What You Need To Know:
- Hackers used "Flowjacking" to exploit ADP's internal account-setup process
- The impact is national, potentially affecting hundreds of thousands of companies.
- The apparent intention of the hackers is to claim fraudulent IRS and state tax returns on behalf of victims.
Payroll processing giant ADP recently disclosed a major hack. In a notice last week, U.S. Bank reported to its employees that attackers may have gained unauthorized access to their W-2s through a W-2 portal maintained by ADP. Further investigation by ADP and U.S. Bank has led to the disclosure that payroll, tax and benefits administration for more than 640,000 companies was vulnerable to an ID theft scam. The attackers made off with tax and salary data from an unknown number of individuals.
New Hacking Method: “Flowjacking”
Attackers are now using a technique called "Flowjacking": they map out the work and data flow of ADP's internal processes and insert themselves into it. ADP's portal, like so many other authentication systems, relies entirely on static data (SSN, date of birth, address) that is available on just about every American for less than $4 in cybercriminal circles.
The attackers found out that setting up a user account with the company was a two-step process. The first step involves setting up the account, which requires social security numbers and other personal data that is easily available in the underground internet economy. The second step is activating the account, and ADP sends activation codes to the companies that set up accounts with them. Unfortunately, some companies are not careful with their activation codes, and wind up placing them on their website or distributing them through insecure means to enable their employees to access and use them. Such insecure methods allow hackers to easily scrape and harvest the codes.
Armed with a stolen social security number and a code grabbed from a website, the bad guys injected themselves into ADP's normal process and made off with the personal information of thousands, and maybe even millions, of people, information that can easily be sold in the criminal internet economy.
"We viewed the [ADP] code as an identification code, not as an authentication code, and we posted it to a Web site for the convenience of our employees so they could access their W-2 information," said U.S. Bank spokesman Dana Ripley. "We have discontinued that practice."
Not Yet Known How Many Records Are At Risk
ADP has thus far not released information on how many records were potentially compromised in this hack. Security experts stress that ADP itself was not hacked; rather, the workflow was breached, and the hackers took advantage of the fact that some organizations weren't as careful as they should have been with their activation codes.
Protecting Yourself From This Attack
ADP does offer an additional layer of authentication — a personal identification code (PIC) — basically another static code that can be assigned to each employee. ADP's Chief Security Officer Roland Cloutier added that ADP is trialing a service that will ask anyone requesting a new account to successfully answer a series of questions based on information that only the real account holder is supposed to know. These so-called knowledge-based authentication (KBA) or "out-of-wallet" questions generally focus on things such as previous addresses, loan amounts and dates, and can be successfully enumerated with random guessing. In many cases, the answers can be found by consulting free online services, such as Zillow and Facebook. The IRS found this out the hard way, and over the past year has removed two separate authentication systems that placed too much reliance on KBA and static data to authenticate taxpayers. In May 2015, the IRS took down its "Get Transcript" service after tax refund fraudsters began using it to pull W-2 data on more than 724,000 taxpayers. In those cases, the fraudsters also already had the victim's SSN, DoB and other personal data. In March 2016, the IRS suspended its "Get IP PIN" feature for the same reason.
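To make the design weakness concrete, here is an added example (not ADP's code, and not from this post) that models the two-step enrollment flow in Python. The weak version is gated only by public identifiers plus a static, company-wide activation code of the kind that ended up posted on websites; the hardened version issues each employee a single-use, short-lived token that HR delivers out of band, and locks the record after repeated failures so that answers to static questions cannot simply be enumerated. The roster, names, SSNs and code values are all constructed for the example.

```python
"""
Toy model of a two-step self-service enrollment flow (hypothetical; not ADP's
code). Contrasts a weak design, where one static company-wide activation code
plus public data gates registration, with a hardened design using per-employee,
single-use, expiring tokens and a failure lockout.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample roster, keyed by SSN, as an employer's HR system might hold it.
ROSTER = {
    "123-45-6789": {"name": "A. Example", "dob": "1980-01-01"},
    "987-65-4321": {"name": "B. Sample", "dob": "1975-06-30"},
}

# --- Weak design: one static company code, shared by every employee ---------
COMPANY_CODE = "CORP1234"  # constructed; imagine it pasted on a public intranet page


def weak_register(ssn: str, dob: str, code: str) -> bool:
    """Registration succeeds on public data plus a shared static code.
    Nothing checked here is a secret known only to the real employee."""
    emp = ROSTER.get(ssn)
    return emp is not None and emp["dob"] == dob and hmac.compare_digest(code, COMPANY_CODE)


# --- Hardened design: per-employee, single-use, expiring token + lockout -----
@dataclass
class TokenStore:
    ttl_seconds: int = 900          # token lifetime (15 minutes)
    max_failures: int = 5           # lock the record after this many bad attempts
    tokens: dict = field(default_factory=dict)    # ssn -> (token, issued_at)
    failures: dict = field(default_factory=dict)  # ssn -> failed attempt count
    registered: set = field(default_factory=set)

    def issue(self, ssn: str, now: float) -> Optional[str]:
        """Mint a fresh token for one known, not-yet-registered employee.
        The caller delivers it over HR's on-file channel, never a public page."""
        if ssn not in ROSTER or ssn in self.registered:
            return None
        token = secrets.token_urlsafe(16)
        self.tokens[ssn] = (token, now)
        return token

    def redeem(self, ssn: str, dob: str, token: str, now: float) -> bool:
        """Accept only a matching, unexpired, never-used token for an
        unregistered employee whose record is not locked out."""
        if ssn in self.registered or self.failures.get(ssn, 0) >= self.max_failures:
            return False
        emp = ROSTER.get(ssn)
        entry = self.tokens.get(ssn)
        ok = (
            emp is not None
            and emp["dob"] == dob
            and entry is not None
            and now - entry[1] <= self.ttl_seconds
            and hmac.compare_digest(token, entry[0])
        )
        if ok:
            self.registered.add(ssn)
            del self.tokens[ssn]  # single use: a replayed token is rejected
            return True
        self.failures[ssn] = self.failures.get(ssn, 0) + 1
        return False


if __name__ == "__main__":
    # Weak flow: scraped company code + purchased SSN/DOB is enough.
    print("weak flow, scraped code:", weak_register("123-45-6789", "1980-01-01", COMPANY_CODE))
    # Hardened flow: the scraped code is useless; only the out-of-band token works, once.
    store = TokenStore()
    tok = store.issue("123-45-6789", now=1000.0)
    print("hardened flow, scraped code:", store.redeem("123-45-6789", "1980-01-01", COMPANY_CODE, 1001.0))
    print("hardened flow, real token:", store.redeem("123-45-6789", "1980-01-01", tok, 1100.0))
    print("hardened flow, replayed token:", store.redeem("123-45-6789", "1980-01-01", tok, 1101.0))
```

The point of the contrast is that the weak flow has no per-person secret at all, so anything the attacker can buy or scrape is sufficient; the hardened flow binds one secret to one employee, one use and one time window, and the lockout caps how many guesses a static-data check can absorb.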
But somehow, KBA questions are an innovation that’s worth looking forward to at ADP.
“The IRS didn’t have a PIC code or client code,” Cloutier said when referencing the IRS’s experience. “They didn’t have as many levels and individual authentication components that we provide our clients.”
If your organization uses ADP, you should contact your ADP rep and check if any of your employee records were affected. It could be none, it could be a very small percentage, but I suggest you take proactive measures.
The hackers made off with W-2 data, so tax refunds and returns could be affected, but these stolen identities are also being bought and used by other cybercriminals for increasingly targeted phishing attacks.
CIT is advising its clients to expect highly personalized (spear-) phishing attacks using the stolen ADP data, sent to hundreds of thousands or millions of people. Employees should be inoculated against attacks like this with simulated phishing emails that train them to spot red flags in messages. Clear communication and training about the danger of phishing emails should be provided to end users in conjunction with this hack announcement.
Not a CIT client yet? Join us to discover how Good IT can be!
We at CIT believe that people are the first line of defense against a successful attack. We take a proactive and security-first approach to managed services by including device security beyond the firewall and proactive, ongoing anti-phishing and information security awareness training for end users as part of our services.
Talk with one of our highly trained and experienced humans and learn how we can help secure your organization – including the humans!