BreachExchange mailing list archives

Big Data Breaches -- The Shape of Things to Come


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 6 Feb 2014 19:05:39 -0700

http://www.huffingtonpost.com/mary-buffett/big-data-breachesthe-shap_b_4726105.html

Get ready for more data breaches. Many more. Now that the impact of the
Target data breach has grown from 40 million card members to 70 million,
and to perhaps as high as 110 million, prepare for all sorts of mayhem
because this data theft is just the start of things to come.

Yesterday before Congress, Attorney General Eric Holder said, "The
Department of Justice takes seriously reports of any data breach,
particularly those involving personally identifiable or financial
information, and looks into allegations that are brought to its attention."
Those are tough words but as long as cyberthieves operate beyond American
borders, apprehension and prosecution will be little more than an empty
threat.

Think about it -- nearly two months have passed since the breach was
announced and today nobody at Target knows the depth of the damage. Worse,
when disaster struck, Target exacerbated matters by reversing course on a
number of earlier decisions. First we were told that PIN information was
safe, but then Target sheepishly announced that it was stolen too.
Incomplete information erodes the consumer confidence in brands we have
known for years.

The more we discover, the murkier things become. Law enforcement knows that
the breach stemmed from malware within Target's POS system, identified as
Kaptoxa. It is designed to scrape and store stolen data for future use by
the bad guys. According to press reports, these stolen names quickly went
underground into the netherworld of illicit clearing houses, "the chop
shops" in the illegal financial industry. Unlike other fraud, this
clobbered people right where they live. People burned by the Target breach
found that they bounced their mortgage checks, damaged their credit
ratings, and turned their lives upside down.

According to a Washington Post article, a Russian teenager has been
identified as the malware's creator. Maybe he wanted to impress a teenage
girl. While he did not launch the attack, we know that 60 copies were sold
to other cyberthieves. More shoes will drop and major retailers will find
themselves stumbling in the dark to assess the damage.

Here is our conundrum. We have a crazy relationship with our technology.
On one hand, we swipe our credit and debit cards at gas stations,
supermarkets, and other retail and online businesses, never realizing that
every time we use them, we open up a new window of vulnerability with each
transaction. For example, those who use pay-at-the-pump terminals at gas
stations don't realize that they're at Ground Zero in the fight against
transaction fraud.

Gas pump skimming is where the "small fries" operate. Those with greater
imaginations will aim for the larger retailers and will probe and poke
until a poorly created password gets them into the front door. Even as EMV
(Chip and PIN cards) are poised to replace our mag stripe cards with better
security measures, it's only a matter of time before that gets hacked to
pieces too.

So what does the future hold? More breaches will explode on to front pages.
We will wake to sad emails from friends announcing that their accounts have
been cleaned out by this madness. They will spend days if not weeks on the
phone with banks cleaning up the mess. Pundits and other Talking Heads will
bemoan the perceived lack of protection while the next Russian, Ukraine, or
Czech Math Camp champion launches the next surprise attack.

Senior management at retailers everywhere will forever live under a darker
cloud of fear. The Target breach will have a long tail echo and might even
drive a decline in consumer confidence. People might think twice about
using their debit card at Ground Zero of Retail Fraud, like Target or
Neiman-Marcus. Class action suits will flood the courtrooms. Finally
interchange, the base cost of electronic transactions, will have to move
upwards and that will hurt us all. Costs not absorbed by banks and other
institutions will be passed on to merchants or consumers.

Sometimes we're our own worst enemies. Anybody who fails to walk their card
inside a gas station and pay at the counter only courts danger. Gas station
breaches take place at the pump, not inside. Many people still use
sequential passwords like "1-2-3-4-5-6." Others use highly identifiable
clues like names of family members. Considering that we have so many
personal passwords (from our Netflix accounts to online banking accounts)
it's hard to keep everything straight in our heads.

So what do we do? We know that any online fraud will increase. Companies
will invest heavily into new fraud protection services because nobody wants
to be "Target-ed." Moving away from the mag stripes used on the back of our
cards and going toward a "chip and pin" approach is critical but how long
will it take for another Eastern European quiz kid to cook up new trends in
stealing your data? Answer: Not long at all.

The death of cash is premature. For all those prognosticators who predicted
that dollar bills would end up in museums, think again. You cannot hack a
dollar bill or use a smartphone to pickpocket the woman next to you on the
train. You have to do it manually. Cash has its limitations, but in one
sense it is conspicuously safe.

The rise of tokenization. Many of us at work use tokens to generate dynamic
passwords, one-time PIN numbers that just as quickly evaporate into thin
air and are replaced by new passwords. Perhaps that will serve to further
narrow our window of vulnerability.

However, the "thin blue line" of fraud protection depends on us. Americans
need to purchase in a smarter fashion. We can no longer be so lazy with our
passwords and other PINs or else we'll be stripped clean.

Any password older than 30 days is ripe for theft. We roll our eyes
whenever we update our security passwords at work, but we should take that
approach to all of our personal passwords and PINs. We should update
everything on a monthly basis, and after what took place with Target, I am
going to make that a priority.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss