Cybersecurity officials are still sizing up how much truth, if any, there is in a hacker group's claim that it stole data on hundreds of millions of U.S. card accounts.
The group, calling itself Anonymous Ukraine, said last week that it has seized information related to 800 million U.S. credit and debit card accounts — including cards said to belong to President Obama and other political heavyweights. The group says it wants to harm the U.S. economy.
Two companies investigating the breach — Risk Based Security and Battelle — say they have been unable to verify that 800 million accounts, including those of the VIPs, have been compromised. And many of the records the group has produced as evidence of its theft are incomplete, out of date or fraudulent, the investigators say.
For that reason the threat doesn't appear to be as serious as the Target breach, where hackers obtained 40 million valid, current cards. Still, the claims and any further releases of information need to be vetted, and they serve as a reminder of the constant vigilance and collaboration required of financial firms, officials say.
"I would continue watching posts from the group, and checking their data dumps for validity," says Ernest Hampson, technical director for Battelle's cyber intelligence and counterintelligence group.
"It's really important to keep an eye on your enemy, find out what they're interested in, what their motivation is, what their capabilities are," Hampson says. "You have to have somebody out there watching the adversarial groups, watching inside these forums where they gather, and discuss and trade research back and forth, and discover where they're going next before they get there."
Little is known about Anonymous Ukraine, and it's hard to tell whether whoever is posting these data breach claims on Pastebin is even a member of that group. There are suspicions that the posts are the work of a Russian group aiming to stir trouble between Ukraine and the U.S.
The messages (which have been deleted) have been clearly anti-American. The first message, posted March 24, read in part: "After the USA showed its true face when she unilaterally decides which of the peoples to live independently and who under the yoke of the Federal Reserve, we decided to show the world who is behind the future collapse of the American banking system. We own all the financial information of the Fed. And even more than you think."
The post linked to four text files containing seven million card account data sets — one for each of the four brands: Visa, MasterCard, Discover and American Express.
The four card companies did not immediately return calls seeking comment. Data investigators declined to say whether any of these companies are among their customers.
On March 26, Anonymous Ukraine announced on Twitter that it had released account data for five million more credit cards. The next day, it said it posted 20 million more.
Investigators working for Battelle, a nonprofit research and development organization based in Columbus, Ohio, counted a total of 10.2 million in these batches.
Battelle's researchers downloaded all the records and found only about 1% are complete. In the rest, important elements such as the expiration date or credit card validation code are missing, making the cards difficult for a criminal to use. Data sets are formatted differently, suggesting they came from different types of data breaches, or from phishing or malware attacks. The second set of data drops contain even less complete data; many of the records lack cardholder names and most have passed their expiration dates.
"It's worth noting that while the data appears to be valid, there is no evidence of a new breach," says Inga Goddijn, executive vice president of Risk Based Security, a security intelligence provider in Richmond, Va. She points out that it is difficult to commit fraud with a credit card number alone: a card's expiration date and card validation value (the three-digit code on the back of most cards, or the four-digit code on the front of American Express cards) are generally required to complete online transactions.
The hackers' implication that they acquired card data by hacking into the Federal Reserve seems unlikely. The central bank does not store credit and debit card data, a Fed spokeswoman says.
Anonymous Ukraine says it acquired card data for accounts held by President Obama, Secretary of State John Kerry and Sen. John McCain, R-Ariz. The group boasted on Twitter that it used John Kerry's stolen credit card data to buy toys for Syrian children on eBay.
Battelle investigators couldn't validate the card account information in any of those cases. But they did find that the card data in these and other records in the sample are correctly formatted for the issuers from which they are said to have come, and carry valid bank identification numbers (BINs), the leading digits of a card number that identify the issuing bank.
Battelle's investigation has concluded that much of the data was taken from older dumps of stolen credit card data. One tell-tale sign: the card expiration dates are mostly in the 2012-2014 range.
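The kind of vetting Battelle describes (how many records are complete, how many have already expired, whether the numbers are internally consistent with the brand they claim to be) can be scripted over any such dump. The following Python script is an added example written for this page; it is not part of the article and not tooling from Battelle or Risk Based Security. The dump lines are constructed from well-known test card numbers, not real accounts; the two record formats, the simplified brand-prefix rules, and the assessment date of 31 March 2014 (the week of the postings) are assumptions made for the example.

```python
"""Triage a leaked card-data dump: completeness, Luhn check, brand prefix, expiry.

Added example for this page (not the article's or either firm's code).
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

# Constructed sample dump in two record formats, mimicking a dump stitched
# together from different sources. PANs are public test numbers, not real cards.
#   Format A: pan|MM/YYYY|cvv|name
#   Format B: key=value pairs separated by spaces
SAMPLE_DUMP = """\
4111111111111111|12/2013|123|JOHN DOE
5555555555554444|06/2015||JANE ROE
378282246310005|11/2012|1234|
pan=6011111111111117 exp=2016-02 cvv=321 name=SAM POE
pan=4111111111111112 exp=2015-01 cvv=999 name=BAD LUHN
pan=5555555555554444 name=MARY MOE
"""

# Simplified brand prefix rules (assumed; real BIN tables are far larger).
BRAND_PREFIX = {
    "visa": re.compile(r"4\d{12}(\d{3})?"),
    "mastercard": re.compile(r"5[1-5]\d{14}"),
    "amex": re.compile(r"3[47]\d{13}"),
    "discover": re.compile(r"6(?:011|5\d\d)\d{12}"),
}


@dataclass
class Record:
    pan: str
    exp: Optional[Tuple[int, int]]  # (year, month) or None if missing/unparseable
    cvv: str
    name: str


def parse_exp(text: str) -> Optional[Tuple[int, int]]:
    """Accept MM/YYYY or YYYY-MM; anything else counts as missing."""
    m = re.fullmatch(r"(\d{2})/(\d{4})", text)
    if m:
        return int(m.group(2)), int(m.group(1))
    m = re.fullmatch(r"(\d{4})-(\d{2})", text)
    if m:
        return int(m.group(1)), int(m.group(2))
    return None


def parse_line(line: str) -> Record:
    """Parse one dump line in either format A or format B."""
    line = line.strip()
    if "=" in line:  # format B: key=value, values may contain spaces
        kv = dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line))
        pan, exp, cvv, name = (kv.get(k, "") for k in ("pan", "exp", "cvv", "name"))
    else:  # format A: pipe-delimited, trailing fields may be empty
        pan, exp, cvv, name = (line.split("|") + [""] * 4)[:4]
    return Record(pan=pan.strip(), exp=parse_exp(exp.strip()), cvv=cvv.strip(), name=name.strip())


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: catches mistyped or fabricated numbers, not stolen ones."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def brand_of(pan: str) -> Optional[str]:
    """Return the brand whose prefix rule the PAN matches, or None."""
    for brand, rx in BRAND_PREFIX.items():
        if rx.fullmatch(pan):
            return brand
    return None


def triage(dump_text: str, as_of: date = date(2014, 3, 31)) -> dict:
    """Count how much of the dump is complete, current and internally consistent."""
    records = [parse_line(l) for l in dump_text.splitlines() if l.strip()]
    stats = {k: 0 for k in ("luhn_fail", "unknown_brand", "missing_exp",
                            "expired", "complete", "usable")}
    stats["total"] = len(records)
    for r in records:
        valid_luhn = luhn_ok(r.pan)
        stats["luhn_fail"] += not valid_luhn
        stats["unknown_brand"] += brand_of(r.pan) is None
        expired = False
        if r.exp is None:
            stats["missing_exp"] += 1
        elif r.exp < (as_of.year, as_of.month):  # valid through end of exp month
            expired = True
            stats["expired"] += 1
        complete = bool(r.exp and r.cvv and r.name)  # the fields a fraudster needs
        stats["complete"] += complete
        stats["usable"] += complete and valid_luhn and not expired
    return stats


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP).items():
        print(f"{key:>14}: {value}")
```

Run against the sample, the script reports six records of which three carry every field, one fails the Luhn check outright, one lacks an expiration date, two had expired before the posting date, and only one is complete, well-formed and still current. On a real dump the useful output is the ratio of `usable` to `total` and the distribution of expiration years, which is exactly the signal Battelle used to conclude the material was recycled.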