Equifax now 15.2m UK records stolen


(Danny) #1

Equifax has today confirmed that a file containing 15.2m UK records dating from between 2011 and 2016 was attacked in the cyber incident that took place in May 2017.


#2

This number continues to rise. I shall just assume that all of the records were stolen.


(Tony Hoyle) #3

I assumed that from the start… if you got that kind of access why would you just grab half of them?

This is the company that thought ‘admin’ was a good administrator password. I really doubt they had any safeguards preventing downloading all their data.

Heck, I’m surprised they even noticed…


(Geoff Pascoe) #4

The thing that’s scary about this is you don’t even have a choice. If my bank leaked my data, I would go to another bank, but as far as I know you can’t stop your data being reported to CRAs. (If anyone wants to contradict me, I would be very happy to find out I was wrong about this)


(Tony Hoyle) #5

At this stage we have to assume that all the data we previously used to identify ourselves is public knowledge… The best way is to find new ways that aren’t subject to duplication should they get compromised.

Monzo’s intro video is a good idea, for example… even if leaked it’s hard to convincingly fake a video of you talking.

Using a mobile phone as identity is increasingly becoming common… of course that means if you lose your phone, we need robust ways of cancelling that validity and transferring to a new phone, and I’m not sure we’re quite there yet.


(knows someone who knows Tom quite well) #6

yes, you simply need to change your date of birth, mother’s maiden name, sex and address.

(I recommend copying the queen by having a real birthday and an ‘official’ birthday)

The mobile phone system is way too insecure to adequately protect bank details.


(Tony Hoyle) #7

Good enough for Monzo… mobile phones are actually pretty secure these days. Phones are the gatekeepers now to all sorts of private information.

It’s also the best we have… phones have various forms of identification like fingerprint, not to mention it’s a physical device that travels with you and somewhat identifies you… The web has nothing like that other than passwords, and those are just not secure because people use the same password all over the place or use something that’s obvious… and type them in in public places.


(knows someone who knows Tom quite well) #8

I said the mobile phone system not mobile phones.

Many second factor systems can use SMS as the second factor - this is extremely dangerous - https://www.nytimes.com/2017/08/21/business/dealbook/phone-hack-bitcoin-virtual-currency.html


(Tony Hoyle) #9

“calling up Verizon, T-Mobile U.S., Sprint and AT&T and asking them to transfer control of a victim’s phone number to a device under the control of the hackers.”

So they got a migration code and opened a new account with another provider to migrate the number, and at no time during the migration did the losing phone company try to verify this? Send out a final bill even? Sounds like a problem with the phone company.

Security is only as strong as its weakest link… in this case it wasn’t SMS.


(knows someone who knows Tom quite well) #10

Sigh…


(Tony Hoyle) #11

Anyone able to get into the mobile phone network at that kind of level has the technical capability to screw you over lots of ways. The internet itself is the same… BGP is completely trusted and completely insecure, but the average person has no ability to exploit that (and those in a position to do so have too much to lose).

(SS7 is being phased out, btw. - 4G doesn’t use it at all).

Such things aren’t worth bothering about because there’s nothing you can do against someone that determined and with those kinds of tools.


(Danny) #12

(Sean) #13

cough Virtual cards cough :eyes:


(Tony Hoyle) #14

Virtual cards… then disable the number on the front of the card :stuck_out_tongue:

Even if you lose the card, little risk as the numbers are just a distraction…


(Andre Borie) #15

Not entirely correct. In case of BGP you’re running HTTPS/TLS on top so no big deal. SS7 is completely unencrypted and unauthenticated.


(Tony Hoyle) #16

Mobile apps can communicate with asymmetric encryption and completely refuse to work if they reach the wrong site. Browsers theoretically can but everyone ignores the padlock (humans are always the weak link).

Mobile isn’t perfect by any means but it’s the best we have at present because it’s a physical thing you and only you have. If we had proper smart ID cards they’d work but that was somewhat unpopular when it was proposed.

Lots of the population are still treating telephones as if they’re secure… I’m told the legal profession still uses fax!
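The “refuse to work if they reach the wrong site” behaviour Tony describes is usually implemented as certificate pinning layered on top of ordinary TLS verification. The following is an added illustration, not code from the thread or from Monzo: it shows a client that only proceeds when both the normal chain/hostname check and a pin check pass, with a pin set that can hold a backup pin for key rotation. Assumptions: the pin is a base64 SHA-256 fingerprint of the whole DER certificate (real apps more often pin the SubjectPublicKeyInfo, which the standard library cannot extract without an ASN.1 parser), the hostname, port and certificate bytes are constructed placeholders, and `connect_pinned` needs a live network to run.

```python
import base64
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for a server's DER-encoded leaf certificate. In a real
# client these bytes come from SSLSocket.getpeercert(binary_form=True).
FAKE_SERVER_CERT_DER = b"constructed-der-bytes-standing-in-for-a-certificate"


def pin_of(cert_der: bytes) -> str:
    """Return the base64 SHA-256 fingerprint of a DER certificate (the pin)."""
    return base64.b64encode(hashlib.sha256(cert_der).digest()).decode("ascii")


def cert_matches_pins(cert_der: bytes, pins) -> bool:
    """True if the certificate's fingerprint is in the pin set.

    Each comparison is constant-time. A pin set normally holds the current pin
    plus at least one backup pin so a planned key rotation does not lock every
    user out of the app.
    """
    fingerprint = pin_of(cert_der).encode("ascii")
    return any(hmac.compare_digest(fingerprint, p.encode("ascii")) for p in pins)


def connect_pinned(host: str, port: int, pins, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection that fails closed unless BOTH checks pass:
    1. the standard chain validation and hostname match done by the ssl module;
    2. the presented leaf certificate is in our pin set.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED

    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)  # raises on bad chain/name
    try:
        leaf = tls.getpeercert(binary_form=True)
        if not cert_matches_pins(leaf, pins):
            # A valid-looking certificate from the wrong key: refuse to talk.
            raise ssl.SSLError(f"certificate pin mismatch for {host}; refusing to proceed")
        return tls
    except Exception:
        tls.close()
        raise


if __name__ == "__main__":
    # Offline demonstration of the pin logic against the constructed bytes.
    pins = [pin_of(b"constructed-previous-cert"), pin_of(FAKE_SERVER_CERT_DER)]
    print("current cert accepted:", cert_matches_pins(FAKE_SERVER_CERT_DER, pins))
    print("unknown cert accepted:", cert_matches_pins(b"constructed-attacker-cert", pins))
    # A real call would look like:
    #   connect_pinned("api.example-bank.invalid", 443, pins)   # placeholder host
```

The design point is the ordering: pinning never replaces chain validation, it narrows it. A mis-issued or attacker-obtained certificate that passes the public CA check still fails the pin, which is exactly the protection a browser user who ignores the padlock does not get.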


#17

Yep. They’re using state of the ark technology :wink:


(Andre Borie) #18

This is just getting better and better: https://arstechnica.com/information-technology/2017/10/equifax-website-hacked-again-this-time-to-redirect-to-fake-flash-update :joy:


(Danny) #19

I really have no words for the level of incompetence for this company.


(Hugh) #20

I think that’s why their Infosec executive stood down…