This article presents more evidence about EquiFax Inc., and the threat they, and others, still pose to our private data. It demonstrates that none will enhance cyber security, until it costs more to not protect our data via fines and penalties implemented in law. As a cyber security professional, I am naturally judgmental and biased towards organizations like EquiFax Inc. when they bumble a breach and continue to have poor cyber security practices. Thus, I'm afraid when our information is handled by any entity related by them. I highly encourage ANY corporation using EquiFax or their subsidiaries to avoid this company until they demonstrably prove they are committed to protecting personal data. A company’s reputation and data is tied to their ineptitude. Without further digressions, I present a case of EquiHack, holding Tax data and asking for more! This investigation started when I received an electronic W-2 is ready email notification. Great I can start the heinous process of doing my taxes now. But in order to obtain said W-2 (oh boy did I ever forget what I was dealing with) I had to go through certain steps with a certain company. "Please visit this website:" https://www.mytaxform.com. "Okay, no problem" until I see the following footer at the bottom of the web site: Damn. Equifax. I have a personal bias and loathing for them. They didn't handle their MONUMENTAL breach well and I don't trust them. So I scrutinize this company/subsidiary of theirs, TALX Inc. which holds my data. See my list of what I found disturbing about this subsidiary of Equifax Inc. followed by varying degrees why each item is disturbing.
1. Their Privacy Policy ...dates to 2013. After Equifax Inc. just had an egregious cyber security breach. It also states they will sell to 3rd party affiliates. This is not okay to me. This is my tax information. I do not want ANY of my tax information sold to 3rd party affiliates. My Tax information is not for sale, at least I thought it wasn't. 2. The Security Policy... ...sounds good to a lay person. But it demonstrates a marketing or inexperienced person wrote it by boasting that "portions of our site make extensive use of Secure Socket Layer (SSL) encryption...password-like identifying information" though there's no reason to not use SSL for all of the data (cost or otherwise) and the term password-like does not mean anything. It's made up? What is a password-like password? A known-word? Anyway, they also boast they take "great care to safeguard all information that is transmitted to us and stored by us...using network intrusion prevention and detection technology as well as other industry accepted security practices...independent auditing firm KPMG completes their SAS 70 Type II audit" which is not true. If they did they'd SSL encrypt the entire site. They would not ask for MORE information, and they would not throw out a large name company who also suffered from an embarrassing cyber security breach, as shared by cyber security professional Graham Cluley, to instill confidence. 3. Uses easily obtained information as a username (SSN) The username for this company is your SSN (Social Security Number), even though Equifax Inc. lost ~154 million of these, and it contradicts their security policy claim as it is not an "industry accepted security practice" at all; it is Personally Identifiable Information not to be used as a username. Higher education had to go through the process of removing SSN as Student Identifiers already. But apparently it's okay for Private companies; there's no law. Why not. 4. and 5. Weak Password policy and process I remember when I originally signed up for an electronic W-2 that I had to do an all numeric 4-16 character password. This is not an industry best practice. So I hoped, when I reset the password recently, it would allow a secure one. But nope, see screenshot below. So, let me try some easy passwords to change it too, such as 1234, or 0000. Both were accepted. One good practice, they did not allow me to reuse old passwords. So they're retaining the passwords used already (hopefully encrypted). They use SMS text messaging for a 2nd factor to login. Our own government states this is a bad idea (June 2017) and why in laymen terms is reported by Wired Inc. here. 6. Requests Additional Personal Information
Upon login with my SSN/Username and Numeric only password, the site then requests additional information to store, for my safety. They want, a personal email address, though I received an email already telling me my W-2 was ready, personal phone number, last 4 of my social (which I already used to login), and my Date of Birth, which umm they already lost via the EquiFax breach and is easily obtainable. This is not extra security. A motivated teenager can hack me at this point. Also, if they're requesting additional information, this means they do not have it, and they are storing it in yet another database/location, which means additional copies of my information are spread around and poses more security risks. 7. Attempts to use Adobe Flash Upon signing in I notice the site attempts to utilize Adobe Flash Player to display information before failing over to alternative methods. Adobe Flash Player is being retired and most security aware companies have already migrated off of it as it has proven it is no longer secure. Yet this site shows additional risk by using it, and another method to display my information and interact with the site. The more complicated a site is, the harder it is secure, and we've already demonstrated cyber security is not this companies forte. 8. Using Symantec SSL Certificate While not inherently bad, in the cyber security realm Symantec SSL certificates have shown a serious lack of integrity. Symantec has some good products, but it's SSL business was not among them. Google and other major web browsers are no longer going to trust them, meaning your site is considered not secure while using SSL technology with Symantec Certificates because of a lack of integrity. An SSL Certificate is the 3rd party responsible for being the trusted entity that assures us our data is secure. Unfortunately, Symantec lost the community trust in 2016/2017 and thus continuing to use their certificates shows a lack of security awareness. Am I being overly hard on EquiFax and it's owned companies. Yes. Do I have a reason to be? Yes. This is yet another reason why we need Federal Regulations enforcing good cybersecurity practices. Organizations WILL NOT do this on their own. Humans have a tendancy to not want to do things until it's painful to them. This seems like the perfect case-study for why we need to create similar laws to that of Europe to protect our personal data, and penalize companies who do not care about it as much as we do. EquiFax has yet to demonstrate they care about me, you, or our data, and property. To that I plead.... Help us US-LEGISLATURE-KENOBI, you're our only hope.
3 Comments
S
1/26/2018 09:48:14 pm
"A companies reputation and data..." --> company's (?)
Reply
S
1/26/2018 10:11:26 pm
"companies forte." --> "company's forte."
Reply
Your comment will be posted after it is approved.
Leave a Reply. |
AuthorI am a Doctoral Scholar at Colorado Technical University and a graduate of the Cyber Security Operations and Leadership program from the University of San Diego. I work in cybersecurity, and have accumulated twenty years in the IT industry. There are few IT roles I have not performed, which gives me great insights into making sense of all the IT confusion. Archives
February 2022
Categories
All
|