2

Given that literally every single US resident's information is now exposed to hackers and malicious social engineers, what are some threats that we will inevitably encounter in the coming months or years with this massive data breach?

1 Answer

1

Disclaimer: There is a lot of speculation involved with this one.


TL;DR:

A truckload of very useful data has been stolen. We don't really know who the attackers are, and Equifax wasn't really helpful in providing transparency to customers. It might be different when they interact with law enforcement (let's all hope so). If a well-organized group of hackers has the right tools and a cause, identity theft might become even more common than it is now, just because of the sheer mass of people affected. If you are one of them, take action, freeze your credit files and stay informed! In any case, a lot of money will be lost through credit card fraud. The only question is: how much? The amount will be determined by the actions of policy makers and credit reporting agencies in the near future. Hopefully they will learn from this event and take action as well.


First we have to look at what has been stolen from Equifax. According to this NYT article, as of the 7th of October we are talking about:

According to the company, thieves took names, Social Security numbers, birth dates and addresses for up to 145.5 million people. They also helped themselves to some smaller number of driver’s license numbers.

Thieves may have your credit card number, too; this is the case for more than 200,000 people, and Equifax has said that it let those people know by mail.

Equifax has said that it has no evidence of a breach in its core consumer or commercial credit reporting databases, so your payment history is not floating around in the ether somewhere. Nor did the thieves get PINs that people use to unlock their frozen credit files.

Emphasis mine.

Wikipedia also mentions between 400,000 and 44 million(!) British residents whose data may have been compromised.

You could argue that this information has a lot of potential to be incorrect. Equifax hasn't been the most transparent and trustworthy institution while handling this whole mess. But let's be faithful and hope this is all there is.


After gathering the information that we have been given until now, let's get to the real questions here:

  1. What can one bad guy do with a name, a birth date, an address and:
    1. one social security number?
    2. one credit card number?
    3. one driver's license number?
  2. What can a group of bad guys do with a million names, addresses, birthdays and all of the above?
  3. What can a big group of bad guys do with a hundred million names and all of the above?

1.1. What can a bad guy do with a name, a birth date, an address and one social security number?

You can do a whole lot of crazy stuff with this dataset. Apart from identity theft, you can apply for a credit card or a loan, open a bank account, rent a flat and so on and so forth. But: a service provider, for basically every kind of finance-related service in the US, needs to access your credit files beforehand. That is why Equifax and most media outlets recommend freezing your credit files if you are a victim of the breach [but this may also be a good idea if not]. As far as I understand the matter, if your files are frozen, no such services can be used.

1.2. What can a bad guy do with a name, a birth date, an address and one credit card number?

I'm not 100% familiar with credit card fraud, but typically the most crucial part besides the data mentioned above is the 3-digit security number that is on the back of a credit card, typically known as the CVV (card verification value) or CSC (card security code). And, as far as the leaks go, they seem to be safe. But: as an attacker you could just start guessing the CVVs. I've found this article that describes how a distributed guessing attack works. (In short: a webshop gives you five attempts before you get locked out, you guess 5 times, if you are lucky: hooray, if not, you move on to the next shop.) If you have 200,000 credit card numbers (plus names and everything else), you compile a big list of webshops, get a good IP range or some bots, start guessing today, and have all the CVVs in a week's time tops.

What then? You either start buying some nice gear or you get some inspiration here or from a lot of other sources around the web.

1.3. What can one bad guy do with a name, a birth date, an address and one driver's license number?

I'm not entirely sure how valuable/useful this information is. From what I've read, it seems that it's not that hard to come by. So this is probably the least of your concerns.

2. What can a group of bad guys do with a million names, addresses, birthdays and all of the above?

Now it gets in-te-res-ting! So far we have seen that it is pretty easy to use the data that has been obtained from Equifax. But how big is the impact if it is used in the way most harmful to customers and corporations?
After large breaches of data most users typically don't change their login credentials[citation needed]. This has several reasons: 1. they are not aware of the situation, 2. they don't know that they are affected, 3. they are just too lazy. I assume that we will see the same behavior in regard to credit file freezes. This is highly speculative, but I would say that a generous estimate would be that maybe a third of the affected population freezes their credit files.
Let's do a little math, people!: 145M - (145M * 0,33) = 97,15M so this would leave roughly 100 Million people affected! A possible scenario for a big number (one million) of cards can be found in this Wikipedia article (under Fraud). To give a short summary: on a very large amount of credit cards, a relatively low amount of money was charged. This amount was so low that it was just under the estimated threshold of when a credit card company would start a fraud investigation, if they suspect suspicious behavior ($9 vs. $10). The money was then transferred overseas and could not be traced by the authorities. This seems like an operation that can be done by a small team of not more than 10 people. The more manpower you have, the faster you can attack each credit card. This is one possible scenario. There are plenty of others.
The damage done in this case would be $1,800,000. That's a lot at first glance, but it is evenly distributed over a lot of people and several companies. So this will definitely not hurt the American economy as a whole. It gets problematic if a malicious group starts targeting a small group of individuals or companies.
You want to ruin any medium-sized company X with a webshop? Start ordering their products with 100,000 credit cards over 6 months. This will be joyful for them at first. Company X thinks they somehow made the deal of the century, selling all their products and making new ones as fast as they can, but when customers start to phone them 24/7, because they got some weird stuff in their mail that they never ordered and got charged 50 bucks as well, this will get ugly quickly.
With great money, comes great responsibility. Hackers oftentimes don't have any.

3. What can a big group of bad guys do with a hundred million names and all of the above?

The scenarios I mentioned before can probably be done by a well-organized small group of people. We have seen big-scale attacks that have been planned and executed by small groups of hackers. If you have a big (>15), well-organized group (or groups) of hackers with a cause, a lot of time and good equipment, they could do some serious work. Imagine this: what if 200,000 Americans were using their credit cards right now online in a concerted action? That could DDoS a lot of financial services, shops or banks. Or: you could donate a lot of money somewhere. These are only the sets of data where the credit card data is available. If the bad guys are somehow able to open up bank accounts or to apply for a looooot of credit cards and use these, the damage could be really big. But this is a point where the speculation probably gets a bit out of hand, so I will stop here.


One last thing I want to mention is the sale of compromised data.
A phenomenon we could observe after a significant breach is that one single group of hackers was not able to make use of all the data they had stolen or they didn't even try to use the data at all. So what they did was this: Either they kind of "sorted" the stolen data Cinderella-style. The good ones go into the pot, the bad ones go into your crop. Everything that went into the crop was put into neat purchasable portions. After a while bits and pieces of the once big chunk of compromised data were then found scattered over the dark net. Or they just sold everything there. If this happens, this might be good news, because less data in a lot of people's hands might be better than all of the data in the hands of one small group.


Tom K.
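An added example, not part of the original answer: the distributed guessing described in section 1.2 stays within every individual shop's attempt limit, so it only becomes visible when CVV failures are counted per card across all merchants, as a card issuer could do. The event format, card tokens, shop names, issuer limit and window below are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

ISSUER_LIMIT = 10       # assumed: CVV failures tolerated per card per window
WINDOW_SECONDS = 3600   # assumed sliding window

def per_merchant_view(events):
    """Highest CVV-failure count any single merchant sees, per card."""
    counts = defaultdict(int)
    for _ts, card, merchant, cvv_ok in events:
        if not cvv_ok:
            counts[(card, merchant)] += 1
    worst = defaultdict(int)
    for (card, _merchant), n in counts.items():
        worst[card] = max(worst[card], n)
    return dict(worst)

def issuer_view(events, limit=ISSUER_LIMIT, window=WINDOW_SECONDS):
    """Cards whose CVV failures across ALL merchants exceed `limit` inside
    the window. Returns {card: distinct merchants involved when flagged}."""
    recent = defaultdict(deque)           # card -> (timestamp, merchant)
    flagged = {}
    for ts, card, merchant, cvv_ok in sorted(events):
        if cvv_ok:
            continue
        q = recent[card]
        q.append((ts, merchant))
        while q and ts - q[0][0] > window:
            q.popleft()                   # drop failures older than window
        if len(q) > limit and card not in flagged:
            flagged[card] = len({m for _, m in q})
    return flagged

def build_sample():
    """Constructed events: (unix_ts, card_token, merchant, cvv_ok)."""
    events, t = [], 0
    for shop in range(4):                 # tok_A: 5 failures at each of 4 shops
        for _ in range(5):
            events.append((t, "tok_A", f"shop{shop}", False))
            t += 60
    # tok_B: an ordinary cardholder mistypes twice, then succeeds
    events += [(100, "tok_B", "shop0", False),
               (130, "tok_B", "shop0", False),
               (160, "tok_B", "shop0", True)]
    return events

if __name__ == "__main__":
    sample = build_sample()
    print("worst per-merchant count:", per_merchant_view(sample))
    print("flagged by issuer-wide count:", issuer_view(sample))
```

No shop in the sample ever sees more than five failures for a card, yet the issuer-wide counter flags `tok_A` on its eleventh failure and leaves the mistyping cardholder alone.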