Breach Days: Equifax and Beyond
Unveiling Vulnerabilities: EMV Chip Cards and Android Devices
When this post first appeared last summer, we called it “The Breach Days of August,” sounding various alarums from what had been the just concluded Black Hat conference in Las Vegas (a gathering of mostly “white hat” hackers). In what surely now must strike us a more innocent times, we mentioned that CNN Money was reporting that EMV chip cards — the very things allegedly keeping us safer at point of purchase could perhaps be rewritten to “appear like a chipless card again. This allows them to keep counterfeiting — just like they did before the nationwide switch to chip cards.”
This was in part possible because merchants then were not upgrading their EMV machines, and thereby not encrypting transactions, allowing duplicate cards to be easily “read.” At the same time, news had broken that up to a billion Android devices worldwide were potential hacking targets due to a security vulnerability detected on devices carrying Qualcomm chipsets, run under the name of ‘QuadRooter’ able to let hackers hijack a user’s device.
But as bad as that seemed, there was quickly an available scanner you could run to see if your device was vulnerable, and patches available shortly thereafter.
Reflecting on the “Good Old Days” of Hacking
All of these previous hacks — including the ones for Target, Home Depot, and the rest — must now strike us as “the good old days,” when the scope of the problem could at least be envisioned. The analogy would be hurricanes and changing weather: Nobody wants a Category 2 hurricane to blow over their house, but if you’re only dealing with a direct hit from one every 30 years or so, the problem seems manageable.
The Brave New World of Digital Insecurity
When you have two Category 4’s in a month’s time, as part of a new weather regimen, you’re dealing with a brand new scale of trouble, and the solutions — radically changing zoning and building laws, perhaps moving populations, etc. — can sometimes seem as daunting as the problem itself.
And so it is with the Brave New World of hackery, digital insecurity, and outright doxxing (the release of personal information) that we’re all left to deal with in the wake of that Category 5 hack known as the Equifax Breach.
Equifax Breach Exposes Structural Flaws in the System
The problem wasn’t simply that Equifax left their systems un-updated and thus unsecured (though in fact they did — is your office fully updated yet?), but as CNBC notes, some of the problems are structural, and bigger than the credit bureau itself: “More than sloppy cybersecurity measures, the massive data breach uncovered at Equifax revealed inherent flaws in the U.S: the over-reliance on Social Security numbers credit reporting system in need of reform.The Social Security number is a ‘chief means’ of identifying and gathering information about an individual… Among others, it is used in the opening of a bank account, application for loans and filing of tax returns…The wide usage in both government and private sectors, and the ease of using it to access highly-sensitive accounts, has made hacking systems such as credit reporting agencies more appealing, experts told us”
Uncovering the Scope: Incomplete Disclosures by Equifax
Which means that your information, that of your co-workers, that of yours, every adult in your family with a credit history (and ours, and theirs over there) — everyone’s information, addresses, Social Security numbers, etc., — all seem to have been taken in the wake of this digital intrusion, the scope of which Equifax still appears not to have completely disclosed.
The Growing Crisis at Equifax
In fact, Equifax may not have even told us how many times it’s actually happened. According to Bloomberg, the company “learned about a major breach of its computer systems in March — almost five months before the date it has publicly disclosed, according to three people familiar with the situation. In a statement, the company said the March breach was not related to the hack that exposed the personal and financial data on 143 million U.S. consumers, but one of the people said the breaches involve the same intruders. Either way, the revelation that the 118-year-old credit-reporting agency suffered two major incidents in the span of a few months adds to a mounting crisis at the company, which is the subject of multiple investigations and announced the retirement of two of its top security executives on Friday.”
Permanently Exposed: The Challenge of Personal Information Security
Everyone’s information may have been out there even longer than first thought. And now it’s just out there… permanently, really, unless someone comes with an easy way to change social security numbers.
Building Resilience: Protecting Companies and Consumers
So what’s next? Well, according to an analysis on Pymnts.com, “it’s probably fair to say that the Equifax hack is to consumer authentication what Target was to EMV at the physical point of sale: a catalyst for change. Companies who come in contact with consumers in the name of commerce, payments, retail or other financial services are now moving digital identity verification to the top of their lists to protect themselves and their consumers from the inevitable wave of digital identity fraud that’s about to hit them — and could crush them if they don’t.
Embracing Honest Finance: Innovations in Credit Decision Making
“And just like the shift to EMV, the ecosystem of payments and financial services companies will come together to meet this challenge — in this case, with a running head start of tools and technologies and innovators and platforms prepared to help meet this challenge head on. And since data and risk modeling is no longer the domain of three players and a credit score, innovators are building businesses around the notion of honest finance and complete consumer transparency into how credit decisions are made and how much credit will cost them — and slowly gaining traction with consumers and retailers.”
We will be keeping track of that traction, as it were, and letting you know about the changes coming. Meanwhile, this year’s Dog Days — and Hack Days — of August are behind us, but the fallout will be with us for years to come.