Wednesday, April 15, 2009

280 Million Records Compromised Last Year

Damning report finds simple steps still being ignored
Phil Muncaster, 15 Apr 2009

More than 280 million records were compromised in 2008, according to a new Data Breach Investigations Report from global comms and IT provider Verizon Business.

The report was written by the Verizon Business Risk team using first-hand evidence collected from the firm's data breach investigations over 2008.

Three-quarters of breaches resulted from external threats, the report found, while just 20 per cent were caused by insiders. This is despite the message from most security firms that the inside threat is more dangerous than that posed from the outside.

The sheer number of credit card and other details being compromised has driven their price down on the underground economy, forcing criminals into new tactics, explained Matthijs van der Wel, managing principal of forensics at Verizon Business.

The average price for a piece of stolen card information has dropped from around $10 (£6.70) in 2007 to 50 cents (33p) today.

"For the criminals it's becoming less profitable so they're looking for new ways to make money, which means targeting financial institutions much more, looking for richer data," said van der Wel.

"Attackers have to do a lot more work to get their information now. They're intercepting the PINs, which has been theorised before but now we're seeing it. "  To this end, criminals are creating customised 'memory scraping' malware to harvest customer PINs entered at ATMs from banks' servers.

Yet despite the increasingly creative ways some criminals are compromising customer data for sale on the black market, the majority of incidents appear to have been preventable, according to the report. For example, 81 per cent of affected organisations subject to the Payment Card Industry Data Security Standard were found to be non-compliant prior to being breached.

Editor's Note: HomeATM is PCI 2.0 PED Compliant! 

A software application can never be certified, because it would be literally impossible to know what malware may lurk in the darkness of each individual PC. Since a software application would use the PC, the keyboard, or the PIN Entry Device (PED), every single PC would need to be PCI PED certified.

Since only 24 devices have been 2.0 certified worldwide and only one (HomeATM) is designed for eCommerce, I would say that a software application being awarded PCI 2.0 PED certification is "impossible".

Some 53 per cent of stolen data records came from organizations using shared or default credentials, and 83 per cent of hacks were considered avoidable through simple or intermediate controls.  Van der Wel recommended firms to check access controls regularly, change default credentials, keep up to date with patches, and test applications for vulnerabilities.  "You need to ask yourself 'Do I need to store this data?'" he said. "Many organisations today are data hungry, but if you don't store the data you'll reduce your risk."


If Cybercriminals Focus on PINs, Shouldn't We Focus on Security?

Hackers stole 285 million electronic records in 2008, more than in the previous four years combined, with the vast majority of breaches targeting the financial services industry, according to a study from Verizon.

Last year Verizon investigated 90 breaches with 285 million records stolen, of which 93% were accounted for by the financial sector. The industry also accounted for 30% of the breaches, double its share for 2007.

Verizon says the increase reflects recent trends in cybercriminal activity, especially the focus on acquiring PINs to sell on the black market.

Editor's Note: If there's a FOCUS on acquiring PINs to sell on the black market, then "SECURITY" needs to be the financial sector's FOCUS. Again... 92% of all breaches are software-based (see left), and if cybercriminals are "focusing" on obtaining PINs, take an "educated guess" as to which one will be targeted.

Between the Graph above and the Graph-itti on the right...the writing is "so on the wall" and it's clearly showing us the future.

I KNOW I'm not the only one who sees it!

93% of breaches target the financial sector, 92% target software... and 90% of attacks come from organized crime. Leave your comment below on the 93/92/90 data...

The story continues: Organized crime was responsible for nine in 10 breaches (90%), with an explosion of attacks targeting PIN data, which Verizon says hit the consumer much harder than typical signature-based counterfeit attacks.

The higher monetary value commanded by PIN data has spawned a cycle of innovation in attack methodologies, with criminals re-engineering their processes and developing new tools, such as memory-scraping malware, to steal this valuable data.

Editor's Note:  Click the memory-scraping malware link to read more into the future of software based PIN Debit at Wired.


Will V/MC Flip the KillSwitch on Interac?

Interac in a fight for its life

With lucrative banking fees in their sights, Visa and MasterCard aim to challenge a home-grown success

April 15, 2009

With the debate raging in Ottawa about credit card rates, you may have overlooked another issue in the mix: the uncertain future of your bank debit card.

Let's put it this way. Don't get too used to calling your debit transactions "Interac," because Visa Canada and MasterCard Canada may yet challenge the monopoly held by the national not-for-profit Interac Association, a co-operative payment system created in 1984 by the country's big banks and merchants.

Many Canadians don't realize that Interac is a low-cost anomaly.

In other countries, high-fee, for-profit systems from companies such as Visa, MasterCard and China UnionPay reign. Now the first two are considering a foray into Canada. Visa has held talks with Canadian banks and retailers, said Tim Wilson, head of Visa Canada. Visa debit is used by 844 million cardholders in 170 countries, according to company reports.

"The bank card in Canada has been tremendously successful, but it's relatively plain vanilla," Mr. Wilson said.

MasterCard said recently it will "create competition in the Canadian debit market where it has never existed" with its debit system, Maestro, used by 652 million people in more than 100 countries. Under the system, Canadian customers could use their debit cards abroad, and retailers here could accept foreign cards.

Interac is in a fight for its life, says Mark O'Connell, its president and CEO. He maintains it is a world-class, low-cost payment system that won't survive unless its regulatory structure is altered by the Competition Bureau.

Interac should be "a more independently run commercial organization that has the ability to innovate," he said. As it stands, the not-for-profit association can't raise funds for research and development of new products, such as high-tech terminals.

"We cannot let such a successful debit system continue in this shackled fashion, as the market changes around it," Mr. O'Connell said. "I think it would be a tragedy to have this made-in-Canada success story obviated by U.S. card companies."

Analysts say that Visa and MasterCard can enter Canada with new products and set up lucrative fee structures for all involved - themselves, the banks, and the middlemen.


PIN Crackers

PIN Crackers Nab Holy Grail of Bank Card Security | Threat Level

By Kim Zetter

Hackers have crossed into new frontiers by devising sophisticated ways to steal large amounts of personal identification numbers, or PINs, protecting credit and debit cards, says an investigator. The attacks involve both unencrypted PINs and encrypted PINs that attackers have found a way to crack, according to the investigator behind a new report looking at the data breaches.

"We're seeing entirely new attacks that a year ago were thought to be only academically possible," says Sartin. Verizon Business released a report Wednesday that examines trends in security breaches. "What we see now is people going right to the source ... and stealing the encrypted PIN blocks and using complex ways to un-encrypt the PIN blocks."

The revelation is an indictment of one of the backbone security measures of U.S. consumer banking: PIN codes. In years past, attackers were forced to obtain PINs piecemeal through phishing attacks, or the use of skimmers and cameras installed on ATM and gas station card readers. Barring these techniques, it was believed that once a PIN was typed on a keypad and encrypted, it would traverse bank processing networks with complete safety, until it was decrypted and authenticated by a financial institution on the other side.

But the new PIN-hacking techniques belie this theory, and threaten to destabilize the banking-system transaction process.

According to the 2009 Data Breach Investigations Report, the hacks have resulted in "more targeted, cutting-edge, complex, and clever cybercrime attacks than seen in previous years."

"While statistically not a large percentage of our overall caseload in 2008, attacks against PIN information represent individual data-theft cases having the largest aggregate exposure in terms of unique records," says the report. "In other words, PIN-based attacks and many of the very large compromises from the past year go hand in hand."

Although there are ways to mitigate the attacks, experts say the problem can only really be resolved if the financial industry overhauls the entire payment processing system.

"You really have to start right from the beginning," says Graham Steel, a research fellow at the French National Institute for Research in Computer Science and Control who wrote about one solution to mitigate some of the attacks. "But then you make changes that aren't backwards-compatible."

PIN hacks hit consumers particularly hard, because they allow thieves to withdraw cash directly from the consumer's checking, savings or brokerage account, Sartin says. Unlike fraudulent credit card charges, which generally carry zero liability for the consumer, fraudulent cash withdrawals that involve a customer's PIN can be more difficult to resolve since, in the absence of evidence of a breach, the burden is placed on the customer to prove that he or she didn't make the withdrawal.

Some of the attacks involve grabbing unencrypted PINs, while they sit in memory on bank systems during the authorization process. But the most sophisticated attacks involve encrypted PINs.

Sartin says the latter attacks involve a device called a hardware security module (HSM), a security appliance that sits on bank networks and on switches through which PIN numbers pass on their way from an ATM or retail cash register to the card issuer. The module is a tamper-resistant device that provides a secure environment for certain functions, such as encryption and decryption, to occur.

According to the payment-card industry, or PCI, standards for credit card transaction security, PIN numbers are supposed to be encrypted in transit, which should theoretically protect them if someone intercepts the data.

The problem, however, is that a PIN must pass through multiple HSMs across multiple bank networks en route to the customer's bank. These HSMs are configured and managed differently, some by contractors not directly related to the bank.

At every switching point, the PIN block must be decrypted and then re-encrypted under the key for the next leg of its journey. Those working keys are themselves stored encrypted under a master key that stays inside the module, and the decrypt-and-re-encrypt step is driven through the module's application programming interface, or API.

"Essentially, the thief tricks the HSM into providing the encryption key," says Sartin. "This is possible due to poor configuration of the HSM or vulnerabilities created from having bloated functions on the device."

Sartin says HSMs need to be able to serve many types of customers in many countries where processing standards may be different from the U.S. As a result, the devices come with enabled functions that aren't needed and can be exploited by an intruder into working to defeat the device's security measures. Once a thief captures and decrypts one PIN block, it becomes trivial to decrypt others on a network.
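To make the transit described above concrete, here is an added example (not from the Verizon report, the Wired article or any HSM vendor) of an ISO 9564-1 format 0 PIN block travelling from ATM to switch to issuer, with a translate step at the switch. The two zone keys and the keyed-XOR stand-in for the block cipher are constructed for this illustration; real networks encrypt the block with TDES or AES under per-link zone PIN keys held inside the HSM. What it shows is that the clear PIN block exists at every translate and again at the issuer's verification, so the scheme's security rests entirely on the HSM refusing to hand that intermediate value, or its keys, back to the caller.

```python
import hashlib
import hmac

# ISO 9564-1 format 0 PIN block: PIN field XOR PAN field, 8 bytes.
#   PIN field: "0" + PIN length (one hex digit) + PIN digits + "F" padding to 16 hex digits
#   PAN field: "0000" + the 12 rightmost PAN digits, excluding the Luhn check digit


def pin_field(pin: str) -> bytes:
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 digits")
    return bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))


def pan_field(pan: str) -> bytes:
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 digits")
    return bytes.fromhex("0000" + pan[-13:-1])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_pin_block(pin: str, pan: str) -> bytes:
    return xor(pin_field(pin), pan_field(pan))


def decode_pin_block(block: bytes, pan: str) -> str:
    """Undo the PAN binding and check the format 0 layout. A wrong PAN or a
    wrong key leaves garbage in the padding, which is how the check fails."""
    clear = xor(block, pan_field(pan)).hex().upper()
    length = int(clear[1], 16)
    pin = clear[2:2 + length]
    if (clear[0] != "0" or not 4 <= length <= 12 or not pin.isdigit()
            or clear[2 + length:] != "F" * (14 - length)):
        raise ValueError("PIN block fails format 0 checks (wrong PAN or wrong key)")
    return pin


# Stand-in for the zone cipher (constructed, NOT a secure cipher). Real links
# use TDES or AES under a zone PIN key (ZPK); the keyed pad here only makes the
# per-hop key change visible.
def zpk_encrypt(zpk: bytes, block: bytes) -> bytes:
    pad = hmac.new(zpk, b"zone-pin-key-pad", hashlib.sha256).digest()[:8]
    return xor(block, pad)


zpk_decrypt = zpk_encrypt  # XOR with the same pad undoes it


def hsm_translate(block_in: bytes, zpk_in: bytes, zpk_out: bytes) -> bytes:
    """Switch HSM 'translate PIN block' command. Between the two calls the
    clear block exists only inside the HSM boundary. An API that returns this
    intermediate value, or exports zpk_in / zpk_out in the clear, is the kind
    of misconfiguration the article describes."""
    clear = zpk_decrypt(zpk_in, block_in)
    return zpk_encrypt(zpk_out, clear)


# Constructed zone keys for the two legs (ATM<->switch, switch<->issuer).
ZPK_ATM_SWITCH = bytes.fromhex("0123456789abcdeffedcba9876543210")
ZPK_SWITCH_ISSUER = bytes.fromhex("1133557799bbddff0022446688aaccee")


def route_pin(pin: str, pan: str) -> dict:
    """Follow one PIN from keypad to issuer and report the block on each leg."""
    at_atm = zpk_encrypt(ZPK_ATM_SWITCH, encode_pin_block(pin, pan))
    at_issuer = hsm_translate(at_atm, ZPK_ATM_SWITCH, ZPK_SWITCH_ISSUER)
    # Issuer side: decrypt and compare the clear PIN to the reference value.
    # This is the brief unencrypted window that memory scrapers target.
    issuer_pin = decode_pin_block(zpk_decrypt(ZPK_SWITCH_ISSUER, at_issuer), pan)
    return {"leg1": at_atm.hex(), "leg2": at_issuer.hex(), "issuer_pin": issuer_pin}


if __name__ == "__main__":
    print(route_pin("1234", "4111111111111111"))
```

Decoding with the wrong PAN fails the format check because format 0 XORs the PIN with the account number; that binding is what stops a captured block from being replayed against a different card. It is also why a thief who has recovered one link's key can decode every block that crosses that link: the PAN is in the clear in the same message.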

Other kinds of attacks occur against PINs after they arrive at the card-issuing bank. Once encrypted PINs arrive at the HSM at the issuing bank, the HSM communicates with the bank's mainframe system to decrypt the PIN and the customer's 16-digit account number for a brief period to authorize the transaction.

During that period, the data is briefly held in the system's memory in unencrypted form.

Sartin says some attackers have created malware that scrapes the memory to capture the data.

"Memory scrapers are in as much as a third of all cases we're seeing, or utilities that scrape data from unallocated space," Sartin says. "This is a huge vulnerability."

He says the stolen data is often stored in a file right on the hacked system.

"These victims don't see it," Sartin says. "They rely almost purely on anti-virus to detect things that show up on systems that aren't supposed to be there. But they're not looking for a 30-gig file growing on a system."
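The memory-scraping step above, as an added example that is not from the report or from any real malware sample: the digit-pattern-plus-Luhn search a scraper runs over a process image is the same search a responder can run over a memory dump or unallocated space to learn whether clear card data is sitting on a host. SAMPLE_MEMORY is a constructed byte string, and the card numbers in it are public test PANs, not real accounts.

```python
import re

# Constructed stand-in for a chunk of a payment host's memory: an authorisation
# request, some junk, a track-2 style record and a serial number that merely
# looks like a card number. Not a real capture.
SAMPLE_MEMORY = (
    b"\x00\x00GET /auth HTTP/1.1\r\n"
    + b"pan=4111111111111111&pin=1234&amt=2000\x00"
    + b"\x90" * 32
    + b";5500000000000004=2404101000000000000000?"
    + b"\x00serial=1234567890123456\x00"
    + b"\xff" * 8
)

# 13 to 19 digits not touching other digits: the PAN length range.
PAN_RE = re.compile(rb"(?<![0-9])([0-9]{13,19})(?![0-9])")
# Track 2 layout: ;PAN=YYMM... (expiry is the first four digits after '=')
TRACK2_RE = re.compile(rb";([0-9]{13,19})=([0-9]{4})")
# Clear PIN in a request body (constructed field name for this sample).
PIN_RE = re.compile(rb"pin=([0-9]{4,12})(?![0-9])")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; separates real PANs from serials and counters."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep BIN and last four so a finding can be reported without copying the PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_card_data(mem: bytes) -> list:
    """Return masked findings (offset, kind, value) sorted by offset."""
    findings = []
    for m in PAN_RE.finditer(mem):
        digits = m.group(1).decode()
        if luhn_ok(digits):  # drop digit runs that are not card numbers
            findings.append({"offset": m.start(1), "kind": "pan", "value": mask_pan(digits)})
    for m in TRACK2_RE.finditer(mem):
        value = mask_pan(m.group(1).decode()) + "=" + m.group(2).decode()
        findings.append({"offset": m.start(), "kind": "track2", "value": value})
    for m in PIN_RE.finditer(mem):
        findings.append({"offset": m.start(1), "kind": "pin", "value": "*" * len(m.group(1))})
    return sorted(findings, key=lambda f: f["offset"])


if __name__ == "__main__":
    for f in find_card_data(SAMPLE_MEMORY):
        print(f"{f['offset']:6d}  {f['kind']:7s}  {f['value']}")
```

Run against a real dump the same scan is noisy but cheap, and a hit next to a PIN field is exactly the "unencrypted for a brief period" window the article describes. The defensive twist is the masking: a responder's tool should never write the clear PAN into its own report, or it becomes the "30-gig file growing on a system" for the next incident.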

Information about how to conduct attacks on encrypted PINs isn't new and has been surfacing in academic research for several years. In the first paper, in 2003, a researcher at Cambridge University published information about attacks that, with the help of an insider, would yield PINs from an issuer bank's system.

The paper, however, was little noticed outside academic circles and the HSM industry. But in 2006, two Israeli computer security researchers outlined an additional attack scenario that got widespread publicity. The attack was much more sophisticated and also required the assistance of an insider who possessed credentials to access the HSM and the API and who also had knowledge of the HSM configuration and how it interacted with the network. As a result, industry experts dismissed it as a minimal threat. But Steel and others say they began to see interest in the attack research from the Russian carding community.

"I got strange Russian e-mails saying, Can you tell me how to crack PINs?" Steel recalls.

But until now no one had seen the attacks actually being used in the wild.

Steel wrote a paper in 2006 that addressed attacks against HSMs as well as a solution to mitigate some of the risks. The paper was submitted to nCipher, a British company that manufactures HSMs and is now owned by Thales-eSecurity. He says the solution involved guidelines for configuring an HSM in a more secure manner and says nCipher passed the guidelines to customers.

Steel says his solution wouldn't address all of the types of attacks. To fix the problem would take a redesign.

But he notes that "a complete rethink of the system would just cost more than the banks were willing to make at this time."

Thales-eSecurity is the largest maker of HSMs for the payment-card and other industries, with "multiple tens of thousands" of HSMs deployed in payment-processing networks around the world, according to the company. A spokesman said the company is not aware of any of the attacks on HSMs that Sartin described, and noted that Thales and most other HSM vendors have implemented controls in their devices to prevent such attacks. The problem, however, is how the systems are configured and managed.

"It's a very difficult challenge to protect against the lazy administrator," says Brian Phelps, director of program services for Thales-eSecurity. "Out of the box, the HSMs come configured in a very secure fashion if customers just deploy them as is. But for many operational reasons, customers choose to alter those default security configurations — supporting legacy applications may be one example — which creates vulnerabilities."

Redesigning the global payment system to eliminate legacy vulnerabilities "would require a mammoth overhaul of virtually every point-of-sale system in the world," he says.

Responding to questions about the vulnerabilities in HSMs, the PCI Security Standards Council said it would begin testing HSMs as well as unattended payment terminals the following week. Bob Russo, general manager of the global standards body, said in a statement that although there are general market standards that cover HSMs, the council's testing of the devices would "focus specifically on security properties that are critical to the payment system." The testing program, conducted in council-approved laboratories, would cover "both physical and logical security properties."


Software Based PIN...Doin' It Wrong?

Over 60% Of Breaches Tied To Flaws In Business-Critical Applications - DarkReading
Secure Software Development Programs are Rare

Survey by Forrester Consulting and Veracode shows businesses struggling to stay on top of application security

Apr 14, 2009 | 03:20 PM
By Kelly Jackson Higgins

If you still don't think security vulnerabilities in software will necessarily catch up with you, think again: 62 percent of organizations in the last 12 months suffered data breaches as a result of bugs being exploited in their major applications, according to a newly released survey.

Forrester Consulting, commissioned by Veracode, surveyed application developers and security and risk professionals in 200 organizations in the U.S. and U.K., and found that secure software development programs are rare -- only 34 percent said they have a software development lifecycle program that integrates security.

"The survey showed that people, process, and culture are the primary inhibitors," says Matt Moynahan, CEO of Veracode, in an interview. "Security is not a core competence of enterprises developing code."


How to Hack an ATM Part IV

ATM blast gang strikes again | The Daily Telegraph
By Amy Dale
April 15, 2009 06:05am

POLICE are searching for three men seen running from an ATM explosion in Lane Cove early today. The explosion occurred outside the National Australia Bank in Longueville Road at about 2am.

The ATM was badly damaged, with debris strewn around the footpath, however no cash was stolen.

Witnesses reported seeing two men sprint from the scene of the blast into a car driven by a third man but a police search failed to locate them.

Detectives from Strike Force Piccadilly, which was established following a string of ATM blasts across the state, were called to the scene.

NAB ATMs were the targets of two successful ram raids in St Ives and Neutral Bay in February.
