
October 12, 2017 6 mins

Equifax received a lot of criticism for how it handled a recent hacker intrusion that resulted in the theft of information belonging to potentially millions of people. To make matters worse, the tool Equifax created to help potential victims has problems of its own.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:04):
Equifax poured metaphorical lemon juice on a paper cut after
company representatives directed customers to a fake site to find
out if they had been affected by a security breach.
I'm Jonathan Strickland, and this is TechStuff Daily. On
July en, hackers gained access to Equifax's database. Equifax is

(00:29):
a consumer credit reporting agency. Along with Experian and TransUnion,
it is part of the Big three credit reporting agencies,
and the company has records on more than eight hundred
million people and their credit histories. A vulnerability on Equifax's
website allowed the hackers to snoop around and take an
enormous amount of information, including credit card numbers for more

(00:50):
than two hundred thousand people and personal identifying data for
a hundred eighty two thousand people, including social security numbers.
It's possible that the breach affected as many as one
three million people to some degree. As security breaches go,
this one was particularly bad. It led to discussions about
everything from network security to the United States' reliance on

(01:13):
the Social Security number system for just about everything. The
company kept the breach under wraps until early September twenty seventeen.
At that time, Equifax launched a tool that was supposed
to help customers determine if their data was among the
information stolen by hackers, so that they might then make
an informed decision about what to do next. Right away,

(01:34):
reports came out that the tool itself didn't appear to
be reliable. This wasn't helped when Equifax itself began to
send people to a fake testing site. The site Equifax
set up to help people verify whether or not they
had been affected has the URL www dot
Equifax Security seventeen dot com. The URL sets

(01:57):
this page apart from the primary domain, Equifax dot com,
and that's a big problem. At least one Equifax representative
tweeted out the wrong link to a potential victim. That
link was security Equifax dot com. The words Equifax and
security were swapped. Equifax deleted this incorrect tweet, but as

(02:20):
you're probably aware, nothing is ever truly deleted from the Internet.
That mistake in URL would lead users to
an actual site. If the dark mirror version of our
universe were the one we were in, that site would
have been another data mine so that criminals could entice
users to give up valuable information. In the information security

(02:41):
biz, we call that phishing with a ph. Fortunately, the
site wasn't in any way malicious. Instead, the site came
from Nick Sweeting, who wanted to show how Equifax's approach
was dangerous and irresponsible. Sweeting knew that the way Equifax
set up that site was a mistake. By registering a

(03:02):
domain that doesn't actually live on the Equifax dot com
domain itself, the company opened up the opportunity for someone
to create a fake or spoof site. Sweeting had no
intent on using the data people would submit through his
fake site to any malicious purpose. He just wanted to
drive home the fact that if he could do it,
so could a more criminal type person. The page he

(03:27):
created had a banner across the top that read "Cybersecurity
incident and important consumer information which is totally fake. Why
did Equifax use a domain that's so easily impersonated by
phishing sites?" This happens frequently on the web. By copying
the look of an established trusted entity, data thieves can

(03:48):
convince people to hand over valuable information willingly. Upon casual observation,
the spoofed site seems perfectly legitimate. The thieves depend upon
the trust customers have with the institution or organization
they believe they are communicating with. In this case, not
only did Equifax set up a tool on a URL
outside of Equifax dot com, the company also

(04:09):
mistakenly advised customers to go to the fake site itself.
After already suffering a major setback in public confidence, this
was not a great move, and it really illustrated how
quick responses to a crisis can go terribly wrong. Sweeting
also pointed out that while he intended no harm, there
are surely parties active online right now that have darker intentions.

(04:32):
Many of these will go to great lengths to create
a believable experience to fool innocent users into giving up
more of their information. This is a double slap in
the face for people who are already worried that thieves
had stolen their data. It's a vulnerable population undergoing further exploitation.
Sweeting's argument is one many cybersecurity experts agree with. It's

(04:53):
a better idea for an organization to make any official
tool part of their primary domain rather than to set
up a new web domain. This reassures users that they
are dealing with the actual entity and not some random
data phisher. While Equifax is a recent target of this
sort of spoofing, there are lots of other examples, from
fake news sites to link farms that only exist to

(05:16):
generate page views and rack up advertising money. Spoofing is
a big deal on the web. It always benefits the
user to be careful when navigating to a URL
and to be absolutely sure that the site you're
visiting is a legitimate one before you share any of
your personal information. To learn more about information security, including
how good guys sometimes act like bad guys so that

(05:39):
they can stop the real bad guys, subscribe to the
Tech Stuff podcast. We dive deep into tech topics to
get a better understanding of how they work and affect
our lives. That's all from me for now, see you
next time.
