IN THE WAKE OF THE EQUIFAX BREACH THEY PULLED DOWN ALL OF THEIR MOBILE APPS. READ ON TO FIND OUT WHY.
You’ve probably heard about the recent hack of Equifax data, now that the company has finally fessed up and made public the breach of some 183 million records from its systems. Equifax, as a reminder, is one of the three largest credit reporting agencies in the US, collecting confidential information on more than 800 million consumers and 88 million businesses worldwide.
The company drew fire for the delay in reporting the breach and for its dubious offer of credit monitoring to impacted parties on the apparent condition that they waived rights to other compensation. In parallel, Equifax also managed to leave a web portal in its Argentinian office accessible to anyone who typed in “admin” as user ID and password, an astonishing second lapse in IT security.
But did you know that Equifax was also found to be offering an insecure mobile app? While the app’s authentication step used HTTPS, other functions used clear-text HTTP, leaving that traffic open to interception and modification by an attacker positioned on the network path. After being informed of the problem, Equifax yanked the app from the App Store and Google Play.
This mobile app vulnerability would have been a serious “egg-on-face” factor on its own. But in the wake of the system hack (due, it seems, to Equifax neglecting to apply patches to its Apache server) and the Argentinian “admin-admin” security hole, it makes for a particularly unfortunate trio of security blunders, and it raises the question: what else is waiting to be hacked in the house of Equifax?
The mobile app incident could have been easily avoided. Using a build-time application scanner, Equifax or its development subcontractor could have checked the app quickly and reliably at every stage of the development and release cycle, and could have run post-release checks on the downloadable versions in the Apple and Google stores as well, just to be sure.
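A minimal build-time check of the kind described above, as an added example that is not Equifax’s code or the RECON platform’s: it scans a constructed set of string constants (as a build step might extract them from an app’s resources) for clear-text HTTP endpoints, and inspects an Android network security config for the setting that permits clear-text traffic. The hostnames and config files are placeholders constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample of string constants pulled from an app build; the hosts are
# placeholders. The authentication endpoint is HTTPS, the rest are clear-text.
SAMPLE_STRINGS = [
    "https://auth.example-credit.test/login",     # authentication over TLS
    "http://api.example-credit.test/v1/report",   # clear-text after login
    "http://api.example-credit.test/v1/alerts",
    "mailto:support@example-credit.test",
    "Welcome back",
]

# Constructed Android res/xml/network_security_config.xml: the weak setting
# (clear-text allowed app-wide) beside the corrected one.
SAMPLE_NSC_WEAK = """<network-security-config>
    <base-config cleartextTrafficPermitted="true" />
</network-security-config>"""

SAMPLE_NSC_FIXED = """<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
</network-security-config>"""

URL_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://\S+", re.IGNORECASE)

def find_cleartext_endpoints(strings):
    """Return the http:// URLs found in the app's strings, deduplicated, in order."""
    found = []
    for s in strings:
        for url in URL_RE.findall(s):
            if urlsplit(url).scheme.lower() == "http" and url not in found:
                found.append(url)
    return found

def cleartext_permitted(nsc_xml):
    """True if any base-config or domain-config permits clear-text traffic.
    A missing attribute is treated as "false", which matches the Android default
    only from API level 28; older targets permit clear-text by default."""
    root = ET.fromstring(nsc_xml)
    for cfg in root.iter():
        if cfg.tag in ("base-config", "domain-config"):
            if cfg.get("cleartextTrafficPermitted", "false").lower() == "true":
                return True
    return False

def build_gate(strings, nsc_xml):
    """Return the list of findings; a non-empty list should fail the build."""
    findings = [f"cleartext endpoint: {u}" for u in find_cleartext_endpoints(strings)]
    if cleartext_permitted(nsc_xml):
        findings.append("network security config permits cleartext traffic")
    return findings
```

On a real build the strings would come from the decoded resources and compiled code of the package, and the gate would run again on the store-downloaded binary to confirm the shipped version matches.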
Perhaps we should avoid harping on these security errors (goodness knows, Equifax already has enough on its plate) and see what lessons we can all learn from them instead. As a sampler:
- Assess the risk associated with your mobile apps, whether you’re developing them or just using them. No app will be perfect, but you can get a fast, accurate reading on whether an app is safe enough or not, by using our RECON platform.
- Apply vendor security patches. They’re made to help you stay safe, whether you’re using an integrated development environment or third-party components, or simply using apps as an individual or a business.
- Avoid easy-to-guess passwords. Sounds obvious, but so many people are still using “1234”, for instance, which is an open door for a hacker to get in, gain a foothold, and then figure out the next link in the kill chain to reach the most valuable data or resources.
These precautions can help developers avoid the public embarrassment of having security flaws in their mobile apps pointed out on the web. They can also help them avoid having to take down apps, leaving only a “not currently available” screen, which is also food for rumors of all sorts. Every cloud has a silver lining, they say, so let’s hope the rain falling on Equifax will help better security practices to sprout elsewhere.
What to do next? Follow up with one of the following articles or try our RECON platform now!