Posted by Andre Edelbrock on Fri, Sep 04, 2009
Vacation is supposed to be a time when you finally relax and break away from the demanding pressures of workaday life. But with the economy down, and many worried about doing enough to keep their jobs, the increase in computing mobility means that more people than ever are taking work with them when they head for the beach. Be honest -- you took your laptop or BlackBerry with you, and if nothing else, checked for email while you were away this summer, didn't you?
So maybe you weren't working as you sipped pina coladas on the beach and surfed not on the water, but on your PC. Maybe you were "just shopping", or watching the latest viral videos on YouTube.
So guess what? Ever on top of new trends, fraudsters have spotted a big new vulnerability to capitalize on. Adding another coined phrase to our fraud glossary, Fox News reports, “vacation hacking” is a new avenue for criminals to steal from those who rely on free wifi or unsecured networks while away from the office to get their internet fix.
Beach fraud
Ok, so you aren't one of those clueless tourists walking around with a sign on your back saying "Hack Me". You're a businessperson who's been around the block a few times, you've got AV software and a firewall -- not so easily taken. Really? Have you ever logged on at the airport, trying to squeeze in just a couple more emails before departure?
So-called "white-hat" hackers recently surveyed a number of large airports, discovering what they said was an alarming number of hacker-generated connections. Hackers are now identifying these airport wifi access points as their new hotspots and enticing busy road warriors, unaware that they are at risk, to sign on to a hacker's portal, where they not only willingly hand over their credit card info but also leave their laptops at risk and their information unprotected.
Data breaches, phishing, botnets, spam, fake portals, unsecured networks -- all can be used to steal personal information for fraudulent gain. But what can you do to stop it?
Is there any escape? Is any protection good enough?
Everyone will always tell you ways to make your environment more secure, and build a better barrier to keep the bad from getting in. But that doesn't help much when the bad gets in, nor does it deal with the root of the problem. Just ask Heartland Payment Systems, who thought they had a totally secured PCI DSS compliant environment.
Only part of the problem is lack of security. Another critical part of the problem is the value of what gets stolen. We must redouble efforts to make the stolen data worth less, if not worthless. Make it harder to use. Fully thwart attempts to convert data to cash. Increase the penalties and prosecution efforts such that the perpetrator of the biggest data breach in history faces more than a couple of slaps on the wrist and a cushy job as informant for the Secret Service.
Become more aware of what makes us vulnerable, and stop depending on technical solutions that no one understands and which often increase complacency and therefore the probability of loss.
Simple solution: address the problem at its source
The solution as I see it is two-fold:
- Educate users about risk, and what to look out for -- what makes something suspicious and why you shouldn't hand over a social security number when someone calls asking for it, for example
- Stop financial fraud at source, by getting banks, card issuers, card processors, anti-fraud vendors and the targeted merchants all working together to provide a backstop when security fails
Simple right?
Take the poll
Let us know what you think. More security? Better fraud detection? Stiffer penalties? Simplicity? Less technology? Collaboration? Smarter users? What is going to help us gain control of things?
Take our poll, and after you hit the button, you'll see a graph of the compiled results. And, if your answer isn't on the list, give us your solution in the comments below.
Aren't you glad that summer vacation is almost over and you're back to work?
Posted by Andre Edelbrock on Wed, Sep 02, 2009
Quiet congratulations to the authorities for finally catching up with their man - Albert Gonzalez - and getting indictments handed down by the grand jury in two of the largest deliberate data breaches in history at Heartland Payment Systems and Hannaford Bros.
Gonzalez, going by the alias Segvec, was also indicted in breaches at 7-11 and 2 other unnamed national retailers, as investigations continue into whether he might have been the linchpin in a number of other systems intrusions. In a path of financial havoc rivalling the damages of Hurricane Katrina and Bernie Madoff combined, we wonder how many more shoes there are to drop, as Gonzalez is already being held on charges stemming from the TJX breach in 2007, the previous largest breach on record before Heartland came to light.
Low Key Celebrations
Perhaps a sigh of relief is in order, but not too much more in the way of celebration. Loud hurrahs and back-slapping would be inappropriate, lest we be lulled into complacency, and thinking this means the internet is safe again.
In fact, if you didn't feel a little uneasy about the inequality of armaments between the criminals and those defending against them, remember that Gonzalez pulled off his elaborate heist literally while authorities were watching. His crew deployed the worms that siphoned data from Heartland and others, while he was acting as an informant, after he had already been caught acting as an administrator for a prominent carding site called Shadowcrew.
End of the Beginning?
So, unlike many, we do not believe this heralds the beginning of the end for big time cybercrime -- rather just the opposite: it signals the end of the beginning. It will only get worse from here. How do we know?
Gonzalez is not the world's only smart hacker, and although authorities say there are few in his skill range, we believe there are many who are even smarter and who will learn from his mistakes. There are plenty of his kind working in crime hotspots all over the world. Not only are they well-trained, they are among the world's best mathematicians and scientists, often living in a climate where criminal behavior is tolerated, even respected -- where it is regarded as a legitimate tax-paying business, and even directly supported in some cases by the state.
Birth of a Hacker Hero
Gonzalez has shown the next generation of hackers how to win, and how to win big. Never mind the arrogance and hubris which pushed him to take dumb chances that allowed him to be caught. He wrote the blueprint for others to follow.
His brazen finger-in-the-eye crime makes him a hacker hero, energizing the whole hacker community to go him one better. His primary misstep was getting too cocky, repeatedly going back to the same well as he perpetrated the biggest credit card scams in history under the noses of the Secret Service. If he had not already been known to law enforcement, and acting as an informer, is it possible he may have escaped detection entirely? Had he been a little less greedy, or a little less in-your-face with his tactics and scale of assault, might we still be looking for him for years to come?
Copycats Will Multiply
The hacker community is well connected and well organized. Despite getting caught, Gonzalez's work is still impressive, and many will emulate his tactics. They will learn from both his success and his failure. The next big-time hacker will be a little less full of bravado, and a little more cautious. They will evolve their M.O. a little more frequently, and run just below the radar.
So, while some see the catching of Gonzalez as a major blow to the fraudsters, I view it differently. Segvec is a harbinger of the increasing sophistication of attack on the horizon, and portends accelerating and increasingly deceptive attempts to commit CNP fraud against retailers to convert stolen data to cash.
Are you ready for what's coming?