The Green Sheet Online Edition
January 28, 2013 • Issue 13:01:02
Fraudsters persisting in the new year
We saw several notable data breaches in 2012, and the need for vigilance continues when it comes to card system security in both mobile and card-present environments.
From Zappos.com and Global Payments Inc. to LinkedIn, we saw several notable data breaches in the year just ended. However, the most noteworthy breach of 2012 occurred at the South Carolina Department of Revenue, according to attorney Ronald Raether, a partner at Faruki Ireland & Cox PLL in Dayton, Ohio.
That state agency breach highlighted a lingering problem. Government agencies remain vulnerable to hackers, just as they were five years ago, Raether told BankInfoSecurity.com in December 2012.
In the last quarter of the year just ended, 10 major U.S. banks were the targets of powerful, distributed denial-of-service (DDoS) attacks. In these attempts to make a machine or network resource unavailable to its intended users, perpetrators interrupt and sometimes cause the suspension of service provided by a host connected to the Internet.
One of the most common methods involves saturating target machines with external communications so that they cannot respond to legitimate traffic, or they respond very slowly, essentially making the site unavailable.
On Dec. 10, 2012, a group calling itself Izz ad-Din al-Qassam Cyber Fighters posted to a website that it would begin a second phase of a DDoS campaign against five U.S. banks. The group has reportedly targeted Bank of America Corp., SunTrust Banks Inc., PNC Financial Services Group Inc., U.S. Bancorp and JPMorgan Chase & Co., according to several news organizations.
"In [this] new phase, the wideness and the number of attacks will increase explicitly; and offenders and subsequently their governmental supporters will not be able to imagine and forecast the widespread and greatness of these attacks," al-Qassam's posting stated. And recently, the New York Times reported that U.S. officials believe Iran is behind the group's attacks. These banks reportedly had experienced an earlier phase of al-Qassam's DDoS attacks in September and October. So far, no evidence of fraud has been linked to these attacks, although the group continues to make threats against American banks.
PNC has suffered sporadic online access issues related to high volumes of traffic in recent months, but the bank was unable to link those issues to a DDoS attack. PNC spokeswoman Amy Vargo said some customers reported having trouble accessing the bank's site during the afternoon of Dec. 27, 2012, but the issue was intermittent, and systems were quickly restored to normal.
Arm your merchants with info
How can you reduce your merchants' risk? Unfortunately, no foolproof means of preventing DDoS attacks has been developed. Yet the following steps may prove helpful:
- Use appropriate technology such as cloud-based web servers, which can handle overflow when high volumes of web traffic strike.
- Constantly assess DDoS risks, and test your system quarterly.
- Implement a plan of resolution for potential DDoS attacks.
- Train your staff to quickly recognize a DDoS attack.
The latest breach
Another recent breach that carried over into 2013 occurred at New York-based wholesaler Restaurant Depot. The company notified officials in several states of a POS network breach that exposed a to-be-determined number of customer debit and credit cards.
This company experienced a similar breach in 2011 that affected over 200,000 individuals. Jetro Holdings Inc., parent company of Restaurant Depot, announced the most recent breach in December after several customers complained of fraudulent activity on their credit cards following purchases at the company.
Richard Kirschner, President of Restaurant Depot and Chief Operating Officer of Jetro Holdings, told BankInfoSecurity.com that only card numbers were exposed. He said the breach was not made through an individual POS terminal, but the company was still trying to determine how hackers obtained access. "It will take time; this was very sophisticated," he said.
Trying to plug an invisible security hole
Jetro Holdings stated in December that it had spent considerable resources over the prior year upgrading its card-processing systems at all locations to ensure they met security mandates. After the 2011 breach was discovered, the company hired Trustwave to help monitor its network. But ongoing monitoring failed to detect the latest attack.
Financial fraud expert Shirley Inscoe, of Aite Group LLC, told BankInfoSecurity.com that Restaurant Depot likely had multiple security gaps, despite its belief that it was Payment Card Industry Data Security Standard-compliant at the time of the recent breach.
"Investigations of stated. She predicted the card brands would levy fines this time. And card issuers would likely seek compensation for their costs as well, if they had to issue many new cards as a result of this data breach.
It will be interesting to see how this breach plays out. As for 2013, the need for vigilance continues when it comes to card system security in both mobile and card-present environments.
Nicholas Cucci is the Director of Marketing for Network Merchants Inc., a graduate of Benedictine University and a licensed Certified Fraud Examiner. Cucci is also a member of the Advisory Board and Anti-Fraud Technology Committee for the Association of Certified Fraud Examiners. NMI builds e-commerce payment gateways for companies that want to process transactions online in real time anywhere in the world. Contact him at email@example.com.