Get Ready for Big Data Heists
The theft of big data will be one of 2014's recurring themes, so protect yourself.
Already there has been the massive plastic card data theft in South Korea, affecting about 60 million cards; the Target Corp. credit card disaster involving up to 40 million customers; the hacking of 16 million German e-mail accounts; data security breaches at Neiman Marcus Inc. and Easton-Bell Sports Inc.; and a group of Russian hackers who compromised the computer systems of Western energy and defense companies, governments, and academic institutions. We're still in January.
These security breaches were all different but had a common cause: negligence. Although the technology and techniques to protect data, or at least to make life more difficult for hackers, have been around for years, companies and their customers mostly assumed that data theft was something that happened to other people. They need to start getting wise.
The U.S. retail attacks are part of a recent trend, reported by the cybersecurity firm CrowdStrike, in which the hackers (or "adversaries," as the company describes them) target point-of-sale devices in which physical credit cards are swiped. "As that swipe occurs, the magnetic track of the card is read into memory and encoded to be transmitted to the payment processing systems," CrowdStrike explained in its 2013 report. The attackers harvest the card data during that brief window in the terminal's memory, before it is encoded for transmission, using malware that appears to have originated in Russia, allegedly with a 17-year-old living in Nizhny Novgorod. Security firm IntelCrawler named the youngster as the author of BlackPOS, a memory-scraping kit used against point-of-sale terminals. "The fallout from these attacks has been well publicized and as a result it is likely that other criminal adversaries" will use similar methods, CrowdStrike predicts.
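What a memory scraper such as the one CrowdStrike describes actually looks for is magnetic-stripe track data sitting in process memory. The same pattern matching is what a defender runs over a memory dump of a point-of-sale process to check whether card data is exposed in the clear. The following is an added example written for this page, not code from the column, from CrowdStrike or from BlackPOS; the byte buffer is constructed, and the PAN 4111111111111111 is a standard test number, not a real card. Function names (luhn_ok, find_track_data, mask_pan) are the author's own choices.

```python
"""Scan a memory buffer for magnetic-stripe Track 1 / Track 2 data (detection example)."""
import re

# Track 1: '%B' PAN '^' cardholder name '^' YYMM expiry, 3-digit service code,
# discretionary data, '?' end sentinel. Track 2: ';' PAN '=' YYMM, service code,
# discretionary data, '?'. PANs are 13-19 digits.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})(\d*)\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: filters out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits; a scanner must never log full PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> list:
    """Return one record per plausible track-data hit, with the PAN masked."""
    hits = []
    for track, pattern in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in pattern.finditer(buf):
            pan = m.group(1).decode()
            if not luhn_ok(pan):
                continue        # layout matched, but the checksum says it is not a card number
            expiry = m.group(3 if track == 1 else 2).decode()
            hits.append({
                "track": track,
                "offset": m.start(),
                "pan_masked": mask_pan(pan),
                "expiry": expiry,
            })
    return hits


# Constructed memory image: terminal banner, one Track 1 record, junk, one Track 2
# record, and a decoy whose PAN fails the Luhn check (assumed layout, not a real dump).
SAMPLE_MEMORY = (
    b"\x00\x00POS_TERMINAL_v2.1\x00\x00"
    b"%B4111111111111111^DOE/JOHN^15121011234567890000?"
    b"\x00\x00\x00garbage\xff\xfe"
    b";4111111111111111=15121011234567890?"
    b"\x00\x00"
    b";4111111111111112=15121011234567890?"
    b"\x00\x00"
)

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_MEMORY):
        print(hit)
```

Run against a real process dump, two hits like these would mean the terminal holds unencrypted track data between swipe and transmission, which is exactly the window a scraper exploits; the Luhn filter matters because random digit runs that fit the layout are common in large dumps.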
Chip cards would not have stopped the malware from reading the terminal's memory, but they would have made the haul nearly worthless: a chip transaction is authenticated with a one-time cryptogram rather than the static stripe data a counterfeiter needs, which is why chip-and-PIN has sharply reduced card-present fraud in Europe in recent years. The development of BlackPOS and its different flavors available to copycat thieves tells U.S. bankers and stores that it is time to catch up and invest in chip-and-PIN.
In South Korea, where 70 percent of payments are non-cash, the card information theft was apparently an inside job: A contractor working for a credit bureau simply downloaded the information onto a portable hard drive. He then began selling the database, and there were eager buyers precisely because, as in the U.S., chip-and-PIN technology is not common in Korea.
Chips and their PINs do nothing to protect online transactions, where they can't be used. Yet the recent major data leaks involved card-present, face-to-face payments, which can be protected with a little determination.
In the cases of Target, the German e-mail theft and the supposedly government-backed Russian hacking group (which CrowdStrike dubbed "EnergeticBear"), the hackers appear to have exploited weak passwords. Software maker SplashData has just published its annual "Worst Passwords" list, where "worst" means most commonly used. At the top of the charts was "123456," displacing last year's winner, "password." Nor do "letmein," "iloveyou" and "abc123" adequately protect your personal data. They may allow hackers to penetrate your employer's network, too, causing a major breach such as the ones mentioned above. It is also a bad idea to click on links e-mailed by people you do not know. CrowdStrike believes hackers working for the Chinese government are accomplished at sending out those tempting links.
Cybercriminals, of course, abuse less obvious vulnerabilities, such as those in site-building software. In these cases, they often buy malware rather than develop it themselves. According to CrowdStrike, there has been a surge in so-called bug bounty programs from companies such as Microsoft, Yahoo! and PayPal that pay hackers to uncover bugs and vulnerabilities in their products. The risk the report points to is that a hacker who finds such a bug can instead write an exploit for it and sell that on the black market, aimed at the same Microsoft, Yahoo or PayPal products. "This trend will continue in 2014 with an increase in black market activity of newly discovered vulnerabilities and newly developed exploits. As the black market activity increases, so will the demand for custom-made malware," said the CrowdStrike report.
This, too, is about negligence, only this time on the part of software makers. Rather than step up efforts to protect their products, they are helping create a market in malicious software.
The one lesson for everyone -- whether banks, retailers, software makers or customers -- is that in keeping information safe, it doesn't pay to be lazy or cheap.
(Leonid Bershidsky is a Bloomberg View contributor. Follow him on Twitter.)