
Caution, Skepticism Follow News of Russian Password Mega-Heist

Financial institutions are on alert but also taking a wait-and-see approach following news that a gang of Russian hackers has amassed 1.2 billion sets of user names and passwords.

Companies are monitoring more closely for instances of fraudsters exploiting their customers' data in the wake of the heist. Often, cybercriminals will commit fraud by guessing or stealing login credentials to masquerade as legitimate customers. The cybercrime calls attention to the weakness of the password and serves as a reminder for banks to better educate their customers on the importance of regularly updating their login details. However, the incident is being taken with a grain of salt based on the limited information available so far.

The biggest risks for financial institutions are likely to come from spamming and spear phishing, said Jeff Johnson, senior vice president of information technology at Baxter Credit Union in Vernon Hills, Ill.

If the hackers have e-mail addresses, they can start "spear phishing" consumers or financial institution employees with authentic-seeming fake emails to gain further access, said Johnson, who is also a member of the executive committee for the Credit Union National Association's Technology Council.

Another concern is the hackers' ability to use those e-mail addresses to send out malware that harnesses a large number of computers for malicious purposes, he said.

The pilfered records, associated with about 500 million unique e-mail addresses, were discovered by Hold Security LLC, a Milwaukee-based company that sells information security and risk management services. The findings were based on seven months of research, though the company didn't give a time period for the theft or name any websites that were hacked.

The latest cache of user names and passwords was extracted from websites using a network of compromised computers known as a botnet, according to an Aug. 5 announcement from Hold Security.

The "list includes many leaders in virtually all industries across the world, as well as" small or personal websites, according to Hold Security.

But some are skeptical about the gravity of the situation. Although Hold Security said the hackers gained access to the largest known cache of stolen personal information, not all the records were current, and the company couldn't say if financial accounts were linked.

Also, user names and passwords are less valuable than credit card data and Social Security numbers, said Peter Toren, a partner in the Washington-based law firm Weisbrod Matteis & Copley Plc.

"People should step back and question what kind of accounts are we talking about," said Toren, who served as an attorney for the Department of Justice's computer crime and intellectual property section from 1992 to 1999. "Do I really care if they find out what kind of music I listen to?"

Consider the source, advised Robert Reh, chief information officer at Nassau Financial Federal Credit Union and another member of the CUNA Technology Council's executive committee.

Hold Security "sent this out obviously for their own reasons to get interest in their services... And when they announced it they also announced that they would notify the websites that were affected by this that this info was gleaned from, but only if you sign up for their breach notification services that start at $120 per year," Reh said.

Alex Holden, the founder and chief information security officer of Hold Security, said it made the announcement as a public service.

"We have been collecting information to help our customers stay more secure," he said. "We found that it was such a great impact to society that we decided to make a public statement."

This attack is a bit different than some of the other breaches seen in recent months such as those at Michaels Stores or Target because consumers haven't been directly targeted, Johnson said.

When retail shops are hit, for example, "we know the cards that have the potential to get fraudulently used in the future," he said.

"This is a little more generic, and I think this one's going to be a little bit more 'connect the dots over time,' as opposed to 'you've got these 10,000 cards that we know were in the list of cards that were compromised,'" Johnson said.

Despite those concerns, however, Baxter isn't planning to take any immediate action beyond closely monitoring the situation, he said.

If Baxter begins to get questions from members, whether via its website, call center, e-mails or Facebook page, then it might change its strategy, Johnson said.

Serious criminals, often in Eastern Europe, steal payment card numbers. The theft of at least 40 million such numbers from Target last year was one of their biggest hauls.

The bigger threat is that the Russian hackers could use whatever information they obtained to build profiles of people, which can be sold on the underground Internet market or used to obtain fake driver's licenses or passports, Toren said. Caveats aside, the threat should be taken seriously, he said.

This could, in fact, be another wake-up call for financial institutions, Reh said.





Comments (1)
Aren't we just whistling past the graveyard by being "skeptical" about this breach?
Posted by DougParr | Tuesday, August 12 2014 at 3:59PM ET