Feeds

Hackers develop 'memory-scraping malware' to steal PINs

They are probably watching you now and laughing

SANS - Survey on application security programs

More personal data records were breached last year than the previous four years combined, thanks to increased hacker activity rather than insider threats.

Verizon's second annual Data Breach Investigations Report also found that the financial services sector accounted for 93 percent of all such record compromises during 2008. The study is based on an analysis of data involving 285 million compromised records from 90 confirmed breaches, 90 per cent of which are blamed on the activities of cybercriminals.

Because the survey is based on actual cases of confirmed data breaches, rather than responses to surveys or questionnaires, it provides a much more revealing insight into cybercrime trends.

Most of the breaches (74 per cent) investigated were caused by external sources, while 32 per cent were linked to business partners. Only one in five (20 per cent) were attributed to insiders, a finding that runs against conventional wisdom in security circles. Some breaches were caused by more than one source, hence the overall figure adds up to more than 100 per cent.

The study also found that the majority of breaches resulted from a combination of events rather than a single security mistake. Two in three breaches were blamed on hackers. Typically, miscreants exploited vulnerabilities to install malware onto systems for later retrieval.

Two in three breaches (69 per cent) were discovered by third parties. Nearly all the records compromised (99 per cent) last year came from internet-connected systems, either servers or applications. The finding put concerns about mobile devices and portable media in context, the SANS Institute's Internet Storm Centre notes.

Much has been made of the fact that some organisations who achieved compliance with the credit card industry's PCI-DSS standard wound up becoming the target of some of the highest profile hacking attacks. However, Verizon's study found that 81 per cent of organisations hit by security breached subject to PCI-DSS had been found to be non-compliant prior to the attack.

PIN down

Verizon reports that attacks targeting PIN data "exploded" last year.

These PIN-based attacks hit the consumer much harder than typical signature-based counterfeit attacks in which a consumer's credit card is compromised. Investigators found that PIN fraud typically leads to cash being withdrawn directly from the consumer's account - whether it is a checking, savings or brokerage account - placing a greater burden on the consumer to prove that transactions are fraudulent.

The higher monetary value commanded by PIN data has spawned a cycle of innovation in attack methodologies. Criminals have re-engineered their processes and developed new tools, such as memory-scraping malware, to steal this valuable commodity.

Bryan Sartin, director of investigative response for Verizon Business, told Wired.com that these attacks involved assaults on both unencrypted data held on insecure systems and encrypted data.

"We're seeing entirely new attacks that a year ago were thought to be only academically possible," Sartin said. "What we see now is people going right to the source... and stealing the encrypted PIN blocks and using complex ways to un-encrypt the PIN blocks."

Hardware security modules, which act as a form of switch for encrypted data within bank networks, are under active attack. "Essentially, the thief tricks the HSM into providing the encryption key," Sartin explained. "This is possible due to poor configuration of the HSM or vulnerabilities created from having bloated functions on the device."

The class of attack has been understood in academic circles for some years (researchers at Cambridge and in Israel have published papers on it) but Verizon's detailed study is the first evidence that it's been used in anger.

Green cross code

Verizon analysts found - as they did in the firm's previous study, which covered 230 million compromised records from 2004 to 2007 - that nearly nine out of 10 breaches were avoidable with basic security precautions.

The survey concludes with a series of common-sense recommendations on how to guard against attack - such as patching, regular auditing and robust password security - explained in greater depth in the complete report (PDF) and in a summary here. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.