Hackers Steal Card Data
Thursday, February 25, 2010
A growing emphasis by computer hackers on stealing payment card data from hotels and resorts and their increasingly sophisticated malicious software and attack methods are two highlights in a new report from security consulting and technology firm Trustwave Holdings Inc.
Trustwave’s Global Security Report 2010 summarizes findings from the Chicago-based firm’s investigations of 200-plus data breaches last year as well as 1,800 penetration tests of clients’ computer systems to find vulnerabilities. It’s the third such annual report Trustwave has done, and the number of data breaches has gone up every year, according to Nicholas J. Percoco, senior vice president of SpiderLabs, Trustwave’s investigative and research division. Hackers went after payment card data in 98% of the cases SpiderLabs investigated.
Restaurants for some time had been the most frequent targets of hackers looking for card data—data often stored on the older point-of-sale software systems common in many restaurants—but Trustwave’s new report shows that attackers are shifting toward the hospitality industry. Hotels and resorts accounted for 38% of the breaches that SpiderLabs investigated last year. This new focus on the hospitality industry is part of a movement by computer criminals away from opportunistic or random attacks and toward more targeted ones. “Hackers learned about a specific attack method and created cookie-cutter attacks,” Percoco tells Digital Transactions News.
Restaurants and related businesses remain popular with hackers; the food and beverage category accounted for 13% of SpiderLabs’ data-breach investigations. Financial-services companies came in second after the hospitality industry, at 19%, followed by retailers, 14.2%; business services, 5%; technology firms, 4%; education and manufacturers, each with 1.4%; and other, 4%.
A common feature of most hotel/resort data breaches was the use by hackers of so-called remote-access application attacks. Such attacks exploit Internet-facing channels created by information-technology staffs or outside IT specialists in order to service their hotels’ computer systems, whose software typically intermingles payment card and related business data. Many such systems are lightly defended from outside attack. “The majority have very weak passwords,” Percoco says. In fact, some had no passwords at all while others had default passwords or common, easily guessed ones.
Hackers use remote-access application attacks against not just hotels but other businesses too, and the method is their most popular way of breaking into computer systems. Other frequently used attack methods include third-party connectivity, which can compromise dispersed data networks connected by a physical telecommunications line, and SQL injection, which uses code to exploit vulnerabilities in the database layers of software applications.
After gaining access to a computer system, hackers still have to actually capture the information they want and get it out. Harvesting such data is getting more sophisticated as security standards, including the Payment Application Data-Security Standard, or PA-DSS, take hold and reduce insecure data-storage practices, according to the report. In 54% of SpiderLabs’ cases, hackers went after data in transit using four main types of malicious software. By far the most common was the memory parser, used in 67% of such cases. Memory parsers monitor the random access memory (RAM) used by a certain process, such as a credit card transaction, and parse the data that they are specifically designed to look for. These can include card numbers or bank account and routing numbers. Once the targeted data are captured, the hackers “are able to dump data out of that system on a periodic basis,” says Percoco.
While still not common, representing 6% of malicious software, so-called credentialed malware is another example of the growing technological prowess of hackers, according to Percoco. Hackers place such malware on a targeted system and then charge other criminals for access to it. Fraudsters access the malware by entering user names and passwords, responding correctly to challenge-response questions, or by using related authentication protocols. “The tools are getting more sophisticated,” he says. “[Hackers] are becoming more knowledgeable.”
Other report highlights:
--Third-party vendors working on behalf of companies targeted by hackers actually were involved in 81% of incidents that SpiderLabs investigated. Third parties often introduce vulnerabilities such as weak password protection.
--Data breaches tended to have long lives. The median “window of data exposure,” or the time hackers actually had access to targeted information, for breaches involving data in transit was 101.5 days. The median window for stored data was 686 days. If a computer stored three years of data, for example, the window would be three years even if the hackers’ intrusion lasted only a short while, according to SpiderLabs.
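The stored-data window above is set by how far back cleartext card numbers are retained, not by how long the intruder was present. As an added example (not from the Trustwave report or the original article), the Python below scans retained records for Luhn-valid card numbers and computes that window; the record format (ISO date first), field names, audit date and card numbers are constructed test values.

```python
import re
from datetime import date

# Candidate PANs: 13-19 digits, optionally split by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits):
    """Luhn checksum: filters out order IDs and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits):
    """Keep first six and last four digits so findings are safe to report."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_stored_pans(lines):
    """Return (line_number, masked_pan) for every Luhn-valid candidate."""
    findings = []
    for no, line in enumerate(lines, 1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append((no, mask(digits)))
    return findings

def stored_exposure_days(lines, audit_date):
    """Days from the oldest record holding a cleartext PAN to the audit date.
    Assumes each record starts with an ISO date (constructed format)."""
    hits = {no for no, _ in find_stored_pans(lines)}
    dates = [date.fromisoformat(lines[no - 1][:10]) for no in hits]
    return (audit_date - min(dates)).days if dates else 0

# Constructed sample records using well-known test card numbers.
SAMPLE_LOG = [
    "2007-03-14 folio=1182 card=4111 1111 1111 1111 exp=0309 auth=OK",
    "2008-11-02 folio=2290 order=1234567890123456 note=no card on file",
    "2009-12-30 folio=3371 card=5500-0055-5555-5559 auth=OK",
]

if __name__ == "__main__":
    for no, pan in find_stored_pans(SAMPLE_LOG):
        print(f"line {no}: cleartext PAN {pan}")
    print("stored-data window (days):",
          stored_exposure_days(SAMPLE_LOG, date(2010, 2, 25)))
```

Purging or truncating the oldest flagged records is what shrinks the window, since a single old record sets it regardless of intrusion length.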