Unsecure Customer Service Portal Exposes National ID Numbers
Equifax has a new problem on its hands: Argentina.
Investigators with Hold Security, a Wisconsin-based security consultancy, on Tuesday afternoon discovered an insecure internal customer service portal for the company’s Argentinian operations. The national ID numbers of at least 14,000 Argentinians have been exposed, but the breach could potentially affect tens of thousands more people.
The website held thousands of credit-related dispute records, faxes and national identity numbers for Argentinians who had filed complaints. It also stored the usernames and passwords in plaintext for around 100 of the company’s customer service representatives.
The findings were first reported by cybersecurity blogger Brian Krebs, who notified Equifax. The website has now been shut down.
The findings will put further pressure on Equifax, which has been criticized for its haphazard and slow response to a breach that exposed the personal details of 143 million U.S. consumers, as well as an as-yet-unspecified number of British and Canadian residents. Equifax said a vulnerability in a web application exposed the data to hackers between mid-May and July 29 (see Equifax: Breach Exposed Data of 143 Million US Consumers).
Alex Holden, founder and CTO of Hold Security, says in a phone interview Wednesday that the Equifax website for Argentina “could be exploited by a 3-year-old.” He says he didn’t use any advanced hacking techniques to uncover the breach.
Holden – a veteran investigator credited with discovering the massive Adobe Systems and Target data breaches in 2013 – says he still found the Equifax findings “completely unexpected and surprising.” Officials from Equifax could not be immediately reached for comment.
Holden says that following Equifax’s Thursday breach disclosure, he and his team began digging into other domains run by the company, including one for Argentina.
They began exploring Equifax’s dispute resolution service, where people can contest the accuracy of information the company has involuntarily collected about them.
Holden’s company has advisors from Argentina, who’ve told him that the credit industry is nascent there. Even so, Equifax appears to have amassed a fair bit of information on the country’s citizens.
Holden’s team found a small issue with the claim resolution service itself: it requires only a person’s gender and the number of their national identity document, referred to as a DNI, in order to view any outstanding cases.
By trimming the site’s URL path, however, Holden’s team also came across a portal called Veraz – meaning “truthful” in Spanish – which is used by customer service representatives to manage disputes. The username and password for the web-facing portal were “admin” and “admin,” respectively, Holden says.
“Honestly I tried [the credentials] once,” Holden says. “What we saw was really disturbing.”
His team took a cursory glance at the information stored inside the portal. The dispute cases go back to 2014, Holden says. They found 100,000 faxes recorded by the system and indications that Equifax’s system had also handled thousands of phone calls.
Holden says his team didn’t try to view the faxes. “We decided not to go too deep into it, to avoid trespassing,” he says. “We knew we were kind of in dangerous territory, but the idea is to let them know that there is exposure.”
Indeed, security researchers have landed in legal hot water for taking their research too far. Entering default authentication credentials would be illegal under most countries’ computer security laws.
National ID Numbers
The Equifax database discovered by Holden’s team contained 715 pages of records with 20 records per page, each of which contained someone’s DNI number, he says. That means more than 14,000 people are affected.
The breach is “a good way to undermine a country’s budding credit economy by having this [exposed],” Holden says.
The exposure also means that if an attacker has collected the information from the portal, it would be trivial to call Equifax and pretend to be someone else. “I can call and get them to do anything I want,” Holden says.
Credentials: Plaintext, Weak
Other aspects of the portal’s design also concerned the researchers. For example, the portal revealed a surprising amount of detail about 100 or so dispute resolution employees, both current and past. The page included their email address and employee ID, Holden says.
The authentication credentials for those employees were also stored insecurely. Pulling up an employee’s record, for example, showed the username in plaintext. The username appeared to be a variation of the employee’s real name.
The passwords for their accounts were obscured by asterisks. But Holden says that viewing the page’s HTML source revealed the plaintext password, which was the same as the employee’s username.
“Inside the [HTML] code, the password is there,” Holden says.
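The defect described above, a password field masked with asterisks in the browser but carried in plaintext in the page source, is one that a defender can check for mechanically. The script below is an added illustration and is not code from the article, from Hold Security or from Equifax. It parses a constructed sample page (the form action path and the employee names are made up; “Veraz” is only borrowed as a label) and flags every password input whose `value` attribute is pre-filled in the HTML, noting the worse case the article reports, where the pre-filled password equals the username.

```python
from html.parser import HTMLParser

# Constructed sample page (not from the article): an employee-record form that
# masks the password on screen but still ships the plaintext value in the source.
SAMPLE_PAGE = """
<html><body>
<form action="/veraz/employee/save" method="post">
  <input type="text" name="username" value="jperez">
  <input type="password" name="password" value="jperez">
  <input type="hidden" name="employee_id" value="1042">
  <input type="text" name="email" value="jperez@example.invalid">
</form>
<form action="/veraz/employee/save" method="post">
  <input type="text" name="username" value="mgomez">
  <input type="password" name="password" value="">
</form>
</body></html>
"""


class FormAuditor(HTMLParser):
    """Collect the <input> elements of each <form> so a form can be checked as a unit."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attributes = dict(attrs)  # html.parser lower-cases attribute names for us
        if tag == "form":
            self._current = {"action": attributes.get("action", ""), "inputs": []}
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(attributes)

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_page(html):
    """Return findings for password fields whose value is present in the HTML source.

    A correctly rendered edit form leaves the password input empty (or omits the
    value attribute entirely); a server that stores only a password hash has
    nothing it could echo back, which is the real fix.
    """
    parser = FormAuditor()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        by_name = {i.get("name"): i for i in form["inputs"]}
        for field in form["inputs"]:
            if field.get("type", "text").lower() != "password":
                continue
            value = field.get("value") or ""  # attribute absent or empty -> ""
            if not value:
                continue
            finding = {
                "action": form["action"],
                "field": field.get("name"),
                "issue": "password value present in HTML source",
            }
            username = (by_name.get("username") or {}).get("value")
            if username and username == value:
                finding["issue"] += "; password equals username"
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_page(SAMPLE_PAGE):
        print(f"{f['action']} field={f['field']}: {f['issue']}")
```

Pointing `audit_page` at fetched HTML of your own application’s admin pages turns it into a simple regression check: the audit should return an empty list, and any non-empty result means the server is writing a stored secret into a response body.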
Holden left it to Krebs to break the bad news to Equifax. Krebs writes that Equifax confirmed that it had disabled the portal following Hold Security’s findings, and that it was investigating.