Hackers Claim Data Theft on 800 Million Cards — But Is It True?


Cybersecurity officials are still sizing up how much truth, if any, there is in a hacker group's claim that it stole data on hundreds of millions of U.S. card accounts.

The group, calling itself Anonymous Ukraine, said last week that it has seized information related to 800 million U.S. credit and debit card accounts — including cards said to belong to President Obama and other political heavyweights. The group says it wants to harm the U.S. economy.

Two companies investigating the breach — Risk Based Security and Battelle — say they have been unable to verify that 800 million accounts, including those of the VIPs, have been compromised. And many of the records the group has produced as evidence of its theft are incomplete, out of date or fraudulent, the investigators say.

For that reason the threat doesn't appear to be as serious as the Target breach, where hackers obtained 40 million valid, current cards. Still, the claims and any further releases of information need to be vetted, and they serve as a reminder of the constant vigilance and collaboration required of financial firms, officials say.

"I would continue watching posts from the group, and checking their data dumps for validity," says Ernest Hampson, technical director for Battelle's cyber intelligence and counterintelligence group.

"It's really important to keep an eye on your enemy, find out what they're interested in, what their motivation is, what their capabilities are," Hampson says. "You have to have somebody out there watching the adversarial groups, watching inside these forums where they gather, and discuss and trade research back and forth, and discover where they're going next before they get there."

Little is known about Anonymous Ukraine, and it's hard to tell whether whoever is posting these data breach claims on Pastebin is even a member of that group. There are suspicions that the posts are the work of a Russian group aiming to stir trouble between Ukraine and the U.S.

The messages (which have been deleted) have been clearly anti-American. The first message, posted March 24, read in part: "After the USA showed its true face when she unilaterally decides which of the peoples to live independently and who under the yoke of the Federal Reserve, we decided to show the world who is behind the future collapse of the American banking system. We own all the financial information of the Fed. And even more than you think."

The post linked to four text files containing seven million card account data sets — one for each of the four brands: Visa, MasterCard, Discover and American Express.

The four card companies did not immediately return calls seeking comment. Data investigators declined to say whether any of these companies are among their customers.

On March 26, Anonymous Ukraine announced on Twitter that it had released account data for five million more credit cards. The next day, it said it posted 20 million more.

Investigators working for Battelle, a nonprofit research and development organization based in Columbus, Ohio, counted a total of 10.2 million in these batches.

Battelle's researchers downloaded all the records and found that only about 1% are complete. In the rest, important elements such as the expiration date or card validation code are missing, making the cards difficult for a criminal to use. The data sets are formatted differently, suggesting they came from different types of data breaches, or from phishing or malware attacks. The second set of data drops contains even less complete data; many of the records lack cardholder names, and most have passed their expiration dates.

"It's worth noting that while the data appears to be valid, there is no evidence of a new breach," says Inga Goddijn, executive vice president of Risk Based Security, a security intelligence provider in Richmond, Va. She points out that it is difficult to commit fraud with a credit card number alone. For example, a card's expiration date and validation value (the three-digit code on the back) are generally required to complete online transactions.

The hackers' implication that they acquired card data by hacking into the Federal Reserve seems unlikely. The central bank does not store credit and debit card data, a Fed spokeswoman says.

Anonymous Ukraine says it acquired card data for accounts held by President Obama, Secretary of State John Kerry and Sen. John McCain, R-Ariz. The group boasted on Twitter that it used John Kerry's stolen credit card data to buy toys for Syrian children on eBay.

Battelle investigators couldn't validate the card account information in any of those cases. But they did find that the stolen card data in these and other cases in their sample are correctly formatted for the banks from which they are said to have come, and include correct bank identification numbers.

Battelle's investigation has concluded that much of the data was taken from older dumps of stolen credit card data. One tell-tale sign: the card expiration dates are mostly in the 2012-2014 range.

"If this were a new data breach, we'd expect to see those dates more in the 2015-2016 range," Hampson says. Then there are some extremely far-off expiration dates, all the way up to 2030, which is outside of most credit card issuers' policies.
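The checks the investigators describe (which records are complete, whether the account numbers are correctly formed, and whether the expiration dates are in the past, in a plausible current window, or implausibly far off) can be automated when vetting a claimed data dump. The following is an added example written for this article, not code from Battelle or Risk Based Security. The sample records are constructed: the account numbers are the publicly documented card-brand test numbers (plus one with a deliberately broken check digit), and the names and validation codes are invented. The analysis date (April 1, 2014) and the six-year plausibility horizon for expiration dates are assumptions chosen to match the article's timeframe, not values it states.

```python
"""Triage of a claimed card-data dump: completeness, number format and expiry plausibility."""
import re
from collections import Counter
from datetime import date

# Assumed analysis date, chosen to match the article's timeframe (spring 2014).
ANALYSIS_DATE = date(2014, 4, 1)
# Assumed horizon: an expiration year more than this many years ahead is treated as
# implausible, in the spirit of the article's remark about dates out to 2030.
MAX_YEARS_AHEAD = 6
REQUIRED_FIELDS = ("pan", "exp", "cvv", "name")

# Constructed sample records in the mixed formats the article describes. PANs are the
# public test numbers for each brand (the fifth has a corrupted check digit); the
# names and CVVs are invented, including a "BITE ME" entry like those the investigators saw.
SAMPLE_DUMP = [
    {"pan": "4111111111111111", "exp": "03/13", "cvv": "123", "name": "J DOE"},
    {"pan": "5555555555554444", "exp": "11/2012", "cvv": "", "name": "A SMITH"},
    {"pan": "4111111111111111", "exp": "", "cvv": "456", "name": ""},
    {"pan": "6011111111111117", "exp": "07/30", "cvv": "789", "name": "BITE ME"},
    {"pan": "4111111111111112", "exp": "09/15", "cvv": "321", "name": "Q PUBLIC"},
    {"pan": "378282246310005", "exp": "12/15", "cvv": "1234", "name": "R ROE"},
]

EXP_RE = re.compile(r"^\s*(\d{2})\s*[/-]?\s*(\d{2}|\d{4})\s*$")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation: a cheap test that a PAN is at least well-formed."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_expiry(text: str):
    """Accept MM/YY, MM-YY, MMYY and MM/YYYY; return (year, month) or None."""
    m = EXP_RE.match(text or "")
    if not m:
        return None
    month, year = int(m.group(1)), int(m.group(2))
    if not 1 <= month <= 12:
        return None
    if year < 100:
        year += 2000
    return year, month


def expiry_status(exp_text: str, today: date, max_years_ahead: int = MAX_YEARS_AHEAD) -> str:
    """Classify an expiration date relative to the analysis date."""
    parsed = parse_expiry(exp_text)
    if parsed is None:
        return "missing_or_unparseable"
    year, month = parsed
    if (year, month) < (today.year, today.month):  # cards expire at month end
        return "expired"
    if year > today.year + max_years_ahead:
        return "implausibly_far"
    return "current"


def classify_record(rec: dict, today: date) -> dict:
    """Per-record flags: all required fields present, PAN well-formed, expiry status."""
    return {
        "complete": all(rec.get(f, "").strip() for f in REQUIRED_FIELDS),
        "luhn_valid": luhn_ok(rec.get("pan", "")),
        "expiry": expiry_status(rec.get("exp", ""), today),
    }


def triage(records: list, today: date) -> dict:
    """Summarise a dump the way an analyst would: how much of it is complete and current."""
    complete = luhn_valid = complete_and_current = 0
    expiry = Counter()
    for rec in records:
        c = classify_record(rec, today)
        complete += c["complete"]
        luhn_valid += c["luhn_valid"]
        expiry[c["expiry"]] += 1
        if c["complete"] and c["luhn_valid"] and c["expiry"] == "current":
            complete_and_current += 1
    return {
        "total": len(records),
        "complete": complete,
        "luhn_valid": luhn_valid,
        "expiry": dict(expiry),
        "complete_and_current": complete_and_current,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_DUMP, ANALYSIS_DATE))
```

On the constructed sample, four of six records are complete, five have a well-formed number, but only one is both complete and within a plausible current window; a real dump is judged the same way, by the share of records that clear all three checks rather than by the raw record count a group advertises. Brand and issuer (BIN) verification is deliberately left out because it needs an issuer table the article does not provide.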

Most of the records that contain full account information, including credit card validation number and expiration date, appear to have come from fraudulent banking sites, according to Hampson, and were likely acquired through phishing attempts.

In fact, certain records show signs that some consumers began to realize they had been targeted by a phishing scheme. Some entered messages such as "Bite Me" or profanities in username fields, and some wrote "your momma" or "get lost" where they were supposed to provide their mother's maiden name.

Anonymous Ukraine may have carried out the phishing attacks themselves, or they may have purchased the ill-gotten information from an online forum.

Battelle investigators who downloaded these card data "dumps" also acquired malware that contained links to the Ukraine: the server hosting the malware was registered in the Ukraine and the malware itself had a digital certificate registered to an individual who seemed to come from Ukraine.

Spearphishing attacks, which appear to be involved in this case, are becoming more sophisticated and underscore why all threats — even outlandish ones like Anonymous Ukraine's — have to be investigated.

"These criminal organizations are acting more like armies every day. They have their own intel, they're gathering information about your employees, finding out who your friends are, and they can target attacks directly against you that make it unlikely that you would not click on that email," Hampson says. "It's getting tougher and tougher."

In a very recent case in point, Valley National Bank last week informed customers of a phishing campaign targeting consumers in northern New Jersey. The bank says automated calls are being sent to consumers informing them that their debit card has been locked. The call then requests that the consumer provide sensitive information through an automated system to reactivate the card.

The bank alerted its customers through a security alert posted on its homepage (valleynationalbank.com) and through an email campaign, according to Marc Piro, vice president of marketing and public relations.
