Hard to say. I'm hoping that Equifax will offer a mechanism to change your freeze pin. Also, see my post: https://www.linkedin.com/feed/update/urn:li:activity:6314120507772018688 .

> From: Flora <http://www.gmail.com/~flora>
> Date: Thu, 14 Sep 2017 23:25:45 -0400
>
> Saw one of the comments about possible pin compromise. What do you think?
>
> David M
> September 14, 2017 at 9:34 pm
> I'm fairly certain that you can deduce whether your credit file is frozen by going through the steps again. If, once you enter in your personal information, you are NOT presented with the option to freeze your credit account, then it is still frozen.
>
> One thing I have not heard mention is if freeze pins were a part of the data that was stolen. If they were, then freezing your account will do nothing (the thieves would have the tools to unfreeze the account).
>
> Lastly, being a programmer, I suspect that the pin is simply the transaction date and time of the freeze document. Since we know that it is a timestamp, it is very likely that it is saved somewhere in the freeze document as a datetime entry. If so, then it is also highly likely that the pins WERE stolen along with the rest of the data.
>
> https://krebsonsecurity.com/2017/09/equifax-hackers-stole-200k-credit-card-accounts-in-one-fell-swoop/
>
> Equifax Hackers Stole 200k Credit Card Accounts in One Fell Swoop
>
> Visa and MasterCard are sending confidential alerts to financial institutions across the United States this week, warning them about more than 200,000 credit cards that were stolen in the epic data breach announced last week at big-three credit bureau Equifax. At first glance, the private notices obtained by KrebsOnSecurity appear to suggest that hackers initially breached Equifax starting in November 2016. But Equifax says the accounts were all stolen at the same time – when hackers accessed the company's systems in mid-May 2017.
>
> Both Visa and MasterCard frequently send alerts to card-issuing financial institutions with information about specific credit and debit cards that may have been compromised in a recent breach. But it is unusual for these alerts to state from which company the accounts were thought to have been pilfered.
>
> In this case, however, Visa and MasterCard were unambiguous, referring to Equifax specifically as the source of an e-commerce card breach.
>
> In a non-public alert sent this week to sources at multiple banks, Visa said the "window of exposure" for the cards stolen in the Equifax breach was between Nov. 10, 2016 and July 6, 2017. A similar alert from MasterCard included the same date range.
>
> "The investigation is ongoing and this information may be amended as new details arise," Visa said in its confidential alert, linking to the press release Equifax initially posted about the breach on Sept. 7, 2017.
>
> The card giant said the data elements stolen included card account number, expiration date, and the cardholder's name. Fraudsters can use this information to conduct e-commerce fraud at online merchants.
>
> It would be tempting to conclude from these alerts that the card breach at Equifax dates back to November 2016, and that perhaps the intruders then managed to install software capable of capturing customer credit card data in real-time as it was entered on one of Equifax's Web sites.
>
> Indeed, that was my initial hunch in deciding to report out this story. But according to a statement from Equifax, the hacker(s) downloaded the data in one fell swoop in mid-May 2017.
>
> "The attacker accessed a storage table that contained historical credit card transaction related information," the company said. "The dates that you provided in your e-mail appear to be the transaction dates. We have found no evidence during our investigation to indicate the presence of card harvesting malware, or access to the table before mid-May 2017."
>
> Equifax did not respond to questions about how it was storing credit card data, or why only card data collected from customers after November 2016 was stolen.
>
> In its initial breach disclosure on Sept. 7, Equifax said it discovered the intrusion on July 29, 2017. The company said the hackers broke in through a vulnerability in the software that powers some of its Web-facing applications.
>
> In an update to its breach disclosure published Wednesday evening, Equifax confirmed reports that the application flaw in question was a weakness disclosed in March 2017 in a popular open-source software package called Apache Struts (CVE-2017-5638).
>
> "Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted," the company wrote. "We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement."
>
> The Apache flaw was first spotted around March 7, 2017, when security firms began warning that attackers were actively exploiting a "zero-day" vulnerability in Apache Struts. Zero-days refer to software or hardware flaws that hackers find and figure out how to use for commercial or personal gain before the vendor even knows about the bugs.
>
> By March 8, Apache had released new versions of the software to mitigate the vulnerability. But by that time exploit code that would allow anyone to take advantage of the flaw was already published online – making it a race between companies needing to patch their Web servers and hackers trying to exploit the hole before it was closed.
>
> Screen shots apparently taken on March 10, 2017 and later posted to the vulnerability tracking site xss[dot]cx indicate that the Apache Struts vulnerability was present at the time on annualcreditreport.com – the only web site mandated by Congress where all Americans can go to obtain a free copy of their credit reports from each of the three major bureaus annually.
>
> In another screen shot apparently made that same day and uploaded to xss[dot]cx, we can see evidence that the Apache Struts flaw also was present in Experian's Web properties.
>
> Equifax has said the unauthorized access occurred from mid-May through July 2017, suggesting either that the company's Web applications were still unpatched in mid-May or that the attackers broke in earlier but did not immediately abuse their access.
>
> It remains unclear when exactly Equifax managed to fully eliminate the Apache Struts flaw from their various Web server applications. But one thing we do know for sure: The hacker(s) got in before Equifax closed the hole, and their presence wasn't discovered until July 29, 2017.
>
> Tags: apache struts, cve-2017-5638, Equifax breach, mastercard, Visa, window of exposure
>
> This entry was posted on Thursday, September 14th, 2017 at 2:03 pm and is filed under Other.