Bottom Line Upfront:
The Anatomy of Attacks
In our day and age, no company can be entirely certain of its network integrity, nor can it still guarantee the safety of its clients' data. Whereas five years ago mega-breaches were rare, today we see one almost every month. Sadly, with each new compromise the public grows more indifferent, quickly dismissing the incident and moving on.
However, on September 07, 2017, the news that Equifax had lost personally identifiable information on 143 million Americans got everyone's undivided attention. The prospect of our most sensitive records being sold to the highest bidder on the dark web was more than disturbing, and the round-the-clock coverage by mainstream media, reminding the public of the impending repercussions, was not helping either.
Yet when, on October 03, 2017, Verizon announced that Yahoo had lost not just the 500 million records initially reported but data on its entire user base of 3 billion accounts, only a handful of experts raised the alarm. Having your Social Security number and date of birth stolen seems, at first, far worse than having your email address and password exposed to criminals, but the latter may have a significantly more adverse effect.
The Use of Stolen Private Data in Fraud
Nowadays, obtaining personally identifiable information (PII) in order to commit identity fraud presents little challenge to a determined criminal. For years, several underground services have offered such records for a couple of dollars each: a person's Social Security number, date of birth, and a history of all associated addresses and phone numbers.
Moreover, for about $50-$150, dozens of vendors will gladly sell an entire background report matching the buyer's criteria, such as the desired credit score, geographical area, age, and gender.
However, here is a caveat that most security analysts never mention: to open a line of credit or carry out an account takeover, a random set of PII is nowhere near enough. The common assumption is that criminals start with a set of PII and then work upstream toward vaguely defined goals.
In reality, most identity-theft victims are selected only after the criminal has already achieved an initial compromise and confirmed that the victim is "worth" the effort; the private data is acquired last, to finalize the scheme. Because companies have been fighting fraud for years, identity verification draws on a much broader set of facts taken from a person's credit and background reports. As a rule of thumb, knowledge-based authentication will ask, among other things, for a previous address, the name of a current or past employer, or the monthly amount of a car loan payment. Similar information is required to release an unauthorized bank transfer or to register a brand-new cellphone account.
As you can see, obtaining a set of PII is a relatively trivial task; what is actually needed to complete a fraudulent operation is a highly detailed credit report. If we are to believe Equifax that only names, Social Security numbers, birth dates, addresses and some driver's license numbers were compromised, the attackers did not obtain the most sensitive data of all: the credit reports themselves.
Why Fallout of Yahoo Hack may be More Dangerous Than Equifax Breach
Let us finally explain why you should be more worried about the Yahoo breach than about Equifax losing your Social Security number. Unless you are the CEO of a major corporation or work for a highly classified agency, it is very unlikely that anyone will allocate significant resources to plan and execute a targeted attack against you. Most of us are far more likely to fall victim to an opportunistic account takeover, or to lose money because our banking credentials were intercepted by the web-inject modules of commodity banking malware.
Because we tend to reuse the same passwords across a whole range of web services, three billion leaked Yahoo passwords, although hashed, still represent an enormous opportunity for criminals: depending on how the hashes were computed, the plaintexts can be recovered offline with dictionary attacks and then replayed against payment, e-commerce and telecom accounts where the same password was reused (credential stuffing). Along with passwords, the breach exposed the associated names, birthdays and phone numbers and, in some cases, "encrypted or unencrypted security questions and answers". Many companies rely on exactly that layer of security questions to distinguish a legitimate user from an impostor. If fraudsters can answer those questions, internal fraud controls are relaxed automatically, and the opportunity to steal from you or abuse your data becomes practically limitless.
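To make the mechanism concrete, here is an added example written for this page; it is not code from the original article and makes no claim about how Yahoo or any other breached site actually stored passwords. It assumes a constructed dump of unsalted MD5 hashes for a breached "Site A", a small constructed wordlist, and a second "Site B" that stores passwords properly with per-user salts and PBKDF2-HMAC-SHA256. All e-mail addresses, passwords, the hash choices and the iteration count are illustrative assumptions. The example shows three things: an unsalted fast hash lets an attacker crack every account for the cost of hashing the wordlist once; salting and a slow KDF multiply that cost by the number of accounts and iterations; and none of Site B's good hashing helps a user who reused a password that was cracked from Site A, because the attacker simply logs in with the recovered plaintext.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# --- Site A: the breached site. Constructed dump of unsalted MD5 hashes.
# MD5 is used here only as an example of a fast, unsalted hash; this is an
# assumption for the demo, not a statement about any real breached site.

def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

LEAKED_DUMP: Dict[str, str] = {
    "alice@example.com": md5_hex("Summer2017!"),
    "bob@example.com":   md5_hex("correct horse battery staple"),
    "carol@example.com": md5_hex("password123"),
}

# Constructed wordlist; real attacks use lists with hundreds of millions of entries.
WORDLIST: List[str] = ["123456", "password", "password123", "letmein", "Summer2017!", "qwerty"]


def crack_unsalted(dump: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Offline dictionary attack on unsalted hashes.

    Each candidate is hashed once and looked up against every account, so the
    work is len(wordlist) hash operations no matter how many accounts leaked.
    Returns (email -> recovered password, number of hash operations performed).
    """
    table = {md5_hex(w): w for w in wordlist}
    cracked = {email: table[h] for email, h in dump.items() if h in table}
    return cracked, len(wordlist)


# --- Site B: a second service where users may have reused their Site A password.
# It stores passwords properly: per-user random salt + slow PBKDF2-HMAC-SHA256.
ITERATIONS = 50_000  # kept modest so the demo runs quickly; production uses more


def pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, pbkdf2(password, salt)


def verify(password: str, record: Tuple[bytes, bytes]) -> bool:
    salt, digest = record
    return hmac.compare_digest(pbkdf2(password, salt), digest)


# Constructed Site B accounts: alice and carol reused their Site A password,
# bob chose a different one.
SITE_B: Dict[str, Tuple[bytes, bytes]] = {
    "alice@example.com": make_record("Summer2017!"),
    "bob@example.com":   make_record("a-different-passphrase-for-B"),
    "carol@example.com": make_record("password123"),
}


def crack_salted(accounts: Dict[str, Tuple[bytes, bytes]],
                 wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """The same dictionary attack against salted, slow hashes.

    The per-user salt forces a fresh PBKDF2 computation for every
    (account, candidate) pair, so the work grows as
    len(accounts) * len(wordlist) * ITERATIONS instead of len(wordlist).
    Returns (recovered passwords, number of PBKDF2 calls made).
    """
    cracked: Dict[str, str] = {}
    calls = 0
    for email, (salt, digest) in accounts.items():
        for w in wordlist:
            calls += 1
            if hmac.compare_digest(pbkdf2(w, salt), digest):
                cracked[email] = w
                break
    return cracked, calls


def credential_stuffing(cracked_from_a: Dict[str, str],
                        site_b: Dict[str, Tuple[bytes, bytes]]) -> List[str]:
    """Replay passwords recovered from Site A's dump against Site B's login.

    Site B's strong hashing does not help here: the attacker never touches
    Site B's hashes, they just submit a known plaintext through the normal
    login path. Only users who reused their password are affected.
    """
    return sorted(email for email, pw in cracked_from_a.items()
                  if email in site_b and verify(pw, site_b[email]))
```

Running `crack_unsalted(LEAKED_DUMP, WORDLIST)` recovers alice's and carol's passwords with six MD5 calls in total, and `credential_stuffing` on that result logs straight into both of their Site B accounts; `crack_salted(SITE_B, WORDLIST)` recovers the same two passwords but costs fourteen PBKDF2 calls of 50,000 iterations each, and that cost keeps rising with every additional account and candidate. The defence on the user side is the one the article is leading to: a distinct password per service, so that a crack at one site buys nothing at the next.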
Outcome
None of this is meant to downplay the severity of the Equifax breach. When it's bad, it's bad; when it's very bad, it's devastating. We have entered a new age of digital economy and depend on the internet like never before. As much as we would like to outsource all the stress of protecting our data to the companies we deal with, at the end of the day it will be you and I working tirelessly, and spending thousands of dollars, to restore a shattered financial and personal reputation. We therefore have no choice but to learn how to protect our personal information and to minimize the damage when one of the companies we deal with is compromised.