Stretching Certificate Safety and Trust: Lessons from the Equifax Breach

September 11, 2017 | Emil Hanscom

On September 7th, Equifax announced that roughly 143 million Americans may have been impacted by a large-scale data breach. According to the credit card reporting agency, cyber criminals stole customer names, Social Security numbers, birthdates, driver’s license numbers and much more.

As part of their response to the breach, Equifax launched a website where concerned users could check to see if they were caught up in the incident. Unfortunately, the launch of the website was marred by technical issues.

“In the early hours after the breach announcement, the site was being flagged by various browsers as a phishing threat,” wrote cyber security reporter and researcher, Brian Krebs. “In some cases, people visiting the site were told they were not affected, only to find they received a different answer when they used the same information to check on their mobile phones.”

Whenever an event like this occurs, cyber criminals take advantage of consumer confusion and trust by creating phishing websites, often for a long time after the event. In late March, encryption experts affiliated with the SSL Store released a report on fraudulent certificates issued by Let’s Encrypt. According to researcher Vincent Lynch, Let’s Encrypt issued 15,270 certificates containing the word “PayPal” between January 1st, 2016 and March 6th, 2017. Lynch points out that: “based on a random sample, 96.7% of these certificates were intended for use on phishing sites.”

Sadly, the risks and prevalence of phishing websites always increase during the aftermath of a major data breach. It’s imperative that organizations take steps to make sure their websites are properly validated.


“We should expect more targeted phishing attacks as a result of this incident,” said Nick Hunter, Venafi senior digital trust manager. “In spite of the catastrophic loss of all this personal data, it’s also an excellent opportunity to educate the industry on how attackers take advantage of the chaos following a breach. We have an opportunity to monitor the situation in order to determine how ‘bad actors’ use compromised data to expand their attacks, especially those whose goal is to make a profit via ransom. Spear phishing websites can be used to gain even more privileged accounts, PII and access to other organizations.”

What lessons can organizations learn from the Equifax breach that will help them limit exposure to phishing attacks? In other words, how can organizations protect themselves and prove their websites are authentic?

First and foremost, organizations should use Extended Validation (EV) certificates for their pages rather than certificates that are only Domain Validated (DV). “Major organizations can use this as a differentiator by clearly demonstrating they have invested in the highest validated certificates. In addition, we must move away from the overuse of wildcard certificates. Many organizations use and rely on wildcard certificates for multiple domains. While this can be a valid strategy, attackers can also use these certificates to validate phishing domains.”

Ultimately, organizations must take steps now to validate their websites before cyber criminals take advantage of their customers’ trust. “Sadly, 99% of the public will trust the green padlock icon in their browser that supposedly tells them if a website is safe or not,” Nick laments. “It’s up to us to educate our organizations and consumers about certificate safety.”
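The two recommendations above (prefer EV over DV, and watch for wildcard names) can both be checked mechanically on a certificate, because the CA/Browser Forum defines policy OIDs that state the validation level (2.23.140.1.1 for EV, 2.23.140.1.2.1 for DV, 2.23.140.1.2.2 for OV) and wildcard coverage is visible in the Subject Alternative Names. The Go program below is an added example, not code from the post or from Venafi: it builds two constructed self-signed certificates purely so the check can run offline, then reports the validation level and any wildcard names for each. The names `Assess`, `ValidationLevel`, `WildcardNames` and `NewDemoCert` are this example’s own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CA/Browser Forum certificate-policy OIDs that state how the subject was validated.
// CAs may additionally use their own EV OIDs, so "unknown" below means "not stated
// with a CA/B Forum OID", not "definitely not EV".
var (
	OIDEV = asn1.ObjectIdentifier{2, 23, 140, 1, 1}    // Extended Validation
	OIDDV = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1} // Domain Validated
	OIDOV = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2} // Organization Validated

	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32} // id-ce-certificatePolicies
)

// Assessment is the result of inspecting one leaf certificate (example type).
type Assessment struct {
	Validation string   // "EV", "OV", "DV" or "unknown"
	Wildcards  []string // SAN entries of the form *.example.com
	Warnings   []string
}

// ValidationLevel maps the certificate's policy OIDs to a CA/B Forum validation level.
func ValidationLevel(cert *x509.Certificate) string {
	for _, p := range cert.PolicyIdentifiers {
		switch {
		case p.Equal(OIDEV):
			return "EV"
		case p.Equal(OIDOV):
			return "OV"
		case p.Equal(OIDDV):
			return "DV"
		}
	}
	return "unknown"
}

// WildcardNames returns the DNS SANs that match any single-label host under a domain.
func WildcardNames(cert *x509.Certificate) []string {
	var out []string
	for _, n := range cert.DNSNames {
		if strings.HasPrefix(n, "*.") {
			out = append(out, n)
		}
	}
	return out
}

// Assess applies the two checks the post recommends and explains each finding.
func Assess(cert *x509.Certificate) Assessment {
	a := Assessment{Validation: ValidationLevel(cert), Wildcards: WildcardNames(cert)}
	switch a.Validation {
	case "DV":
		a.Warnings = append(a.Warnings, "DV certificate: only control of the domain was checked, not the organisation behind it")
	case "unknown":
		a.Warnings = append(a.Warnings, "no CA/B Forum policy OID present; validation level cannot be read from the certificate")
	}
	for _, w := range a.Wildcards {
		a.Warnings = append(a.Warnings, "wildcard name "+w+" covers any single-label host under that domain")
	}
	return a
}

// NewDemoCert builds a constructed self-signed certificate with the given SANs and
// policy OID so the checks above can run offline. Against a live site you would
// instead inspect tls.Conn.ConnectionState().PeerCertificates[0].
func NewDemoCert(dnsNames []string, policy asn1.ObjectIdentifier) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// certificatePolicies ::= SEQUENCE OF PolicyInformation { policyIdentifier OID }
	policyDER, err := asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{policy}})
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: dnsNames[0]},
		DNSNames:        dnsNames,
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidCertificatePolicies, Value: policyDER}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cases := []struct {
		names  []string
		policy asn1.ObjectIdentifier
	}{
		{[]string{"www.example.com"}, OIDEV},                // constructed: EV, no wildcard
		{[]string{"*.example.com", "example.com"}, OIDDV},  // constructed: DV with a wildcard
	}
	for _, c := range cases {
		cert, err := NewDemoCert(c.names, c.policy)
		if err != nil {
			panic(err)
		}
		a := Assess(cert)
		fmt.Printf("%-20s validation=%s wildcards=%v\n", c.names[0], a.Validation, a.Wildcards)
		for _, w := range a.Warnings {
			fmt.Println("  warning:", w)
		}
	}
}
```

The constructed EV certificate produces no warnings; the constructed DV certificate with `*.example.com` produces one warning for the validation level and one for the wildcard. Running the same `Assess` over a real server’s leaf certificate gives a quick, scriptable version of the question the post raises: whether the certificate behind the padlock says anything about who was validated, and how much of the domain it covers.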

Can you tell if a website’s certificate is trustworthy?


About the author

Emil Hanscom

Emil is the Public Relations Manager at Venafi. Passionate about educating the global marketplace about infosec and machine-identity issues, they have consistently grown Venafi's global news coverage year over year.
