How to be Secure in the Aftermath of Equifax


Illustration by Aria Dines

Several students and faculty at RIT may be among the over 143 million American consumers affected by the massive Equifax cyber breach that came to light last month. Millions of transactions were stalled as consumers had to prove their identities even while buying groceries at the supermarket.

The breach entailed credit card numbers, social security numbers and other personal information that can easily be used for malicious purposes. It is still unknown how this data will be utilized, but precautions must be taken to be certain that people's information does not get abused.

Equifax is an organization that collects and harvests data about consumers and sells it to other organizations. Being one of the only credit monitoring agencies around, people would be hard-pressed to avoid them entirely. That ubiquity has also helped create a system where a failure on their part means that many more people's data is at risk — thus emphasizing the need for security.

The events surrounding the Equifax breach transpired as follows:

  1. Mid-May–July 2017: The timeframe Equifax claimed hackers gained unauthorized access.
  2. Thursday, July 29: Equifax discovered the hack and immediately stopped the intrusion.
  3. Tuesday, Aug. 1 and Wednesday, Aug. 2: According to NPR, three top executives from Equifax sold nearly $2 million worth of company stock.
  4. Thursday, Sept. 7: Equifax officially alerted the public about the security breach and provided a dedicated website for consumers to check if they were affected. Later on that night, the company also issued a statement saying the three executives “had no knowledge that an intrusion had occurred at the time they sold their shares.”
  5. Friday, Sept. 8: Shares of Equifax shed more than 13 percent of their value in trading. Sen. Elizabeth Warren (D-Mass.) tore into the company on Twitter for trying to push customers to give up their right to sue (customers were offered post-breach services by Equifax in exchange for their right to sue the company for mishandling the information).

“You are not Equifax’s customer, you are their product,” said Bill Stackpole, a full-time professor in RIT's Computing Security department. “The people exposed aren’t customers and so have no coverage.”

The breach was caused by a vulnerability present in a web application used by Equifax called “Apache Struts.” Interestingly, a fix for the issue was available on March 6, at least two months before the breach. Equifax neglected to update their software, which led to the loss of immense amounts of data.

Forbes Magazine has also claimed that the website provided to consumers after the breach had cross-site scripting vulnerabilities, a class of vulnerability that enables an attacker to push commands to a website and retrieve data as consumers log in. This can easily be exploited to access personal information as it is being entered into the website. As of now, there is no confirmation that this issue has been patched.

Additionally, Ars Technica pointed out that Equifax's website had again been hacked recently, this time pushing fraudulent Adobe Flash updates which were actually crapware. Ultimately, the revelation prompted Equifax to pull the page down for maintenance.

“Equifax's inability to keep up with security updates reflects how poorly consumer information is being handled,” said Josephine Wolff, an assistant professor in RIT's Public Policy and Computing Security departments. Wolff added that Equifax is indeed responsible for the initial breach and that there isn’t much that could have been done by the public to avoid this situation.

“Credit bureaus like Equifax are the heart of the financial system,” she explained. Wolff noted that the general public's only choice would be to opt out of the bank loan/credit card economy and survive on a cash-only existence.

Post-Breach Remediation

There are two steps that can be taken to better monitor how secure you are. The following are highly recommended for people affected by the breach, especially since the motives of the hackers are still unknown.

“I had my bank set [a Credit Freeze] up as soon as I heard about the Equifax breach. It is a method to have security in exchange for additional forms and information being sent out,” Stackpole mentioned. “No one will keep your information safer than you.”

For more information, one could go to the Federal Trade Commission's (FTC) site. The agency is in charge of protecting U.S. consumers and is the most accurate source of information on credit monitoring solutions.

Prevention

“Paying attention is key: learning to say no to agents requesting information that does not seem required and monitoring how much information you give out is key in reducing the chance of your information being compromised,” Stackpole stated. In his mind, people need to start believing that everyone (including themselves) could be targeted and have their information exploited.

All credit bureaus offer free credit reports for the year and it is worthwhile to check them to make sure things are in order. Should one's information get compromised, implementing fraud alerts or credit freezes can be just as valuable. While being extra secure can be inconvenient, many breaches are enabled because not enough people (or organizations) take these steps often enough.

Keeping close relations with your bank, for instance, and contacting them often can help keep everything in check. Ultimately, always striving to be aware of how secure you are can make you that much more prepared to share information securely and of course be safe for the next unexpected breach.