WEBVTT - Equifax

0:00:04.000 --> 0:00:07.960
<v Speaker 1>Equifax poured metaphorical lemon juice on a paper cut after

0:00:08.119 --> 0:00:12.039
<v Speaker 1>company representatives directed customers to a fake site to find

0:00:12.039 --> 0:00:14.480
<v Speaker 1>out if they had been affected by a security breach.

0:00:14.920 --> 0:00:22.759
<v Speaker 1>I'm Jonathan Strickland, and this is tech stuff data. On

0:00:22.880 --> 0:00:29.000
<v Speaker 1>July en, hackers gained access to Equifax's database. Equifax is

0:00:29.040 --> 0:00:33.239
<v Speaker 1>a consumer credit reporting agency. Along with Experian and TransUnion,

0:00:33.360 --> 0:00:36.080
<v Speaker 1>it is part of the Big three credit reporting agencies,

0:00:36.320 --> 0:00:38.800
<v Speaker 1>and the company has records on more than eight hundred

0:00:38.960 --> 0:00:44.080
<v Speaker 1>million people and their credit histories. A vulnerability on Equifax's

0:00:44.120 --> 0:00:46.960
<v Speaker 1>website allowed the hackers to snoop around and take an

0:00:47.080 --> 0:00:50.440
<v Speaker 1>enormous amount of information, including credit card numbers for more

0:00:50.479 --> 0:00:53.800
<v Speaker 1>than two hundred thousand people and personal identifying data for

0:00:53.840 --> 0:00:57.360
<v Speaker 1>a hundred eighty two thousand people, including social security numbers.

0:00:57.760 --> 0:01:00.160
<v Speaker 1>It's possible that the breach affected as many as one

0:01:00.960 --> 0:01:04.560
<v Speaker 1>three million people to some degree. As security breaches go,

0:01:05.040 --> 0:01:09.360
<v Speaker 1>this one was particularly bad. It led to discussions about

0:01:09.360 --> 0:01:13.240
<v Speaker 1>everything from network security to the United States' reliance on

0:01:13.280 --> 0:01:17.399
<v Speaker 1>the Social Security number system for just about everything. The

0:01:17.440 --> 0:01:21.720
<v Speaker 1>company kept the breach under wraps until early September twenty seventeen.

0:01:22.160 --> 0:01:25.119
<v Speaker 1>At that time, Equifax launched a tool that was supposed

0:01:25.160 --> 0:01:28.080
<v Speaker 1>to help customers determine if their data was among the

0:01:28.120 --> 0:01:31.399
<v Speaker 1>information stolen by hackers, so that they might then make

0:01:31.440 --> 0:01:34.920
<v Speaker 1>an informed decision about what to do next. Right away,

0:01:34.959 --> 0:01:37.560
<v Speaker 1>reports came out that the tool itself didn't appear to

0:01:37.600 --> 0:01:41.679
<v Speaker 1>be reliable. This wasn't helped when Equifax itself began to

0:01:41.720 --> 0:01:46.040
<v Speaker 1>send people to a fake testing site. The site Equifax

0:01:46.160 --> 0:01:48.800
<v Speaker 1>set up to help people verify whether or not they

0:01:48.800 --> 0:01:52.960
<v Speaker 1>had been affected has the URL www dot

0:01:53.080 --> 0:01:57.800
<v Speaker 1>Equifax Security seventeen dot com. The URL sets

0:01:57.800 --> 0:02:01.440
<v Speaker 1>this page apart from the primary domain, Equifax dot com,

0:02:01.560 --> 0:02:06.080
<v Speaker 1>and that's a big problem. At least one Equifax representative

0:02:06.120 --> 0:02:09.679
<v Speaker 1>tweeted out the wrong link to a potential victim. That

0:02:09.760 --> 0:02:15.640
<v Speaker 1>link was security Equifax dot com. The words Equifax and

0:02:15.680 --> 0:02:20.240
<v Speaker 1>security were swapped. Equifax deleted this incorrect tweet, but as

0:02:20.280 --> 0:02:25.359
<v Speaker 1>you're probably aware, nothing is ever truly deleted from the Internet.

0:02:25.840 --> 0:02:28.320
<v Speaker 1>That mistake in URL would lead users to

0:02:28.400 --> 0:02:32.040
<v Speaker 1>an actual site. If the dark mirror version of our

0:02:32.160 --> 0:02:34.560
<v Speaker 1>universe were the one we were in, that site would

0:02:34.600 --> 0:02:37.480
<v Speaker 1>have been another data mine so that criminals could entice

0:02:37.600 --> 0:02:41.480
<v Speaker 1>users to give up valuable information. In the information security

0:02:41.520 --> 0:02:46.040
<v Speaker 1>biz, we call that phishing with a ph. Fortunately, the

0:02:46.120 --> 0:02:50.160
<v Speaker 1>site wasn't in any way malicious. Instead, the site came

0:02:50.240 --> 0:02:53.760
<v Speaker 1>from Nick Sweeting, who wanted to show how Equifax's approach

0:02:53.880 --> 0:02:58.600
<v Speaker 1>was dangerous and irresponsible. Sweeting knew that the way Equifax

0:02:58.720 --> 0:03:02.200
<v Speaker 1>set up that site was a mistake. By registering a

0:03:02.240 --> 0:03:05.360
<v Speaker 1>domain that doesn't actually live on the Equifax dot com

