Equifax poured metaphorical lemon juice on a paper cut after company representatives directed customers to a fake site to find out if they had been affected by a security breach. I'm Jonathan Strickland, and this is Tech Stuff Daily.

In July, hackers gained access to Equifax's databases. Equifax is a consumer credit reporting agency. Along with Experian and TransUnion, it is part of the Big Three credit reporting agencies, and the company has records on more than eight hundred million people and their credit histories. A vulnerability on Equifax's website allowed the hackers to snoop around and take an enormous amount of information, including credit card numbers for more than two hundred thousand people and personal identifying data for a hundred eighty-two thousand people, including Social Security numbers. It's possible that the breach affected as many as 143 million people to some degree. As security breaches go, this one was particularly bad. It led to discussions about everything from network security to the United States' reliance on the Social Security number system for just about everything.

The company kept the breach under wraps until early September 2017. At that time, Equifax launched a tool that was supposed to help customers determine if their data was among the information stolen by hackers, so that they might then make an informed decision about what to do next. Right away, reports came out that the tool itself didn't appear to be reliable. This wasn't helped when Equifax itself began to send people to a fake testing site.

The site Equifax set up to help people verify whether or not they had been affected has the URL www.equifaxsecurity2017.com. The URL sets this page apart from the primary domain, equifax.com, and that's a big problem. At least one Equifax representative tweeted out the wrong link to a potential victim. That link was securityequifax2017.com. The words "Equifax" and "security" were swapped. Equifax deleted this incorrect tweet, but as you're probably aware, nothing is ever truly deleted from the Internet. That mistake in the URL would lead users to an actual site. If the dark mirror version of our universe were the one we were in, that site would have been another data mine, so that criminals could entice users into giving up valuable information. In the information security biz, we call that phishing, with a "ph".

Fortunately, the site wasn't in any way malicious. Instead, the site came from Nick Sweeting, who wanted to show how Equifax's approach was dangerous and irresponsible. Sweeting knew that the way Equifax set up that site was a mistake. By registering a domain that doesn't actually live on the equifax.com domain itself, the company opened up the opportunity for someone to create a fake or spoof site. Sweeting had no intention of using the data people would submit through his fake site for any malicious purpose. He just wanted to drive home the fact that if he could do it, so could a more criminal type of person. The page he created had a banner across the top that read "Cybersecurity Incident & Important Consumer Information Which is Totally Fake."

Why did Equifax use a domain that's so easily impersonated by phishing sites? This happens frequently on the web. By copying the look of an established, trusted entity, data thieves can convince people to hand over valuable information willingly. Upon casual observation, the spoofed site seems perfectly legitimate. The thieves depend upon the trust customers have in the institution or organization they believe they are communicating with. In this case, not only did Equifax set up a tool on a URL outside of equifax.com, the company also mistakenly advised customers to go to the fake site itself, after already suffering a major setback in public confidence. This was not a great move, and it really illustrated how quick responses to a crisis can go terribly wrong.

Sweeting also pointed out that while he intended no harm, there are surely parties active online right now that have darker intentions. Many of these will go to great lengths to create a believable experience to fool innocent users into giving up more of their information. This is a double slap in the face for people who are already worried that thieves had stolen their data. It's a vulnerable population undergoing further exploitation.

Sweeting's argument is one many cybersecurity experts agree with. It's a better idea for an organization to make any official tool part of its primary domain rather than to set up a new web domain. This reassures users that they are dealing with the actual entity and not some random data phisher. While Equifax is a recent target of this sort of spoofing, there are lots of other examples, from fake news sites to link farms that only exist to generate page views and rack up advertising money. Spoofing is a big deal on the web. It always benefits the user to be careful when navigating to a URL and to be absolutely sure that the site you're visiting is a legitimate one before you share any of your personal information.

To learn more about information security, including how good guys sometimes act like bad guys so that they can stop the real bad guys, subscribe to the Tech Stuff podcast. We dive deep into tech topics to get a better understanding of how they work and affect our lives. That's all from me for now. See you next time.
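The check a practitioner would want from the episode above, as an added example that is not part of the podcast and is not code from Equifax or from Nick Sweeting: given a link a support agent is about to publish (or a link a customer has received), decide whether it lives under the organisation's primary registrable domain, and if not, whether it is a brand-bearing lookalike. The two hostnames from the story are used as inputs; the helper names and the "official / lookalike / unrelated" labels are my own. It assumes a single primary domain with an ordinary two-label suffix like .com (no public-suffix list is consulted), which is stated in the comments.

```python
"""Lookalike-domain check for the Equifax / securityequifax2017.com lesson.

Added example, not code from the podcast, Equifax or Nick Sweeting.
Assumption: the organisation has one primary registrable domain and it
ends in a simple suffix such as .com, so no public-suffix list is needed.
"""
import re
from urllib.parse import urlsplit

# The organisation's primary registrable domain. The episode's argument is
# that anything the company publishes should live under it.
OFFICIAL_DOMAIN = "equifax.com"
# Brand words whose presence in a host name OUTSIDE the official domain is
# the signature of a spoof or lookalike site.
BRAND_TOKENS = ("equifax",)


def hostname_of(url: str) -> str:
    """Extract a lower-cased host from a URL or a bare domain.

    urlsplit() only sees a netloc when a scheme is present, so one is
    supplied for bare links like "equifax.com/help". The .hostname
    property drops userinfo and the port, which defeats the classic
    "https://equifax.com@evil.example/" trick.
    """
    if "//" not in url:
        url = "https://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def is_under(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it.

    Label-aware: "notequifax.com" must NOT count as under "equifax.com".
    """
    return host == domain or host.endswith("." + domain)


def classify_link(url: str,
                  official: str = OFFICIAL_DOMAIN,
                  brand_tokens=BRAND_TOKENS) -> str:
    """Return "official", "lookalike" or "unrelated" for a link.

    official : under the primary domain, safe to publish or follow.
    lookalike: carries the brand in its name but is not under the primary
               domain. Note that BOTH equifaxsecurity2017.com (the real
               tool) and securityequifax2017.com (Sweeting's spoof) land
               here, which is exactly why the real tool was a mistake.
    unrelated: neither.
    """
    host = hostname_of(url)
    if is_under(host, official):
        return "official"
    # Strip hyphens and digits so "equi-fax2017" still reads as the brand.
    squashed = re.sub(r"[-\d]", "", host)
    if any(token in squashed for token in brand_tokens):
        return "lookalike"
    return "unrelated"


def safe_to_publish(url: str) -> bool:
    """Pre-publication gate for support replies and tweets: only links
    under the official domain pass."""
    return classify_link(url) == "official"


if __name__ == "__main__":
    # Constructed sample: the two hosts from the episode plus a few
    # common phishing shapes.
    for link in (
        "https://www.equifax.com/personal/",
        "https://www.equifaxsecurity2017.com/",           # Equifax's real tool
        "https://securityequifax2017.com/",               # Sweeting's spoof
        "https://equifax.com.example.net/",               # brand as a subdomain
        "https://equifax.com@securityequifax2017.com/",   # userinfo trick
        "https://www.experian.com/",
    ):
        print(f"{classify_link(link):10s} {link}")
```

Run it and the real Equifax tool is flagged exactly like the spoof, because the test a user can actually apply is "is this under equifax.com?", and neither site passes. A support desk that gated outgoing links through `safe_to_publish` would have been unable to tweet either URL.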
