Saturday, September 16, 2017

Equifax Critics Missing the Point? Nope - The Lax Company Muffed A Critical Security Patch (Be Very Worried)

Diagram on personal exposure to Equifax (WSJ, Sept. 14, p. B1)

Reading the WSJ article 'Equifax Critics Are Missing The Bigger Point' (Sept. 13, p. A15) by Tufts University business prof Amar Bhide, had me wondering what planet he inhabited. It couldn't be the Earth. Bhide wrote:

"Outrage that Equifax exposed more than 143 million credit records to identity thieves misses the point. We really should worry about what makes impersonation so easy. Why do lenders know so little about the people to whom they issue credit?"

Later, Bhide complains about the emphasis on the FICO score, which "prevents factors that affect creditworthiness" from being seen. Hence the scores are overweighted by "statistical information that ignores crucial local circumstances". For example, "they do not recognize substance abusers or distinguish judges with life tenure from workers in plants scheduled to close", implying the latter are bigger credit risks than the noble, trustworthy judges.

In other words, Prof. Bhide is fixated more on the potential of likely identity thieves to wreak havoc after the fact than on the preventative security steps Equifax needed to take BEFORE it was hacked. But this puts the cart before the horse. It is obvious that numerous loopholes exist throughout our nation's health and financial systems within which breakdowns and hacks can occur. In the words of one TIME columnist ('Equifax and the Perils Of Password Protection', Sept. 25, p. 21):

"In the U.S. it's almost comically easy to hack someone's life. All you need are a few numbers to access most smartphones, a string of characters to access most email accounts and a handful of biographical details to steal most identities."

Of course, the Social Security number is the essential 'skeleton key' to 99.99% of all ID theft and that needs to change. The Social Security Administration has pointedly noted (WSJ, p. B1 today) it was never intended to be a universal ID number but rather to track workers' working years to figure benefits. What we need instead is an alternative number with vastly less potential for disaster. As long as 3 years ago, the Ponemon Institute's Annual Study on Patient Privacy and Data Security noted that the health care industry accounted for 44% of all data breaches in 2013, the most of any sector of the economy.

In fact, a survey done by the security firm ID Experts found that 90% of health care organizations polled had suffered a data breach during the past two years, with 38% having had more than five data breaches during that period. Twice in 2014, the FBI warned the health care industry that it is a prime target of hackers and that the industry's security measures were not adequate to meet the threat.

Worse, new legislation threatens to make the illegal thievery of health records and patient data even more rampant, e.g.

But it isn't just medical records. Systems and accounts at banks and large stores have also been compromised. Much of this is owing to the fact that excess information is demanded with so many financial transactions, including asking for the Social Security number, the key to one's identity. Many European friends of ours, indeed, are mystified and alarmed at how easy it is to grab information on most Americans. For just $39.95 many snoop websites promise to deliver the goods, including police records, bank account balances, etc. on anyone. Public records are also available for all voters in many states, which deliver the name, date of birth, gender, address, telephone number, voter registration and other ancillary data.

The wonder isn't that so many identity thefts and credit card crimes have occurred, but that so few have, in relation to what's out there.

In a way then, Bhide is correct to be concerned at the ease of impersonation when FICO scores are about the only measure for creditworthiness used. But he's wrong that this is the larger point, given that impersonation isn't what caused the Equifax hack and exposure of the 143 million records in the first place.

We now know, based on an update posted online from company officials:

"Criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638."

Note that the flaw in the Apache Struts framework was fixed on March 6. Three days later hackers were exploiting the flaw to install rogue applications on Web servers. But Equifax stated the breach on its site occurred in mid-May, more than two months after the flaw came to light and a patch was available.
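The timeline above (fix available March 6, breach in mid-May) is exactly the gap a patch-compliance check is meant to surface. The following Python is an added example of mine, not code from this post, from Equifax or from the Struts project: it takes a host inventory and an affected-version range and reports every host still running a vulnerable build, together with the number of days it has been exposed since the fix shipped. The hostnames, the version strings, the affected ranges and the May 13 stand-in for "mid-May" are all constructed sample data; in practice the affected ranges come from the vendor advisory for the CVE.

```python
"""Exposure-window check for a published fix (added example, not from the post)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Host:
    name: str        # inventory hostname (constructed sample data)
    component: str   # software component, e.g. "struts2"
    version: str     # deployed version string such as "2.3.28"


def parse_version(v: str) -> tuple:
    """Turn '2.3.28' into (2, 3, 28) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version: str, affected_ranges) -> bool:
    """True if `version` falls inside any inclusive (low, high) range."""
    pv = parse_version(version)
    return any(parse_version(lo) <= pv <= parse_version(hi) for lo, hi in affected_ranges)


def exposure_report(hosts, component, affected_ranges, fix_released: date, as_of: date):
    """For every host still on an affected build of `component`, return
    (hostname, version, days exposed since the fix became available)."""
    findings = []
    for h in hosts:
        if h.component == component and is_affected(h.version, affected_ranges):
            findings.append((h.name, h.version, (as_of - fix_released).days))
    return findings


# Constructed sample inventory and illustrative version ranges; real ranges are
# read from the vendor advisory for the CVE being tracked.
SAMPLE_HOSTS = [
    Host("web-01", "struts2", "2.3.28"),
    Host("web-02", "struts2", "2.3.32"),
    Host("web-03", "struts2", "2.5.10"),
    Host("web-04", "tomcat", "8.5.11"),
]
AFFECTED = [("2.3.5", "2.3.31"), ("2.5.0", "2.5.10")]
FIX_RELEASED = date(2017, 3, 6)   # fix date given in the text above
BREACH_DATE = date(2017, 5, 13)   # constructed stand-in for "mid-May"

if __name__ == "__main__":
    for name, ver, days in exposure_report(SAMPLE_HOSTS, "struts2", AFFECTED,
                                           FIX_RELEASED, BREACH_DATE):
        print(f"{name}: {ver} still affected, {days} days after the fix shipped")
```

Run as-is it lists web-01 and web-03 at 68 days of exposure; web-02 is on a build past the affected range and web-04 is a different component, so neither is reported. Tuple comparison also handles a four-part fix release correctly: a version such as "2.5.10.1" sorts above "2.5.10" and is not flagged.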

In other words, Equifax was derelict in doing the due diligence to install the security needed to protect its customers' credit records. THIS is where responsibility begins and ends. The matter of "impersonation" to steal the subsequently exposed records comes after the fact, as Prof. Bhide ought to know. In effect, had Equifax applied the security patch in a timely fashion, the threat of impersonation to unlawfully adopt another's credit identity would not be a matter of priority. Thus, the threat of the hack to gain access trumps the threat of impersonation to steal the credit records.

So now, because of Equifax's cavalier approach to web security, tens of thousands of frightened citizens are desperate to freeze their credit records to prevent fraud or worse, identity theft. On Wednesday Equifax share values dropped 15 percent according to the WSJ. They are also bound to continue dropping.

The WSJ also noted in another Business and Investing piece ('Credit Freezes Create Chill', Sept. 14, p. B1):

"Demand to sign up for freezes appears to be so great that some customers were complaining of delays or being unable to register on credit reporting companies' websites."

I managed to freeze my credit records at all three of the major companies (Equifax, TransUnion, Experian) but wifey has had problems at Experian. She also found there were others in the same boat, e.g.

If you do decide to take this step be sure that you understand:

1) It is a more drastic step than credit monitoring

2) It can make getting additional credit more cumbersome, say if you plan to get a car loan in the next few months.

3) You will need to have your assigned pins to access the frozen accounts, i.e. in order to "unfreeze" them.

The process itself is straightforward, but when you undertake it make sure you have all your financial data clear or on paper in front of you when you are asked the 3-4 questions to verify your identity. One wrong answer 'blows up' the process and prevents you from continuing. You will then likely have to send by snail mail all your confirming documents, including a copy of a recent bill and your Social Security card, say by certified mail. Bottom line? Don't screw up.

The WSJ (op. cit., (2)) claims that mass credit freezes enacted by millions of freaked out consumers will have a general 'freezing' effect on business and credit overall. That remains to be seen. In the meantime, citizens will definitely be making a firm statement that their credit records are off limits to any old snoop or spy, especially after the Equifax security fiasco. The safest way to go at this point? A full credit freeze, especially as your S.S. numbers may definitely have been snatched and be in use to change bank accounts and other personal, proprietary assets. (According to a front page story in today's WSJ, dozens of 'fraudulent calls' per week were received by Equifax, using personal data, e.g. Social Security numbers, to change to new bank accounts.) While a freeze imposes some minor inconvenience, it's nothing like trying to get back your identity once it's been stolen by a guttersnipe or other vermin.

One hopes that in the wake of this fiasco the other two credit companies, TransUnion and Experian, have taken note and ensured their own houses are in order!
