Computer criminals reset the “passwords” and stole W-2 tax information from customer employees of an Equifax subsidiary over the past year.
Unauthorized parties accessed TALX customers’ employee tax records sometime between 17 April 2016 and 29 March 2017.
A provider of HR, tax, and payroll services, TALX (now known as Equifax Workforce Solutions) has since notified several customers, including defense technology company Northrop Grumman and staffing/recruiting solutions provider Allegis Group, of the incidents.
The Equifax subsidiary sheds some light on what happened in a letter written to the New Hampshire Attorney General:
“TALX believes that the unauthorized third-party(ies) gained access to the accounts primarily by successfully answering personal questions about the affected employees in order to reset the employees’ pins (the password to the online account portal). Because the accesses generally appear legitimate (e.g., successful use of login credentials), TALX cannot confirm forensically exactly which accounts were, in fact, accessed without authorization, although TALX believes that only a small percentage of these potentially affected accounts were actually affected.”
As investigative information security journalist Brian Krebs notes, this notice contains way too many uncertain adverbs to inspire confidence in a recipient. But that’s only the beginning of what customers should be feeling after reading the statement above.
Now, tax records are serious business. They contain individuals’ Social Security Numbers, which fraudsters can use to claim a fraudulent refund. That’s why the United States Internal Revenue Service (IRS) seems to issue an alert about tax fraud and W-2 phishing attacks every year now.
Acknowledging the severity of the threat, one would hope a company like TALX would do everything in its power to create strong authentication measures for its customers and their employees. But it fell short because of what it considers to be a viable password. Just read the first sentence of the notice over again:
“TALX believes that the unauthorized third-party(ies) gained access to the accounts primarily by successfully answering personal questions about the affected employees in order to reset the employees’ pins (the password to the online account portal).”
PINs? Like the four digit pin codes we use for our payment cards? Those can be cracked in no time!
Don’t believe me? Just type any four-digit password into How Secure Is My Password. The amount of time it would take for a computer to crack any four-digit numeric combination ranges from “instantly” to two nanoseconds, i.e. two billionths of a second.
Sounds like another word for “instantly” to me.
Not only that, but the company used “knowledge-based authentication” (KBA) questions in the form of personal questions to verify employees. Attackers can easily guess the answers with some social engineering, or they can even use an online identity theft service that sometimes already contains people’s responses. As Nicholas Weaver, a senior researcher in networking and security for the International Computer Science Institute (ICSI), told Krebs:
“Whenever I’m faced with KBA-type questions I find that database tools like Spokeo, Zillow, etc are my friend because they are more likely to know the answers for me than I am.”
TALX is right to provide everyone affected by these incidents with free identity theft detection services. Employees might also want to consider placing a freeze on their credit report.
More importantly, they should demand that TALX strengthen its security program to use more complicated passwords, require multi-factor authentication (or at least two-step verification), and reject KBA questions. It’s the least any company can do when people’s Social Security Numbers are on the line.
And Equifax are one of the gov.uk Verify "trusted partners". it isn't the first time Equifax has had a data breach – see http://wp.me/p7MvnT-5
Come on now… 200 nanoseconds assumes there's is zero delay in trying each result to see if it is correct. Thats a ridiculous assertion. Login web pages rarely respond in under 1 second. So assuming there is no lockout feature it would take a few minutes. That is much more reassuring isn't it? (I jest). But- there is no evidence there that the PINs were brute forced, right? It's the RESET mechanism that was exploited.
Also, the accounts were reset one at a time, I see no count how many?
Yes, 4 digit PIN is lame. Yes, they are still used.
The funny part is watching security people like us run around with our hair on fire when we see it in the wild.
Surely these are all just bandaids for symptoms. The fundamental problem is that the US system seems to enable an attacker who simply knows someone's name and SSN to carry out a whole range of different frauds. Stop using a semi-public "secret" as an authenticator, for heaven's sake!