cover story

The Gonzalez Effect: The New Reality of Mass Data Compromise and Financial Crime

by Paul Henninger
The indictment of Albert “Segvec” Gonzalez on charges of hacking into Heartland Payment Systems, Hannaford Brothers, 7-Eleven stores and others has put a spotlight on the risks faced by every player in the payments system today. Although mass data compromise events, in which millions, if not hundreds of millions, of customer records are compromised in a single attack, are nothing new, the delays between the early attacks and the fraud associated with the breached accounts allowed the industry to hold on to the hope that perhaps the attacks were motivated by something other than financial crime. It was always possible that the attacks were launched by hackers showing off, or that the breaches were due to human mistakes such as a lost laptop or a mismanaged password, rather than a concerted effort on the part of a criminal organization to compromise consumer identities.
With the Gonzalez indictment, however, it has become clear that the primary motivation behind these data compromise events is to facilitate identity theft and financial crime. According to the results of a peer review conducted by Actimize, a provider of fraud and financial crime management solutions, and managed by Infosurv, 30 percent of financial institution respondents believe they have witnessed fraud involving card track data stolen from TJX or Heartland.
Given the magnitude of these breaches and the rate at which they have started to turn into actual identity theft and fraud attacks, financial institutions, merchants and consumers should assume that major attacks are on the horizon, if not already underway, and should implement the strategies and technologies required to minimize fraud losses and customer impact.
In order to minimize the risk associated with the theft of personal identifying and financial information, it is important for financial institutions, merchants and consumers to understand the nature of the potential threat.

Data Compromise Attack Vectors

Counterfeit Card Fraud
The Heartland-Hannaford attack may be the largest data breach to date, with data from an alleged 130 million cards now out in the open. The stolen card track data can be encoded onto counterfeit cards by creating duplicate magnetic stripes. The ease with which counterfeit card fraud can be committed has attracted the attention of organized crime, such as the group indicted with Gonzalez in connection with both these attacks and the TJX breach. Fraud migrates to the path of least resistance, and with large amounts of stolen card data exposed, counterfeit credit and debit card fraud is an easily accessible path for criminals.

Cross-Channel and Phone Fraud
Phone banking operators typically verify a number of key data points to ensure that they are talking to the actual customer. When a majority or all of those data points are compromised, the phone channel can be a particularly easy access point for fraudsters. The real danger in this exposure stems in part from overconfidence in the security of authentication, combined with the “personal” interaction of the phone channel. A number of recent post-breach attacks have involved the use of the phone channel to complete the information required to use card track data stolen in mass compromise events. Although social engineering attacks like this are nothing new, criminals have added one innovation: imitating the issuer's actual fraud operations unit. Using minor but effective innovations like this, criminals have shown that a key part of their post-breach process is to collect additional information, perform test attacks across channels and fully penetrate via multiple channels or payment mechanisms in order to maximize their returns.

Trading of Credentials in the Black Market
As in any other industry, criminals tend to have specialized functions. For example, identity thieves sell identity information to other criminals, who can then use it to defraud financial institutions by conducting transactions or opening new accounts under false pretenses. Compromised data is usually sold in small bundles of accounts and information through Internet transactions. Large volumes of information trading often begin with online introductions and are consummated offline or by using proprietary electronic transfers. With a large amount of information available in the black market on the Internet, one can expect this information to be broken up and sold to criminals around the globe in small transactions. As is evident from past cases, the fraudsters will usually attempt to verify the accuracy of the information by performing test transactions online, at unmanned gas stations, or through other anonymous channels.

Protecting Yourself from Mass Data Compromise
Although mass data compromise has become a fact of our financial lives, a great deal can be done to mitigate the impact that these attacks have on our wallets and on our bottom lines as consumers, merchants and financial institutions.
The advice offered to consumers in the aftermath of these attacks usually amounts to the types of things any responsible consumer should already be doing: monitoring their credit history, for example. The reality is that the best advice we can offer consumers is to assume that, even if they haven't been notified of a breach affecting them, some part of their personal financial information is in the open. Assuming that you are at risk doesn't have to lead to panic, but it should mean conducting our day-to-day financial lives with a certain degree of wariness. By assuming that some part of our financial information is already compromised, consumers may be better able to spot subsequent attacks looking for additional personal data. It may not be comforting to assume that we are already at significant risk, but it is the only real guiding principle that may keep a consumer safe from future attacks.
Merchants can also benefit from a similar degree of wariness. The Gonzalez indictment shows the degree of organization and determination on the part of organized criminals to find the weak points in the card and payments infrastructure. Current standards enforced by the card networks and emerging discussions on end-to-end encryption may one day create technical and regulatory schemes that provide a more predictable layer of security. But for now, the best defense is to assume that attacks like those allegedly perpetrated by Gonzalez are underway today. Following the implications of this assumption means asking basic questions about the security of Internet connections, merchant and corporate intranets and email communications. It also means establishing an atmosphere in which suspicious encounters with persons claiming to be technicians or vendors are always questioned by employees, no matter how convincing their paperwork or demeanor.
Financial institutions such as banks, issuers, acquirers and processors are equally responsible for helping to establish a defense against financial crime, by establishing an automated, cross-channel system for monitoring all accounts for signs that an attack originating from a data compromise event is in progress. Financial institutions need to ensure that they are neither waiting for the fraud to happen, on the idea that given the scale of the breach there is nothing that can be done, nor overcompensating for the breach on those accounts by unfairly impacting innocent customers. They should explore their options for introducing effective data compromise capabilities into their existing detection solutions and look, in the longer term, to deploy a solution focused on the increased data breach threat across the enterprise.
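The cross-channel monitoring described above can be made concrete with a small scoring pass over an event log. The following is an added illustrative example, not code from this article, from Actimize or from any issuer's system. It looks for the post-breach sequence the article describes: a card whose BIN an issuer has flagged as exposed, low-value "test" authorizations at anonymous channels (online, unmanned fuel pumps), a phone-channel contact shortly afterwards, and then a large purchase; it also flags terminals where several exposed cards were tested. The event fields, thresholds, weights, the compromised-BIN list and the sample events are all assumptions constructed for this example.

```python
"""Scoring accounts for post-breach, cross-channel fraud patterns.

Added example, not the article's or any vendor's code. All field names,
thresholds, weights and sample data below are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: BINs (first six digits of the card number) flagged as exposed in a breach.
COMPROMISED_BINS = {"411111", "522222"}
TEST_MAX_AMOUNT = 5.00                 # assumed ceiling for a "test" authorization
LARGE_AMOUNT = 500.00                  # assumed floor for a "cash-out" purchase
ANONYMOUS_CHANNELS = {"online", "fuel_pump", "kiosk"}
WINDOW = timedelta(hours=48)           # assumed look-ahead after a test authorization
ALERT_THRESHOLD = 3

WEIGHTS = {
    "bin_in_known_breach": 1,
    "large_purchase_after_test_auth": 2,
    "phone_contact_after_test_auth": 2,
    "shared_test_terminal": 1,
}

# Constructed sample events: (timestamp, card number, channel, amount, terminal id).
# Phone-channel events carry amount 0.00 and terminal id "phone".
SAMPLE_EVENTS = [
    ("2009-08-01T10:00", "4111111111111111", "fuel_pump",    1.00, "FP-17"),
    ("2009-08-01T11:30", "4111111111111111", "phone",        0.00, "phone"),
    ("2009-08-02T09:00", "4111111111111111", "pos",        850.00, "POS-9"),
    ("2009-08-01T10:05", "5222222222222222", "fuel_pump",    1.00, "FP-17"),
    ("2009-08-01T10:40", "5222222222222222", "online",       2.00, "WEB-1"),
    ("2009-08-02T15:00", "5222222222222222", "online",    1200.00, "WEB-3"),
    ("2009-08-01T12:00", "4000001234567890", "pos",         45.00, "POS-2"),
    ("2009-08-03T12:00", "4000001234567890", "pos",         60.00, "POS-2"),
    ("2009-08-01T08:00", "4111112222333344", "pos",         30.00, "POS-5"),
]


def is_test_auth(channel, amount):
    """A small authorization at a channel where nobody looks at the cardholder."""
    return channel in ANONYMOUS_CHANNELS and 0 < amount <= TEST_MAX_AMOUNT


def group_by_account(events):
    """Map card number -> time-ordered list of (timestamp, channel, amount, terminal)."""
    by_pan = defaultdict(list)
    for ts, pan, channel, amount, terminal in events:
        by_pan[pan].append((datetime.fromisoformat(ts), channel, amount, terminal))
    for rows in by_pan.values():
        rows.sort()
    return by_pan


def account_reasons(pan, rows):
    """Per-account signals: exposed BIN, and what follows each test authorization."""
    reasons = set()
    if pan[:6] in COMPROMISED_BINS:
        reasons.add("bin_in_known_breach")
    for i, (ts, channel, amount, _) in enumerate(rows):
        if not is_test_auth(channel, amount):
            continue
        for later_ts, later_channel, later_amount, _ in rows[i + 1:]:
            if later_ts - ts > WINDOW:
                break
            if later_channel == "phone":
                reasons.add("phone_contact_after_test_auth")
            elif later_amount >= LARGE_AMOUNT:
                reasons.add("large_purchase_after_test_auth")
    return reasons


def shared_test_terminals(by_pan):
    """Terminals at which two or more breach-exposed cards were test-authorized."""
    seen = defaultdict(set)
    for pan, rows in by_pan.items():
        if pan[:6] not in COMPROMISED_BINS:
            continue
        for _, channel, amount, terminal in rows:
            if is_test_auth(channel, amount):
                seen[terminal].add(pan)
    return {terminal for terminal, pans in seen.items() if len(pans) >= 2}


def score_accounts(events):
    """Return {card number: (score, sorted reason names)} for every account seen."""
    by_pan = group_by_account(events)
    hot_terminals = shared_test_terminals(by_pan)
    results = {}
    for pan, rows in by_pan.items():
        reasons = account_reasons(pan, rows)
        if any(t in hot_terminals and is_test_auth(c, a) for _, c, a, t in rows):
            reasons.add("shared_test_terminal")
        results[pan] = (sum(WEIGHTS[r] for r in reasons), sorted(reasons))
    return results


def alerts(events, threshold=ALERT_THRESHOLD):
    """Accounts whose combined signals reach the review threshold."""
    return {pan: r for pan, r in score_accounts(events).items() if r[0] >= threshold}


if __name__ == "__main__":
    for pan, (score, reasons) in alerts(SAMPLE_EVENTS).items():
        print(f"{pan[:6]}******{pan[-4:]}  score={score}  {', '.join(reasons)}")
```

Two design points follow the article's advice. Reasons are collected as a set, so an account is scored on which patterns appear rather than on how many transactions it made, which keeps a busy but legitimate customer from being penalized for volume alone. And an exposed BIN on its own scores well below the alert threshold: the sample account ending in 3344 sits on a flagged BIN but behaves normally and is left alone, while the two accounts that show a test authorization followed by a phone contact or a large purchase are surfaced for review.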

The reality is that while there is no silver bullet that will prevent mass compromise attacks in the first place or stop every resulting fraud attempt, a multi-layered effort involving consumers, merchants and financial institutions can be used to control the threat and to keep our financial lives largely safe and sound.