The Equifax Breach: A Researcher’s Perspective

What Every US Taxpayer Needs to Know

SSN, DoB and other information (known as Fullz) have been floating around en masse throughout the Underground prior to the recent Equifax breach. The barrier to entry for acquiring and vetting fullz for sale made them valuable. Usually, fraudsters would capture SSNs and other personally identifiable information (PII) only after taking over a victim’s account, oftentimes by knowing their respective passwords. And even then, most companies would redact enough to make full SSNs difficult to acquire. Before the Equifax breach, if you had good account-level security and were confident that none of your accounts had been taken over, your SSN was relatively safe. The Equifax breach represents a shift in how we must think about our personal security in a new world where everyone is vulnerable. Regardless of how much you protect your online accounts, your SSN – and other PII – are most likely for sale right now.

A New Normal

The Equifax breach has opened the door to a new normal. But this wasn’t an isolated incident – let’s not forget the OPM breach. The scale of the Equifax breach was something that was going to happen eventually. Equifax was the unfortunate victim that opened the door and will be long remembered for doing so.  The new assumption must be that everyone’s information is now in the hands of threat actors.  Your SSN has now become less secure than your phone number – given that you can easily change your phone number. Unfortunately, your SSN and DoB can be used to activate new accounts even if your phone number isn’t accurate.  

What do we do now that Equifax has opened the door to high volumes of fraud? We need to adjust. But how? Can we ask the Social Security Administration to change our social security numbers? It might be worth asking if the standard procedure to change one’s SSN will scale to the level of the Equifax breach. Even then, old social security numbers are not destroyed. The Social Security Administration cross-references the new number to the original “to make sure the person receives credit for all earnings under both numbers.” But could this also be exploited by threat actors?

It’s not likely that we’ll see a change to the SSN process quickly. The Equifax breach will likely lead directly to massively high volumes of tax fraud. Tax fraud increases every year. It’s a volume play and threat actors are so advanced that they measure year-over-year performance. They even share their multi-year stats within their respective communities.

What Does This Mean and What Can I Do?

Each year, federal tax fraud gets more and more difficult for threat actors, so they increase the volume to get the results they need. State tax fraud (depending on the state) usually remains vulnerable at the same rate and provides better results. Either way, this is a numbers game. But this was before Equifax, when criminals had thousands of SSNs at their disposal. Now they have millions.

File your tax return as soon as possible.  Don’t give a fraudster ample time to target you by filing at the last minute.  Threat actors can automate the process and stage it. This is their business. If you don’t want to spend days upon days recovering from a fraudulent tax return that resulted in overpaid taxes being refunded to the threat actor, do not wait in 2018.  File on the first day.

Aside from filing your taxes as quickly as possible, you should also freeze your credit info and monitor your online identities. The steps for these have been shared by many; we include them below for the sake of completeness:

Step 1: Obtain a free credit report – you need a baseline now. You can start that process here: (federally mandated joint venture for free credit reports).

Step 2: Go to all three companies below and freeze your credit. Pay the $10 fee per site ($30 total) – it’s worth it. We recommend that you pay the fee but do not purchase the deep web scan – you get higher quality data and full context for free from SpyCloud.

Step 3: Continuously monitor your existing bank accounts closely. Follow up on all strange activity.

Step 4: Every 3 months, run another free credit report (each company above will give you 1 free report a year) to make sure that no new accounts have been opened.

Step 5: Enable Multi-Factor Authentication (MFA) on your bank accounts and your email accounts! Your SSN, DoB, phone numbers and passwords could all be put together by these threat actors.

Step 6: File your taxes as soon as possible (even if you have to pay additional taxes). The belief that there is no advantage to filing early is no more.

Stop exposures from becoming account breaches.