The Equifax Breach Gives Hackers an Inside Look at Millions of Americans' Financial Data
Uncover how fraudsters will leverage data stolen from Equifax to compromise accounts, execute fraudulent transactions, and steal revenue from enterprises.
On Thursday, Equifax reported a massive data breach. The hackers targeted names, Social Security numbers, credit card numbers, and other personally identifiable information from 143 million Americans and over 8 million New Yorkers.
Equifax is one of the four main credit bureaus in the United States that aggregate and sell consumer credit and identity data, meaning the company has access to an extraordinary amount of personal and financial data for every American adult. So, how did the hackers get to our most sensitive information? Equifax says hackers accessed the data of millions of consumers between mid-May and July through a vulnerability in a web application, but the full details of the attack have not yet been disclosed.
While the details have not yet been fully disclosed, there is a good deal of consensus around the motive for this attack: the data will be sold to the highest bidder. Yes, it is that simple.
The sensitivity of the compromised data is more substantial in this case than in other recent breaches. This is not just “data,” but credit bureau data, the data we as a society have said is so sensitive that only the most trusted of institutions can access it. Unlike the data in many of the breaches we hear about, this data is “sticky,” meaning it will not change in the future the way a stolen credit card number does. This sticky data includes information such as a person’s name, address, date of birth, and Social Security number.
To consumers, this breach represents a new level of invasiveness, but the true victim will be America’s economy: insurers, the Internal Revenue Service, and our banks will be on the frontline.
The Equifax data can be used to open accounts ranging from bank accounts to fake insurance policies, and to file unauthorized tax returns.
If credit history is included in this breach, criminals would be able to select the most trustworthy identities to steal, take out credit in their name, loot their bank accounts, or take an existing account on a shopping spree.
When fraud from this breach starts to appear, consumers may be inconvenienced, but it is the banks, insurers, and government that will end up bearing the financial impact.
In light of this recent event, we expect to see regulatory pressure to ensure institutions entrusted with this type of information are better protected in the future. But that won’t stop the impending onslaught of fraud, and banks, insurers, and the government are poorly equipped to handle the levels of exposure they’ll be subjected to as a result of this data breach.
The data taken in this breach is the same data institutions are currently relying on for verifying consumers.
Simply running an ID verification check is no longer a viable solution. Financial institutions, insurers, and government agencies need to take proactive measures to identify fraud in the most vulnerable area: the online environment.
As part of the fallout from this breach, we expect up to 44 percent of the U.S. population will have personally identifiable information (PII) dumped onto the black market. While we’ve been working with leading financial institutions on preventing the various types of fraud that can be attributed to this type of breach, the reality is many still rely on outdated technologies.
Because of the increased regulatory oversight in the U.S., we anticipate seeing similar guidance to what was recently passed in Mexico requiring biometric authentication for account origination. We’ve been working with banks and regulators in Latin America on this very subject. Institutions–in the United States and around the world–need to be aware of the heightened level of exposure, digest how this breach has accelerated the situation, and take necessary proactive measures.
Institutions can’t wait for regulators and need to be proactive.
Technologies like biometrics are effective but can also inconvenience consumers and take extensive time to implement. Today, however, alternative solutions can achieve results similar to biometrics without impacting the consumer experience, unlike solutions that require special apps to log in or authenticate a consumer.
At Precognitive, we develop technology that performs “passive multi-factor authentication” and protects against the types of fraud the industry expects to see stemming from this breach. By using a multi-layered approach and combining device intelligence, behavioral biometrics and machine learning, we’re able to discern fraudsters from legitimate consumers. We do this by analyzing devices, internet connections, behavioral patterns and biometric signals in the background with zero impact or visibility to the consumer.