Enhancing Trauma-Informed Approaches in Behavioral Healthcare


Behavioral health service providers increasingly view trauma as an important element that must be addressed in providing effective services for mental and substance use disorders. Trauma may occur as a result of violence, abuse, neglect, loss, disaster, war and other emotionally harmful experiences. Left unaddressed, it may lead to long lasting effects that can compromise a person’s behavioral, emotional, cognitive, and physical health.

SAMHSA, through its Strategic Initiative on Trauma and Justice, has been a leader in identifying and supporting ways that service systems can become more attuned to trauma-related issues and skilled in responding to them.  Efforts include public education to raise awareness, prevention and early identification efforts, technical assistance for developing trauma-informed service environments, and trauma-specific treatment.

SAMHSA’s work in this area was strongly influenced by two seminal research studies:

Two of SAMHSA’s key efforts to address trauma are the National Child Traumatic Stress Network and the National Center for Trauma-Informed Care.

National Child Traumatic Stress Network

The National Child Traumatic Stress Network (NCTSN) is a nationwide network of researchers, intervention developers and service providers whose objective is to improve the access to and quality of services for children and families exposed to trauma. The NCTSN was established by Congress in 2000 under the Children’s Health Act that provides funding through the National Child Traumatic Stress Initiative (NCTSI). The NCTSI also supports a National Child Trauma Coordinating Center to manage the network, grants to intervention developers and grants for community service providers, as well as learning collaboratives in trauma-specific areas.

How NCTSN Works

As the network grantees and members work to address the needs of children and families, they also benefit from collaboration with one another. Treatment and Service Adaptation (TSA), centers run by universities and medical centers, develop evidence-based practices for which they then provide training throughout the network. Community Treatment and Services Centers of frontline and community organizations work together and also benefit from the TSA training.

The NCTSN facilitates the formation of collaborative workgroups or committees guided by strategic plans for specific areas such as child welfare, sexual abuse, trafficking, medical trauma, community trauma, and traumatic experiences of refugees and immigrants. These workgroups give grantees and members the opportunity to work together to advance practices with a specific topic in mind.

The NCTSN also hosts a Learning Center that offers free, open-forum training for providers and others supporting children who have experienced traumatic events. The trainings are self-paced and flexible, and CEUs are available for providers. This resource also includes podcasts, content on specific populations, and clinical training. Through the Learning Center and additional training events delivered by grantees, the NCTSN provides training to more than 200,000 participants annually.

National Center for Trauma-Informed Care and Alternatives to Seclusion and Restraint

SAMHSA’s National Center for Trauma-Informed Care and Alternatives to Seclusion and Restraint (NCTIC) focuses on reducing the use of seclusion and restraint through trauma-informed culture change in publicly funded organizations, systems, and communities. It provides training, technical assistance, and consultation to increase understanding and responsiveness to trauma in behavioral health, offering on-site and virtual support, as well as Virtual Learning Communities, webinars, and online tools.

NCTIC stresses the importance of involving trauma survivors and service recipients in all aspects of its work and in trauma-informed culture change, from conceptualization to implementation and evaluation.

In addition to providing technical assistance, facilitating collaboration, and awarding grants to continue this work, SAMHSA recently initiated an effort to train all agency staff in ways to understand and integrate a trauma-informed approach in SAMHSA grants, contracts, and program and policy development.



September 20, 2017: Registered Nurse Sentenced for Tampering with Fentanyl

Equifax or Equiphish?

More than a week after it said most people would be eligible to enroll in a free year of its TrustedID identity theft monitoring service, big three consumer credit bureau Equifax has begun sending out email notifications to people who were able to take the company up on its offer. But in yet another security stumble, the company appears to be training recipients to fall for phishing scams.

Some people who signed up for the service after Equifax announced Sept. 7 that it had lost control over Social Security numbers, dates of birth and other sensitive data on 143 million Americans are still waiting for the promised notice from Equifax. But as I recently noted on Twitter, other folks have received emails from Equifax over the past few days, and the messages do not exactly come across as having emanated from a company that cares much about trying to regain the public’s trust.

Here’s a redacted example of an email Equifax sent out to one recipient recently:


As we can see, the email purports to have been sent from trustedid.com, a domain that Equifax has owned for almost four years. However, Equifax apparently decided it was time for a new — and perhaps snazzier — name: trustedidpremier.com.

The above-pictured message says it was sent from one domain, and then asks the recipient to respond by clicking on a link to a completely different (but confusingly similar) domain.

My guess is the reason Equifax registered trustedidpremier.com was to help people concerned about the breach to see whether they were one of the 143 million people affected (for more on how that worked out for them, see Equifax Breach Response Turns Dumpster Fire). I’d further surmise that Equifax was expecting (and received) so much interest in the service as a result of the breach that all the traffic from the wannabe customers might swamp the trustedid.com site and ruin things for the people who were already signed up for the service before Equifax announced the breach on Sept. 7.

The problem with this dual-domain approach is that the domain trustedidpremier.com is only a few weeks old, so it had very little time to establish itself as a legitimate domain. As a result, in the first few hours after Equifax disclosed the breach the domain was actually flagged as a phishing site by multiple browsers because it was brand new and looked about as professionally designed as a phishing site.

What’s more, there is nothing tying the domain registration records for trustedidpremier.com to Equifax: The domain is registered to a WHOIS privacy service, which masks information about who really owns the domain (again, not exactly something you might expect from an identity monitoring site). Anyone looking for assurances that the site perhaps was hosted on Internet address space controlled by and assigned to Equifax would also be disappointed: The site is hosted at Amazon.

While there’s nothing wrong with that exactly, one might reasonably ask: Why didn’t Equifax just send the email from Equifax.com and host the ID theft monitoring service there as well? Wouldn’t that have considerably lessened any suspicion that this missive might be a phishing attempt?

Perhaps, but while TrustedID is technically owned by Equifax Inc., its services are separate from Equifax and its terms of service differ from those Equifax provides (almost certainly to insulate Equifax from any consumer liability associated with its monitoring service).
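The sender/link domain mismatch and the brand-new domain described above are exactly the signals a mail filter can score mechanically. The following is an added example, not code from the original post: it parses a constructed message modelled on the redacted email, compares each link's registrable domain with the sender's domain, and checks domain age against constructed WHOIS creation dates (the trustedidpremier.com date is an assumption standing in for "a few weeks old").

```python
"""Flag emails whose links point somewhere other than the sender's domain.

Added example (not from the original post). It models the complaint in the
text: a message that claims to come from trustedid.com but asks the reader
to click through to trustedidpremier.com, a domain only weeks old.
"""
from datetime import date
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message, modelled on the redacted email described above.
SAMPLE_EMAIL = """\
From: TrustedID Premier <noreply@trustedid.com>
To: consumer@example.net
Subject: Your TrustedID Premier enrollment
Content-Type: text/html; charset=utf-8

<html><body>
<p>Thank you for enrolling. Please complete activation:</p>
<p><a href="https://www.trustedidpremier.com/activate?id=REDACTED">Activate now</a></p>
<p>Questions? Visit <a href="https://www.trustedid.com/help">our help page</a>.</p>
</body></html>
"""

# Constructed registration dates standing in for WHOIS creation dates.
# Assumed values for the example: the post says trustedid.com had been
# Equifax's for almost four years and trustedidpremier.com was weeks old.
WHOIS_CREATED = {
    "trustedid.com": date(2013, 11, 1),
    "trustedidpremier.com": date(2017, 8, 22),
}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels (www.trustedid.com -> trustedid.com).

    Simplification: a production filter would consult the Public Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collect href targets from anchor tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def analyze_email(raw: str, whois_created: dict, today: date,
                  min_age_days: int = 90) -> dict:
    """Return the sender domain, each link's domain and the warnings raised."""
    msg = message_from_string(raw, policy=policy.default)
    sender_addr = msg["From"].addresses[0].addr_spec
    sender_domain = registrable_domain(sender_addr.split("@", 1)[1])

    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    collector = _LinkCollector()
    collector.feed(body)

    warnings = []
    link_domains = []
    for href in collector.hrefs:
        host = urlparse(href).hostname or ""
        dom = registrable_domain(host)
        link_domains.append(dom)
        # Signal 1: the message asks the reader to visit a domain other than
        # the one it claims to be sent from.
        if dom != sender_domain:
            warnings.append(f"link to {dom} does not match sender domain {sender_domain}")
        # Signal 2: the link target was registered very recently (or is unknown).
        created = whois_created.get(dom)
        if created is None:
            warnings.append(f"no registration record for {dom}")
        elif (today - created).days < min_age_days:
            warnings.append(f"{dom} registered only {(today - created).days} days ago")
    return {"sender_domain": sender_domain, "link_domains": link_domains,
            "warnings": warnings}


def demo_report() -> dict:
    """Run the analysis over the constructed sample as of 20 Sept 2017."""
    return analyze_email(SAMPLE_EMAIL, WHOIS_CREATED, today=date(2017, 9, 20))


if __name__ == "__main__":
    for warning in demo_report()["warnings"]:
        print("WARNING:", warning)
```

On the sample, the activation link raises both warnings (foreign domain, 29 days old) while the help link to trustedid.com raises none, which is the distinction a recipient is being trained not to notice.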


What’s super-interesting about trustedid.com is that it didn’t always belong to Equifax. According to the site’s Wikipedia page, TrustedID Inc. was purchased by Equifax in 2013, but it was founded in 2004 as an identity protection company which offered a service that let consumers automatically “freeze” their credit file at the major bureaus. A freeze prevents Equifax and the other major credit bureaus from selling an individual’s credit data without first getting consumer consent.

By 2006, some 17 states offered consumers the ability to freeze their credit files, and the credit bureaus were starting to see the freeze as an existential threat to their businesses (in which they make slightly more than a dollar each time a potential creditor — or ID thief — asks to peek at your credit file).

Other identity monitoring firms — such as LifeLock — were by then offering services that automated the placement of identity fraud controls — such as the “fraud alert,” a free service that consumers can request to block creditors from viewing their credit files.

[Author’s note: Fraud alerts only last for 90 days, although you can renew them as often as you like. More importantly, while lenders and service providers are supposed to seek and obtain your approval before granting credit in your name if you have a fraud alert on your file, they are not legally required to do this — and very often don’t.]

Anyway, the era of identity monitoring services automating things like fraud alerts and freezes on behalf of consumers effectively died after a landmark lawsuit filed by big-three bureau Experian (which has its own storied history of data breaches). In 2008, Experian sued LifeLock, arguing its practice of automating fraud alerts violated the Fair Credit Reporting Act.

In 2009, a court found in favor of Experian, and that decision effectively killed such services — mainly because none of the banks wanted to distribute them and sell them as a service anymore.


These days, consumers in all states have a right to freeze their credit files, and I would strongly encourage all readers to do this. Yes, it can be a pain, and the bureaus certainly seem to be doing everything they can at the moment to make this process extremely difficult and frustrating for consumers. As detailed in the analysis section of last week’s story — Equifax Breach: Setting the Record Straight — many of the freeze sites are timing out, crashing or telling consumers just to mail in copies of identity documents and printed-out forms.

Other bureaus, like TransUnion and Experian, are trying mightily to steer consumers away from a freeze and toward their confusingly named “credit lock” services — which claim to be the same thing as freezes only better. The truth is these lock services do not prevent the bureaus from selling your credit reports to anyone who comes asking for them (including ID thieves); and consumers who opt for them over freezes must agree to receive a flood of marketing offers from a myriad of credit bureau industry partners.

While it won’t stop all forms of identity theft (such as tax refund fraud or education loan fraud), a freeze is the option that puts you the consumer in the strongest position to control who gets to monkey with your credit file. In contrast, while credit monitoring services might alert you when someone steals your identity, they’re not designed to prevent crooks from doing so.

That’s not to say credit monitoring services aren’t useful: They can be helpful in recovering from identity theft, which often involves a tedious, lengthy and expensive process for straightening out the phony activity with the bureaus.

The thing is, it’s almost impossible to sign up for credit monitoring services while a freeze is active on your credit file, so if you’re interested in signing up for them it’s best to do so before freezing your credit. But there’s no need to pay for these services: Hundreds of companies — many of which you have probably transacted with at some point in the last year — have disclosed data breaches and are offering free monitoring. California maintains one of the most comprehensive lists of companies that disclosed a breach, and most of those are offering free monitoring.

There’s a small catch with the freezes: Depending on the state in which you live, the bureaus may each be able to charge you for freezing your file (the fee ranges from $5 to $20); they may also be able to charge you for lifting or temporarily thawing your file in the event you need access to credit. Consumers Union has a decent rundown of the freeze fees by state.

In short, sign up for whatever free monitoring is available if that’s of interest, and then freeze your file at the four major bureaus. You can do this online, by phone, or through the mail. Given how unreliable the credit bureau Web sites have been for placing freezes these past few weeks, it may be easiest to do this over the phone. Here are the freeze Web sites and freeze phone numbers for each bureau (note the phone procedures can and likely will change as the bureaus get wise to more consumers learning how to quickly step through their automated voice response systems):

Equifax: 866-349-5191; choose option 3 for a “Security Freeze”

Experian: 888-397-3742;
–Press 2 “To learn about fraud or ADD A
–Press 2 “for security freeze options”
–Press 1 “to place a security freeze”
–Press 2 “…for all others”
–enter your info when prompted

Innovis: 800-540-2505;
–Press 1 for English
–Press 3 “to place or manage an active duty alert
–Press 2 “to place or manage a SECURITY
–enter your info when prompted

Transunion: 888-909-8872, choose option 3

If you still have questions about freezes, fraud alerts, credit monitoring or anything else related to any of the above, check out the lengthy primer/Q&A I published here on Sept. 11, The Equifax Breach: What You Should Know.


Pharmaceutical Company Paying Penalty for Misleading Investors About Sales Metric


The Securities and Exchange Commission today filed fraud charges against a Massachusetts-based biopharmaceutical company that exaggerated how many new patients actually filled prescriptions for an expensive drug that was its sole source of revenue.

Aegerion Pharmaceuticals, now a subsidiary of Novelion Therapeutics, has agreed to pay a $4.1 million penalty to settle the charges that it misled investors on multiple occasions in 2013.  The SEC’s complaint alleges that Aegerion told investors that the number of unfilled prescriptions for Juxtapid was not material and the “vast majority” of patients receiving prescriptions ultimately purchased the drug.  The SEC alleges that Aegerion’s records reflect that it was actually around 50 percent of prescriptions that resulted in actual drug purchases.

“By no one’s math is 50 percent a vast majority,” said Paul Levenson, Director of the SEC’s Boston Regional Office.  “When companies publicly discuss their financial data, they must be truthful.  Whether they supply hard numbers or give broader descriptions, they cannot mislead investors.”

According to the SEC’s complaint, Juxtapid is used to treat a rare and potentially life-threatening genetic condition that causes extremely high cholesterol.  In 2013 and 2014, it was priced at approximately $250,000 to $300,000 annually per patient.  Following Juxtapid’s introduction in 2013, investors and investment analysts had little financial data to estimate Aegerion’s future revenues from sales of the drug. 

Aegerion allegedly provided details on the number of Juxtapid prescriptions during several subsequent earnings calls, but this data alone was insufficient for analysts and investors trying to forecast the company’s future revenues because only prescriptions that were actually filled “converted” into sales. According to the SEC’s complaint, it wasn’t until October 2014 that Aegerion disclosed to investors that the conversion rate was actually in the range of 50 to 60 percent.  But Aegerion allegedly failed to reveal to investors even then that the conversion rate had hovered around 50 percent since 2013.

The SEC’s complaint, filed in federal court in Boston, charges Aegerion with violating Sections 17(a)(2) and (3) of the Securities Act of 1933.  Aegerion agreed to the settlement without admitting or denying the allegations.  The settlement is subject to court approval.

The SEC’s investigation, which is continuing, is being conducted by Emily R. Holness, Dawn A. Edick, Ruth Anne Heselbarth, Rachel Hershfang, Marc Jones, and Amy Gwiazda of the Boston office.  The SEC appreciates the assistance of the Federal Bureau of Investigation.


What’s New In Android 8.0 Oreo Security

In addition to the many tweaks and new features in Google’s Android 8.0 Oreo operating system introduced last month, the biggest changes are its security enhancements.

Oreo security additions are meaningful and go far beyond what recent OS updates have brought to the table.

With Android Oreo (referred to as simply O), Google has elevated security, introducing important device hardening such as Project Treble, System Alerts, device permissions and Verified Boot.

“With Android O, Google introduces a major re-architect of the Android OS framework,” said Kyle Lady, senior research and development engineer at Duo Security. “There are some big changes that will impact users, developers and device manufacturers for years to come.”

Mobile security experts point to the introduction of Project Treble in O as a major security milestone for Google. Project Treble is Google’s revamp of the Android OS framework—separating the vendor implementation (device-specific, lower-level software written by third-party manufacturers) from the Android OS framework.

One of the goals of Project Treble is to streamline the often maligned Android patching process that security experts say is one of the weakest links in Android security defenses. According to Google’s Android Security 2016 Year In Review, more than half of Android devices haven’t received a security update in the past year.

Project Treble

Project Treble aims to remedy that by making it easier, faster, and cheaper for OEMs and components manufacturers to send out Android updates.

Project Treble separates the hardware-specific drivers and firmware used by companies such as Samsung or Qualcomm from the Android operating system. The implications will be significant for Google’s ability to roll out OS patches without having to wait for things such as chipset compatibility. Google said that by creating this modular base for Android, it will be able to support updates going forward on older hardware that OEM partners may no longer support.

“Project Treble is part of a long term strategy that is going to help out all the Android OS stakeholders well past this latest OS release,” said Andrew Blaich, security researcher at Lookout.

With Project Treble, Google puts the Android OS framework and vendor-specific implementations into different processes that communicate with each other through a standard vendor interface. The vendor interface will be maintained from version to version, which means a new Android OS framework will run with minimal changes on top of an older device.

Android Compartmentalization

That strategy of segmenting parts of the Android platform, which allows for more efficient component management and better vulnerability containment should something go awry, is another meaningful part of Project Treble and part of an ongoing effort by Google to reduce Android’s attack surface.

“Attack surface reduction means several different things. How do we make sure an application can only do what it is intended to do? How do we minimize the surface that is exposed? How do we contain processes within Android and follow the principle of least privilege?” said Nick Kralevich, head of Android platform security at Google at a recent Black Hat talk.

For a long time, Google approached security differently, focusing on exploit mitigations such as -fstack-protector and ASLR, and on preventing format string vulnerabilities. Those days are over.

By further reducing the attack surface in Oreo, Google believes it is taking a smarter approach to stopping the next Stagefright-like vulnerability.

In the old model, hackers were able to achieve remote code execution via MediaServer by bypassing SELinux with chained vulnerabilities. That changed in Android 7 (Nougat), where MediaServer functionality was split into seven components, such as MediaExtractor and MediaDrmServer, preventing format string vulnerabilities.

In Project Treble, Google accelerates the compartmentalizing of components and has introduced a bevy of new hardware abstraction layers (HALs) for the audio, camera and DRM servers inside the media framework. With those HALs in place, more pieces of the Android framework are isolated in separate processes and sandboxes and no longer have access to the OS kernel, making it harder for hackers to chain vulnerabilities and compromise an Oreo device.

Kernel Lockdown

The reduction of user space attack surface has shifted focus by bad guys and researchers alike to finding vulnerabilities in the Android kernel. In 2014, Google said, kernel bugs represented four percent of reported bugs compared with 39 percent today.

To address that shift, Android O limits access to the kernel via the introduction of a seccomp filter. Seccomp (short for secure computing mode) is a security feature that filters system calls to the kernel using a configurable policy. Google said it found that shutting off unused system calls reduced attacks on the kernel.

“In Android-powered devices, the kernel does the heavy lifting to enforce the Android security model. As the security team has worked to harden Android’s userspace and isolate and deprivilege processes, the kernel has become the focus of more security attacks,” wrote Paul Lawrence, security engineer with the Android development team, earlier this year.

Seccomp makes unused system calls inaccessible to application software. Because these syscalls cannot be accessed by apps, they can’t be exploited by potentially harmful apps, Lawrence said.

Better App Management and Controls

With Oreo, Google is also rethinking app permissions and scaling back what they are allowed to do.

One of the most common ways attackers try to exploit a device is by building malware into an application. Despite the fact Google does a lot of verification on its Play Store to ensure no malware is present in applications, users can side-load an application from a third-party app store.

In order to side-load an app, a user must first permit the installation of apps from “unknown sources” via a checkbox. That permission has been an all or nothing choice—allow one unknown third-party and allow them all.

Oreo changes this, allowing users to set the permission on a per-app basis instead of globally allowing all applications to install once the checkbox is enabled. That means that should a drive-by download attempt to install itself on a device, the user will be forced to decide whether they want to install it and what its permissions should be.

System Alert

As part of Android O’s reeling in of app permissions, Google said it will also beef-up security on its System Alert window functionality. The System Alert feature allows developers to create apps that can pop-up or display windows on top of all other Android apps running on a handset.

This feature has been abused by malicious developers who create what users perceive as a persistent window on their Android device. Victims are asked to pay a ransom to make the window go away or are tricked into entering credentials in hacker-controlled text fields. In Android O, System Alert overlays will include visual notifications that can be clicked on to remove the overlay.

Verified Boot System

Android has had a Verified Boot system since 2013 that would check a user’s software for vulnerabilities as it loaded the OS.

Now with Oreo, Verified Boot goes a step further and prevents users or hackers from booting older, more vulnerable versions of the OS to which an adversary may have rolled the system back.

The feature also supports the ability for apps and mobile device management firms to secure hardware areas of an Android device upon boot. That allows both to guarantee that the system has passed a Verified Boot check to ensure the device has a specific patch, for example, before granting user access to a banking app or enterprise resource.

Better, More Secure Protocols

Looking past features, Lookout’s Blaich said he is impressed with Oreo’s attention to deprecating the use of older, insecure protocols for network connections. “The use of SSLv3 for secure HTTPS connections is being discontinued; this prevents the device and its apps from using a known insecure protocol that could leak sensitive data,” he said. He added that Google has also hardened certain network connection APIs so that they do not fall back to older TLS versions that can leak sensitive data.

Reaping The Rewards

Right now, Android Oreo is only available on a handful of Google Pixel smartphones. According to Google, over the next six months O will be pushed out to third-party flagship handsets made by Samsung, LG and HTC. But it could take years for the benefits of Android O to reach the masses, because of the slow adoption rates of Android operating systems. Android 7.0 (Nougat) was introduced in Aug. 2016, and a full year after its release it is just now used on half of Android devices, according to Duo Security.

“Android O is a big step forward,” said Duo Security’s Lady. He said with O, Google closes the security gap on the iPhone. “It used to be if you cared about security you had to pay a premium and buy an iPhone. Soon, even a $50 Android device running O will be on par with a $1,000 iPhone X when it comes to security.”



Experian Site Can Give Anyone Your Credit Freeze PIN

An alert reader recently pointed my attention to a free online service offered by big-three credit bureau Experian that allows anyone to request the personal identification number (PIN) needed to unlock a consumer credit file that was previously frozen at Experian.

Experian’s page for retrieving someone’s credit freeze PIN requires little more information than has already been leaked by big-three bureau Equifax and a myriad other breaches.

The first hurdle for instantly revealing anyone’s freeze PIN is to provide the person’s name, address, date of birth and Social Security number (all data that has been jeopardized in breaches 100 times over — including in the recent Equifax breach — and that is broadly for sale in the cybercrime underground).

After that, one just needs to input an email address to receive the PIN and swear that the information is true and belongs to the submitter. I’m certain this warning would deter all but the bravest of identity thieves!

The final authorization check is that Experian asks you to answer four so-called “knowledge-based authentication” or KBA questions. As I have noted in countless stories published here previously, the problem with relying on KBA questions to authenticate consumers online is that so much of the information needed to successfully guess the answers to those multiple-choice questions is now indexed or exposed by search engines, social networks and third-party services online — both criminal and commercial.

What’s more, many of the companies that provide and resell these types of KBA challenge/response questions have been hacked in the past by criminals that run their own identity theft services.

“Whenever I’m faced with KBA-type questions I find that database tools like Spokeo, Zillow, etc are my friend because they are more likely to know the answers for me than I am,” said Nicholas Weaver, a senior researcher in networking and security for the International Computer Science Institute (ICSI).

The above quote from Mr. Weaver came in a story from May 2017 which looked at how identity thieves were able to steal financial and personal data for over a year from TALX, an Equifax subsidiary that provides online payroll, HR and tax services. Equifax says crooks were able to reset the 4-digit PIN given to customer employees as a password and then steal W-2 tax data after successfully answering KBA questions about those employees.

In short: Crooks and identity thieves broadly have access to the data needed to reliably answer KBA questions on most consumers. That is why this offering from Experian completely undermines the entire point of placing a freeze. 

After discovering this portal at Experian, I tried to get my PIN, but the system failed and told me to submit the request via mail. That’s fine and as far as I’m concerned the way it should be. However, I also asked my followers on Twitter who have freezes in place at Experian to test it themselves. More than a dozen readers responded in just a few minutes, and most of them reported success at retrieving their PINs on the site and via email after answering the KBA questions.

Here’s a sample of the KBA questions the site asked one reader:

1. Please select the city that you have previously resided in.

2. According to our records, you previously lived on (XXTH). Please choose the city from the following list where this street is located.

3. Which of the following people live or previously lived with you at the address you provided?

4. Please select the model year of the vehicle you purchased or leased prior to July 2017 .

Experian will display the freeze PIN on its site, and offer to send it to an email address of your choice. Image: Rob Jacques.

I understand if people who place freezes on their credit files are prone to misplacing the PIN provided by the bureaus that is needed to unlock or thaw a freeze. This is human nature, and the bureaus should absolutely have a reliable process to recover this PIN. However, the information should be sent via snail mail to the address on the credit record, not via email to any old email address.

This is yet another example of how someone or some entity other than the credit bureaus needs to be put in charge of rethinking and rebuilding the process by which consumers apply for and manage credit freezes. I addressed some of these issues — as well as other abuses by the credit reporting bureaus — in the second half of a long story published Wednesday evening.

Experian has not yet responded to requests for comment.

While this service is disappointing, I stand by my recommendation that everyone should place a freeze on their credit files. I published a detailed Q&A a few days ago about why this is so important and how you can do it. For those wondering about whether it’s possible and advisable to do this for their kids or dependents, check out The Lowdown on Freezing Your Kid’s Credit.


Equifax Breach: Setting the Record Straight

Bloomberg published a story this week citing three unnamed sources who told the publication that Equifax experienced a breach earlier this year which predated the intrusion that the big-three credit bureau announced on Sept. 7. To be clear, this earlier breach at Equifax is not a new finding and has been a matter of public record for months. Furthermore, it was first reported on this Web site in May 2017.

In my initial Sept. 7 story about the Equifax breach affecting more than 140 million Americans, I noted that this was hardly the first time Equifax or another major credit bureau has experienced a breach impacting a significant number of Americans.

On May 17, KrebsOnSecurity reported that fraudsters exploited lax security at Equifax’s TALX payroll division, which provides online payroll, HR and tax services.

That story was about how Equifax’s TALX division let customers who use the firm’s payroll management services authenticate to the service with little more than a 4-digit personal identification number (PIN).

Identity thieves who specialize in perpetrating tax refund fraud figured out that they could reset the PINs of payroll managers at various companies just by answering some multiple-guess questions — known as “knowledge-based authentication” or KBA questions — such as previous addresses and dates that past home or car loans were granted.

On Tuesday, Sept. 18, Bloomberg ran a piece with reporting from no fewer than five journalists there who relied on information provided by three anonymous sources. Those sources reportedly spoke in broad terms about an earlier breach at Equifax, and told the publication that these two incidents were thought to have been perpetrated by the same group of hackers.

The Bloomberg story did not name TALX. Only post-publication did Bloomberg reporters update the piece to include a statement from Equifax saying the breach was unrelated to the hack announced on Sept. 7, and that it had to do with a security incident involving a payroll-related service during the 2016 tax year.

I have thus far seen zero evidence that these two incidents are related. Equifax has said the unauthorized access to customers’ employee tax records (we’ll call this “the March breach” from here on) happened between April 17, 2016 and March 29, 2017.

The criminals responsible for unauthorized activity in the March breach were participating in an insidious but common form of cybercrime known as tax refund fraud, which involves filing phony tax refund requests with the IRS and state tax authorities using the personal information from identity theft victims.

My original report on the March breach was based on public breach disclosures that Equifax was required by law to file with several state attorneys general.

Because the TALX incident exposed the tax and payroll records of its customers’ employees, the victim customers were in turn required to notify their employees as well. That story referenced public breach disclosures from five companies that used TALX, including defense contractor giant Northrop Grumman; staffing firm Allegis Group; Saint-Gobain Corp.; Erickson Living; and the University of Louisville.

When asked Tuesday about previous media coverage of the March breach, Equifax pointed National Public Radio (NPR) to coverage in KrebsonSecurity.

One more thing before I move on to the analysis. For more information on why KBA is a woefully ineffective method of stopping fraudsters, see this story from 2013 about how some of the biggest vendors of these KBA questions were all hacked by criminals running an identity theft service online.

Or, check out these stories about how tax refund fraudsters used weak KBA questions to steal personal data on hundreds of thousands of taxpayers directly from the Internal Revenue Service’s own Web site. It’s probably worth mentioning that Equifax provided those KBA questions as well.


Over the past two weeks, KrebsOnSecurity has received an unusually large number of inquiries from reporters at major publications who were seeking background interviews so that they could get up to speed on Equifax’s spotty security history (sadly, Bloomberg was not among them).

These informational interviews — in which I agree to provide context and am asked to speak mainly on background — are not unusual; I sometimes field two or three of these requests a month, and very often more when time permits. And for the most part I am always happy to help fellow journalists make sure they get the facts straight before publishing them.

But I do find it slightly disturbing that there appear to be so many reporters on the tech and security beats who apparently lack basic knowledge about what these companies do and their roles in perpetuating — not fighting — identity theft.

It seems to me that some of the world’s most influential publications have for too long given Equifax and the rest of the credit reporting industry a free pass — perhaps because of the complexities involved in succinctly explaining the issues to consumers. Indeed, I would argue the mainstream media has largely failed to hold these companies’ feet to the fire over a pattern of lax security and a complete disregard for securing the very sensitive consumer data that drives their core businesses.

To be sure, Equifax has dug themselves into a giant public relations hole, and they just keep right on digging. On Sept. 8, I published a story equating Equifax’s breach response to a dumpster fire, noting that it could hardly have been more haphazard and ill-conceived.

But I couldn’t have been more wrong. Since then, Equifax’s response to this incident has been even more astonishingly poor.


On Tuesday, the official Equifax account on Twitter replied to a tweet requesting the Web address of the site that the company set up to give away its free one-year of credit monitoring service. That site is https://www.equifaxsecurity2017.com, but the company’s Twitter account told users to instead visit securityequifax2017[dot]com, which is currently blocked by multiple browsers as a phishing site.
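The mix-up above is a token-permutation lookalike: the phishing host reuses the exact words of the real one in a different order, which is why it slips past a casual glance. Below is an added example, not code from the original post or from Equifax, of a small check that flags hostnames built from the legitimate site's own tokens. The brand token list (equifax, security, 2017) and the defanged input format are assumptions for the illustration; the legitimate hostname is the one named in the post.

```python
import re

# Legitimate breach-response host named in the post. Assumed here to be the
# only host that should ever be handed out for the free-monitoring signup.
LEGIT_HOST = "www.equifaxsecurity2017.com"

# Assumed vocabulary: the tokens the legitimate label is built from.
BRAND_TOKENS = ("equifax", "security", "2017")


def normalize(host):
    """Refang a defanged host, strip scheme/path/port/www., lower-case it."""
    host = host.strip().lower().replace("[dot]", ".").replace("(dot)", ".")
    host = re.sub(r"^[a-z]+://", "", host)
    host = host.split("/")[0].split(":")[0]
    if host.startswith("www."):
        host = host[4:]
    return host


def tokenize(label, vocab=BRAND_TOKENS):
    """Carve a domain label into vocabulary tokens, longest match first.

    Returns the token list, or None if any part of the label is not
    covered by the vocabulary (i.e. the label is not built from brand words).
    """
    ordered = sorted(vocab, key=len, reverse=True)
    tokens, i = [], 0
    while i < len(label):
        for tok in ordered:
            if label.startswith(tok, i):
                tokens.append(tok)
                i += len(tok)
                break
        else:
            return None
    return tokens


def classify(candidate, legit=LEGIT_HOST, vocab=BRAND_TOKENS):
    """Classify a hostname relative to the legitimate one.

    "legitimate"                     exact match after normalisation
    "lookalike: brand tokens reordered"       same tokens, same TLD, new order
    "lookalike: brand tokens, different tld"  same tokens, other TLD
    "lookalike: partial brand tokens"         built only from brand words
    "unrelated"                      contains text outside the vocabulary
    """
    cand = normalize(candidate)
    ref = normalize(legit)
    if cand == ref:
        return "legitimate"
    cand_label, _, cand_tld = cand.partition(".")
    ref_label, _, ref_tld = ref.partition(".")
    # Hyphen/underscore insertion is a common lookalike trick; ignore them.
    cand_tokens = tokenize(cand_label.replace("-", "").replace("_", ""), vocab)
    if cand_tokens is None:
        return "unrelated"
    if sorted(cand_tokens) == sorted(tokenize(ref_label, vocab)):
        if cand_tld == ref_tld:
            return "lookalike: brand tokens reordered"
        return "lookalike: brand tokens, different tld"
    return "lookalike: partial brand tokens"


if __name__ == "__main__":
    # Constructed sample inputs, including the defanged host from the post.
    for h in ("https://www.equifaxsecurity2017.com/enroll",
              "securityequifax2017[dot]com",
              "equifax-security-2017.net",
              "equifax2017.com",
              "krebsonsecurity.com"):
        print(f"{h:45} -> {classify(h)}")
```

The greedy longest-match tokenizer is deliberate: with a short vocabulary it cannot mis-split, and refusing any label that contains non-vocabulary text keeps the check from flagging every site that merely mentions the brand. For production use you would feed it the tokens of each domain you actually own and run it over outbound links before they are published, which is exactly the step that was missing here.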



Under intense public pressure from federal lawmakers and regulators, Equifax said that for 30 days it would waive the fee it charges for placing a security freeze on one’s credit file (for more on what a security freeze entails and why you and your family should be freezing your files, please see The Equifax Breach: What You Should Know).

Unfortunately, the free freeze offer from Equifax doesn’t mean much if consumers can’t actually request one via the company’s freeze page; I have lost count of how many comments have been left here by readers over the past week complaining of being unable to load the site, let alone successfully obtain a freeze. Instead, consumers have been told to submit the requests and freeze fees in writing and to include copies of identity documents to validate the requests.

Sen. Elizabeth Warren (D-Mass) recently introduced a measure that would force the bureaus to eliminate the freeze fees and to streamline the entire process. To my mind, that bill could not get passed soon enough.

Understand that each credit bureau has a legal right to charge up to $20 in some states to freeze a credit file, and in many states they are allowed to charge additional fees if consumers later wish to lift or temporarily thaw a freeze. This is especially rich given that credit bureaus earn roughly $1 every time a potential creditor (or identity thief) inquires about your creditworthiness, according to Avivah Litan, a fraud analyst with Gartner Inc.

In light of this, it’s difficult to view these freeze fees as anything other than a bid to discourage consumers from filing them.

The Web sites where consumers can go to file freezes at the other major bureaus — including TransUnion and Experian — have hardly fared any better since Equifax announced the breach on Sept. 7. Currently, if you attempt to freeze your credit file at TransUnion, the company’s site is relentless in trying to steer you away from a freeze and toward the company’s free “credit lock” service.

That service, called TrueIdentity, claims to allow consumers to lock or unlock their credit files for free as often as they like with the touch of a button. But readers who take the bait probably won’t notice or read the terms of service for TrueIdentity, which has the consumer agree to a class action waiver, a mandatory arbitration clause, and something called ‘targeted marketing’ from TransUnion and their myriad partners.

The agreement also states TransUnion may share the data with other companies:

“If you indicated to us when you registered, placed an order or updated your account that you were interested in receiving information about products and services provided by TransUnion Interactive and its marketing partners, or if you opted for the free membership option, your name and email address may be shared with a third party in order to present these offers to you. These entities are only allowed to use shared information for the intended purpose only and will be monitored in accordance with our security and confidentiality policies. In the event you indicate that you want to receive offers from TransUnion Interactive and its marketing partners, your information may be used to serve relevant ads to you when you visit the site and to send you targeted offers. For the avoidance of doubt, you understand that in order to receive the free membership, you must agree to receive targeted offers.”

TransUnion then encourages consumers who are persuaded to use the “free” service to subscribe to “premium” services for a monthly fee with a perpetual auto-renewal.

In short, TransUnion’s credit lock service (and a similarly named service from Experian) doesn’t prevent potential creditors from accessing your files, and these dubious services allow the credit bureaus to keep selling your credit history to lenders (or identity thieves) as they see fit.

As I wrote in a Sept. 11 Q&A about the Equifax breach, I take strong exception to the credit bureaus’ increasing use of the term “credit lock” to divert people away from freezes. Their motives for saddling consumers with even more confusing terminology are suspect, and I would not count on a credit lock to take the place of a credit freeze, regardless of what these companies claim (consider the source).

Experian’s freeze Web site has performed little better since Sept. 7. Several readers pinged KrebsOnSecurity via email and Twitter to complain that while Experian’s freeze site repeatedly returned error messages stating that the freeze did not go through, these readers’ credit cards were nonetheless charged $15 freeze fees multiple times.

If the above facts are not enough to make your blood boil, consider that Equifax and other bureaus have been lobbying lawmakers in Congress to pass legislation that would dramatically limit the ability of consumers to sue credit bureaus for sloppy security, and cap damages in related class action lawsuits to $500,000.

If ever there was an industry that deserved obsolescence or at least more regulation, it is the credit bureaus. If either of those outcomes is to become reality, it is going to take much more attentive and relentless coverage on the part of the world’s top news publications. That’s because there’s a lot at stake here for an industry that lobbies heavily (and successfully) against any new laws that may restrict their businesses.

Here’s hoping the media can get up to speed quickly on this vitally important topic, and help lead the debate over legal and regulatory changes that are sorely needed.


September 20, 2017: Miami-Dade Resident Sentenced to More Than 4 Years in Prison for Managing a Miami Spa Performing Illicit Silicone Injections


Investor Bulletin: Financial Professionals’ Use of Professional Honors – Awards, Rankings, and Designations


The SEC’s Office of Investor Education and Advocacy is issuing this Investor Bulletin to educate individual investors about the professional awards, rankings, and designations that financial professionals often use to market themselves to prospective clients.
