Worried About the Equifax Breach? Why Yahoo’s Was More Alarming
January 3, 2018
Bottom Line Upfront:
On September 07, 2017, Equifax announced that an unauthorized party may have accessed the highly sensitive data of more than 143 million of its US consumers, as well as that of a certain number of Canadian and UK residents.
On October 03, 2017, Yahoo revealed that the data of all of its 3 billion users were compromised in 2013.
Since personal credit reports were not stolen during the Equifax hack, we assess that the compromised data will have a limited versatility to fraudsters.
Yahoo had announced that along with passwords, the hack exposed associated names, birthdays, phone numbers, and, in some cases, “encrypted or unencrypted security questions and answers”
As more companies are relying on the second level of authentication (2FA), by utilizing a set of similar security questions, compromised Yahoo data presents attackers with highly-effective capabilities to compromise a wide range of web-services.
The problem of reused passwords is widespread and contributes to the significant increase of account takeovers observed in the past two years.
The Anatomy of Attacks
In our day and age, no company can be entirely certain of its network integrity, nor can it guarantee the data safety of its clients anymore. Whereas five years ago, mega-breaches were incredibly rare, today, we see them happening almost every month. Sadly, with each new compromise, the public is becoming more indifferent to the news, quickly dismissing the incidents and moving on with their lives.
However, on September 07, 2017, the news of Equifax losing privately identifiable data on 143 million Americans got everyone’s undivided attention. The prospect of having our most sensitive information available to the highest bidder on the dark web was more than disturbing. Round-the-clock discussion by the mainstream media, reminding the public about the impending repercussions were not helping either.
Yet when on October 03, 2017, Verizon announced that Yahoo lost not just 500 million records as was initially reported, but the data on its entire 3 billion member user-base, only a handful of experts raised the alarm. While the idea of having your social security and date of birth stolen, at first seems more disturbing than having your email address exposed to criminals, the latter may have a significantly more adverse effect.
The Use of Stolen Private Data in Fraud
Nowadays, obtaining privately identifiable (PII) records in order to commit identity fraud does not present much challenge to a determined criminal. For years, several underground services have been offering such data for only a couple of dollars, data which includes one’s Social Security number, date of birth and a history of all associated addresses and phone numbers.
Moreover, for about $50-$150 dozens of vendors will gladly sell you an entire background report based on your criteria, such as the desired credit score, geographical area, age, and gender.
However, here is the caveat most of the security analysts have never mentioned: to open a line of credit or perform an account-takeover attack, just having access to a random set of PII is nowhere near enough. Common notion assumes criminals begin their opportunistic endeavors with a set of PII data, and then move upstream, with vaguely defined goals.
In reality, the majority of identity theft victims are determined after criminals have already achieved the first stage of compromise, “worthiness” of the victim is confirmed, and only then a private data will be acquired to finalize a nefarious plan. Since companies have been fighting fraud for years, the process of identity verification will encompass a much broader validation obtained from a person’s credit and background reports. As a rule of thumb, among other things, a random set of questions such as the previous address, the name of current or past employer, and the amount of a car loan payment may be asked. Similar information would be needed to release an unauthorized bank transfer or to register a brand new cellphone account.
How criminals are using stolen identity to commit fraud
As you can see, obtaining a set of PII is a relatively trivial task; however, a highly detailed credit report is what is needed in order to complete a fraudulent operation successfully. If we are to believe Equifax that only personal names, Social Security numbers, birth dates, addresses and, some driver’s licenses were compromised, hackers have never obtained access to the most sensitive data – credit reports.
Why Fallout of Yahoo Hack may be More Dangerous Than Equifax Breach
Let us finally explain, why you should be more worried about the Yahoo breach than about Equifax losing your Social Security number. If you are not the CEO of a major corporation or do not work for a highly classified agency, it is very unlikely that someone will allocate significant resources to plan and execute a complex hacking attack. At the same time, most of us are more likely to fall victim of a random account takeover or to lose money because our banking login credentials were intercepted via malicious web-inject tools.
Because we tend to reuse the same passwords across a whole range of web services, three billion lost Yahoo passwords, although hashed, still represent an incredible opportunity for criminals to brute-force access to various payment, e-commerce and telecom accounts. However, along with passwords, the hack exposed associated names, birthdays, phone numbers, and, in some cases, “encrypted or unencrypted security questions and answers” At the same time many companies are heavily relying upon the same protection layer in order to detect a perpetrator from a legitimate user. If fraudsters can answer these secret questions, internal fraud controls are lowered automatically, and the opportunity to steal from you or to abuse your data is limitless.
Not to downplay the severity of the Equifax breach. When it’s bad, it’s bad. When it’s very bad, it’s devastating. We’ve entered a new age of digital economy, and we depend on the internet like never before. As much as we want to outsource all the stress related to the protection of our data to companies we deal with, at the end of the day it will be you and I, working tirelessly and spending thousands of dollars to restore our shattered financial and personal reputation. Therefore, we have no choice but to learn how to protect our personal information and minimize the damage if one of the companies we are dealing with is compromised.
First, start replacing your passwords with complex and randomly generated ones. Services such as 1Password and LastPass will cost you a couple of dollars monthly, however, they are worth every penny and work amazingly well in organizing and encrypting all your credentials. If you are an Apple user and can’t afford to subscribe to a third-party service, you can take advantage of the Keychain Access that is built into every iPhone and Mac computer.
Second, whenever the feature is available, activate two-factor authentication (2FA), and preferably, use mobile-based Google authenticator rather than your cell phone to receive one-time passcodes. Determined criminals can clone a sim card and intercept the code, while a mobile app can only be accessed from the device you control and provides the best level of security. Moreover, make sure the code confirmation not only required to log in but also whenever a transaction is initiated.
Last, activate alerts across all of your financial services for any amount. Criminals will often test an authorized transfer using a small amount prior initiating a large one. Having alerts in place will help you to spot suspicious activity immediately and prevent fraud from happening.