Hackers develop 'memory-scraping malware' to steal PINs
They are probably watching you now and laughing
Regcast training : Hyper-V 3.0, VM high availability and disaster recovery
More personal data records were breached last year than the previous four years combined, thanks to increased hacker activity rather than insider threats.
Verizon's second annual Data Breach Investigations Report also found that the financial services sector accounted for 93 percent of all such record compromises during 2008. The study is based on an analysis of data involving 285 million compromised records from 90 confirmed breaches, 90 per cent of which are blamed on the activities of cybercriminals.
Because the survey is based on actual cases of confirmed data breaches, rather than responses to surveys or questionnaires, it provides a much more revealing insight into cybercrime trends.
Most of the breaches (74 per cent) investigated were caused by external sources, while 32 per cent were linked to business partners. Only one in five (20 per cent) were attributed to insiders, a finding that runs against conventional wisdom in security circles. Some breaches were caused by more than one source, hence the overall figure adds up to more than 100 per cent.
The study also found that the majority of breaches resulted from a combination of events rather than a single security mistake. Two in three breaches were blamed on hackers. Typically, miscreants exploited vulnerabilities to install malware onto systems for later retrieval.
Two in three breaches (69 per cent) were discovered by third parties. Nearly all the records compromised (99 per cent) last year came from internet-connected systems, either servers or applications. The finding put concerns about mobile devices and portable media in context, the SANS Institute's Internet Storm Centre notes.
Much has been made of the fact that some organisations who achieved compliance with the credit card industry's PCI-DSS standard wound up becoming the target of some of the highest profile hacking attacks. However, Verizon's study found that 81 per cent of organisations hit by security breached subject to PCI-DSS had been found to be non-compliant prior to the attack.
PIN down
Verizon reports that attacks targeting PIN data "exploded" last year.
These PIN-based attacks hit the consumer much harder than typical signature-based counterfeit attacks in which a consumer's credit card is compromised. Investigators found that PIN fraud typically leads to cash being withdrawn directly from the consumer's account - whether it is a checking, savings or brokerage account - placing a greater burden on the consumer to prove that transactions are fraudulent.The higher monetary value commanded by PIN data has spawned a cycle of innovation in attack methodologies. Criminals have re-engineered their processes and developed new tools, such as memory-scraping malware, to steal this valuable commodity.
Bryan Sartin, director of investigative response for Verizon Business, told Wired.com that these attacks involved assaults on both unencrypted data held on insecure systems and encrypted data.
"We're seeing entirely new attacks that a year ago were thought to be only academically possible," Sartin said. "What we see now is people going right to the source... and stealing the encrypted PIN blocks and using complex ways to un-encrypt the PIN blocks."
Hardware security modules, which act as a form of switch for encrypted data within bank networks, are under active attack. "Essentially, the thief tricks the HSM into providing the encryption key," Sartin explained. "This is possible due to poor configuration of the HSM or vulnerabilities created from having bloated functions on the device."
The class of attack has been understood in academic circles for some years (researchers at Cambridge and in Israel have published papers on it) but Verizon's detailed study is the first evidence that it's been used in anger.
Green cross code
Verizon analysts found - as they did in the firm's previous study, which covered 230 million compromised records from 2004 to 2007 - that nearly nine out of 10 breaches were avoidable with basic security precautions.
The survey concludes with a series of common-sense recommendations on how to guard against attack - such as patching, regular auditing and robust password security - explained in greater depth in the complete report (PDF) and in a summary here. ®
COMMENTS
btw
There is software available that logs users activity on their machine . file copying , creating etc ..
So IT security can , if they suspect someone of stealing internal data , check logs and find out exactly what has been copied , where & when ...
More & more firms are using this type of software ...
okay
Do you really think the banks give a shit if hackers take 3bn a year? NO they bloody dont, but they do care they have to replace it.
When i was new and first used the internet i asked the immortal question - how to protect myself online, and was quickly told - by not connecting to it.
when i was studying in the 80's it was common practice to have 1 machine with internet access - back then it was modem attached, and everything else could not even take a disk from that machine the entire network did not connect to that one machine, nothing passed to or from it.
A group of extremely fast typists took data from it, and manually fed it into the network servers, and vice versa.
Four of them could handle 3m transactions a week. which was as much data as the hayes could send / recieve.
They were later replaced by boxes, specially built that took raw data, and converted it, electronic switches that could not be exploited without physically changing the layout of the board, and reprogramming by moving electronics. It did not process anything it simply took a stream of data of one source, and outputted it formatted to the other source, and as it was encrypted the servers would not run it.
Thats how it used to be done, either manually or with very basic electronics, today with all the speed/ extras that does not work, but it can and should be re-introduced to banking, there is no reason why the atm system for banks should be anywhere near the internet, and the call back etc technology scrapped. The machines should be electronically tagged to only call 1 number, if the number changes rebuild the board.
Then pin theives couldnt go online and hack into weak links because there would be no connection, and they couldnt dial into a weak point as the machines dont have modems,
problem solved.
@AC: Memory scraping
http://wiredbytes.com/node/6
http://content.zdnet.com/2346-9595_22-189068-4.html
IT infrastructure monitoring strategies
Agentless Backup is Not a Myth
Top 10 SIEM implementer’s checklist
Steps to Take Before Choosing a Business Continuity Partner
Requirements Checklist for Choosing a Cloud Backup and Recovery Service Provider
