In aftermath of historic Equifax breach, cyber risks to banks rise as well as consumers
Thursday, September 14, 2017
Posted by: Brian Monroe
By Brian Monroe
September 14, 2017
In the aftermath of one of the worst data breaches in U.S. history, exposing sensitive personal and financial details of more than half the country's population, it is not only consumers who must be wary – financial institutions could also find themselves even more vulnerable to targeted phishing and malware attacks. To read an ACFCS sidebar on tips for consumers and banks, please click here.
Financial, business and personal aftershocks are still reverberating from the revelation by Equifax – part of the triune of credit reporting bureaus – that hackers took advantage of an unpatched security flaw to steal data on 143 million people. The historic incursion is largely the result of human error, the source of an estimated 90 percent of all successful cyberattacks.
The breach is yet another in a string of high-profile hacker wins in recent years that have punctured many of the country’s largest retailers, banks and government data hubs, attacks initiated by organized criminal groups, nation-state operations, fame-seeking opportunists and ideological hacktivists.
The attack is likely to impact institutions both indirectly and directly.
As criminal groups parse through the data, they may find employees working at large financial institutions – particularly those with executive positions, purview over large wires or staffers with high-level cyber clearances – and barrage them with mass phishing attacks, or more targeted spear phishing and business email compromise attacks.
Criminals can easily parse through data to cull emails from a particular bank and further sift through those for titles – details that are typically required when doing home and auto loans, the purview of Equifax.
With the depth of details available from the Equifax breach, hackers could send a detailed, believable email from a top-ranking bank officer to send high-value wires to certain companies, or even act like a company’s cybersecurity officer, directing employees to download a purported security update that is really malware or ransomware.
Apart from better protecting customers, banks could find themselves under smarter and more targeted attacks as a result of the breach, said Neal O’Farrell, founder of the Identity Theft Council, a Walnut Creek, Calif.-based group creating law enforcement and business partnerships to thwart cyber criminals and support identify theft victims.
“The easiest thing for a hacker to do after crunching the data is attack a bank with a phishing scheme,” O’Farrell said. “It will be a mixture of broad phishing, drift net attacks, and spear phishing emails,” potentially targeting banking executives and staffers with high-level security clearances.
Some criminal groups could even be creative enough to act as a security company offering services to prevent and respond to cyber attacks, even offering a purported “exclusive seminar." All bank staffers have to do is “click here to register,” and the link is malware, a trojan to get even more data.
“I have seen it again and again. Sometimes the most dangerous people in the organization are the C-suite,” he said.
To protect themselves, the Federal Trade Commission and other groups are advising customers to check the Equifax site to see if their data has been compromised and, if so, consider engaging in a “credit freeze,” that will halt any and all loans taken out in that person’s name.
In Equifax breach, hackers hit motherlode
The company last week stated that hackers captured a veritable treasure trove of data – enough to create synthetic and fake identities, create credit cards and loans and possibly even directly steal from current credit card and bank accounts. The information stolen includes names, Social Security numbers, birth dates, addresses and in some cases, driver’s license numbers.
The unknown group behind the attack also stole credit card numbers for about 209,000 people, and dispute documents with personal identifying information for about 182,000 people, including some residents of Canada and the United Kingdom, according to the company.
The breach lasted from mid-May through July. Equifax is under fire for not reporting the breach until recently, several weeks later and after several top company officials dumped more than a million dollars in stock – a prescient move as the company’s stock price has plummeted more than $50, from $142 to around $90.
Some pundits have even prognosticated the brewing federal and state investigations and consumer class action lawsuits could cause Equifax to fold.
That potential future for a company around since 1899 and with revenues of more than $3 billion last year reinforces that cybersecurity has risen to be on par with anti-money laundering (AML), fraud, corruption and other financial crime and compliance risks.
The company also suffered additional reputational damage when it steered victims to use a new service plan to provide protection and insurance for a year – but then allegedly buried in the fine print that doing so would bind groups using it to arbitration, negating their chance to sue for damages.