0:03:05.480 --> 0:03:09.320
<v Speaker 1>domain itself, the company opened up the opportunity for someone

0:03:09.400 --> 0:03:12.920
<v Speaker 1>to create a fake or spoof site. Sweeting had no

0:03:13.000 --> 0:03:16.000
<v Speaker 1>intent on using the data people would submit through his

0:03:16.040 --> 0:03:19.160
<v Speaker 1>fake site to any malicious purpose. He just wanted to

0:03:19.240 --> 0:03:21.639
<v Speaker 1>drive home the fact that if he could do it,

0:03:22.160 --> 0:03:27.120
<v Speaker 1>so could a more criminal type person. The page he

0:03:27.160 --> 0:03:31.000
<v Speaker 1>created had a banner across the top that read cybersecurity

0:03:31.040 --> 0:03:35.560
<v Speaker 1>incident and important consumer information which is totally fake. Why

0:03:35.600 --> 0:03:38.640
<v Speaker 1>did Equifax use a domain that's so easily impersonated by

0:03:38.720 --> 0:03:44.000
<v Speaker 1>phishing sites? This happens frequently on the web. By copying

0:03:44.040 --> 0:03:48.000
<v Speaker 1>the look of an established trusted entity, data thieves can

0:03:48.000 --> 0:03:53.080
<v Speaker 1>convince people to hand over valuable information willingly. Upon casual observation,

0:03:53.120 --> 0:03:56.760
<v Speaker 1>the spoofed site seems perfectly legitimate. The thieves depend upon

0:03:56.840 --> 0:04:00.200
<v Speaker 1>the trust customers have with the institution or organization

0:04:00.280 --> 0:04:03.400
<v Speaker 1>they believe they are communicating with. In this case, not

0:04:03.480 --> 0:04:05.840
<v Speaker 1>only did Equifax set up a tool on a URL

0:04:05.960 --> 0:04:09.080
<v Speaker 1>outside of Equifax dot com, the company also

0:04:09.120 --> 0:04:12.360
<v Speaker 1>mistakenly advised customers to go to the fake site itself,

0:04:12.800 --> 0:04:16.640
<v Speaker 1>after already suffering a major setback in public confidence. This

0:04:17.160 --> 0:04:20.679
<v Speaker 1>was not a great move, and it really illustrated how

0:04:20.800 --> 0:04:25.320
<v Speaker 1>quick responses to a crisis can go terribly wrong. Sweeting

0:04:25.320 --> 0:04:27.920
<v Speaker 1>also pointed out that while he intended no harm, there

0:04:27.920 --> 0:04:32.200
<v Speaker 1>are surely parties active online right now that have darker intentions.

0:04:32.640 --> 0:04:34.680
<v Speaker 1>Many of these will go to great lengths to create

0:04:34.680 --> 0:04:38.160
<v Speaker 1>a believable experience to fool innocent users into giving up

0:04:38.200 --> 0:04:41.400
<v Speaker 1>more of their information. This is a double slap in

0:04:41.440 --> 0:04:44.040
<v Speaker 1>the face for people who are already worried that thieves

0:04:44.040 --> 0:04:48.880
<v Speaker 1>had stolen their data. It's a vulnerable population undergoing further exploitation.

0:04:50.279 --> 0:04:53.920
<v Speaker 1>Sweeting's argument is one many cybersecurity experts agree with. It's

0:04:53.920 --> 0:04:56.880
<v Speaker 1>a better idea for an organization to make any official

0:04:56.920 --> 0:05:00.599
<v Speaker 1>tool part of their primary domain rather than to set

0:05:00.680 --> 0:05:03.919
<v Speaker 1>up a new web domain. This reassures users that they

0:05:03.960 --> 0:05:07.120
<v Speaker 1>are dealing with the actual entity and not some random

0:05:07.240 --> 0:05:10.640
<v Speaker 1>data phisher. While Equifax is a recent target of this

0:05:10.760 --> 0:05:13.680
<v Speaker 1>sort of spoofing, there are lots of other examples, from

0:05:13.720 --> 0:05:16.840
<v Speaker 1>fake news sites to link farms that only exist to

0:05:16.880 --> 0:05:20.599
<v Speaker 1>generate page views and rack up advertising money. Spoofing is

0:05:20.640 --> 0:05:23.720
<v Speaker 1>a big deal on the web. It always benefits the

0:05:23.800 --> 0:05:26.160
<v Speaker 1>user to be careful when navigating to a URL

0:05:26.320 --> 0:05:28.920
<v Speaker 1>and to be absolutely sure that the site you're

0:05:29.000 --> 0:05:31.560
<v Speaker 1>visiting is a legitimate one before you share any of

0:05:31.560 --> 0:05:36.080
<v Speaker 1>your personal information. To learn more about information security, including

0:05:36.080 --> 0:05:38.960
<v Speaker 1>how good guys sometimes act like bad guys so that

0:05:39.000 --> 0:05:41.680
<v Speaker 1>they can stop the real bad guys, subscribe to the

0:05:41.720 --> 0:05:44.960
<v Speaker 1>Tech Stuff podcast. We dive deep into tech topics to

0:05:45.000 --> 0:05:47.240
<v Speaker 1>get a better understanding of how they work and affect

0:05:47.279 --> 0:05:50.359
<v Speaker 1>our lives. That's all from me for now, see you

0:05:50.400 --> 0:06:01.560
<v Speaker 1>next time.