This blog is credited to Derek Weakley, a valued manager of the U.S. Information Security Architecture team.
Identity verification methods everywhere are impacted
Equifax, one of the three major U.S. credit bureaus, was breached between May and July of 2017. The repercussions remain an active threat to personal and company assets. The breach is estimated to affect as many as 143 million U.S. consumers in some way, but, as we often find with breach notifications, initial numbers and impact estimates are usually conservative and the true figures may be greater.
The impact of this breach goes far beyond a simple information disclosure. Attackers anywhere in the world may use the stolen data to:
- Initiate account resets via password reset or "forgot password" links
- "Verify" identity for phone-based and other knowledge-based verification
- Gain unauthorized access to your accounts
- Commit identity fraud and theft
Credit bureaus and financial institutions often use information from your credit report (name, Social Security number, date of birth, address history, prior loans) to verify your identity. That information must now be assumed to be in attackers' hands. To minimize the impact of this breach, we strongly recommend that any service relying on such data be promptly augmented with additional security controls so that the identity verification process does not rest on it alone.
What should consumers do?
Consumers need to take action to minimize impact to their accounts.
- Set up two-factor authentication immediately wherever it is offered. Many internet-based services such as email, site hosting, payroll servicers, banking institutions and payment processors already support it.
- Actively monitor your credit reports (continuously, not just once a year).
- Actively and regularly monitor debit and credit card accounts for unexpected transactions.
- Consider placing a credit freeze with each bureau. At the time of writing a freeze is available for a small fee from each bureau, and "thawing" a frozen report costs money each time. Most consumers rarely need to thaw their report, so the freeze is a low-friction control for most people.
- Set up free fraud alerts with the credit bureaus.
- Notify family and friends to also take action.
It is strongly advised not to enter your information into any site that claims to check whether you were affected, including the verification site run by Equifax, TrustedID. Given the size of this breach, it is safe to assume you are affected. If you were in fact not affected, there is no reason to volunteer your information (the last six digits of your Social Security number plus your last name) to a site maintained by the same company that was just breached. Treat the TrustedID service with skepticism for now.
What can technology providers or implementers do?
Information technology and security implementers must assume that many of the knowledge-based factors they use for identity verification are now potentially compromised. Incorporate as many additional factors as is feasible into password reset functions. A password reset process is an authentication path in its own right and should provide the same level of identity assurance as the primary login: the combined strength of the reset factors should always meet or exceed the primary authentication method's controls, otherwise the reset flow becomes the weakest link.
Consider the following controls in addition to basic security practices:
- SMS verification (2FA). Better than knowledge-based questions alone, but vulnerable to SIM-swap and number-porting fraud; do not treat it as equivalent to a token.
- Hardware/software token (2FA). The strongest of the options listed here.
- Email verification (2FA). Only as strong as the mailbox it is sent to; make sure the mailbox itself cannot be reset using the same compromised data.
- Automated voice verification systems (2FA).
- Generic error messages. Do not confirm or deny an account's existence in error messages or in timing differences between the "account exists" and "account does not exist" paths.
- Time delay or rate limiting between authentication and reset attempts.
- Adjust help desk reset procedures as necessary to incorporate new controls.
- Inventory where and how personal information is used in your organization for identity verification.
- Notify employees of this breach.
- Consider disabling internet-based reset functions if not required.
- Encrypt sensitive information at rest, including account reset questions.
- Communicate to your clients/consumers that you are aware of the situation and are monitoring it closely.
- Consider technologies such as CAPTCHA to fend off attackers targeting large amounts of users.
- Implement detective controls to alert on failed attempts, multiple successful resets from singular sources, and other irregular activities.
- Block IP addresses of suspected threat actors based upon detected activities.
- Lock accounts suspected of unauthorized access.
- Require an administrative unlock for such accounts, rather than a self-service unlock that relies on the same compromised factors.
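As an added example (not code from the original post or from Equifax), the following Python sketch shows how the reset-function controls in the list above fit together: a generic response that neither confirms nor denies an account, a time delay between attempts from one source, a single-use token checked in constant time, and a detective control that scans reset audit lines for many failures from one source and for multiple successful resets from one source. All class and function names, thresholds, the audit-line format and the IP addresses are assumptions chosen for illustration, and the sample log lines are constructed.

```python
"""Added example, not code from the original post: a minimal password-reset
front end applying the controls above, plus a detective control over its
audit log. Names, thresholds, log format and addresses are assumptions."""
import secrets
import time
from collections import defaultdict

# Same message for every outcome, so the response does not reveal account existence
GENERIC_RESPONSE = "If an account exists for that address, reset instructions have been sent."
MIN_INTERVAL_SECONDS = 30   # assumed minimum delay between attempts per (source, account)
FAILURE_THRESHOLD = 5       # assumed: failed/throttled attempts from one source before alerting
RESET_THRESHOLD = 2         # assumed: successful resets from one source before alerting


class ResetService:
    def __init__(self, accounts, clock=time.monotonic):
        self.accounts = accounts    # email -> dict with "password_hash" (assumed shape)
        self.clock = clock          # injectable so the delay can be tested without sleeping
        self.last_attempt = {}      # (source_ip, email) -> time of last accepted attempt
        self.audit = []             # one line per decision, consumed by detect_reset_abuse

    def _log(self, source_ip, email, result):
        self.audit.append(f"src={source_ip} account={email} result={result}")

    def request_reset(self, email, source_ip):
        """Step 1: accept a reset request. Returns the same text whatever happened."""
        now = self.clock()
        key = (source_ip, email)
        last = self.last_attempt.get(key)
        if last is not None and now - last < MIN_INTERVAL_SECONDS:
            self._log(source_ip, email, "throttled")
            return GENERIC_RESPONSE
        self.last_attempt[key] = now
        token = secrets.token_urlsafe(32)   # generated on both paths to keep them alike
        if email in self.accounts:
            # In production the token is delivered out of band (email/SMS/voice)
            self.accounts[email]["reset_token"] = token
            self._log(source_ip, email, "token_issued")
        else:
            self._log(source_ip, email, "unknown_account")
        return GENERIC_RESPONSE

    def complete_reset(self, email, token, source_ip, new_password_hash):
        """Step 2: redeem the token. Constant-time comparison, single use."""
        record = self.accounts.get(email)
        expected = record.get("reset_token") if record else None
        if expected is not None and secrets.compare_digest(expected, token):
            record["password_hash"] = new_password_hash
            del record["reset_token"]
            self._log(source_ip, email, "reset_completed")
            return True
        self._log(source_ip, email, "bad_token")
        return False


def detect_reset_abuse(log_lines, failure_threshold=FAILURE_THRESHOLD,
                       reset_threshold=RESET_THRESHOLD):
    """Detective control over 'src=... account=... result=...' audit lines.

    Flags sources with many failed attempts (enumeration / brute force) and
    sources that completed several resets (one attacker resetting many victims).
    Returns a sorted list of (alert_type, source_ip, count) tuples.
    """
    failures = defaultdict(int)
    successes = defaultdict(int)
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split())
        src, result = fields["src"], fields["result"]
        if result in ("unknown_account", "throttled", "bad_token"):
            failures[src] += 1
        elif result == "reset_completed":
            successes[src] += 1
    alerts = [("many_failures_single_source", src, n)
              for src, n in failures.items() if n >= failure_threshold]
    alerts += [("multiple_resets_single_source", src, n)
               for src, n in successes.items() if n >= reset_threshold]
    return sorted(alerts)


# Constructed sample audit lines (not from any real system), using documentation IPs
SAMPLE_LOG = [
    "src=198.51.100.7 account=a@example.com result=unknown_account",
    "src=198.51.100.7 account=b@example.com result=unknown_account",
    "src=198.51.100.7 account=c@example.com result=unknown_account",
    "src=198.51.100.7 account=d@example.com result=token_issued",
    "src=198.51.100.7 account=d@example.com result=throttled",
    "src=198.51.100.7 account=d@example.com result=bad_token",
    "src=203.0.113.9 account=x@example.com result=reset_completed",
    "src=203.0.113.9 account=y@example.com result=reset_completed",
    "src=192.0.2.4 account=alice@example.com result=token_issued",
    "src=192.0.2.4 account=alice@example.com result=reset_completed",
]


class FakeClock:
    """Deterministic clock for exercising the time delay without sleeping."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds
```

Running `detect_reset_abuse(SAMPLE_LOG)` flags 198.51.100.7 (five failed or throttled attempts) and 203.0.113.9 (two completed resets from one address), while 192.0.2.4 is left alone; a second `request_reset` for the same account from the same source within 30 seconds is logged as `throttled` but still receives the identical generic text, and the same text is returned for an address that does not exist. In a real deployment the audit lines would go to your SIEM and the alerts would feed the IP-blocking and account-locking controls listed above.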
This breach will affect millions of Americans and businesses for years to come. It is important that we take immediate action to protect the accounts of our friends, family and colleagues. Never give out personal information unless it is absolutely necessary, and always question whether such information is really required. By implementing strong authentication methods, maximizing preventive controls and actively monitoring accounts and activity, we can collectively minimize the impact of this breach.