This is a guest post from Next Caller Consultant, Brett Johnson, @GOllumfun
For a cybercriminal involved in anything credit related, this breach is as good as it gets. Everything a crook needs to make substantial money, Equifax gave to them.
Here’s what we know has been compromised:
Date of Birth
Social Security Number
Credit Card Numbers
This May Only Be the Tip of the Iceberg
First, you can be almost certain that Equifax is downplaying the extent of the breach. They’ve gone public with a large number of those who may be affected, but I would expect it to be much larger. In particular, it’s likely that hackers got their hands on more credit card numbers and dispute documents than reported.
Unfortunately, the data leaked is such that victims of the data face a potential lifetime of identity theft. This data can be used for years and years. There’s a myriad of ways that bad actors will try and leverage what they’ve stolen.
Here’s a closer look at some of the breached data and just what can be accomplished with it when it’s in the wrong hands.
Criminals use the dispute process to quickly add information to a victim's credit report. For example, for a criminal that has a victim fullz (complete identity profile), they can use the dispute process to add an address or phone number to the credit report which he would control. Adding alternate addresses to credit reports has quickly become one of the go-to methods for online crooks. Two of the most popular ways to accomplish this has been made much easier thanks to the folks at Equifax.
The first way has the crook reading over the victim’s credit report and finding a low level (read low security) account. Think utilities. The crook will then call in and just ask for an update to billing address, or change of phone number. Since the utility is listed on the credit report, the crook knows the address or phone change will be reported to the credit bureau.
The other method works well with setting up synthetic identities, as well as adding information to existing credit reports. The fraudster will use a victims information and start a dispute process online with the credit bureau. They will go through all the steps of the dispute process, inputting the new address he wishes to add to the credit report. Depending on whether the crook is committing synthetic fraud or regular identity theft determines whether or not the crook even needs to submit the dispute form. Turns out our good friends at Equifax collect the data even if the user never actually submits the form. Once the address of the phone number is there, he or she can easily open new accounts or order replacement cards shipped to where the criminal wants. This is a VERY powerful tool. The exploit alone can net a criminal an easy $20k-$40k per profile. Do 5-10 of them a month and you get the idea.
Credit Card Numbers
Certainly, a criminal can use the card numbers to order stuff. That is a given and will be very prevalent. But, the criminal can also take the card number, along with the other data gotten, and take over the account, giving him or her complete access to the credit card. What’s the difference? Just using a credit card without taking over the account (ATO) will often net $500-$1000. Experienced criminals can get a few thousand depending on which site they card. But when they do take over the account the hacker can net 80% of whatever the available credit is on the card.
But that isn't all. So the criminal has the credit card number. Say it is an Amex number. The criminal can order a replacement card for the Amex number and because of an exploit in the Amex system can know the card number, expiration date, and cvv of the replacement before it is even sent out.
Personally Identifiable Information (PII)
The only thing not given to the criminals was the Mother’s maiden. What does that mean? It means that for the next several years, the information of all those people can easily be used to commit various types of fraud. So new accounts, ATO existing accounts, use the person's info to set up a business and apply for business credit, take out all types of loans. The list keeps going. This is really the best Christmas gift a criminal could ever get.
How can fraudsters use that PII? A whole slew of examples below:
Apply for new credit cards
Take over existing Credit cards
Apply for loans: Home Equity, Student, Business, Personal
Set up bank accounts
Use PII to apply for business credit
If senior citizen, use info to take over their SS benefits
Get lots of phones through providers
Use PII to get tax info, file taxes
Literally, the sky's the limit. The criminals who have persistent access to the data obtained are going to make a LOT of money.
Synthetic Fraud happens when a criminal combines real (usually stolen) and fake information to create a new identity, which is used to open fraudulent accounts and make fraudulent purchases. This is an area that’s only been mentioned briefly in the media coverage around the breach. The breach gives enough data to be able to manipulate information to an extent at Equifax. No, I’m not saying that you can go in and change your credit score. I am saying that the info leaked along with dispute documents, credit card numbers, etc., provides nefarious parties an easy way to manipulate data. In other words, the success rate for synthetic fraud for these guys just skyrocketed. To be fair, synthetic fraud was already easy to pull off. It just got a lot easier and even more profitable.
You cannot overstate how big this is breach is. To put it simply, If I were still breaking the law I would be an extremely happy camper.