Celebrity hackers stole data from AnnualCreditReport.com, Equifax says

[Erica Absetz <eabsetz () opensecurityfoundation org>]

http://redtape.nbcnews.com/_news/2013/03/12/17286101-celebrity-hackers-stole-data-from-annualcreditreportcom-equifax-says

The Equifax credit bureau confirmed Tuesday that criminals have stolen
credit reports from AnnualCreditReport.com, the website designed to
allow consumers free access to their own credit reports.

The theft  suggests criminals have outfoxed AnnualCreditReport.com’s
defenses, potentially giving them access to potentially 200 million
Americans’ credit reports. According to the Consumer Financial
Protection Bureau, 16 million consumers use AnnualCreditReport.com
annually.

The nation's three largest credit bureaus -- Equifax, Experian and
TransUnion -- were required by federal legislation passed in 2003 to
offer consumers one free credit report every year. The three jointly
operate AnnualCreditReport.com to fulfill that obligation.

Entertainment news website TMZ first reported Monday that highly
detailed personal information on international celebrities and
political figures – including Jay-Z, Beyonce, Attorney General Eric
Holder and Hillary Clinton – had been published on a website, and that
the FBI was investigating. The same website identified in that report
published additional data on Tuesday, including details about first
lady Michelle Obama and Vice President Joe Biden, leading to a flurry
of interest in the source of the data.  Later Tuesday, Equifax
confirmed that some of the data associated with those identity thefts
had been stolen from AnnualCreditReport.com.

"Equifax can confirm that fraudulent and unauthorized access to four
consumer credit reports has occurred through the
AnnualCreditReport.com channel, a free public service that allows all
consumers to get annual access to their credit report," the company
said in a statement.  "Our initial investigation shows the
perpetrators had the (personal information) of the individuals whose
files were accessed and were therefore able to pass the required
authentication measures in place. We have launched a full
investigation into this matter and we are also working closely with
law enforcement authorities on this matter."

The statement did not identify which credit reports had been accessed
through the website or explain why more than four reports had been
published on the website.

TransUnion and Experian also confirmed unauthorized persons had
managed to access the credit report data.

"TransUnion’s systems were not hacked or compromised in any way," the
firm said in a statement to CNBC. "The sophisticated perpetrators of
these fraudulent activities had considerable amounts of information
about the victims, including Social Security numbers and other
sensitive, personal identifying information that enabled them to
successfully impersonate the victims over the Internet in order to
illegally and fraudulently access their credit reports. TransUnion is
taking steps to assist the individuals affected to help minimize any
potential impact. We are conducting our own internal investigation and
working closely with law enforcement."

Experian also said its systems weren't hacked, adding that "this looks
to be an isolated situation."

Consumers who attempt to obtain their credit reports from
AnnualCreditReport.com must answer a series of authentication
questions. Many of these are what's known as "out-of-wallet" questions
-- questions that a criminal who had stolen a wallet couldn't answer
-- such as, "which bank holds your mortgage" or "which of these former
addresses are valid."

That means the criminals who stole the credit reports probably had
access to a host of personal information about their targets, allowing
them to successfully answer the authentication questions. Some of that
data can be purchased from other online data brokers, culled from web
pages or even determined through guesswork and the process of
elimination.

The Federal Trade Commission regulated the creation of
AnnualCreditReport.com and its security procedures.

FTC spokesman Jay Mayfield said the data theft serves as another
reminder to consumers that they should protect their personal
information, but said the agency still recommends that consumers visit
AnnualCreditReport.com or call the credit bureaus to get a free copy
of their credit report every year. He would not comment specifically
about the theft of the celebrity credit reports, or about the security
of AnnualCreditReport.com

Consumers who hear that AnnualCreditReport.com has been compromised
might be dissuaded from using the site in the future, and perhaps
paying another third-party firm for their credit reports. Doing so
would not enhance their security, however.  The data available at
AnnualCreditReport.com could be accessed by criminals, even if the
consumer never asks for it.

Issues with the authentication procedures at credit report websites
have been raised in the past. Last year, security analyst Dan Clements
of CloudEyez.com gave NBCNews.com a tour of websites that sell stolen
credit reports. Several of the stolen credit reports viewed at the
time indicated they'd been taken from AnnualCreditReport.com or other
third-party websites that charge a fee for access to credit reports.

"I'm selling super prime credit reports and scores which include all
three bureaus and other information," bragged one advertisement on a
credit reports for-sale site.

Most of the websites were hosted in the .su domain, assigned to the
former Soviet Union. The recently celebrity credit reports are also
hosted on a .su web site.

In one how-to posted on a hacker bulletin board, a hacker describes
one brute-force attack used to gain access to credit report websites.
Most sites are protected by "challenge" questions such as, "Which bank
holds the mortgage on your home?"  But there's a critical flaw, the
hacker said:

"Normally all ... of them will ask you the same question," the hacker wrote.

Because the sites use the multiple choice format, it's easy to use the
process of elimination and determine the correct answers, he claims.

The hacker explained that the trick is to open several credit report
sites and keep trying random answers until one set works.

The recipe is highly detailed, including helpful tips such as, "Take a
shot of screen to remember what answers you gave. After that click the
submit button and see what it says."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges.