Saturday, April 18, 2009

New Cybercrime Study out

It's very interesting. Not because of the conclusions:
  • 2008 was the biggest year ever for Cybercrime.
  • The financial services industry was disproportionately targeted.
  • Most successful hacks were discovered by someone other than the victim.
Not hard to see that coming. No, what makes this very, very interesting indeed is that the data came from a study of 90 confirmed data breaches, representing 285 Million compromised credit cards.

Yes, that was "million". At around $15 to reissue each card, that's $4 Billion of hard cost damage, from 90 incidents. This doesn't cover theft from fraudulent transactions and the rest.

Yes, that was "billion".

The biggest news is that this finally puts to rest the old chestnut that "most attacks come from the inside" - from people who work for the organization. Only 20% of the 90 incidents were insider attacks, something that will only surprise security researchers stuck in 1989.

The Old School attack methods - deceit, misuse, physical theft - are pretty clearly ineffective: only 10% of the card numbers were compromised that way, although people tried in 43% of the cases. Old School doesn't pay.

New techniques like malware and hacking were seen in the breaches that got 90% of the cards. This pays, which is why the Bad Guys are attracting some very good talent indeed.


It's not surprising that 69% of the organizations that were victimized didn't realize what was happening until someone (often Visa or MasterCard) called them to let them know. Visa, MasterCard, American Express (and a few other credit card companies) got together quite some time ago to form the "Payment Card Industry" (PCI). The PCI issued a Data Security Standard which actually sets quite a low bar for security, but all companies that process, store, or transmit card data are required to comply.

Want to guess what percent of the companies victimized here were compliant?

19%.

Companies hate to spend money to comply with PCI. Billions of dollars are lost because of this. Security is hard, and expensive, and you still often lose. Now, at least, there's some very good data that shows just how bad things are.

Most disturbing (for you and me) is that the Bad Guys are shifting their targets to something that will be much more painful to you and me:

Big Money Now: The big money is now in stealing personal identification number (PIN) information together with associated credit and debit accounts. In 2008, Verizon Business witnessed an explosion of attacks targeting PIN data.

Hitting Consumers Hard: PIN-based attacks hit the consumer much harder than typical signature-based counterfeit attacks in which a consumer’s credit card is compromised. Investigators found that PIN fraud typically leads to cash being withdrawn directly from the consumer’s account – whether it is a checking, savings or brokerage account – placing a greater burden on the consumer to prove that transactions are fraudulent.

If large numbers of account holders start losing big money from their accounts, expect big-time class action lawsuits. I expect that companies will cover these losses, because with the high level of PCI non-compliance, the discovery process will expose what will only be explained as gross negligence. Note that I'm not talking about banks here - in my experience, banks have very good (and very well funded) security programs. Instead, look to retailers (see the TJX incident) and processors (Heartland) as the most likely first class action targets.
