16.9.17

How many people outside the U.S. are affected by the Equifax breach?


[Update September 15, 2017: Equifax has released more detailed information pertaining to the stolen data from people in the UK. The names, dates of birth, email addresses and telephone numbers of up to 400,000 people in the UK may have been accessed.]
If you’ve been reading news about the recent Equifax breach, you may have noticed that many articles mention briefly that people in the United Kingdom and Canada are also affected. There has been little clarification as to how many people were affected, or what exactly was lost.
The current statement from Equifax is that there was “unauthorized access to limited personal information for certain U.K. and Canadian residents.” Due to this heavy emphasis on customers in the U.S., many of us have not really considered how much or how little this could mean to people in the UK and Canada.
Breach Maths
Certainly, in terms of total numbers and dramatic headlines, 143 million is a lot of victims. This means that 44 percent of all Americans could have been affected. If we assume that this breach primarily affects adults, it could be up to 60 percent of the population over the age of 18.
What we don’t currently know is how many people in the U.K. and Canada were affected. We know that Equifax has data on 820 million consumers worldwide and it operates in 24 countries. Of those 820 million, the company has information on 44 million people in the UK and 26 million in Canada.
If we assume again that this breach primarily affects adults, and if we assume that these numbers are the maximum number of possibly affected consumers in each country, this could mean that up to about 80 percent of adults in both countries may be affected.
We do know that Equifax has found no evidence of unauthorized activity on its core consumer or commercial credit reporting databases, so it is entirely possible that this breach does not affect all of Equifax’s customers in either country. As much as anything, people are concerned about the lack of certainty.
Protect as if you’ve already been compromised
There is a popular saying in information security circles that says that everyone should protect their data as if they’ve already been compromised. While credit freezes were until recently considered a “drastic measure” – only for people who had already had identity theft-related fraud committed against them – they are now being widely recommended as a basic preventative measure for everyone. Equifax is now waiving fees for anyone wishing to set up this protection on their credit reports.
It seems wise, especially for people in the U.S., U.K. and Canada, to be extra vigilant until more specific information becomes available. Even if it turns out that few people in either country were affected, getting in the habit of double-checking what’s happening with your financial accounts and credit history is never a waste of time or effort.

12.9.17

State sponsored cryptocurrency: Could it ever be a reality?

Companies showcase their products, whether they are physical, virtual or services. Images of Steve Jobs launching an iPhone or Elon Musk announcing the latest Tesla generate media interest and hype. Cybersecurity companies are no different: ESET holds an annual event for journalists and security testers, where people discuss the latest research news and find out what’s new in the company and the cybersecurity industry.
This year’s event was held in Tallinn, in the Republic of Estonia, a country with a unique digital offering: it is the first country to offer e-Residency. Anyone in the world can apply for a government-issued digital ID that gives the holder the freedom to start and run a global business from a trusted EU environment for only €100.
A person can create a company online from anywhere in the world, can get access to business banking, with no local director needed, sign documents digitally, encrypt documents and send them securely, plus they can submit taxes online without ever needing to relocate their global business. To date there have been 23,735 applicants from 138 countries establishing 3,877 companies. Incredibly, the number of people signing up exceeds Estonia’s birth rate.
In the last few weeks, it was reported that Kaspar Korjus, Estonia’s e-Residency Managing Director, had announced the concept of adding a cryptocurrency, Estcoins. The media excitement that a sovereign state was announcing its intention to create a digital currency resulted in some inaccurate reporting; the idea came from Mr. Korjus rather than from the Estonian Government. As Estonia offers e-Residency, the concept of a digital cryptocurrency may sound appealing, but what is it?
Understanding cryptocurrency
If you are lucky enough to have some cash, you probably hold it in an account at a bank that gives you the ability to transact, shows you a balance and has access to a payment network. The financial institution works on a centralized model and is typically accountable to a government regulator. Centralization stops the account holder from double spending, as every transaction is authenticated in one place.
Cryptocurrencies work on a decentralized model: there is no server or centralized place that holds account details and transactions. Imagine 10 friends creating their own digital currency. To make this work, every friend needs to know the balance and transactions of all the other friends in real time. This stops friend #1 transacting with friends #2 and #3 to withdraw the same funds twice, making #1 overdrawn. When #1 transacts with #2, all the friends need to be sent the details of the transaction and to confirm they received it; the effect is that your balance and history are distributed across the group.
To make this scale, as Bitcoin does, waiting for everyone to confirm would be too difficult, so you need to create trusted, but still distributed, confirmers of a transaction. These are called miners, and they have a special cryptographically secured relationship with each other. Imagine 10,000 friends using the currency and 100 of them being miners that have a trusted place in the network to confirm transactions and spread the word to the remaining participants.
With Bitcoin, anyone can be a miner if they are willing and able to run a node that does the cryptographic work and can talk to the rest of the network. Their reward for doing this is the payment of a transaction fee, paid in the digital currency. Now you have a secure network incentivized to confirm transactions and to stop people spending their cash more than once.
If we simplify this, it’s just a big database that multiple entities hold copies of, and before a transaction can take place they all need to agree that it can. Bitcoin works on the following principles:
1. It’s fast and secure, regardless of where you transact, because it works on a global network of computers that use strong cryptography.
2. The identity of the account holder is a digital address; there is no link between this and the real-life identity of the account holder.
3. There are no permissions: anyone can create an account using software without the need to be identified.
4. Lastly, Bitcoin transactions cannot be reversed; once a transaction has been distributed across the network, it’s final.
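The double-spend scenario above (friend #1 trying to pay the same funds to #2 and #3), as an added example that is not part of the original post: a toy replicated ledger in Python in which every peer keeps the full history and validates each broadcast transaction on its own, so the second spend is rejected by all copies. Mining, signatures and network transport are assumed away; the peers, balances and transaction ids are constructed for the demo.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Tx:
    tx_id: str      # lets every peer spot a replayed copy of the same transfer
    sender: str
    receiver: str
    amount: int

@dataclass
class Peer:
    """One friend holding a full copy of every balance and every transaction."""
    name: str
    balances: dict
    history: list = field(default_factory=list)

    def validate(self, tx: Tx) -> str:
        # Each peer checks against its own copy of the ledger, not a central server.
        if tx.amount <= 0:
            return "rejected: non-positive amount"
        if any(t.tx_id == tx.tx_id for t in self.history):
            return "rejected: replayed transaction"
        if self.balances.get(tx.sender, 0) < tx.amount:
            return "rejected: insufficient funds (double spend)"
        return "ok"

    def apply(self, tx: Tx) -> None:
        self.balances[tx.sender] -= tx.amount
        self.balances[tx.receiver] = self.balances.get(tx.receiver, 0) + tx.amount
        self.history.append(tx)

def broadcast(peers: list, tx: Tx) -> tuple:
    """Send tx to every peer; it is applied only when all of them independently accept it."""
    verdicts = {p.name: p.validate(tx) for p in peers}
    accepted = all(v == "ok" for v in verdicts.values())
    if accepted:
        for p in peers:
            p.apply(tx)
    return accepted, verdicts

def ledgers_agree(peers: list) -> bool:
    return all(p.balances == peers[0].balances for p in peers)

def double_spend_demo(friends: int = 10, opening: int = 5) -> tuple:
    """Constructed scenario: #1 pays 5 to #2, then tries to pay the same 5 to #3.
    Returns (first accepted, second accepted, #1 balance, #2 balance, copies agree, #3's verdict)."""
    start = {f"friend{i}": opening for i in range(1, friends + 1)}
    peers = [Peer(f"friend{i}", dict(start)) for i in range(1, friends + 1)]
    ok1, _ = broadcast(peers, Tx("t1", "friend1", "friend2", 5))
    ok2, verdicts = broadcast(peers, Tx("t2", "friend1", "friend3", 5))
    return ok1, ok2, peers[-1].balances["friend1"], peers[-1].balances["friend2"], ledgers_agree(peers), verdicts["friend3"]
```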
Cryptocurrency and state sponsorship
Is it possible for any government to create a cryptocurrency that would share the same values of the already established, and somewhat, successful cryptocurrencies available today?
The Republic of Estonia is a member of the European Union and of the eurozone, bringing with it regulation and procedures that may limit the success of any state-sponsored cryptocurrency. Mario Draghi, the president of the European Central Bank, quickly dismissed the idea and stated that the only currency for eurozone countries is the euro.
The success of Bitcoin is generally based on the lack of regulation; primarily, it’s the currency of choice for people who wish to remain anonymous.
However, bad-intentioned people, like the creators of ransomware, can also use it as the payment method to unlock infected machines, making them extremely difficult to identify – creating challenges for law enforcement trying to bring them to justice.
Allowing people to anonymously create accounts and transact with each other removes the visibility of tax authorities, financial regulators and law enforcement. This makes it unthinkable that any government which is part of a regulated financial community could disregard the processes that have been established to create a safe and trusted financial system.
It is probably just as unthinkable to cryptocurrency users that they should be regulated and identified in the same way they are with traditional bank accounts.
I would like to hear the opinion of cryptocurrency users and advocates on what the legitimate uses are for the technology driven currency.

11.9.17

Equifax breach: 5 defensive steps to take now


As you may have heard from the copious news coverage (including our own), the credit monitoring bureau Equifax was hit with a security breach that has given thieves access to the data of 143 million people; this information comes primarily from customers in the US, as well as some in the UK and Canada. The data stolen includes names, Social Security numbers, birth dates, addresses, and the numbers of some driver’s licenses and credit cards.
Normally, our first piece of advice would be for you to go directly to a vendor’s breach information site for further information. But at the time of writing, Equifax is having a number of technical difficulties with existing contact methods, at least partly as a result of unusually high traffic volumes.
Calling Equifax directly seems to be ineffective right now, and the Equifax breach-info site is having a variety of problems which seem to indicate that the rush to provide information may have led to further issues.
The Equifax breach notification site runs on a stock installation of WordPress. This is cause for concern as it appears to have insufficient security for a site that asks people to provide their last name plus six out of nine digits of their Social Security number. If this information was stolen, it would be more than enough fodder for criminals to perpetrate additional fraud.
But this isn’t the only cause for concern: software with phishing-detection functionality – including some internet browsers and OpenDNS – has been blocking access to the site and warning that it is a suspected phishing threat due to irregularities in how it is set up. For example, the site’s SSL/TLS certificate is not configured so that proper revocation checks can be performed, which may cause browsers to display an error message. And the domain name is registered under a name that is not clearly identifiable as belonging to Equifax.
An increasing number of reports appear to indicate that the information coming out of the website’s checking mechanism may be incomplete or inaccurate. Verbiage on the Equifax site led to significant debate as to whether signing up for free identity protection services would stop users from taking part in class action lawsuits against the company. This has prompted Equifax to clarify that this waiver does not apply to the current incident.
How to protect yourself
Indications are that this breach occurred between mid-May and July 2017, and that it was discovered by Equifax on July 29. As this has potentially affected almost half of all adults in the US, you may be wondering how to identify or mitigate problems caused by this breach. Here are a few steps you can take now:
1. Check your accounts for suspicious activity
The first, and most important thing you can do is to check the transactions on all your financial accounts and credit history. Keep in mind that there is an overwhelming amount of traffic going to all the major credit reporting agencies right now, so they may be slow or only intermittently available for the next few days. As the breach was only recently reported, it’s likely that more information about the specifics of who was affected and what was stolen will become available in the coming days and weeks.
If you see activity that you do not recognize, it is important that you notify the bank or credit agency immediately.
Keep in mind that the thieves may not use or sell all of the stolen data right away. You will need to be vigilant with your accounts for a while.
2. Consider a credit freeze
While freezing your credit does introduce an obstacle when it comes to allowing someone to access your credit report (such as when you apply for a new bank card, loan, apartment or job), it also makes it more difficult for thieves to create new accounts using your information. Laws differ from one state to another regarding who may request a freeze and how much they will be charged. For most states that do charge, if fraud against you has not yet been committed as the result of a data breach, you may be charged around $10 to place the freeze. It’s important to contact all three credit reporting agencies, including Equifax.
If your information was included in this breach, and you decide against a credit freeze, you may wish to place a fraud alert on your files instead. A fraud alert warns creditors that you may be a victim of identity theft and that they should take additional steps to verify that anyone seeking credit in your name really is you.
3. File your taxes promptly
While thieves may use stolen information to create fraudulent bank accounts, they may also use it to file fraudulent tax returns. File your taxes as soon as you have the tax information you need and respond promptly to letters sent to you by the IRS. Note that the IRS will never communicate with you via email, so watch out for this type of fraud and don’t open emails purporting to be from the IRS.
4. Improve your login security
With all the information that is now available to thieves, they may try to combine it with attacks on other online accounts and services. It’s always a good idea to make sure you have strong, unique passwords for each account you use. If you’ve not yet enabled two-factor authentication wherever it’s available to you, now is a great time to make sure you have this in place.
5. Beware of scams
Criminals are aware that people will be feeling especially anxious about their security and privacy as a result of this incident. This could lead to other scams and has already inspired at least one phishing site passing itself off as an Equifax resource. Some people may, ironically, be more apt to fall for social engineering tactics and phishing schemes that prey on this fear. Never click on links in emails purporting to come from businesses using this angle, especially if they appear suspicious in any way. It’s a good idea, especially after major security events and other crises, to consider any link in an unsolicited email to be potentially malicious. Instead, you should type URLs that you know to be genuine into your browser directly if you need to contact companies.
There are plenty of things you can do to protect yourself without needing to contact Equifax right now. Equifax will contact affected consumers directly by mail, so for now, keep an eye on the news as more information comes to light.