Equifax: Rolling Thunder for Authentication

by Robert Capps

The Military plays a haunting melody known as taps to pay homage to those who have died for our country, and that tune should now be playing for the loss of America’s identity. The tsunami of data breaches exposing the personal identification of almost every person in the US looks like this:

* Yahoo – 1 billion user accounts breached
* Target – 41 million users' information hacked
* Government Office of Personnel Management (OPM) – 22.1 million people's information stolen
* Verizon – 14 million people's information exposed
* Anthem – 78.8 million people affected

And finally, the biggest breach yet is now the Equifax breach, which will affect 143 million Americans, or more than half of the adult population in the US. Through this breach alone, cybercriminals were able to access social security numbers, names, addresses, phone numbers, emails, passwords, and tax information, including the personally identifiable information (PII) of every member of a family. If previous retail, healthcare, government, and telecom breaches were not serious enough, this time hackers got away with the most important PII – social security numbers – and the ramifications for those affected will last a lifetime.

Equifax says the hackers were able to access the company's network by exploiting a weak spot in the website software. This is just the beginning of the discovery, and more revelations will cascade out. Hackers could release a portion of the information and hold the rest for ransom, but there are many complicated scenarios that could occur in the days and weeks to come.

Tsunami of Ramifications

The magnitude of the Equifax breach will be felt for years, and online businesses everywhere will be dealing with the effects for a long time. The most immediate danger will be the creation of fraudulent accounts and account takeovers, as hackers now have credible information to impersonate most people in the U.S. While merchants may be starting to feel a spike in fraud as the torrent of in-depth information hits the market, it will be a while before we see the worst of it. With this information, hackers can create new accounts, apply for credit cards, open lines of credit, and apply for bank loans. They may also choose to pick different pieces of various identities and combine them to create a new "identity." Utilizing an existing consumer's account allows the fraudster to masquerade as a genuine customer to transfer funds, use the payment method on file to make a high-value purchase, or simply use that customer's legitimate history to mask fraudulent transactions. Everything can be easily spoofed in someone else's name. The ability to identify the real customer has just gotten much harder.

While credit monitoring will alert consumers to new lines of credit being taken out in their names, it will not alert them to fraudulent activity occurring on existing accounts, credit cards, or online accounts. The most you can hope for is that companies like Experian, Innovis and TransUnion give consumers immediate notice when a criminal has stolen their identity. The implications for affected consumers will be profound, and any online or offline service that uses the four big personal identifiers—name, address, birth date and Social Security number—will have to use some other method to verify identities. Specific steps for consumers are outlined on the Federal Trade Commission's website, www.ftc.gov/idtheft.

Consumers should employ 2-factor authentication on all computing devices and immediately change all passwords and any other information that can be changed. Consumers must employ a defensive posture and assume that their identities have already been stolen. It is only a matter of time before identities are attacked and compromised, and the clock is now ticking.

Industry experts are urging Americans to put a credit freeze on all four credit bureaus, but there is a significant concern as to how such advice will impact merchants and financial institutions that rely on the flow of credit data to enable frictionless business transactions in the US. This will also put the onus on the merchants and financial institutions to take extra precautions to confirm and verify identity – adding friction to the consumer experience and putting an added burden on fraud teams.

The Call for New Authentication: Trust the User, Not the Machine

This latest breach with such deep and accurate information is part of the rolling thunder of breaches that should provide a deafening and clear message for all industries. The need to create and define new authentication and verification methods has never been more urgent. With the latest breach, hackers now have all the pertinent information needed to perpetrate almost any type of fraud.

Financial, retail, government and all other industries should be immediately implementing a multi-layer authentication and security framework that employs passive biometrics and behavioral analytics combined with the contextual data used in applications, logins and solutions. This multi-layer approach can monitor and analyze consumer behavior and data points to determine whether it is the authentic user or an imposter. By identifying customers based on their behavior, this approach allows entities to discern the real user even if someone has stolen the correct credentials or device. Hackers are not able to mimic individual human behavior, and this allows a frictionless approach to authentication.
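As an added illustration of the layered approach described above (example code written for this page, not NuData's or the author's own system), the following Python scores a login by combining a credential check with a typing-cadence profile, device recognition and location context; the enrolled profile, thresholds and sample keystroke timings are all constructed assumptions.

```python
"""Layered login risk scoring: a correct password alone is not proof of identity."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Profile:
    # Enrolled behaviour for one user (constructed sample values; intervals in ms between keystrokes)
    key_intervals: list
    known_devices: set
    usual_countries: set


def behavioral_deviation(profile, observed):
    """Mean absolute z-score of observed keystroke intervals against the enrolled cadence."""
    mu, sigma = mean(profile.key_intervals), (pstdev(profile.key_intervals) or 1.0)
    return mean(abs(x - mu) / sigma for x in observed)


def score_login(profile, password_ok, device_id, country, observed_intervals):
    """Combine credential, behavioural and contextual layers into one decision."""
    if not password_ok:  # first layer: credentials still gate everything
        return {"decision": "deny", "score": 1.0, "signals": ["bad_credentials"]}
    signals, score = [], 0.0
    dev = behavioral_deviation(profile, observed_intervals)
    if dev > 2.0:  # typing rhythm does not match the enrolled user (assumed threshold)
        score += 0.5
        signals.append(f"typing_cadence_z={dev:.1f}")
    if device_id not in profile.known_devices:
        score += 0.3
        signals.append("unknown_device")
    if country not in profile.usual_countries:
        score += 0.3
        signals.append("unusual_country")
    score = min(score, 1.0)
    # Low risk passes silently; medium risk gets a step-up challenge; high risk is refused
    decision = "allow" if score < 0.3 else ("step_up" if score < 0.8 else "deny")
    return {"decision": decision, "score": round(score, 2), "signals": signals}


# Constructed enrolment profile for a single user
ALICE = Profile([120, 130, 125, 135, 128, 122, 131, 127], {"laptop-7f3a"}, {"US"})

if __name__ == "__main__":
    # Genuine user, known device, usual cadence -> allow
    print(score_login(ALICE, True, "laptop-7f3a", "US", [124, 129, 126, 133]))
    # Genuine cadence but a new device -> step-up challenge rather than a hard deny
    print(score_login(ALICE, True, "phone-new", "US", [124, 129, 126, 133]))
    # Stolen (correct) password, unfamiliar device, country and typing rhythm -> deny
    print(score_login(ALICE, True, "vm-0001", "XX", [260, 45, 310, 70]))
```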

Industries across the US need to make single points of authentication valueless to the hacker by developing in-depth authentication based on behavior as well as a variety of data points to accurately identify the true customer and lock out criminals at the login.

About the author:

Robert Capps is an authentication strategist and Vice President at NuData Security. He is a recognized technologist, thought leader and advisor with more than 20 years of experience in the design, management, and protection of complex information systems – leveraging people, process, and technology to counter cyber risks.

Sources:

* Yahoo Says 1 Billion User Accounts Were Hacked – The New York … (Dec 14, 2016): "The company says the attack was separate from the breach that led to an … It is unclear how many Yahoo users were affected by both attacks."
* Target to pay $18.5M for 2013 data breach that affected 41 million … (USA Today, May 23, 2017): "More than 41 million customer accounts affected by 2013 Target data breach." https://www.usatoday.com/story/money/…/target-pay…breach-affected…/102063932/
* Hacks of OPM databases compromised 22.1 million people, federal … (The Washington Post, Jul 9, 2015): "Hacks of OPM databases compromised 22.1 million people, federal authorities say … Office of Personnel Management of how many people were affected … At least 4.2 million people were affected by the breach of a separate …" https://www.washingtonpost.com/…/hack-of-security-clearance-system-affected-21-5-…
* Verizon Data Breach
* Anthem: Hacked Database Included 78.8 Million People (The Wall Street Journal): https://www.wsj.com/articles/anthem-hacked-database-included-78-8-million-people-1424807364
* CSO Online on the Equifax breach and account takeovers: https://www.csoonline.com/article/3223232/data-breach/what-is-the-biggest-threat-from-the-equifax-breach-account-takeovers.html