BreachExchange mailing list archives

Target's data breach could signal cybercrime wave


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 10 Feb 2014 18:23:01 -0700

http://www.morningjournal.com/general-news/20140210/targets-data-breach-could-signal-cybercrime-wave

The rash of attacks against Target and other top retailers is likely to be
the leading edge of a wave of serious cybercrime, as hackers become
increasingly skilled at breaching the nation's antiquated payment systems,
experts say.

Traditional defenses such as installing antivirus software and monitoring
accounts for unusual activity have offered little resistance against
Eastern European criminal gangs whose programmers write malicious code
aimed at specific companies or buy inexpensive hacking kits online. Armed
with such tools, criminals can check for system weaknesses in wireless
networks, computer servers or stores' card readers.

Nearly two dozen companies have been hacked in cases similar to the Target
breach and more almost certainly will fall victim in the months ahead, the
FBI recently warned retailers, according to an official who was not
authorized to speak publicly. The names of all of the compromised firms
have not been revealed, nor is it clear how many shoppers have had their
credit card numbers and other personal data stolen.

Banks, retailers and policymakers have been slow to address the growing
sophistication of cybercriminals. Only 11 percent of businesses have
adopted industry-standard security measures, said a recent report by
Verizon Business Solutions, and outside experts say even these "best
practices" fall short of what's needed to defeat aggressive hackers lured
by the prospect of a multimillion-dollar heist.

"You're going to see more and more people trying this," said Nicolas
Christin, a security researcher at Carnegie Mellon University. "If you just
saw your neighbor win the lottery, even if you weren't interested in the
lottery before, you may go out and buy a ticket."

Cybercrime cost U.S. companies an average of $11.5 million in 2012,
according to a study by the Ponemon Institute, up 26 percent compared with
the previous year. The effect on consumers can last for years, as they are
left vulnerable to bogus charges and potential identity theft.

Experts say that reversing the rise in major data breaches would require
expensive upgrades, including the adoption of end-to-end encryption, the
walling-off of the most sensitive data on separate networks, and the
adoption of newer credit card technology that holds customer information on
an embedded chip rather than the familiar black magnetic strip now on most
American cards.

Credit card chips can communicate with banks in a way that better protects
a user's private information, often requiring a personal identification
number to verify a purchase. Such systems are widespread in most of the
developed world but are appearing in the United States only gradually.

"Our decades-old payment system was not designed with cybersecurity in
mind," said Christopher Soghoian, principal technologist at the American
Civil Liberties Union. "Times have changed. Data breaches now occur on a
weekly basis, the result of which is that consumers become victims of fraud
and identity theft."

An industry group including the major American credit card issuers is
pushing for widespread adoption of chip cards by October 2015. Consumer
groups want Washington to mandate a faster and more complete shift, but
federal regulators have balked at forcing the politically influential
banking industry to invest in new technology, especially if there is a
chance that it might not thwart future attacks.

In a sign of the growing concern over credit card security, Congress held
four hearings last week to examine whether the industry and the government
are doing enough to protect consumers. Tuesday's meeting featured officials
from the largest retailers at the center of the recent run of data breaches.

"The unfortunate reality is that we suffered a breach, and all businesses --
and their customers -- are facing increasingly sophisticated threats from
cybercriminals," John Mulligan, Target's chief financial officer, told
lawmakers.

Hackers lifted 40 million debit and credit card numbers from Target
customers during the holiday season. The company later said thieves also
grabbed personal information, including names, home addresses and telephone
numbers, of an additional 70 million customers in that attack. Other
companies, including craft store Michael's and hotel-management firm White
Lodging Services, have since reported breaches of their computer systems.

"I think we're going to hear a lot about these breaches over the next
year," said Brian Krebs, a cybersecurity journalist who blogs at
KrebsOnSecurity.com. "It just looks like some of the guys involved in this
activity have compromised a ridiculous number of companies."

Krebs reported that the Target breach happened after criminals gained
access to the company networks through a contractor that was servicing
heating and air-conditioning systems at several stores.

Department store Neiman Marcus also was attacked recently. Its senior vice
president, Michael Kingston, told lawmakers Tuesday that the company's
antivirus software was virtually useless in defending its computers. The
retailer didn't detect that its credit card systems were being hacked, and
the company did not learn of the intrusion until the beginning of January,
many months after it began.

His reference to antivirus software drew scoffs from security experts, who
compare the protections offered by such programs to a flu shot -- capable of
staving off infection from wide and unfocused threats but of little value
against a serious attacker determined to breach a specific network.

Security experts say companies must install systems that detect and halt
intrusions quickly, before massive amounts of personal data can be lost.

"Companies need to be hunting on their networks constantly . . . looking
for signs of compromise," said Shawn Henry, former head of cybercrime for
the FBI and now president of Crowdstrike Services, a security company. "If
you give people unfettered access for weeks and months and years, they can
do a lot of damage."

The recent conviction of Russian national Aleksandr Andreevich Panin in
federal court offers a window into the robust market for malicious
software. Panin, the architect of SpyEye malware, sold his virus for as
little as $1,000 online through invitation-only forums, prosecutors said.

At least 150 hackers snagged versions of SpyEye between 2009 and 2011,
using the virus to set up servers designed to steal money from bank
accounts. One customer made more than $3.2 million in six months using the
virus. Panin's code, which automates the theft of user names, passwords and
PINs, infected more than 1.4 million computers worldwide.

Although experts predict that retail cyberattacks are likely to increase,
the long-term forecast is a matter of debate. Companies may succeed in
strengthening their defenses over the next several months, deterring
hackers. Or, the surge of stolen credit card information on the market may
cause a glut and drop prices to the point at which incentives for new
attacks shrink, said Christin, the Carnegie Mellon researcher. Currently,
the price is about $15 to $20 per card.

"From a researcher's point of view, it's actually very interesting," he
said. "I think there's going to be market saturation."