Senators push to ditch social security numbers in light of Equifax hack

Eyeing more secure alternatives to social security numbers, lawmakers in the U.S. are looking abroad. Today, the Senate Commerce Committee questioned former Yahoo CEO Marissa Mayer, Verizon Chief Privacy Officer Karen Zacharia, and both the current and former CEOs of Equifax on how to protect consumers against major data breaches. The consensus was that social security numbers have got to…

Equifax hack being probed by UK’s financial watchdog

The fallout from the massive Equifax hack, publicly disclosed last month, continues: Today the UK’s financial watchdog said it also wants to get to the bottom of what happened.

Federal watchdog tells Equifax—no $7.25 million IRS contract for you

The Government Accountability Office (GAO) on Monday rejected Equifax’s bid to retain its $7.25 million “taxpayer identity” contract—the one awarded days after Equifax announced it had exposed the Social Security numbers and other personal data of some 145 million people.

At its core, the Equifax-IRS ordeal reveals the strangeness of the government contracting system. That’s because Equifax wasn’t even originally chosen to continue its contract with the IRS’s Secure Access online program, which enables taxpayers to store and retrieve online tax records. But because Equifax protested when the agency gave the contract to rival Experian for a fraction of the cost, the IRS said contracting rules demanded that it offer a “bridge” contract to Equifax until the GAO sorts out the protest.

The GAO sorted everything out on Monday. It set aside the challenge from Equifax, which contended that Experian, whose bid was worth up to $795,000 annually, didn’t have the technological wherewithal to verify taxpayers signing up for the Secure Access program.

After second bungle, IRS suspends Equifax’s “taxpayer identity” contract

Last week we brought news that the Internal Revenue Service awarded a $7.2 million contract to Equifax to allow Equifax to “verify taxpayer identity.” The contract was awarded days after Equifax announced it had exposed the personal data, including Social Security Numbers, of about 145 million people.

The tax-collecting agency is now temporarily suspending the contract because of another Equifax snafu. The Equifax site was maliciously manipulated again, this time to deliver fraudulent Adobe Flash updates, which, when clicked, infected visitors’ computers with adware that was detected by just three of 65 antivirus providers. The development means that at least for now, taxpayers cannot open new Secure Access accounts with the IRS. Secure Access allows taxpayers to retrieve various online tax records and provides other “tax account tools” to those who have signed up.

An “alert” on the IRS website says the Secure Access service “is unavailable for new users at this time.” The alert notes that taxpayers who already have an account can “continue the login process.”

Equifax rival TransUnion also sends site visitors to malicious pages

Equifax isn’t the only credit-reporting behemoth with a website redirecting visitors to fake Adobe Flash updates. A security researcher from AV provider Malwarebytes said transunioncentroamerica.com, a TransUnion site serving people in Central America, is also sending visitors to the fraudulent updates and other types of malicious pages.

As Ars reported late Wednesday night, a portion of Equifax’s website was redirecting visitors to a page that was delivering fraudulent Adobe Flash updates. When clicked, the files infected visitors’ computers with adware that was detected by only three of 65 antivirus providers. On Thursday afternoon, Equifax officials said the mishap was the result of a third-party service Equifax was using to collect website-performance data and that the “vendor’s code running on an Equifax website was serving malicious content.” Equifax initially shut down the affected portion of its site, but the company has since restored it after removing the malicious content.

Now, Malwarebytes security researcher Jérôme Segura says he was able to repeatedly reproduce a similar chain of fraudulent redirects when he pointed his browser to the transunioncentroamerica.com site. On some occasions, the final link in the chain would push a fake Flash update. In other cases, it delivered an exploit kit that tried to infect computers with unpatched browsers or browser plugins. The attack chain remained active at the time this post was going live. Segura published this blog post shortly after this article went live on Ars.

Equifax website hacked again, this time to redirect to fake Flash update

In May, credit reporting service Equifax’s website was breached by attackers who eventually made off with social security numbers, names, and a dizzying amount of other details for some 145.5 million US consumers. For several hours on Wednesday the site was compromised again, this time to deliver fraudulent Adobe Flash updates, which, when clicked, infected visitors’ computers with adware that was detected by only three of 65 antivirus providers.

Randy Abrams, an independent security analyst by day, happened to visit the site Wednesday evening to contest what he said was false information he had just found on his credit report. Eventually, his browser opened up a page on the domain hxxp:centerbluray.info that looked like this:

[Screenshot of the page; credit: Randy Abrams]

He was understandably incredulous. The site that previously gave up personal data for virtually every US person with a credit history was once again under the control of attackers, this time trying to trick Equifax visitors into installing crapware Symantec calls Adware.Eorezo. Knowing a thing or two about drive-by campaigns, Abrams figured the chances were slim he’d see the download on follow-on visits. To fly under the radar, attackers frequently serve the downloads to only a select number of visitors, and then only once.

Equifax hack included nearly 11 million US driver’s licenses

The latest news from the enormous Equifax hack is that the stolen records included 10.9 million driver’s licenses from U.S. citizens, according to the Wall Street Journal’s sources. This isn’t much of a surprise given how poorly all the other information was secured, but it’s nice to put a number on just how many of various personal documents Equifax’s poor…

Chatting corporate greed with Mr. Monopoly, hero of the Equifax Senate hearing 🎩💸

In a particularly dark week for America, one ray of hope shone bright, its monocle glinting bravely in the harsh media flash. Enter Rich Uncle Pennybags, the board game fat cat better known as the Monopoly man, who made a high-profile appearance at today’s Senate hearing on the Equifax hack.