Equifax Breach Fallout: Your Salary History

In May, KrebsOnSecurity broke a story about lax security at a payroll division of big-three credit bureau Equifax that let identity thieves access personal and financial data on an unknown number of Americans. Incredibly, this same division makes it simple to access detailed salary and employment history on a large portion of Americans using little more than someone’s Social Security number and date of birth — both data elements that were stolen in the recent breach at Equifax.


At issue is a service provided by Equifax’s TALX division called The Work Number. The service is designed to provide automated employment and income verification for prospective employers, and tens of thousands of companies report employee salary data to it. The Work Number also allows anyone whose employer uses the service to provide proof of their income when purchasing a home or applying for a loan.

The homepage for this Equifax service wants to assure visitors that “Your personal information is protected.”

“With your consent your personal data can be retrieved only by credentialed verifiers,” Equifax assures us, referring mainly to banks and other entities that request salary data for purposes of setting credit limits.

Sadly, this isn’t anywhere near true because most employers who contribute data to The Work Number — including Fortune 100 firms, government agencies and universities — rely on horribly weak authentication for access to the information.

To find out how easy it is to view your detailed salary history, you’ll need your employer’s name or employer code. Helpfully, this page lets you look that up quite easily (although if you opt to list employers alphabetically by the first letter of the company name, there are so many entries for each letter that I found Equifax’s database simply crashes half the time instead of rendering the entire list).


What’s needed to access your salary and employment history? Go here, and enter the employer name or employer code. After that, it asks for a “user ID.” This might sound like privileged information, but in most cases this is just the employee’s Social Security number (or a portion of it).

At the next step, the site asks visitors to “enter your PIN,” short for Personal Identification Number. However, in the vast majority of cases this appears to be little more than someone’s eight-digit date of birth. The formats differ by employer, but it’s usually either yyyy/mm/dd or mm/dd/yyyy, without the slashes.

Successful validation to the system produces two sets of data: An employee’s salary and employment history going back at least a decade, and a report listing all of the entities (ostensibly, the aforementioned “credentialed verifiers”) that have previously requested and viewed this information.

Once you’re successfully “authenticated,” the system asks you to change your PIN to something more secret than your birthday. When the default PIN is changed, The Work Number prompts users to select a series of six challenge/response questions, which Equifax claims will “improve the security of your data and create an extra layer of protection on your account.”
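As an added illustration (written for this article, not Equifax’s or TALX’s code), here is a hypothetical PIN-policy check a portal like this could run when an account is claimed or a PIN is changed. It rejects the defaults described above, an eight-digit date of birth in either yyyymmdd or mmddyyyy layout or digits lifted from the SSN, and it quantifies why a birth-date “PIN” is far weaker than its eight digits suggest. The birth-year window and the minimum-length rule are assumptions.

```python
"""Hypothetical PIN-policy check for a self-service employment-data portal.

Illustrative code, not The Work Number's own implementation.
"""
import math
from datetime import date
from typing import List

# Assumed plausible birth-year window for the working population.
MIN_YEAR, MAX_YEAR = 1920, 2010


def parses_as_date(pin: str) -> bool:
    """True if the eight digits form a real calendar date in either layout."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    layouts = (
        (int(pin[0:4]), int(pin[4:6]), int(pin[6:8])),   # yyyymmdd
        (int(pin[4:8]), int(pin[0:2]), int(pin[2:4])),   # mmddyyyy
    )
    for year, month, day in layouts:
        try:
            date(year, month, day)
        except ValueError:
            continue
        if MIN_YEAR <= year <= MAX_YEAR:
            return True
    return False


def derived_from_ssn(pin: str, ssn: str) -> bool:
    """True if any four-digit run of the PIN is copied from the SSN (e.g. last four)."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    return any(pin[i:i + 4] in digits for i in range(len(pin) - 3))


def check_pin(pin: str, dob: date, ssn: str) -> List[str]:
    """Return the policy violations for a proposed PIN (empty list means accepted)."""
    problems = []
    if not pin.isdigit() or len(pin) < 8:          # assumed minimum-length policy
        problems.append("PIN must be at least eight digits")
    if pin in (dob.strftime("%Y%m%d"), dob.strftime("%m%d%Y")):
        problems.append("PIN is the account holder's date of birth")
    elif parses_as_date(pin):
        problems.append("PIN is a calendar date and will be guessed as one")
    if derived_from_ssn(pin, ssn):
        problems.append("PIN is copied from the SSN")
    if len(set(pin)) <= 2:
        problems.append("PIN uses too few distinct digits")
    return problems


def dob_pin_entropy_bits() -> float:
    """Guessing entropy of an 8-digit PIN that is really a birth date.

    Only one guess per possible birthday is needed, so the space is the
    number of days in the window, not 10**8.
    """
    days = (date(MAX_YEAR, 12, 31) - date(MIN_YEAR, 1, 1)).days + 1
    return math.log2(days)   # about 15 bits, versus log2(10**8) of about 26.6
```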

Unfortunately, consumers whose employee history is stored by this service effectively have no privacy or security unless they possess both the awareness that this service exists and the forethought to access their account online before identity thieves or others do it first.


The Work Number does allow employers to opt for TALX’s “enhanced authentication” feature, wherein after logging in with your employer ID and PIN (often the last four digits of an SSN plus the birth year), the system is designed to require the requester to respond to an email at a work address or a phone call to a work number to validate the login.

However, I did not find this to be the case in several instances involving readers whose employers supposedly used this enhanced authentication method. In cases where corporate human resources departments fail to populate employee email addresses and phone numbers, the system defaults to asking visitors to enter any email address and phone number to complete the validation. This is detailed here (PDF), wherein The Work Number states “if you do not have the required phone and e-mail information on file, you will be prompted to update/add your phone numbers/email addresses.”


Worse yet, while companies that use this service tend to vary their approaches to what’s required in terms of user IDs and PINs, a great many employers publish online detailed instructions on how to fill out these various forms. For example, the State of California‘s process is listed here (PDF); instructions for the Health Resources & Services Administration (HRSA) are here; employees at the National Institutes of Health (NIH) can learn the steps by consulting this document (PDF). The process for getting this information on current and former UCLA employees is spelled out here. There are countless other examples that are easy to find with a simple Internet search.

Many readers probably consider their current and former salaries to be very private information, but as we can see this data is easily available on a broad spectrum of the working population in America today. The information needed to obtain it has been widely compromised in thousands of data breaches over the past few years, and the SSN and DOB on most Americans is for sale in a variety of places online. In short, if you can get these details from Equifax’s online service, so can anyone else.

Fortunately, you can reduce the likelihood that an acquaintance, co-worker, stalker or anyone else can do this by claiming your own account, changing the PIN and selecting a half-dozen security questions and answers. As always, it’s best not to answer these questions truthfully, but to input answers that only you will know and that can’t be found using social networking sites or other public data sources.

I could see this service potentially helping to create a toxic workplace environment because it offers a relatively simple method for employees to glean data about the salaries of their co-workers and bosses. While some people believe that companies should be more transparent about employee salaries, this data in the wrong hands very often generates a great deal of resentment and hostility among co-workers.

Employers who use The Work Number should strongly consider changing as many defaults as possible, and truly implementing the service’s enhanced authentication features.

October is National Cybersecurity Awareness Month, and as such KrebsOnSecurity will continue pointing readers to similar services that let anyone access your personal data armed with little more than static identifiers about you that should no longer be considered private. Although some readers may take issue with my pointing these out — reasoning that I’m only making it easier for bad people to do bad things — it’s important to understand that knowledge is half the battle: Planting your flag before someone else does is usually the only way to keep others from abusing such services to expose your personal information.

Related reading:

USPS ‘Informed Delivery’ is Stalker’s Dream
Student Aid Tool Held Key for Tax Fraudsters
Sign Up at IRS.gov Before Crooks Do It For You
Crooks Hijack Retirement Funds via SSA Portal
Social Security Administration Now Requires Two-Factor Authentication
SSA: Ixnay on txt msg reqmnt 4 e-acct, sry


Source: KrebsOnSecurity

Easy way to bypass passcode lock screens on iPhones, iPads running iOS 11

Update for iOS 11

With iOS 11, you can still bypass the iPhone lock screen and trick Siri into getting into a person’s phone. The bypass is the same as it was in the earlier version of the operating system:

  • Press the home button using a finger not associated with your fingerprint authentication, prompting Siri to wake up.
  • Say to Siri: Cellular data.

Siri then opens the cellular data settings where you can turn off cellular data.

As was the case before, anyone can do this. It doesn’t have to be the person who “trained” Siri.

By also turning off Wi-Fi, you cut off her connectivity access. You will get an error saying, “Siri not available. You are not connected to the internet.” But you don’t care about that error because you have already bypassed the iPhone lock screen.



Source: Computerworld.com | Security

iOS 11: 3 ways to really switch off Wi-Fi and Bluetooth

Many iPhone and iPad users are annoyed at Apple’s decision to change the way Control Center’s Wi-Fi and Bluetooth controls work, as they no longer work. Fortunately, you can still switch connectivity off quite easily.

What is the problem?

Apple in iOS 11 decided that when you tap the Wi-Fi or Bluetooth buttons in Control Center, the system now will disconnect you from any devices or networks you are currently on but no longer truly switches Wi-Fi or Bluetooth off.

This means that even though you thought you switched them off, they remain active for things like AirDrop, AirPlay, Continuity, Hotspot, Location services and devices such as the Apple Watch and Pencil.



Source: Computerworld.com | Security

Step aside, Windows! Open source and Linux are IT’s new security headache

Windows has long been the world’s biggest malware draw, exploited for decades by attackers. It continues today: The Carbon Black security firm analyzed 1,000 ransomware samples over the last six months and found that nearly 99% of them targeted Windows.

That’s not news for IT administrators, of course. But this might be: Linux and other open-source software are emerging as serious malware targets. Several recent highly publicized attacks exploit holes in open-source software that many enterprise admins once considered solidly safe.



Source: Computerworld.com | Security

Machine learning-based threat detection is coming to your smartphone

Part of a growing trend, MobileIron announced today that it is adding machine learning-based threat-detection software to its enterprise mobility management (EMM) client, which it said will help address an increase in mobile attacks.

The Mountain View, Calif.-based company said it has partnered with Zimperium, a maker of machine learning-based behavioral analysis and threat detection software that monitors mobile devices for nefarious activity and apps.

MobileIron said it will integrate Zimperium’s z9 Engine software with its security and compliance client. The software will reside on users’ iOS or Android smartphones or tablets, and it will also become a part of IT administrators’ EMM control consoles. That upgrade to MobileIron’s EMM client will “automate the process of detecting and responding to mobile threats,” MobileIron stated.



Source: Computerworld.com | Security

Fear Not: You, Too, Are a Cybercrime Victim!

Maybe you’ve been feeling left out because you weren’t among the lucky few hundred million or billion who had their personal information stolen in either the Equifax or Yahoo! breaches. Well buck up, camper: Both companies took steps to make you feel better today.

Yahoo! announced that, our bad!: It wasn’t just one billion users who had their account information filched in its record-breaking 2013 data breach. It was more like three billion (read: all) users. Meanwhile, big three credit bureau Equifax added 2.5 million more victims to its roster of 143 million Americans who had their Social Security numbers and other personal data stolen in a breach earlier this year. At the same time, Equifax’s erstwhile CEO informed Congress that the breach was the result of even more bone-headed security than was first disclosed.

To those still feeling left out by either company after this spate of bad news, I have only one thing to say (although I feel a bit like a broken record in repeating this): Assume you’re compromised, and take steps accordingly.

If readers are detecting a bit of sarcasm and cynicism in my tone here, it may be that I’m still wishing I’d done almost anything else today besides watching three hours worth of testimony from former Equifax CEO Richard Smith before lawmakers on a panel of the House Energy & Commerce Committee.

While he is no longer the boss of Equifax, Smith gamely agreed to submit to several days’ worth of grilling from legislators in both houses of Congress this week. It was clear from the questions that lawmakers didn’t ask in Round One, however, that Smith was far more prepared for the first batch of questioning than they were, and that the entire ordeal would amount to only a gentle braising.

Nevertheless, Smith managed to paint an even more dismal picture than was already known about the company’s failures to secure the very data that makes up the core of its business. Helpfully, Smith clarified early on in the hearing that the company’s customers are in fact banks and other businesses — not consumers.

Smith told lawmakers that the breach stemmed from a combination of technological error and a human error, casting it as the kind of failure that could have happened to anyone. In reality, the company waited 4.5 months (after it discovered the breach in late July 2017) to fix a dangerous security flaw that it should have known was being exploited on Day One (~March 6 or 7, 2017).

“The human error involved the failure to apply a software patch to a dispute portal in March 2017,” Smith said. He declined to explain (and lawmakers inexplicably failed to ask) how 145.5 million Americans — nearly 60 percent of the adult population of the United States — could have had their information tied up in a dispute portal at Equifax. “The technological error involved a scanner which failed to detect a vulnerability on that particular portal.”

As noted in this Wired.com story, Smith admitted that the data compromised in the breach was not encrypted:

When asked by representative Adam Kinzinger of Illinois about what data Equifax encrypts in its systems, Smith admitted that the data compromised in the customer-dispute portal was stored in plaintext and would have been easily readable by attackers. “We use many techniques to protect data—encryption, tokenization, masking, encryption in motion, encrypting at rest,” Smith said. “To be very specific, this data was not encrypted at rest.”

It’s unclear exactly what of the pilfered data resided in the portal versus other parts of Equifax’s system, but it turns out that also didn’t matter much, given Equifax’s attitude toward encryption overall. “OK, so this wasn’t [encrypted], but your core is?” Kinzinger asked. “Some, not all,” Smith replied. “There are varying levels of security techniques that the team deploys in different environments around the business.”

Smith also sought to justify the company’s historically poor breach response after it publicly disclosed the break-in on Sept. 7 — roughly 40 days after Equifax’s security team first became aware of the incident (on July 29). As many readers here are well familiar, KrebsOnSecurity likened that breach response to a dumpster fire — noting that it was perhaps the most haphazard and ill-conceived of any major data breach disclosure in history.

Smith artfully dodged questions of why the company waited so long to notify the public, and about the perception that Equifax sought to profit off of its own data breach. One lawmaker noted that Smith gave two public speeches in the second and third weeks of August in which he was quoted as saying that fraud was a “a huge opportunity for Equifax,” and that it was a “massive, growing business” for the company.

Smith interjected that he had “no indication” that consumer data was compromised at the time of the Aug. 11 speech. As for the Aug. 17 address, he said “we did not know how much data was compromised, what data was compromised.”

Follow-up questions from lawmakers on the panel revealed that Smith didn’t ask for a briefing about what was then allegedly only classified internally as “suspicious activity” until August 15, almost two weeks after the company hired outside cybersecurity experts to examine the issue.

Smith also maneuvered around questions about why Equifax chose to disclose the breach on the very day that Hurricane Irma was dominating front-page news with an imminent landfall on the eastern seaboard of the United States.

However, Smith did blame Irma in explaining why the company’s phone systems were simply unable to handle the call volume from U.S. consumers concerned about the Category Five data breach, saying that Irma took down two of Equifax’s largest call centers days after the breach disclosure. He said the company handled over 420 million consumer visits to the portal designed to help people figure out whether they were victimized in the breach, underscoring how so many American adults were forced to revisit the site again and again because it failed to give people consistent answers about whether they were affected.

Just a couple of hours after the House Commerce panel hearing ended, Politico ran a story noting that the Internal Revenue Service opted to award Equifax a $7.25 million no-bid contract to provide identity-proofing and anti-fraud services to the tax bureau. Bear in mind that Equifax’s poor security contributed to an epidemic of tax refund fraud at the IRS in the 2015 and 2016 tax years, when fraudsters took advantage of weak security questions provided to the IRS by Equifax to file and claim phony tax refund requests on behalf of hundreds of thousands of taxpayers.

Don’t forget that tax fraudsters exploited this same lax security at Equifax’s TALX payroll division to steal employee tax records from an as-yet undisclosed number of companies between April 2016 and March 2017.

Finally, much of today’s hearing centered around questions about the difference between a security freeze — a right that was hard-won on a state-by-state level over several years — and the “credit lock” services being pushed instead by Equifax and the big bureaus. Lawmakers on today’s panel seemed content with Smith’s answer that the two things were effectively the same, only that a freeze was more cumbersome and costly, whereas credit locks were free and far more consumer-friendly.

To those still wavering on which is better, I have only to point to reasoning by Christina Tetreault, a staff attorney on the financial services team of Consumers Union — the policy arm of Consumer Reports. Tetreault notes that perhaps the main reason a security freeze is the better option is that its promise to guard your credit accounts is guaranteed by law, whereas a credit lock is simply an agreement between you and the credit monitoring company.

“Having a contractual agreement is not as strong as having protections under law,” Tetreault said. “The contract may be unclear, may include provisions that allow the other party to change it, or include provisions that you may be better off not agreeing to, such as an arbitration agreement.”

What’s more, placing a freeze on your file is exactly what Equifax and the other bureaus do not want you to do, because it prevents them from making money by selling your credit file to banks and others (including ID thieves) who wish to grant new lines of credit in your name. If that’s not the best reason for opting for a freeze, I don’t know what is.

If anyone needs more convincing on this front, check out the testimony given in other committees today by representatives from banking behemoth Wells Fargo, which is under fire for signing up tens of thousands of auto loan customers for insurance they did not need and in some cases couldn’t afford. That scandal comes on the heels of another debacle in which Wells Fargo was found to have created more than 3.5 million bank accounts without consumers’ permission between 2009 and 2016.

Mr. Smith is slated to testify before at least three other committees in the House and Senate this week before he’s off the hot seat. On Friday, KrebsOnSecurity published a lengthy list of questions that lawmakers should consider asking the former Equifax CEO. Here’s hoping our elected representatives don’t merely use these additional opportunities for more grandstanding and regurgitating the same questions.


Source: KrebsOnSecurity

C'mon, what else could it be?

Desktop support tech is helping a user at her desk, reports a pilot fish who happens to be close enough to hear what’s going on.

“He asked the user to enter her password,” fish says.

“She said, ‘Password.’

“Yes, he said, please enter your password.

“‘Password,’ she said.

“He then asked if her password is ‘password.’

“She said, ‘Of course.’

“We promptly changed and tightened up our password requirements.”

Sharky wants to pass the word to remind you about fresh guidelines for better passwords from the National Institute of Standards and Technology (along with an explanation of why NIST’s new rules are better). Take a look — and after that, don’t forget to send me your true tale of IT life at sharky@computerworld.com. You’ll snag a snazzy Shark shirt if I use it. Comment on today’s tale at Sharky’s Google+ community, and read thousands of great old tales in the Sharkives.



Source: Computerworld.com | Security
