Five hackers have been charged with propagating a massive cyberscheme that helped them steal more than 160 million credit and debit cards from 2005 to 2012. One Ukrainian hacker and four Russians crept into networks of both U.S. and international companies, including 7-Eleven, Dow Jones, J.C. Penny and Nasdaq, and stole personal identifying information, according to the U.S. Attorney's Office for New Jersey.
The U.S. Attorney's office called it the largest cyberscheme ever prosecuted in America. Hundreds of millions of dollars were lost in the exploit. U.S. Attorney Paul Fishman said, "Those who have the expertise and the inclination to break into our computer networks threaten our economic well-being, our privacy, and our national security ."
Industrialization of Fraud
We asked Tommy Chin, a Technical Support Engineer at CORE Security, for his take on the breach. He told us with such a large presence in the cybercrime space, it isn't going to be easy to shut down the global black market operation.
"The reward for a new leader to step up when the old leader isn't around anymore is very high," he said. "With 160 million credit card numbers, it's going to be difficult for any crime organization go to bankrupt."
From his perspective, Mike Gross, a senior manager of Risk Strategy and Professional Services at 41st Parameter, sees the compromise of 160 million credit and debit card numbers as further evidence that cyberattackers are using increasingly sophisticated tactics and closely coordinating their attacks, which can have devastating financial consequences.
"Fighting this rapid industrialization of fraud requires both innovative technology and broad visibility into all aspects of the criminal enterprise -- from the initial compromise through the underground sale of data and eventual use," he told us. "Without stronger situational awareness and solutions to harden defenses and proactively identify signals of fraud ahead of large-scale attacks, corporations will continue to see the effects of recent data breaches hitting their bottom lines."
Same Old Strategies
Kevin O'Brien, an enterprise solutions architect at CloudLock, believes criminal hacking is increasingly capable of obtaining information from any publicly accessible resource -- and the focus by organizations, especially those responsible for highly sensitive personal and financial information, needs to shift away from network and system security design toward information security if they wish to stay ahead of those criminals.
"We continue to see the same categories of mistakes leading to data breaches: poorly secured databases subject to SQL-injection attacks, website design issues leading to XSS (cross-site scripting) vulnerabilities, man-in-the-middle and other network-level attacks, and classic social engineering," O'Brien told us. "Some of these can certainly be solved by judicious use of technology, such as better hardware and more carefully implemented encryption technology; others will need to be addressed by way of better training and design in the first place."
As O'Brien sees it, if we assume that these were skilled hackers working to gain access to this data, it's safe to say that almost any technological security solution could have been bypassed at some point. What might have helped to prevent that from leading to a major breach would have been better separation of the high-value assets from the net-connected systems that were hacked.
"While this information is not yet -- and may never be -- known publicly, it's reasonable that there were one or more user accounts that were compromised, rather than poorly coded applications that were exploited," he said. "Unfortunately, if expectedly, human nature tends to dismiss these types of systemic weaknesses as 'lucky breaks' or 'unforeseeable accidents,' and as a result, attention and money in the security industry continues to be spent on solving those things that are easiest to address, rather than essential problems that would require substantive trade-offs to implement."