Equifax hack: Credit report monitoring site and PINs to lock down credit reports could be hacked
A bug in Equifax's credit monitoring site could allow hackers to trick users into handing over more sensitive data.
The Equifax hack appears to be the one that keeps on giving. Days after the firm announced it suffered a breach, major security issues have been uncovered relating to how the firm is handling the incident.
Equifax's credit monitoring site, which the firm set up in the wake of the data breach is reportedly vulnerable to hacking. Meanwhile, the PIN codes the firm is providing users to lock down their credit report could also be compromised by hackers.
Equifax's credit monitoring site was reportedly found to contain a security vulnerability, which could potentially be exploited by hackers to steal even more data from users. Security researchers Martin Hall told ZDNet that the bug could allow hackers to easily spoof the site, via a cross-scripting (XSS) attack.
The vulnerability in the site could allow hackers to trick users into opening a malicious site, which in turn prompts victims into divulging their sensitive data such as social security numbers and more.
"Do you trust Equifax with your details? The problem is that post-breach they are asking people to enter their personal details all over again while they still have many insecure sites and pages," Hall said.
It is still unclear whether hackers are already actively exploiting the bug to launch fresh attacks. Equifax is yet to comment on the matter.
Hackers could brute-force PINs
Meanwhile, the firm is now moving to remove the vulnerable PINs that it provided its users affected by the breach to lock down their credit reports. The PIN was meant to help secure affected users from further damage, by keeping users' stolen data from being used by malicious entities to open credit in the victims' names.
However, it was discovered that the PINs which were generated could be brute-forced. Instead of generating random PINs, the codes generated were essentially date-time stamps of the time when users enrolled into Equifax's TrustedID service.
"While we have confidence in the current system, we understand and appreciate that consumers have questions about how PINs are currently generated. We are engaged in a process that will provide consumers a randomly-generated PIN," a spokesperson for Equifax told ArsTechnica.
"We expect this change to be effective within 24 hours. A consumer has an option, and will continue to have an option, to change an existing PIN. The requested new PIN is sent to the consumer by US Mail to their address of record."
US Senators demand answers
The massive scale of the data breach has led US Senators to demand answers from the firm about the hack. Senator Orrin Hatch, who chairs the finance committee, and Senator Ron Wyden have given the firm until 28 September to provide details on the timeline of the breach and when it was discovered by Equifax, Reuters reported.
"Equifax could face an enormous $500m clean-up bill following its major data breach disclosed on Friday. Major data breaches like this can be more complex and more costly to clean up than an oil slick," Graeme Newman, Chief Innovation Officer at CFC Underwriting told IBTimes UK.
"Ironically, the largest part of that bill will be identity theft protection services that should be provided to affected consumers, which is one of the main services Equifax provides.
"This could make Friday's breach one of the most expensive in history, following the Yahoo breach that affected over 1bn people globally. Luckily for Equifax though, they were hit before new data protection regulations were introduced in Europe," Newman added.
"The new GDPR which comes into effect in May next year allows for fines up to 4% of global revenue, which could have added another $125m to their overall costs."
© Copyright IBTimes 2024. All rights reserved.