Equifax site’s code had malicious content

San Francisco Chronicle - BUSINESS - By Jim Puzzanghera and Lauren Raab. Jim Puzzanghera and Lauren Raab are Los Angeles Times writers.

WASHINGTON — Equifax took part of its website offline Thursday after code on the site redirected users to a malicious URL urging them to download malware.

Also Thursday, a top Republican congressman introduced a bill that would stop credit reporting companies such as Equifax from using Social Security numbers to verify Americans’ identities.

The moves come a month after Equifax revealed that a data breach exposed the Social Security numbers and birth dates of as many as 145.5 million Americans. That hack took place after Equifax failed for several months to fix a software flaw that federal officials had warned about in March.

Late Wednesday, independent security analyst Randy Abrams said in a blog post that while he was trying to download his credit report from the Equifax site, he clicked a link that kicked him to a third-party website with “one of the ubiquitous fake Flash Player Update screens.” His post was first reported by technology news site Ars Technica.

Equifax said Thursday afternoon that the problem stemmed from code provided by a third party.

“The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor’s code running on an Equifax website was serving malicious content,” the company said. “Since we learned of the issue, the vendor’s code was removed from the Web page and we have taken the Web page offline to conduct further analysis.”

Equifax emphasized that its “systems were not compromised” and said that despite early reports, the problem “did not affect our consumer online dispute portal.”

Its representatives did not answer questions about when the company learned of the problem or how many website visitors clicked the link.

Everyone uses third-party code, said Jeff Williams, chief technology officer and cofounder of Contrast Security. However, he said in a statement, doing so “creates an obligation to analyze for vulnerabilities continuously and respond to new vulnerabilities/attacks within hours.”
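The article does not say what control, if any, Equifax had on the vendor script. The standard browser-side defence against exactly this failure mode, a third-party script that starts serving different content than the one the site owner reviewed, is Subresource Integrity (SRI): the page pins a hash of the script, and the browser refuses to execute anything that does not match. The code below is an added illustration written for this page, not Equifax's or the vendor's code; the vendor script contents, the vendor URL (vendor.example) and the fake update URL (fake-flash-update.example) are constructed samples.

```python
import base64
import hashlib
import hmac

# Constructed sample: the third-party performance-monitoring script as it looked when the
# site owner reviewed and pinned it (hypothetical content, not any real vendor's script).
PINNED_VENDOR_SCRIPT = (
    b"(function(){window.perfBeacon=function(t){"
    b"navigator.sendBeacon('/collect',JSON.stringify(t));};})();"
)

# Constructed sample: the same script after what the vendor serves has been altered to
# bounce visitors to a fake "Flash Player update" page (hypothetical URL).
TAMPERED_VENDOR_SCRIPT = (
    PINNED_VENDOR_SCRIPT
    + b"\nwindow.location='https://fake-flash-update.example/update';"
)


def sri_integrity(script_bytes: bytes, algo: str = "sha384") -> str:
    """Return the SRI integrity value for a script: '<algo>-<base64 digest>'.

    Browsers accept sha256, sha384 and sha512 here; sha384 is the usual choice.
    """
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI only allows sha256, sha384 or sha512")
    digest = hashlib.new(algo, script_bytes).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, integrity: str) -> str:
    """Build the <script> tag a site embeds so the browser rejects a modified script.

    crossorigin="anonymous" is required for SRI on a cross-origin resource, and the
    vendor must send a CORS header for the fetch to succeed at all.
    """
    return (
        f'<script src="{src}" integrity="{integrity}" '
        f'crossorigin="anonymous"></script>'
    )


def integrity_matches(script_bytes: bytes, pinned_integrity: str) -> bool:
    """Server-side monitor: do the bytes the vendor currently serves match the pin?

    A site can run this on a schedule against the live vendor URL (the fetch is left
    out so the example runs offline) and alert when it returns False; a browser given
    the same pin would refuse to execute the script at that point.
    """
    algo, _, expected_b64 = pinned_integrity.partition("-")
    if not expected_b64:
        raise ValueError("integrity value must look like '<algo>-<base64>'")
    return hmac.compare_digest(sri_integrity(script_bytes, algo), pinned_integrity)


if __name__ == "__main__":
    pinned = sri_integrity(PINNED_VENDOR_SCRIPT)
    print(script_tag("https://vendor.example/perf.js", pinned))
    print("original matches pin:", integrity_matches(PINNED_VENDOR_SCRIPT, pinned))
    print("tampered matches pin:", integrity_matches(TAMPERED_VENDOR_SCRIPT, pinned))
```

The trade-off a practitioner should expect: SRI only works with a vendor that serves a fixed, versioned file. A vendor that silently updates its script will simply stop loading on the pinned page, which is the intended forcing function, since re-pinning means someone reviews the new version first. It does nothing against a vendor whose reviewed script was already malicious, and it does not replace the continuous monitoring Williams describes.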

This wouldn’t be the first time that people trusting Equifax have been sent to a questionable third-party site.

After announcing the data breach last month, Equifax set up a website — www.equifaxsecurity2017.com — to help people determine whether they had been affected. But on multiple occasions, Equifax’s Twitter account instead advised people to go to a different site with a similar URL. That site had been created by an engineer who wanted to show how easy it would be to set up a phishing site that mimicked Equifax’s.

Separately, Rep. Patrick McHenry, R-N.C., introduced legislation Thursday that would crack down on credit reporting companies. It would require Equifax, Experian and TransUnion to phase out the use of Social Security numbers by 2020.

The legislation also would create a national framework for consumers to freeze access to their credit to prevent identity theft, and it would require the federal government to create uniform cybersecurity standards for credit reporting companies and to conduct on-site examinations.

“The bill I’ve introduced today takes an important first step in providing meaningful reforms to help Americans who have been impacted by this breach,” McHenry said. “It is focused on prevention, protection and prohibition.”

The breach revealed last month, and Equifax’s bungled handling of its aftermath, led to bipartisan outrage. The company’s former chief executive, Richard Smith — who stepped down after the breach was disclosed — was slammed by lawmakers in four congressional hearings last week.
