Stretching Certificate Safety and Trust: Lessons from the Equifax Breach

September 11, 2017 | Eva Hanscom

On September 7th, Equifax announced roughly 143 million Americans may have been impacted by a large scale data breach. According to the credit card reporting agency, cyber criminals stole customer names, Social Security numbers, birthdates, driver’s license numbers and much more.

As part of their response to the breach, Equifax launched equifaxsecurity2017.com, a website where concerned users could check to see if they were caught in the incident. Unfortunately, the launch of the website was impacted by technical issues.

“In the early hours after the breach announcement, the site was being flagged by various browsers as a phishing threat,” wrote cyber security reporter and researcher, Brian Krebs. “In some cases, people visiting the site were told they were not affected, only to find they received a different answer when they used the same information to check on their mobile phones.”

Any time an event like this occurs, cyber criminals take advantage of consumer confusion and trust by creating phishing websites, often on an ongoing basis. In late March, encryption experts affiliated with the SSL Store released a report on fraudulent certificates issued by Let’s Encrypt. According to researcher Vincent Lynch, Let’s Encrypt issued 15,270 certificates containing the word “PayPal” between January 1st, 2016 and March 6th, 2017. Lynch points out that: “based on a random sample, 96.7% of these certificates were intended for use on phishing sites.”

Sadly, the risks and prevalence of phishing websites always increase during the aftermath of a major data breach. It’s imperative that organizations take steps to make sure their websites are properly validated.

“We should expect more targeted phishing attacks as a result of this incident,” said Nick Hunter, Venafi senior digital trust manager. “In spite of the catastrophic loss of all this personal data, it’s also an excellent opportunity to educate the industry on how attackers take advantage of the chaos following a breach. We have an opportunity to monitor the situation in order to determine how ‘bad actors’ use compromised data to expand their attacks, especially those whose goal is to make a profit via ransom. Spear phishing websites can be used to gain even more privileged accounts, PII and access to other organizations.”

What lessons can organizations learn from the Equifax breach that will help them limit exposure to phishing attacks? In other words, how can organizations protect themselves and prove their websites are authentic?

First and foremost, organizations should use Extended Validation (EV) certificates for their pages, or at minimum certificates that are not merely Domain Validated (DV). “Major organizations can use this as a differentiator by clearly demonstrating they have invested in the highest validated certificates. In addition, we must move away from the overuse of wildcard certificates. Many organizations use and rely on wildcard certificates for multiple domains. While this can be a valid strategy, attackers can also use these certificates to validate phishing domains.”

Ultimately, organizations must take steps now to validate their websites before cyber criminals take advantage of their customers’ trust. “Sadly, 99% of the public will trust the green padlock icon in their browser that supposedly tells them if a website is safe or not,” Nick laments. “It’s up to us to educate our organizations and consumers about certificate safety.”
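The three checks the advice above boils down to (is the certificate more than Domain Validated, does it carry a wildcard name, and does it carry a brand look-alike name of the kind the SSL Store report found for “PayPal”) can be automated as a triage routine. The following is an added example written for this post, not Venafi's code or any product's API. It takes certificates in the dictionary shape that Python's standard-library `ssl.SSLSocket.getpeercert()` returns, so it can be fed live data from a TLS connection; the DV/OV/EV classification is a heuristic based on subject attributes (an EV subject carries `businessCategory`, an OV subject carries `organizationName`, a DV subject carries neither), because `getpeercert()` does not expose certificate-policy OIDs. The sample certificates, the brand `example` and the domain `example.com` are constructed for the demonstration.

```python
"""Triage TLS certificates for the three risks the post calls out:
DV-only validation, wildcard names, and brand look-alike names.

Added example, not Venafi's code. Input is the dict shape produced by
ssl.SSLSocket.getpeercert(), so a live check looks like (assumption: your
own host, brand and domain list):

    ctx = ssl.create_default_context()
    with ctx.wrap_socket(socket.create_connection((host, 443)),
                         server_hostname=host) as s:
        report = assess_certificate(s.getpeercert(), brand="example",
                                    owned_domains=["example.com"])
"""
import re
from dataclasses import dataclass, field

# Subject attribute names as ssl.getpeercert() (OpenSSL long names) reports them.
ORG_ATTR = "organizationName"
# The CA/Browser Forum EV Guidelines require businessCategory in an EV subject;
# using its presence as the EV signal is a heuristic (assumption), since
# getpeercert() does not expose certificate-policy OIDs such as 2.23.140.1.1.
EV_ATTR = "businessCategory"


@dataclass
class Assessment:
    validation: str                        # "DV", "OV" or "EV" (heuristic)
    wildcard_names: list = field(default_factory=list)
    lookalike_names: list = field(default_factory=list)

    @property
    def risky(self) -> bool:
        """Any of the three findings the post warns about."""
        return (self.validation == "DV"
                or bool(self.wildcard_names)
                or bool(self.lookalike_names))


def _subject_attrs(cert: dict) -> dict:
    """Flatten getpeercert()'s nested ((('k', 'v'),), ...) subject into a dict."""
    return {k: v for rdn in cert.get("subject", ()) for k, v in rdn}


def _dns_names(cert: dict) -> list:
    """All DNS subjectAltName entries, lower-cased."""
    return [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def _under_owned(name: str, owned: list) -> bool:
    """True if name (wildcard prefix stripped) is one of, or sits under, owned domains."""
    host = name.lstrip("*.")
    return any(host == d or host.endswith("." + d) for d in owned)


def assess_certificate(cert: dict, brand: str, owned_domains: list) -> Assessment:
    attrs = _subject_attrs(cert)
    if ORG_ATTR not in attrs:
        level = "DV"     # no vetted organisation: DNS control alone obtained it
    elif EV_ATTR in attrs:
        level = "EV"
    else:
        level = "OV"
    names = _dns_names(cert)
    owned = [d.lower() for d in owned_domains]
    # Brand string inside a name the organisation does not control is the
    # "paypal-login.example" pattern from the SSL Store report.
    brand_re = re.compile(re.escape(brand.lower()))
    return Assessment(
        validation=level,
        wildcard_names=[n for n in names if n.startswith("*.")],
        lookalike_names=[n for n in names
                         if brand_re.search(n) and not _under_owned(n, owned)],
    )


# Constructed sample certificates in getpeercert() format (not real issuances).
LEGIT_EV = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Corp"),),
                (("businessCategory", "Private Organization"),),
                (("commonName", "www.example.com"),)),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
WILDCARD_OV = {
    "subject": ((("organizationName", "Example Corp"),),
                (("commonName", "*.example.com"),)),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}
LOOKALIKE_DV = {
    "subject": ((("commonName", "example-security2017.com"),),),
    "subjectAltName": (("DNS", "example-security2017.com"),
                       ("DNS", "www.example-security2017.com")),
}

if __name__ == "__main__":
    for label, cert in (("legit", LEGIT_EV), ("wildcard", WILDCARD_OV),
                        ("lookalike", LOOKALIKE_DV)):
        print(label, assess_certificate(cert, "example", ["example.com"]))
```

Run against a Certificate Transparency export of certificates mentioning your brand, the `lookalike_names` finding is what surfaces the “PayPal”-style issuances before customers meet them; run against your own hosts, `validation == "DV"` and `wildcard_names` are the two findings the post asks organizations to eliminate.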

Can you tell if a website’s certificate is trustworthy?

About the author

Eva Hanscom

Eva is Public Relations Manager at Venafi. She is passionate about educating the global marketplace about infosec and machine-identity issues, and in 2018 grew Venafi's global coverage by 45%.
