirely preventable” had the company patched its vulnerable servers months earlier when the patches — and the advisories to companies — were released.

Bryson Koehler, Equifax’s chief technology officer of just six months, said in remarks that the company is “focused on building security into each software application from the start and enhancing it throughout the development process.”

Sonatype raised $80 million in September following a $30 million round two years earlier.

Let’s block ads! (Why?)

Link to original source

New York settles with Equifax and others over lax mobile app security


SIPA USA/PA Images

New York Attorney General Barbara Underwood announced that the state has reached settlements with five companies regarding a security vulnerability present on each of their mobile apps. Going forward, the companies — Equifax, Western Union, Priceline, Spark Networks and Credit Sesame — will be required to implement security programs aimed at protecting their customers’ information.

“Businesses that make security promises to their users — especially as it relates to personal information — have a duty to keep those promises,” Underwood said in a statement. “My office is committed to holding businesses accountable and ensure they protect users’ personal information from hackers.” Underwood’s office said the apps in question failed to properly authenticate SSL/TLS certificates, which could allow third parties to intercept user data like passwords, social security numbers, credit card information and bank account numbers.

The attorney general’s office confirmed to Engadget that there were no monetary penalties associated with the settlements. But it said in a press release that the agreements were a result of an ongoing effort to identify security vulnerabilities before any user information had been stolen. “As part of this initiative, the office tested dozens of mobile apps that handle sensitive user information, such as credit card and bank account numbers,” it said.

Update 12/14/18 9:25PM ET: A Priceline spokesperson sent Engadget the following statement on the matter:

In March 2016, the New York State Office of the Attorney General notified Priceline about a potential vulnerability on our Android app. Priceline fixed this issue shortly thereafter. The vulnerability was due to a flaw in a third party’s software library that overrode the code in certain versions of the app. Despite the flaw, SSL encryption was still deployed on the app. Over the course of the inquiry, Priceline did not uncover evidence that any customer data was impacted. As the NYS AG’s office correctly noted, the office’s inquiry was intended to find vulnerabilities before any information was compromised. Priceline cooperated fully to address this issue in 2016, and has continued to evolve our security capabilities. The careful stewardship of customer data is our highest priority.

Let’s block ads! (Why?)

Link to original source

House committee says Equifax data breach was 'entirely preventable'


Andrew Harrer/Bloomberg via Getty Images

Congress clearly didn’t buy Equifax’s attempt to pin its massive data breach on one lone technician. The House Oversight and Government Reform Committee has released a staff report declaring that the breach was “entirely preventable” and the result of widespread, systemic flaws in Equifax’s security policies. The company didn’t have “clear lines of authority” in its IT structure that would have properly enacted policies, for one thing. It also had “complex and outdated” systems that didn’t keep pace with its growth, wasn’t prepared to help victims and made basic security missteps. Equifax let more than 300 security certificates expire, for example, making it difficult to spot intrusions.

The committee also made a number of recommendations that it said would need the cooperation of Congress, the White House and private companies. It called for greater transparency on data collection and security risks, “modernized” IT, reduced uses of Social Security numbers as identifiers. The government should also determine whether or not the FTC’s oversight is enough, keep federal contractors more accountable for their security and verify the effectiveness of post-breach services like identity protection.

In response, Equifax argued there were “significant inaccuracies” in the report and that it didn’t have much time to review the findings, although TechCrunch said the ostensible errors were “nit-picks” such as the duration of credit monitoring offers and a state settlement that hasn’t taken place. There weren’t fundamental disagreements with the report’s conclusions. Equifax added that it had implemented “meaningful steps” to bolster security and was “generally supportive” of the recommendations.

The larger question is whether or not anything will change as a result. It’s easy to make recommendations, but it’s another to have multiple parties implement improvements. And as we’ve seen, Equifax leadership hasn’t always been forthright about what’s going on. On top of its attempted scapegoating, it has also faced investigation for suspicious stock trades and made questionable claims that executives were ‘retiring‘ in the wake of the breach. Equifax will have to show that it really did learn its lessons if it’s going to regain trust, while officials will have to update laws and regulations to reduce the chances of a repeat.

Let’s block ads! (Why?)

Link to original source

Equifax Breach Was Just as Infuriating and Dumb as You Thought, New House Report Finds

[unable to retrieve full-text content]

House Republicans spent 14 months investigating the 2017 Equifax breach only to reach the same conclusions that virtually everyone else with a brain did in the immediate aftermath of the company’s disclosure. The breach was “entirely preventable,” lawmakers found, and the credit reporting agency’s shit management did…

Read more…

Link to original source