Thursday, August 7, 2008
The future of mass card theft (and PCI)
The indictment of 11 people on a mass card theft is all over the news this week. I've seen reports about software developed to steal cards, war driving and other stuff that I really don't know if it's just bad press or actual facts. There are some good info here and here.Of course PCI will be brought into the middle of the discussion about the methods used by the group. It seems that the attacks happened a long time ago (2003), but it's interesting to look into the story with the eyes of the standard. Like, why was so easy to these guys to go into the card data environment (CDE)? PCI has very specific rules about wireless networks, what I'm almost sure that those companies were not following. Besides that, it seems that all that information was being transmitted without proper encryption.An interesting aspect of the attacks is that they used tools developed specifically to steal card data. In the same way that there are tools being designed to identify sensitive data in order to protect it (DLP tools, e-discovery stuff), tools designed to steal that data will also be developed. I was reading on Hay's blog today about the Coreflood Trojan. Criminals developed a trojan and deployed that in a clever way to avoid being detected. They used a strategy that we have been using on "penetration tests" for years, to leverage access to a workstation and wait for an domain administrator to log in there to steal his passwords (and the keys to the kingdom). The results? According to Joe Stewart from SecureWorks, "463,582 user names and passwords to more than 35,000 domains. Nearly 8,500 passwords were for banks and credit unions in the United States and overseas. "So, we can see that criminals have leveraged the ability to go into large corporate networks with high privileged access rights. They also know what information they need to get, and the technology to look for that is improving everyday. It's not hard to play the oracle and say that in a near future we will witness some huge scams performed by very organized criminal groups. Welcome to the future.