Fraud techniques revealed in recent debit card case

On May 9, 2013, Federal prosecutors issued indictments against eight individuals for hacking and theft.  The case revealed the methods used by hackers to gain access to debit card numbers that were ultimately used to withdraw $45 million.

Hackers gained unauthorized access to the card processing companies that handle prepaid debit cards and conducted what they term an "unlimited operation". In an unlimited operation, the attackers alter the processor's records so that the account balances and withdrawal limits on a set of debit cards are removed. In this case, the attackers performed unlimited operations on several prepaid MasterCard debit cards and then distributed the card numbers and PINs to cashing crews around the world. These crews encoded the stolen card numbers onto the magnetic stripes of gift cards and hotel key cards and then coordinated withdrawals from ATMs.

I have spoken of the increase in coordination of cyber-attacks many times, and this is an excellent example.  In a little over two hours on December 22, 2012, the criminals withdrew about $400,000 from 140 ATMs across New York City.  A second wave of thefts in February 2013 netted almost $2.4 million in 10 hours, and the group is accused of stealing a total of $45 million by repeating this procedure against different card issuers and in different locations.

The card processors and issuers involved in this case might have prevented or at least limited the theft by monitoring for anomalous behavior: a withdrawal limit being removed or raised far beyond its previous value is a rare administrative event that deserves review, and a single prepaid card being used dozens of times at dozens of ATMs within an hour looks nothing like normal cardholder behavior.  Anomalous behavior monitoring is valuable no matter where the next attack comes from, and it is useful in other industries as well.
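As an added example of the two monitoring signals described above (my code, not anything from the indictment or the original post), the following Python runs a limit-tampering check and a sliding-window cash-out velocity check over a constructed event feed. The event format, card numbers, ATM identifiers and thresholds are all hypothetical; a real processor would feed this from its administrative audit log and ATM switch.

```python
"""Added example for the post above (my code, not from the indictment or the
original post): the two signals a processor or issuer could have alerted on.

Everything here is constructed for illustration: the event format, the card
numbers, the ATM identifiers and the thresholds are hypothetical.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event feed. Two record types:
#   ("limit_change", ts, card, old_limit, new_limit)  from the processor's admin/audit log
#   ("withdrawal",   ts, card, atm_id, amount)        from the ATM switch
# CARD-0001 models an "unlimited operation": its limit is zeroed, then it is cashed
# out rapidly at many ATMs. CARD-0002 and CARD-0003 model ordinary cardholders.
EVENTS = [
    ("limit_change", "2012-12-22T00:10:00", "CARD-0001", 500, 0),  # 0 = no limit
    ("withdrawal", "2012-12-22T01:00:00", "CARD-0001", "NYC-ATM-017", 400),
    ("withdrawal", "2012-12-22T01:03:00", "CARD-0001", "NYC-ATM-022", 400),
    ("withdrawal", "2012-12-22T01:06:00", "CARD-0001", "NYC-ATM-022", 400),
    ("withdrawal", "2012-12-22T01:09:00", "CARD-0001", "NYC-ATM-031", 400),
    ("withdrawal", "2012-12-22T01:12:00", "CARD-0001", "NYC-ATM-044", 400),
    ("withdrawal", "2012-12-22T01:15:00", "CARD-0001", "NYC-ATM-044", 400),
    ("withdrawal", "2012-12-22T01:18:00", "CARD-0001", "NYC-ATM-052", 400),
    ("withdrawal", "2012-12-22T01:21:00", "CARD-0001", "NYC-ATM-060", 400),
    ("withdrawal", "2012-12-22T09:00:00", "CARD-0002", "BOS-ATM-003", 100),
    ("withdrawal", "2012-12-22T18:30:00", "CARD-0002", "BOS-ATM-003", 60),
    ("limit_change", "2012-12-22T08:00:00", "CARD-0003", 500, 600),  # modest, legitimate raise
    ("withdrawal", "2012-12-22T10:00:00", "CARD-0003", "CHI-ATM-009", 200),
    ("withdrawal", "2012-12-22T10:05:00", "CARD-0003", "CHI-ATM-009", 200),
    ("withdrawal", "2012-12-22T10:10:00", "CARD-0003", "CHI-ATM-009", 200),
]

WINDOW = timedelta(minutes=30)   # hypothetical thresholds
MAX_WITHDRAWALS_PER_WINDOW = 5
MAX_DISTINCT_ATMS_PER_WINDOW = 3
LIMIT_RAISE_FACTOR = 10


def suspicious_limit_changes(events, raise_factor=LIMIT_RAISE_FACTOR):
    """Unlimited-operation signal: a withdrawal limit removed outright or raised
    to many times its previous value. Returns (card, ts, old, new) tuples."""
    alerts = []
    for event in events:
        if event[0] != "limit_change":
            continue
        _, ts, card, old, new = event
        if new in (0, None) or (old and new >= raise_factor * old):
            alerts.append((card, ts, old, new))
    return alerts


def withdrawal_velocity_alerts(events, window=WINDOW,
                               max_count=MAX_WITHDRAWALS_PER_WINDOW,
                               max_atms=MAX_DISTINCT_ATMS_PER_WINDOW):
    """Cash-out signal: sliding-window count of withdrawals and of distinct ATMs
    per card. Returns {card: details} for the first window that trips a threshold."""
    by_card = defaultdict(list)
    for event in events:
        if event[0] == "withdrawal":
            _, ts, card, atm, amount = event
            by_card[card].append((datetime.fromisoformat(ts), atm, amount))

    alerts = {}
    for card, withdrawals in by_card.items():
        withdrawals.sort()
        start = 0
        for i, (ts, _atm, _amount) in enumerate(withdrawals):
            while withdrawals[start][0] < ts - window:   # drop events older than the window
                start += 1
            recent = withdrawals[start:i + 1]
            atms = {atm for _, atm, _ in recent}
            if len(recent) > max_count or len(atms) > max_atms:
                alerts[card] = {
                    "at": ts.isoformat(),
                    "count": len(recent),
                    "distinct_atms": len(atms),
                    "amount": sum(amount for _, _, amount in recent),
                }
                break   # one alert per card is enough to trigger a block
    return alerts


def cards_to_block(events):
    """Cards that show both signals: a limit tampered with and a rapid cash-out."""
    tampered = {card for card, *_ in suspicious_limit_changes(events)}
    return sorted(tampered & set(withdrawal_velocity_alerts(events)))


if __name__ == "__main__":
    for card, ts, old, new in suspicious_limit_changes(EVENTS):
        print(f"limit tampering: {card} at {ts}: {old} -> {new}")
    for card, details in withdrawal_velocity_alerts(EVENTS).items():
        print(f"cash-out velocity: {card} {details}")
    print("block:", cards_to_block(EVENTS))
```

Run against the constructed feed, CARD-0001 trips the velocity check at its fifth withdrawal (four distinct ATMs in 12 minutes) and is the only card with a tampered limit, so it is the only card the combined check would block; CARD-0003's limit raise from 500 to 600 is ignored because it is well under the tampering factor. The point of keeping the two signals separate is that either alone is worth a review, and together they are strong enough to act on automatically.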

When and why companies disclose your information

The Electronic Frontier Foundation issued a report on 18 web and technology companies that routinely handle user data.  The study looked at the following six privacy policy and practice areas related to how each company responds to government requests for user information:

  • Does the company require a warrant before releasing information?
  • Does the company inform users of requests for data?
  • Are statistics published on how often data is provided to requesting agencies?
  • Does the company have a policy outlining how they respond to information requests?
  • Does the company stand firm when information requests are too broad in scope?
  • Does the company support revisions to electronic privacy laws?

Some of the results of the study are surprising.  Dropbox, LinkedIn, Sonic.net and Twitter were among those that ranked highest.  Others such as Amazon, Yahoo and Apple ranked towards the bottom, and Verizon and Myspace were the lowest.

Download the EFF report

Florida Department of Juvenile Justice Data Breach

The Florida Department of Juvenile Justice (DJJ) had a mobile device containing 100,000 youth and employee records stolen on January 2, 2013.  The device was neither encrypted nor password protected, despite a DJJ policy requiring both on mobile devices. This breach further demonstrates the importance of encrypting mobile devices, but more importantly it shows that a policy alone is not enough: organizations and government agencies need to verify that employees are aware of their policies and are adhering to them.  Without that, a policy is worthless.

Do you have a mobile device encryption policy? If so, do you know if employees are following it? Don't let this happen to you.


Vobfus malware steals 25,000 student social security numbers

Salem State University in Massachusetts issued a data breach warning to faculty and students on March 11. The warning informed them that information on over 25,000 people, including Social Security numbers, had been exposed. The breach was caused by malware, identified as Vobfus, that infected the system hosting the university's human resources database.

Malware is often seen as a nuisance or a productivity inhibitor, but an infected computer can pose a much greater risk to an organization and should not be overlooked. Malware gets behind the organization's perimeter and can act with the credentials of legitimate users, including administrators. Just because a system is behind a firewall or in a demilitarized zone doesn't mean it is safe; threats from the inside are just as virulent as those from the outside. Malware has been the cause of a number of recent data breaches at supermarkets, banking institutions and retailers.

Antivirus software is essential, but it is only the first step in protecting against malware.  New malware and revised versions of existing malware are released continually, and antivirus signatures will miss some of it, potentially even the most dangerous samples.  Understand what normal traffic looks like on your network so that abnormalities can be identified quickly.  Take notifications from users about suspicious activity seriously, and consider implementing technologies that use behavior-based detection to find malware and intrusions.  Lastly, know what to do and whom to call if there is a data breach.
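As an added example of "understand what normal traffic looks like" (my code, not Salem State's or the original post's), the following Python builds a per-host baseline from a week of constructed flow records and flags the two things a share-spreading worm like the one described above tends to produce: a sudden fan-out of SMB (port 445) connections to many internal hosts, and contact with an external address the host never talked to before. The flow records, addresses and thresholds are all constructed, and the internal address space is assumed to be 10.0.0.0/8.

```python
"""Added example (my code, not Salem State's or the original post's): a small
statistical flow-analysis baseline of the kind the paragraph above recommends.
All flow records, addresses and thresholds are constructed for illustration;
the internal address space is assumed to be 10.0.0.0/8.
"""
from collections import defaultdict
from statistics import mean, pstdev

INTERNAL_PREFIX = "10."       # assumption: organisation uses 10.0.0.0/8 internally
BASELINE_DAYS = range(1, 8)   # days 1-7 establish "normal"
REVIEW_DAY = 8                # the day under review


def build_sample_flows():
    """Constructed flow records (day, src, dst, dst_port), as a flow collector
    might export them. 10.0.1.5 and 10.0.1.6 are HR workstations; on day 8,
    10.0.1.5 starts crawling internal hosts over SMB (445), the way a
    share-spreading worm does, and contacts an external host it never touched."""
    flows = []
    file_servers = ["10.0.2.10", "10.0.2.11"]
    for day in BASELINE_DAYS:
        for host in ("10.0.1.5", "10.0.1.6"):
            for server in file_servers[: 1 + (day % 2)]:   # one or two servers a day
                flows.append((day, host, server, 445))
            flows.append((day, host, "203.0.113.20", 443))  # routine web traffic (TEST-NET-3 address)
    flows.append((REVIEW_DAY, "10.0.1.6", file_servers[0], 445))
    flows.append((REVIEW_DAY, "10.0.1.6", "203.0.113.20", 443))
    flows.append((REVIEW_DAY, "10.0.1.5", "203.0.113.20", 443))
    for n in range(1, 41):                                    # 40 distinct internal hosts on 445
        flows.append((REVIEW_DAY, "10.0.1.5", f"10.0.3.{n}", 445))
    flows.append((REVIEW_DAY, "10.0.1.5", "198.51.100.7", 80))  # never-seen external host (TEST-NET-2)
    return flows


def distinct_dsts_per_day(flows, port):
    """{src: {day: number of distinct destinations contacted on `port`}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for day, src, dst, dport in flows:
        if dport == port:
            seen[src][day].add(dst)
    return {src: {day: len(dsts) for day, dsts in days.items()} for src, days in seen.items()}


def fanout_alerts(flows, port=445, z=3.0, min_fanout=10,
                  baseline_days=BASELINE_DAYS, review_day=REVIEW_DAY):
    """Flag hosts whose distinct-destination count on `port` for the review day
    exceeds mean + z*stdev of their own baseline. The stdev is floored at 1 so a
    perfectly flat baseline does not alert on a single extra destination, and
    min_fanout keeps tiny absolute changes out of the review queue."""
    per_day = distinct_dsts_per_day(flows, port)
    alerts = {}
    for src, days in per_day.items():
        history = [days.get(day, 0) for day in baseline_days]
        mu, sigma = mean(history), pstdev(history)
        threshold = mu + z * max(sigma, 1.0)
        today = days.get(review_day, 0)
        if today > threshold and today >= min_fanout:
            alerts[src] = {"today": today, "baseline_mean": round(mu, 2),
                           "threshold": round(threshold, 2)}
    return alerts


def is_external(ip):
    return not ip.startswith(INTERNAL_PREFIX)


def new_external_destinations(flows, baseline_days=BASELINE_DAYS, review_day=REVIEW_DAY):
    """External destinations contacted on the review day that never appeared in
    that host's baseline: candidate download or command-and-control contacts."""
    baseline, review = defaultdict(set), defaultdict(set)
    for day, src, dst, _port in flows:
        if not is_external(dst):
            continue
        if day in baseline_days:
            baseline[src].add(dst)
        elif day == review_day:
            review[src].add(dst)
    return {src: dsts - baseline[src] for src, dsts in review.items() if dsts - baseline[src]}


if __name__ == "__main__":
    flows = build_sample_flows()
    print("SMB fan-out alerts:", fanout_alerts(flows))
    print("new external destinations:", new_external_destinations(flows))
```

On the constructed data, 10.0.1.5 averages fewer than two SMB destinations a day during the baseline week and hits 40 on day 8, so it is the only host flagged, and its contact with 198.51.100.7 is the only new external destination; 10.0.1.6 stays quiet on both counts. Neither check needs a signature for the malware, which is the point: a host that suddenly behaves unlike its own history is worth a look whether or not antivirus recognises what is running on it.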

Cyber Forensics: Collecting evidence for today's data breaches | NEO ISACA

NEO ISACA has monthly meetings, and its membership here is primarily IT Auditors, with a number of IT Security Professionals from companies based in and around Cleveland. At each meeting, we get together to discuss a variety of pertinent IT topics, with a speaker leading the discussion.  This month I will be leading the discussion on cyber forensics.

Many forensic techniques focus on obtaining data from local machines, servers or data storage equipment but evidence for modern attacks often resides in many places and the techniques for obtaining this data go beyond those used in the typical forensic investigation.  In this presentation, ISACA members will learn about:

  • Detecting intrusions
  • Network evidence
  • Attack pattern analysis
  • Statistical flow analysis
  • Traffic analysis

View the ISACA event.

Unencrypted data at HHS exposes 50,000 Medicaid providers

On March 8, 2013, a contractor working for North Carolina's Department of Health and Human Services (HHS) billing department copied unencrypted data on 50,000 Medicaid providers to a thumb drive that was to be carried between facilities. The drive was lost, along with the data it contained: the names, Social Security numbers, dates of birth and addresses of the 50,000 providers.

In last week's article, Data breach threats of 2013, I cited breaches by third parties as one of the three highest-rated threats in the Deloitte survey of technology, media and telecommunications companies, and here is a perfect example of one. As mentioned last week, organizations can reduce this threat through vendor risk management. The process begins by evaluating the security of third parties that work with sensitive data, controlling what data they have access to, and conducting periodic audits to ensure that they maintain the same security standing.

Unfortunately, the North Carolina HHS assumed that their contractor, Computer Sciences Corporation (CSC), was taking adequate security precautions. HHS Secretary Aldona Wos said, "We expect my vendors to maintain the security of information." However, N.C. HHS is only now requesting validation of these assumptions. Wos stated, "I have instructed CSC that North Carolina expects an independent third-party assessment to assure CSC's adherence to required security standards."

Awareness, DoS and third party breaches top security concerns of 2013

A recent study by Deloitte, titled Blurring the lines: 2013 TMT global security study, shows that 59% of Technology, Media and Telecommunications (TMT) companies suffered a data breach.  88% of these companies do not believe that they are vulnerable to an external cyber threat such as hacking.  Rather, the three highest-rated threats were employee errors and omissions, denial of service attacks and security breaches by third parties.

Awareness is a critical factor here, and Deloitte lists it as one of the top three security initiatives of 2013. 70% of TMT companies responded in the survey that employee mistakes were an average or high vulnerability. The risks, as stated by Deloitte, include "talking about work, responding to phishing emails, letting unauthorized people inside the organization, or even selling intellectual property to other companies." To counter this, companies are conducting awareness training, often through security firms with experience in the area, and creating materials that employees will see on a regular basis to remind them of their responsibility to protect the data they work with.

Denial of Service (DoS) attacks were also rated a high threat. A DoS attack overloads the targeted information system, making it slow to respond to requests or taking it down entirely. Given the relative ease of conducting a DoS attack and the criticality of information systems to today's businesses, it is no wonder that DoS makes the list. These attacks are often triggered by a public statement that irks a hacker group or by opposing a hacker group or its interests. Organizations can protect themselves by monitoring the messages they send, especially through social networking, and by working out an incident response plan for handling a DoS attack that covers the public relations factors in addition to the technical ones.

Breaches by third parties are at the top of the list partly because the average company deals with so many third parties in the course of doing business.  In fact, 79% of respondents said the sheer number of third parties they deal with would be an average or high threat.  With so many third parties, it is difficult to determine whether each has a sufficient level of security to adequately protect the data it works with and, as we all know, security is only as effective as the weakest link.  Organizations have responded by screening third parties more thoroughly and assigning each a risk rating based on the type of data it will be working with, through a process called vendor risk management.  The third party then needs to demonstrate security that is in line with its risk rating.  Oversight of this kind is required by regulations and standards such as the Sarbanes-Oxley Act (SOX), the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA).

The threat landscape of 2013 continues to grow, and companies are tasked with more responsibility to protect the data they work with. As can be seen from Deloitte's survey, security awareness, denial of service and third party breaches are three major concerns for companies in 2013. To protect themselves, companies can conduct security awareness training, create incident response plans, and screen third parties who work with sensitive data.

The value of ePHI (electronic Protected Health Information)

On Wednesday I blogged about how hospitals are at the highest risk for data breaches. Some have emailed me asking why criminals would even care about Protected Health Information (PHI). Sure, it's private information, but what use is it to a criminal? The Digital Health Conference last year discussed this question, and a panel of cyber security specialists determined that a single PHI record is worth $50 on the black market. This is the same value given by Pam Dixon, executive director of the World Privacy Forum, in a 2007 interview. So what makes these records worth $50, a value higher than that of Social Security numbers or credit card information? Criminals can use a health record to make fake medical claims, purchase prescriptions or receive treatment under a false name. Since medical information cannot be "canceled" as easily as a credit card number, criminals have a much larger window in which to exploit the information.

For these reasons, PHI records are a tempting target for criminals, especially with the rising costs of health care. So, yes, you should be concerned about the disclosure of your medical records, because it does present a real threat to patients. This is why it is so important for organizations that handle PHI to have adequate security controls in place, whether they're clinics, medical billing companies, insurance providers, or business associates. Adhering to HIPAA helps, but being compliant doesn't necessarily mean you are secure.

Companies must know what they don’t know

The UK Information Commissioner's Office (ICO) has stated, with its recent £250,000 fine for Sony, that lack of knowledge of a data breach is no longer an adequate defense. This fine was given not because of actions Sony took on breaches they knew about, but for their lack of knowledge of weaknesses that the ICO deems they should have known about, given the technical knowledge and resources available at Sony.

To claim that you cannot act on vulnerabilities that you do not know of has been a common defense, and one that seems rational and logical to most companies, but the ICO's recent fine suggests that it is unlikely to work in the future. This sort of thinking is an inhibitor to security initiatives because it rewards not looking: once you know about a problem, you have to determine the risk it presents and decide how you will deal with it.

So how do you know what you don't know? This has been a question for centuries, but in this case the expectation is that companies will perform activities such as regular risk assessments, based on data collected from vulnerability scans, to identify security controls that can reduce risks to an acceptable level, and that they will monitor equipment to detect anomalous behavior. The tools to perform these activities are readily available, and various open source options can be implemented at low cost to the company. However, it takes someone experienced with risk assessment and with the tools used to make the data obtained from them actionable. Consider using a security consultant if this is not a skill your company has in-house.