“There are only two kinds of companies: those who have been breached and those who will be breached.”
Such is the claim of Cynthia James, director of business development for Kaspersky Lab, a leading antivirus and Internet security firm. Her assessment may not be far off, either. Identity theft against Target and Neiman Marcus during the holidays last year ended with millions of debit and credit card numbers stolen. It was deemed even worse than the breach of data on T.J. Maxx and Marshalls about ten years ago. Some experts believe it may continue to get worse, too.
Why?
Well, in Target’s case, it was somewhat opportunistic. Hackers scored a holiday treat after an AC company employee with access to Target’s network clicked on a malicious email. From there, the thieves had free rein of the company’s system to steal the retailer’s payment card information. For the most part, though, criminal technology is evolving while the technology that stops it is pretty archaic.
“The unfortunate reality is that we suffered a breach,” John J. Mulligan, Target’s Chief Financial Officer, stated during recent legal meetings.
He added, “And all businesses and their customers are facing increasingly sophisticated threats from cybercriminals.”
Consider, for example, Aleksandr Andreevich Panin. The Russian national was recently convicted in federal court after constructing a malware virus called SpyEye. According to prosecutors, he sold it for just $1,000 online. Between 2009 and 2011, a minimum of 150 hackers used Panin’s program to set up servers that would let them drain strangers’ bank accounts from afar. In fact, one criminal customer managed to rake in $3.2 million in half a year via the virus.
Code like Panin’s makes theft automatic. SpyEye infected over 1.4 million computers across the world, and when computers were overtaken, information was immediately compromised.
The only way to fix credit card theft is to change the credit card. Pin and number has never been secure. http://t.co/2NyM5S6zNT
— Jonathan Davis (@subnetwork) January 24, 2014
“Our decades-old payment system was not designed with cybersecurity in mind,” said Christopher Soghoian, principal technologist at the American Civil Liberties Union.
Some surmise that promising prospective changes include: acquiring end-to-end encryption, walling off sensitive information on separate networks, and utilizing new technology that secures the credit card customer’s information on an embedded chip (rather than the black magnetic tape most have in America).
Where the magnetic strip we swipe at retail counters harbors security flaws, the embedded “chip and pin” technology could potentially put an end to all of that.
Dan Kaminsky, the founder of White Ops (a company that uses hacking to stop fraud online), explains, “It’s like having a small computer on a credit card. The computer negotiates with retailers and has a unique number for every transaction, rather than one number that is repeated over and over.” However, the long-term outlook on identity theft is a matter of debate.
“Companies may succeed in strengthening their defenses…deterring hackers,” security researcher Nicolas Christin said. He went on to add, “Or the surge of stolen credit card information on the market may cause a glut and drop prices to the point at which incentives for new attacks shrink.”
Cards with an embedded security chip might thus be just the answer.
They could even replace our existing ones in the next few years. In fact, an industry group including big credit card issuers wants chip cards adopted by October 2015. However, federal regulators have been reluctant to invest if there’s a possibility that it won’t prevent future attacks.
Before the thought of a multi-million dollar criminal income starts seducing some of you into scouring the undernet, consider first what befell the nefarious Russian responsible for multitudinous Trojan attacks. Mr. Panin demonstrated the inverse relationship his computer and street savvy have during a holiday last year when the FBI nailed him on a sting operation. He now is facing 30 years in prison after trying to sell his inimical invention to an undercover agent.
SpyEye for a SpyEye, justice is served.