Jump to content
ATX Community

EQUIFAX REVISITED


Lee B

Recommended Posts

Excerpted from a long article in the CPA Journal :

https://www.cpajournal.com/2018/12/06/icymi-the-equifax-data-breach/

Why Is This Breach Different?

"Over the past decade, over 3 billion people’s personal information has been hacked from email providers like Yahoo or retailers like Target. The Equifax breach, however, is the first in which the “big four” personal security identifiers—name, address, birth date and Social Security number—were stolen from so many at once. These are the security authentication foundations for many commercial and other purposes (Robert Lemos, “Identity Verification Becomes Trickier in Wake of Equifax Breach,” eWeek, Sept. 11, 2017, http://bit.ly/2yMVLOu).

Possession of these identifiers may increase two forms of identity theft: new account fraud and account takeover. In new account fraud, a criminal uses the identifiers and possibly other information to open new credit accounts in a person’s name; the target does not find out until his credit rating is wrecked after the bills go unpaid. The aggravation, costs, and time spent on the resulting credit repair can be significant. In account takeover, the criminal uses the four identifiers to impersonate someone for various purposes, including creating fraudulent transactions. To CPA firms, one of the more familiar frauds of this type is the filing of phony income tax returns to steal tax refunds. In some cases, local CPA firm computers have been breached, enabling thieves to successfully perpetrate this type of fraud.

Recently, account takeover has been used to steal cell phone numbers, which can compromise multifactor authentication (MFA), an important cybersecurity best practice (Nathaniel Popper, “Identity Thieves Hijack Cellphone Accounts to Go After Virtual Currency,” New York Times, Aug. 21, 2017, http://nyti.ms/2jws7dq). MFA requires providing authenticating information in a manner different than the initial authentication; for example, some websites will, after the user has inputted her password, send a second verification code via text message that must also be inputted to log in. Another MFA method requires that the initiator make a call from a predetermined phone number; unfortunately, such a phone number can be imitated, and the security of the MFA rendered ineffective.

Weak MFA approaches could lull CPAs into a false sense of security. Many accounting software programs rely on two-factor authentication for sign-in or to reset forgotten passwords, and an increasing number of these programs enable the electronic transfer of funds from bank and investment accounts. With this type of account takeover on the rise, it may be wise to revisit the use of cellphone text messages for MFA, as well as explore more secure approaches.

In previous major breaches, the public attitude has generally been to accept the risk as the price of convenience. The Equifax breach, however, has taken public frustration over weak cyber-security to unprecedented levels (Ron Lieber, “Why the Equifax Breach Stings So Bad,” New York Times, Sept. 22, 2017, http://nyti.ms/2jvZvkT). The breach is beginning to instill general fear that the cybersecurity underpinning electronic commerce cannot be trusted."

Recently, I talked to an Investment Adviser with Key Investment Services who was no longer allowed to email clients for any reason.

Any emails sent to him had to go thru a security review process that significantly delayed his receipt of emails from clients.

I have also read several articles where more than one highly regarded IT Security Expert said that he had stopped using email due to all the hacks and scams

that are everywhere. Another article estimated that in a another year or two that in excess of 80 % of all emails worldwide will be generated by scammers & hackers.

Be very careful out there, the world has changed. We will have to adjust. 🤬

 

 

  • Like 2
  • Thanks 2
Link to comment
Share on other sites

On my Charles Schwab account, voice pattern authentication is now being offered and encouraged.

How it works is a password phrase is repeated 3 times and recorded.

From that point forward, you have to repeat that phrase in order to authenticate who you are .

It sounds promising, but if hackers could access the servers where those phrase recording were kept, then even this could compromised. 🤬

  • Like 1
  • Angry 1
Link to comment
Share on other sites

3 hours ago, cbslee said:

It sounds promising, but if hackers could access the servers where those phrase recording were kept, then even this could compromised. 🤬

In the first line, of the first post, it mentioned over 3 BILLION hacks..

The Equifax heist gave them all the keys.

There will not be a system that can't be compromised....  It will just be a matter of time.  This year, MFA.  Next year.. MFB and the year after that, MFC, Etc.

We should be lobbying Congress to change the rules to remove liability from folks that get hacked for less than, say, 10k records.  If you have between 10k and 1 million, your liability is this, and above that, then your liability is TBD.

I am not that worried about my practice being hacked, yes, I could be one of the unlucky ones, but, I think it is much more likely that ATX or CCH gets all our client records hacked...

Rich

  • Like 3
  • Angry 3
Link to comment
Share on other sites

CCH is requiring cell phone numbers for users of ProSystem fx and SiteBuilder starting this month, today really with the download of the tax software. I'm a sole proprietor, so don't care about setting up employees. I do need to call Monday to see if they mean that all CLIENTS who upload/download using FileShare on my website must provide a cell.

Link to comment
Share on other sites

What method of authentication is being used?  It's optional for Drake this year Drake and any Thomson Reuters products, like UltraTax or any standalone platforms such as their fixed asset program I use .  We are to acquire and link an MFA account to our phone or tablet, download each software provider's MFA app, then use that device to scan a QR box to generate a code that is manually entered each time we log in to the program.   

 

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...