Data Breaches Back in Spotlight After $45M ATM Heist

MAY 13, 2013 3:14pm ET

After months of being distracted by distributed denial of service attacks, the $45 million fraud perpetrated last week against Rakbank in the United Arab Emirates and the Bank of Muscat in Oman is refocusing attention in the financial industry on data breaches and the security procedures and technology that can prevent them.

In phase one of the complex, international theft, hackers used malware to breach the card processors the two banks were using, EnStage, which is incorporated in Cupertino, Calif., and ElectraCard Services, which is based in Pune, India. The criminals overrode security protocols, found prepaid debit card systems and deleted limits on the accounts, paving the way for new access codes to be created and for account information to be loaded onto magnetic stripe cards used to withdraw cash from ATMs.

The case is still under investigation and it's not yet known what specific type of malware or hacking techniques were used to compromise the processors' systems in phase one. But according to Verizon's latest Data Breach Investigations Report, 76% of network intrusions exploit weak or stolen credentials, 40% incorporate malware and 29% leverage social tactics such as spearphishing.

Weak or stolen credentials — That this is such a common problem is not news; experts have been saying for years that the password is broken. One issue is that people tend to re-use passwords, notes Alphonse Pascual, senior analyst - security, risk and fraud at Javelin Strategy & Research. In a recent webinar he did for security professionals, 60% admitted they reuse their passwords. When a database has been breached and consumers' login credentials are exposed, "all those names and passwords are somewhere out on the web for you to find. If you know that certain people work at a card processor, you find their login credentials in the database, those may be similar to what they use to access their employer's login site," Pascual says.

Stronger user authentication is key. "We're allowing passwords alone to be the sole authentication method by which we're allowing access to databases of information," Pascual says. One-time passwords, out-of-band authentication, biometrics and geolocation could help provide better authentication.

Malware — About 75% of the time, malicious software is installed directly by an attacker who has gained access to the system, according to the Verizon report. Almost half the time (47%) it's installed through an email attachment. And 75% of the time, the malware takes the form of spyware (technology, such as tracking software, that aids in gathering information about a person or organization without their knowledge) or a keylogger (a software program or hardware device that records all keystrokes on a computer keyboard). Anti-malware software, which most companies use, can help mitigate the effect of malicious software. There are also specialized software programs, such as Strikeforce Technology's, that encrypt keystrokes so that they can't be picked up by a keylogger tool or screen scraped. User names and passwords can also be stolen by malware if they are stored or transmitted in unencrypted clear text. They can also be grabbed from within a computer's memory, where they aren't encrypted.

Malware can be kept at bay with good patch and configuration management, notes Rick Holland, senior analyst, security and risk management at Forrester Research. "Next, run host-based security solutions that can prevent the actual exploitation, think application whitelisting type solutions." Mobile platforms make anti-malware efforts much more challenging, he notes. "Apple has a bit more control of patching, but Android is particularly painful. As of today, only 26.1% of Android devices are running the latest version of code available (Jelly Bean). So the unpatched vulnerabilities in the previous code releases are ripe for exploitation. If I were using an Android device I'd want to run a Google version so that I get access to the latest code versions without having to wait on my carrier to roll it out."
