'Fake news' becomes a business model: researchers

For a few bracing weeks this fall, consumers harmed by Equifax, Wells Fargo or another financial institution had the right to their day in court.

But in late October, Senate Republicans voted to overturn the newly minted rule by the Consumer Financial Protection Bureau, which gave consumers the right to join class-action lawsuits against banks, credit bureaus and lenders. Now  consumers' only recourse is a secret arbitration hearing – which corporations win 93 percent of the time.

“This vote marked a truly shameful moment in Congress, said Amanda Werner, campaign manager for Americans for Financial Reform and Public Citizen, who dressed as Monopoly Man to “troll” Equifax CEO Richard Smith during a Senate hearing in October. “Just weeks after holding hearings on scandals of historic proportion, the Senate granted Equifax and Wells Fargo a ‘Get Out of Jail Free’ card.”

Werner maintains it’s now unlikely Equifax will be held accountable for the errors leading to its massive security breach – errors that consumer advocates say they’d expect to find in a small, not-so-savvy business rather than in a multibillion dollar global security company.

Equifax’s “rookie mistakes”

Meanwhile, cybersecurity experts are mystified at how a giant multinational like Equifax had such lax control over customer data security.

Besides the security issues that led to the hacking of 145 million accounts, the credit bureau used stunningly simple PIN numbers that were composed of the date and time that someone signed up for its free identity theft tracking after the breach – an easy-to-break PIN first reported in this column on September 9.

“Absolutely yes, this is a rookie mistake,” says Wes Moehlenbruck, MS, CISSP, CEH, CHFI, a California-based senior cybersecurity engineer with a master of science degree in cybersecurity. “The PINs used to lock and unlock credit files were simply based on the time and date – nothing more complicated than that. Turns out they had been doing that for a long time. Clearly, in using such a simplistic approach in PIN generation, a user’s PIN could easily be guessed or brute-forced by testing every possible combination using a computer program.”

Moehlenbruck says the other error revolved around PIN integrity. “All [a potential hacker] needed was to possess the PIN; you didn’t need to be authorized to use it,” says Moehlenbruck. “Normally a company would use what we call 2FA, or two-factor authentification, which requires all users to “authenticate” receipt of a pin via an additional channel or key piece of information, such as an email address, cell phone number, and so on. This is because a PIN or password can be easily guessed, but obtaining the victim's cell phone and login to their authenticator application is much harder. 2FA is common practice now on banking websites, email accounts, and social media.  We’re all surprised that a company the size of Equifax isn’t current with the times.

Moehlenbruck points to a still more alarming example “of some very grossly negligent security practices” at Equifax.” As reported by security researcher Brian Krebs within a week of the Equifax breach and picked up in TechCrunch, a company called Hold Security LLC investigated Argentina’s Equifax site “and unbelievably, found it was ‘protected’ by the user name ‘admin’ and the password ‘admin.’” (!)  Once the investigators typed in that combo, they had access to all the users’ names and emails. And, after cracking another “unbelievably” bad Equifax ID and password combo, which consisted of the employees’ last names for both slots, researchers could access and modify all kinds of private information, including the Argentine version of the employees’ social security numbers.

“‘Admin/admin’ as a database password is a surefire way to get hacked almost instantly,” Moehlenbruck says. “A production database with this account smells of poor security policy and a lack of due diligence rather than simple oversight. Breaches at Equifax or other companies will continue unless information security becomes top priority at the highest levels of the organization.”

There is no perfect security, Moehlenbruck adds, “but this breach should be a reminder to everyone to change their passwords, pins and security questions regularly, as well as enable 2FA on all the sites that provide it...In fact, if your bank doesn’t offer it, you should change banks.”

In a roundtable discussion on the Equifax breach this fall with Security Solutions Watch, some experts remarked mordantly that the “Internet of Things” was fast becoming the “Internet of Insecure Things.” One reason for the increased attacks, Cyberinc CEO Samir Shah suggested, is that many corporations are far behind the times when it comes to hackers.

“The real question we should be asking ourselves is will anything change in how companies protect against attacks,” said Shah, whose information security company offers an integrated solution to malware and other cyberattacks. He said attackers are quick to take advantage of weak or outdated access systems or to use advanced malware to sneak inside a company’s platform through browsers. “As this latest attack suggests, it certainly is time for a change.”

Equifax’s post-attack snafus

But change is slow in coming. Even after the Equifax security hack, which opened up nearly half the country to potential identify theft, the security giant stumbled again.

As discussed in my last Equifax story for Forbes, Equifax created a site where people could enter the last four digits of their social security number to see whether they were caught up in the security breach. Unfortunately, according to a a story in Mashable, a prankster cloned that site and used a similar URL to host it. Not realizing the error, Equifax tweeted out a link to the phishing site eight times (Mashable provided screenshots).

Moehlenbruck attributes the debacle to human error and a likely hole in Equifax’s overall security information assurance (IA) training. “The Twitter story hints strongly at a lack of adequate security awareness training, which if provided at least annually, might have prevented the embarrassment of re-tweeting a phishing site link from the Equifax Twitter account not once, but 8 times!” said Moehlenbruck. “You would think that this type of training would be front and center of every employee's mind when interacting online for one of the largest credit monitoring companies, especially right after the breach.”

The apparent lack of adequate IA training may have left Equifax more vulnerable to attack, according to Moehlenbruck. The breach was reportedly made possible by the failure to patch a critical vulnerability in Apache Struts, though Equifax  was aware of the vulnerability, he said. But from what he’s read, Moehlenbruck says, “The real problem was a very poor focus on information security at the highest levels of the company – what we call C-level [CEO, CIO, CSO-suite level]. Training is great if it's practiced and preached throughout the organization. But evidence hints to the contrary.”

As one example, he points to Equifax’s choice for its chief of security, who retired after the recent breach and whose LinkedIn profile (now scrubbed) did not list any advanced technology or security training, according to news reports. Some news outlets pounced on the finding that her college degree was in music composition, prompting a rightful backlash from liberal arts majors turned engineers and tech leads. Moehlenbruck agrees that a music major in no way hampers someone from working in tech, but anyone in the position of chief security officer, he says, “should have a deep background in information security, whose policies and practices need to come from the top-down throughout the organization.”

“In its business model, customer privacy and data is Equifax's biggest concern and most prized asset,” Moehlenbruck observes. “But it seems that adequate security training and other best practices weren't in place to guard it.”

Consumer advocates say that the best way to drive home that and other pro-consumer messages is to take negligent corporations to court. Of course, the Senate and Trump just took away consumers' right to sue financial institutions, noted Rosemary Shahan of Consumers for Auto Responsibility and Safety (CARS), adding that many car owners ruined financially in an auto loan scandal at Wells Fargo now have little hope for justice. “It hurts, but we’ll keep on fighting,” she says. “I expect more people will send a message on election time, especially since abuses will likely proliferate – especially because corporations no longer feel they have to be on their best behavior.”

Source: AFP