Online Data Theft: Know Your Enemy

The Department of Justice recently charged 11 people with the theft of millions of credit card accounts from the likes of TJ Maxx, Barnes & Noble, Dave & Busters and half a dozen other retailers. As details of the indictments surfaced, we learned that this group operated internationally and was composed of American, Ukrainian, Chinese and Eastern European members. It’s estimated that their activities resulted in tens of millions of dollars stolen.

While the arrest is significant, and unusual, the fact is this group represents only a minute fraction of the hacking community. It’s helpful to put a face on the problem, and this case does expose the multinational, international character of this crime. The reality is that the Internet binds us all together, and provides millions of places to hide and significant anonymity.

In part two of this three-part series on security and compliance (for part one, click here) we peel back the covers to show you the face of the enemy, explore their prime motivation, expose the scope of the problem and focus on the steps to take to defend yourself.

Are you at risk? Absolutely. If you have an Internet connection, you’re a target. Many businesses make the mistake of assuming that they’re too small, both in stature and in volume, to be a target for hackers.

What they fail to understand is that most attacks are highly automated and completely blind. Only once they have successfully breached your network does an attacker start to explore and learn who you are, what you do, and where to find what they’re looking for.

So what are they looking for? Credit card and identity data tops the list of items that are easy to sell to a very active and lucrative black market. Would it surprise you to learn that you can find hundreds of individuals around the world offering credit card data for sale?

For example, it’s possible to purchase 100 Gold and Platinum cards, complete with associated Card Code Verification (CCV or CVV2) numbers for as little as $2,500. A real bargain is a block of 500 cards for only $5,000. Individual cards, depending on country of origin, might be $30-40.

Unfortunately, you can easily find sites offering to sell these cards, complete with “free samples” that are used to verify the authenticity of their offer. If that’s not frightening enough, you’ll find that the samples include personal details including name, address, phone, date of birth, and social security number.

(As a note of caution, I would not advise following the links to these sites – there is always the possibility the sites have been compromised or intentionally configured to attack any browser visiting the site.)

Of course, insiders are another risk that retailers face. The recent insider breach at Countrywide Financial revealed that a determined insider could capture significant amounts of data over very long periods of time. In this specific case, the individual involved is alleged to have stolen 20,000 customer records weekly for nearly two years.

What do all of these breaches have in common? They could have been avoided.

The 11 charged with the theft of millions of credit card accounts allegedly used wireless access from the victims’ own parking lots. The retailers apparently had little or no encryption on their wireless systems, in spite of being PCI compliant.

In the Countrywide case the insider allegedly came in every Sunday and copied records to a USB drive. Apparently there was no internal monitoring in place to detect or prevent this activity.

A retail supermarket and grocery store was allegedly compromised because its remote access system relied on weak passwords supplied by a contractor — again there was no monitoring of this access.

The lesson is to recognize you are at risk — even if you don’t think you are. A successful compliance audit isn’t a “silver bullet” for IT security. It’s critical to combine multiple layers of defense with continuous monitoring to ensure the systems, policies and procedures you’ve developed are effective and enforced.
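One concrete form the continuous monitoring described above can take, as an added example that is not from the article or from TriGeo’s product: a small Python checker that reads constructed export-audit lines and flags the pattern of the Countrywide case (weekend access, bulk record counts, writes to removable media), then counts repeat occurrences per user. The log format, the field names and the bulk threshold are assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample audit lines (not real data). Assumed format:
# ISO-8601 timestamp|user|action|record_count|destination
SAMPLE_LOG = """\
2008-06-01T14:05:00|jdoe|export|20000|usb:E:
2008-06-03T10:12:00|asmith|export|150|share:reports
2008-06-08T13:40:00|jdoe|export|21000|usb:E:
2008-06-10T09:30:00|bwayne|export|40|share:reports
2008-06-15T15:02:00|jdoe|export|19500|usb:E:
"""

BULK_THRESHOLD = 5000  # records per export treated as bulk (assumed policy value)


def parse_line(line):
    """Split one pipe-delimited audit line into a dict with typed fields."""
    ts, user, action, records, dest = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action,
            "records": int(records), "dest": dest}


def flag_event(ev):
    """Return the list of reasons an export event looks suspicious (empty if none)."""
    reasons = []
    if ev["ts"].weekday() >= 5:            # Saturday or Sunday
        reasons.append("weekend")
    if ev["records"] >= BULK_THRESHOLD:    # unusually large extraction
        reasons.append("bulk")
    if ev["dest"].startswith("usb:"):      # copy to removable media
        reasons.append("removable-media")
    return reasons


def find_suspicious(log_text):
    """Return (user, timestamp, reasons) for every flagged export in the log."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = flag_event(ev)
        if ev["action"] == "export" and reasons:
            alerts.append((ev["user"], ev["ts"].isoformat(), reasons))
    return alerts


def repeat_offenders(alerts, min_count=2):
    """Count flagged exports per user; a recurring pattern is the real signal."""
    counts = Counter(user for user, _, _ in alerts)
    return {u: n for u, n in counts.items() if n >= min_count}
```

A single weekend export may be legitimate; the recurring per-user count is what would have exposed a weekly copy routine.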

As discussed in the first article in this series, security decisions are risk management decisions. Like the decision to purchase fire or flood insurance, you can only make an informed decision if you understand the risks.

By recognizing that external threats aren’t strategically targeted only at larger organizations, and that internal threats are equally real risks, you can start to form a security strategy to protect your business.

Michael Maloof is chief technology officer at TriGeo Network Security.