Under pressure from authorities, Equifax has apparently dropped that language from the service – which victims will have to pay for after the first year, even though the reason they were forced to pay for the service is due to the hack of Equifax.
That situation is raising the communal eyebrows of commentators, and decried by consumers in droves on online forums.
It is a serious attack with country-wide ramifications – some say consumers may have to more closely monitor their credit history for years if not for life. Yet there have been some moments of levity coming this week, when Equifax tried to blame the breach on a web application vulnerability.
In an update on its site posted Wednesday, Equifax stated it has been “intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted.”
As a result, they concluded that “criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638,” which dated back to March. Apache Struts is an open source framework for creating enterprise-grade Java applications.
Then, on Thursday, the Apache Software Foundation responded that the application, used by many of the world’s largest banks, government agencies and technology firms, had been patched on March 7, the “same day it was announced. In conclusion, the Equifax data compromise was due to their failure to install the security updates provided in a timely manner.”
In short, Apache made no bones stating that the Equifax data breach is due to the company not installing an available patch in March – something easily preventable that could now affect tens of millions of Americans for an untold number of years.
Banks may have to tweak AML, fraud systems to better protect customers
If you are a bank, the data breach is “going to hit you at some point,” said O’Farrell, who has more than 30 years of experience in financial services and cyber countermeasures advising companies, governments and technology firms. “This is not just Equifax customer data. This is your customer’s data.”
Banks also must take a different tack than Equifax, which is no doubt trying to get over the breach and out of the news in as short a time as possible.
“Equifax officials will try to get over this breach quickly, as that is what their crisis communications team will tell them,” said O’Farrell.
“But banks must take the opposite tack,” he said. “They need to tell their [fraud and financial crime compliance teams] to have their shields up for the next year. Frankly, they should be up anyway as financial institutions are attacked higher than any other industry. This hack is a great reminder you can do more and you have to do more” when it comes to cybersecurity.
To better protect customers, banks may have to tune their transaction monitoring systems to be more sensitive in triggering alerts at lower thresholds for aberrant behavior, as well as create internal and external alarms that warn analysts at the same time as pinging customers to ensure they are the real ones initiating a new loan, wire or credit line that appears out-of-scope with past transactional behavior, O’Farrell said.
Part of that initiative could be in the form of automated alerts to known customer phone numbers and email addresses before allowing certain transactions, particularly if they involve foreign locales or are large cash withdrawals, and halting the movement of funds until a customer proves they are in actuality the originator.
As well, the hack could nudge more banks to adopt multi-factor authentication, something certain institutions have been reticent to do to not create friction in customer transactions – but what could reap huge dividends when customer data is broached, he said.
Even so, those might not be enough due to the breadth of the breach, O’Farrell said, adding that banks may have to alert customers directly about the breach so both parties can work in a closer partnership to thwart criminal groups profiting from the data in a “frank, come to Jesus” discussion that could make it easier for customers to jump through additional security hoops.
Equifax is already attempting mea culpas to assuage building consumer vitriol.
Equifax Chief Executive Officer Richard Smith apologized Tuesday in a USA TODAY op-ed, stating that the company at first didn’t realize the extent of the breach, noting it believed "the intrusion was limited" after discovering it on July 29.
“We are devoting extraordinary resources to make sure this kind of incident doesn’t happen again,” Smith said. “We will make changes and continue to strengthen our defenses against cyber crimes.”
In the Equifax hack, though, there are bevy of lessons to take away to improve cyber preparedness, resilience and recovery, including quickly patching systems when updates are available, better encrypting large blocks of data and restricting access to sensitive systems and data hubs, O’Farrell said.
“In the world of cybercrime and identity fraud, there is really a conspiracy of failures,” he said. “There are failures by all of us, such as a patch being available and people knew about it, but it was never implemented. Companies need to make it clear that if someone doesn’t make sure everything is patched, tested and double-checked properly, their job is on the line.”