It’s been a week since Equifax acknowledged a cybersecurity incident where criminals exploited a U.S. website application vulnerability to gain access to certain files, potentially impacting approximately 143 million U.S. consumers.
And experts like PointPredictive chief fraud strategist Frank McKenna are still processing the potential impact on auto finance of the unauthorized access that Equifax said occurred from mid-May through July.
“I was shocked to be honest, because if you think about the credit bureaus, they’re responsible for protecting the data of every consumer in the U.S. They’re in a real trusted position, and the fact like something like this could happen that could impact half of the population is pretty unbelievable,” McKenna said during a phone conversation with SubPrime Auto Finance News on Wednesday afternoon.
Like many people, McKenna said he has plenty of questions about how the criminals accessed Equifax’s database and what information has been taken. Equifax said the information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers.
“I don’t think Equifax has all of the answers yet. If they do, they’re certainly not telling people,” McKenna said.
“I think their initial impression of this when they first found out apparently back in July that it was pretty limited. I guess over time as they brought in specialists they determined it was much more wide scale than they ever thought. I think that’s one of the reasons why they waited so long to inform people, because they just didn’t know the extent. And I don’t think they still do,” McKenna went on to say.
Meanwhile, lawmakers on Capitol Hill are looking for answers, too. And they might receive some early next month.
U.S. House Energy and Commerce Committee chairman Greg Walden, an Oregon Republican, and Digital Commerce and Consumer Protection Subcommittee chairman Bob Latta, an Ohio Republican, formally invited Equifax chief executive officer Richard Smith to testify on Oct. 3.
“We look forward to hearing directly from Mr. Smith on this unprecedented breach that has raised serious questions about the security of consumers’ personal information,” said chairmen Walden and Latta. “We know members on both sides of the aisle appreciate Mr. Smith’s willingness to come before the committee and explain how our constituents might be impacted and what steps are being taken to rectify this situation.”
The Energy and Commerce Committee has jurisdiction over the Federal Trade Commission and Consumer Financial Protection Bureau, the agencies responsible for regulating data security.
Depth of information theft
McKenna estimated that more than 9 billion pieces of information have been stolen by online criminals since 2013. He fears that the information taken during the Equifax incident could be used to commit fraud for as long as 10 years or perhaps even more down the road.
“The data that was stolen I like to call the keys to the kingdom — Social Security number, driver’s license, address, date of birth — everything you need to go fill out an application with an auto lender,” McKenna said.
The PointPredictive expert added that much of this material ends up on what’s known as the dark web. McKenna explained that the dark web can’t be found by a simple Google search. It’s a place online only accessible through sophisticated browsers that can navigate encrypted sites where fraudsters register and exchange ill-gotten information.
“It’s why they’re so dangerous because they’re maintained by people who want to maintain privacy. There are some legitimate uses. But there are also a lot more sinister uses, people that want to share data that most people can’t see. That’s where we get the fraud issues,” McKenna said.
In a blog post published by the FTC on Thursday, Lisa Weintraub Schifferle, an attorney with the agency’s Division of Consumer and Business Education, indicated other unscrupulous individuals are looking to capitalize on the Equifax incident, too.
“Ring, ring. ‘This is Equifax calling to verify your account information.’ Stop. Don’t tell them anything. They’re not from Equifax. It’s a scam. Equifax will not call you out of the blue,” Weintraub Schifferle wrote.
“That’s just one scam you might see after Equifax’s recent data breach. Other calls might try to trick you into giving your personal information,” she continued.
What finance companies can do
McKenna noted that PointPredictive has not modified its projection for how much auto finance fraud might occur this year, even though the Equifax matter has come to light. The firm is keeping its projection, still a hefty figure, between $4 billion and $6 billion because, as McKenna put it, “It’s not like all is lost. There is a lot that can be potentially done.”
McKenna began by recommending that auto finance companies take extra measures within the underwriting department during their screening process, using models that can detect subtle differences in application patterns across the network to spot when fraudsters might be using this data.
“As a normal consumer, when you walk in to buy a car and fill out an application, you’re going to fill out that application much differently than the fraudster,” McKenna said. “You’re going to put truthful information, and that truthful information when you look at it from a data perspective is going to look pretty normal.
“If you have a fraudster, they’re going to change information, and they’re going to not look normal. We can tell if someone walked and used these stolen Social Security numbers some of the data. There are going to be clues,” he continued.
McKenna also suggested that finance companies cross-check information that might be contained with an applicant’s bank account against what might be associated with a credit report.
“That’s instant validation not available to a fraudster because they can’t access that through the credit bureau. The bank statement is how many people manage their finances beyond the credit bureau,” he said.
McKenna went on to mention that a wide array of technology solutions also could be at a finance company’s disposal, such as a solution that compares a selfie an applicant takes with their smartphone against the image contained on a driver’s license.