Feeds

Hackers develop 'memory-scraping malware' to steal PINs

They are probably watching you now and laughing

Top 5 reasons to deploy VMware with Tegile

More personal data records were breached last year than the previous four years combined, thanks to increased hacker activity rather than insider threats.

Verizon's second annual Data Breach Investigations Report also found that the financial services sector accounted for 93 percent of all such record compromises during 2008. The study is based on an analysis of data involving 285 million compromised records from 90 confirmed breaches, 90 per cent of which are blamed on the activities of cybercriminals.

Because the survey is based on actual cases of confirmed data breaches, rather than responses to surveys or questionnaires, it provides a much more revealing insight into cybercrime trends.

Most of the breaches (74 per cent) investigated were caused by external sources, while 32 per cent were linked to business partners. Only one in five (20 per cent) were attributed to insiders, a finding that runs against conventional wisdom in security circles. Some breaches were caused by more than one source, hence the overall figure adds up to more than 100 per cent.

The study also found that the majority of breaches resulted from a combination of events rather than a single security mistake. Two in three breaches were blamed on hackers. Typically, miscreants exploited vulnerabilities to install malware onto systems for later retrieval.

Two in three breaches (69 per cent) were discovered by third parties. Nearly all the records compromised (99 per cent) last year came from internet-connected systems, either servers or applications. The finding put concerns about mobile devices and portable media in context, the SANS Institute's Internet Storm Centre notes.

Much has been made of the fact that some organisations who achieved compliance with the credit card industry's PCI-DSS standard wound up becoming the target of some of the highest profile hacking attacks. However, Verizon's study found that 81 per cent of organisations hit by security breached subject to PCI-DSS had been found to be non-compliant prior to the attack.

PIN down

Verizon reports that attacks targeting PIN data "exploded" last year.

These PIN-based attacks hit the consumer much harder than typical signature-based counterfeit attacks in which a consumer's credit card is compromised. Investigators found that PIN fraud typically leads to cash being withdrawn directly from the consumer's account - whether it is a checking, savings or brokerage account - placing a greater burden on the consumer to prove that transactions are fraudulent.

The higher monetary value commanded by PIN data has spawned a cycle of innovation in attack methodologies. Criminals have re-engineered their processes and developed new tools, such as memory-scraping malware, to steal this valuable commodity.

Bryan Sartin, director of investigative response for Verizon Business, told Wired.com that these attacks involved assaults on both unencrypted data held on insecure systems and encrypted data.

"We're seeing entirely new attacks that a year ago were thought to be only academically possible," Sartin said. "What we see now is people going right to the source... and stealing the encrypted PIN blocks and using complex ways to un-encrypt the PIN blocks."

Hardware security modules, which act as a form of switch for encrypted data within bank networks, are under active attack. "Essentially, the thief tricks the HSM into providing the encryption key," Sartin explained. "This is possible due to poor configuration of the HSM or vulnerabilities created from having bloated functions on the device."

The class of attack has been understood in academic circles for some years (researchers at Cambridge and in Israel have published papers on it) but Verizon's detailed study is the first evidence that it's been used in anger.

Green cross code

Verizon analysts found - as they did in the firm's previous study, which covered 230 million compromised records from 2004 to 2007 - that nearly nine out of 10 breaches were avoidable with basic security precautions.

The survey concludes with a series of common-sense recommendations on how to guard against attack - such as patching, regular auditing and robust password security - explained in greater depth in the complete report (PDF) and in a summary here. ®

Internet Security Threat Report 2014

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha
A good day for privacy as invisble.im also reveals its approach to untraceable chats
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.