One of the MANY lessons to be learned from the Equifax breach is how not to handle a breach. Here is just one of those lessons and it is a lesson for BOTH users and webmasters.
NOTE: TO SEE A BIGGER IMAGE OF ANY OF THE PICTURES IN THIS POST, JUST CLICK ONCE ON THE IMAGE.
When the breach finally became public – months after it happened – they created a web site for victims to go to in order to find out about the breach. That web site, equifaxsecurity2017.com, looks like this:
You will notice that it has the Equifax logo on it and that it has the little green padlock indicating that it is encrypted, but, of course, anyone can steal the Equifax logo and put it anywhere they want – like right here, for example:
But that doesn’t mean that the site belongs to Equifax.
You will notice that the web site URL includes the name Equifax, but so does www.equifaxsucks.com (yup, a real site. Totally benign, but real – see below). So, just because the word Equifax is in the web site name does not mean that it is owned by Equifax.
In this case, since the word Equifax is probably a trademark, they can, eventually, get this site taken down if they want. But Equifaxx is not a trademark (note that there are two x's, not one). That site is real (see below) and, curiously, it seems to belong to EXPERIAN, their biggest competitor. Why they didn't buy up similar-sounding web sites for $10 a year each is beyond me, and it is a lesson to learn from this. Here is Equifaxx.com.
But that is not the worst failure.
Why wouldn't they send you to a site that you KNOW is theirs? Send people to BREACH.equifax.com or equifax.com/BREACH or something like that. At least then people know that they are going to a site owned by the company that they are looking for. In fact, this site was hastily set up, and initially, if you looked, it wasn't even owned by Equifax; it was owned by an Equifax vendor.
Still, that is not the worst failure.
Here is the worst failure and the lesson for everyone – users and webmasters both.
While they secured the site with HTTPS – what we geeks call an SSL (or, more correctly, TLS) certificate-protected site – they used the cheapest, least secure certificate they could find: what is called a DOMAIN VALIDATION certificate. All that certificate proves is that the person who requested it – you, me, my kid, whoever – had sufficient access to the web site to store a file on it. If the site had been hacked, a hacker could buy that kind of certificate.
THAT IS WHAT A GREEN PADLOCK PROVES. NOTHING MORE.
Now let's look at Apple's website for a minute (see below).
Note that the address bar is different from the address bar on Equifax’s breach web site. This has the name Apple, Inc [US] in green in front of the URL. This is an EXTENDED VALIDATION certificate. In order for Apple (or Equifax) to get this, they had to prove they were Apple and not Mitch. This is a higher level of verification and a more expensive certificate.
It is designed to give the user a higher level of confidence that they really have landed on an Apple – or Equifax – web site.
Why is this important?
One more time, Equifax is the poster child for how to screw up.
Equifax's official Twitter account tweeted, not once, not twice but three times, an incorrect web site for people to go to.
Instead of sending people to EquifaxSecurity2017.com, they instead sent people to SecurityEquifax2017.com.
Now it turns out that this alter-ego site was set up by a security researcher, so even when Equifax's crisis communications team sent people to the wrong site, it didn't infect their computers. But if it had been a hacker's web site, it certainly could have – or it could have asked for, and stolen, even more information. Here is a look at the wrong web site. This site proved its point, so it has been taken down, but the Internet never forgets, so here is a copy from the Wayback Machine, the Internet Archive.
Notice that this web site ALSO had a green padlock and was accessed using HTTPS.
Which is why, as users, we need to look for the company name in the address bar and why, as webmasters, we need to pay a little bit more for an extended validation or EV certificate.
In this case, if, say, there were a phishing campaign that got people to click on a link that sent them to a bogus web site, the bogus site would not show the company's name in the address bar, because an extended validation certificate is much harder to obtain for a site you don't legitimately own.
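What the browser shows in the address bar comes from the Subject field of the server's certificate, and that field is what the post is telling users and webmasters to look at. The following is an added example, not code from the original post, that classifies a certificate in the dictionary form Python's `ssl.SSLSocket.getpeercert()` returns: a subject with only a commonName is domain-validated (the green padlock and nothing more); a subject with an organizationName plus the business-category, jurisdiction and registration-number fields that EV issuance requires is what the post calls an extended validation certificate. The two certificates below are constructed for the example, not copied from the real sites, and `fetch_peer_cert` is an optional live lookup that is not needed to run the classifier.

```python
# Added example, not from the original post: classify a TLS certificate as
# DV, OV or EV from its Subject and render what an EV-aware address bar would show.
import socket
import ssl

# The EV Guidelines require these Subject attributes in addition to the
# organization name; a DV certificate carries none of them. (Real browsers also
# check EV policy OIDs, which getpeercert() does not expose, so this is a
# Subject-only heuristic.)
EV_SUBJECT_FIELDS = ("businessCategory", "jurisdictionCountryName", "serialNumber")


def subject_fields(cert: dict) -> dict:
    """Flatten getpeercert()'s nested tuple-of-tuples Subject into a plain dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}


def validation_level(cert: dict) -> str:
    """'DV' when the Subject names only the domain, 'OV' when an organization is
    named, 'EV' when the EV-required organization fields are all present."""
    subj = subject_fields(cert)
    if "organizationName" not in subj:
        return "DV"
    if all(field in subj for field in EV_SUBJECT_FIELDS):
        return "EV"
    return "OV"


def address_bar_identity(cert: dict) -> str:
    """Approximation of the legacy EV address-bar label, e.g. 'Apple Inc. [US]'.
    For anything short of EV, only the domain (commonName) is shown."""
    subj = subject_fields(cert)
    if validation_level(cert) == "EV":
        return f"{subj['organizationName']} [{subj.get('countryName', '??')}]"
    return subj.get("commonName", "<no commonName>")


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Optional live lookup: connect with the default (verifying) context and return
    the peer certificate dict. Not used by the classifier or the tests."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() dictionary form (not real data).
DV_CERT = {
    "subject": ((("commonName", "www.equifaxsecurity2017.com"),),),
    "subjectAltName": (("DNS", "www.equifaxsecurity2017.com"),
                       ("DNS", "equifaxsecurity2017.com")),
}
EV_CERT = {
    "subject": (
        (("jurisdictionCountryName", "US"),),
        (("businessCategory", "Private Organization"),),
        (("serialNumber", "EXAMPLE-REG-NO"),),  # registration number placeholder
        (("countryName", "US"),),
        (("organizationName", "Apple Inc."),),
        (("commonName", "www.apple.com"),),
    ),
}
OV_CERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "Example Corp"),),
                (("commonName", "www.example.com"),)),
}

if __name__ == "__main__":
    for label, cert in (("DV", DV_CERT), ("OV", OV_CERT), ("EV", EV_CERT)):
        print(label, validation_level(cert), "->", address_bar_identity(cert))
```

Note for readers applying this today: since 2019 the major browsers no longer print the organization name in the address bar even for EV certificates, so the same information has to be read from the certificate viewer behind the padlock, or programmatically as above.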
Be a smart Internet user. Look for the extended validation certificate.
Now that you are aware, as you surf the web, notice what companies have extended validation certificates. And which ones do not.
Information for this post came from The Verge.