Article
Hacking Horror of the Month - What Price Your Customer Data?
There is still a popular misconception that skilled hackers predominantly focus on attacking banks and large financial services companies. This line of thinking misses the point that criminals do not just steal money: they also steal things that they can sell to other people, as an alternative means of achieving the same objective. For example, cigarettes have always been a prime target for “traditional” thieves - not because thieves have extreme smoking habits, but because packets of cigarettes are easy to sell in readily accessible “markets” (dodgy pubs and clubs etc.).
Research into Internet Relay Chatrooms is increasingly showing that customer credit card data is becoming the cyber criminal’s equivalent of cartons of cigarettes - with the chatrooms playing the role of the dodgy pub.
Leading UK newspaper The Times recently ran a major story on the “market” for stolen credit card data obtained by hackers breaking into databases. It appears that a structured market for such data now exists in certain internet chatrooms with a broadly understood pricing model:
- Regular credit card number: US$1
- Credit card with 3-digit security code: US$3-$5
- Credit card with code and PIN: US$10-$100
- Social security number (US): US$5-$10
- Mother’s maiden name: US$5-$10
So, if a hacker manages to gain access to a database containing just the basic credit card details (card number, 3-digit verification code and expiry date) of, say, 3,000 customers, they will be able to sell that data for somewhere between US$12,000 and US$18,000 in a recognised “market” (chatroom). Not bad for a few hours’ work.
This research serves to reinforce the point that cyber criminals can make a lot of money quickly and easily by gaining access to any customer database that contains credit card details and then selling that information - irrespective of whether that database belongs to a DIY store, a travel shop, or an interest group where subscribers pay an annual membership fee. So next time you hear an IT manager saying “oh, hackers wouldn’t be interested in us, we just sell wine / sports gear / didgeridoos”, you may like to make the point that irrespective of what you sell or what service you provide, if your customer databases contain credit card information then professional hackers will most likely be very interested in you.
The Times’ article goes on to state that specialist organisations monitoring the chatrooms that serve as the marketplaces for the stolen data claim that the thieves are usually highly skilled gangs working out of Eastern Europe or Asia. These cyber criminals typically gain access by exploiting SQL injection vulnerabilities in web applications, and in many instances the organisation whose database has been pillaged has no idea that the hackers have been and gone.
Of course, many countries now have legislation in place (data protection and privacy legislation) that is intended to force organisations that hold data such as credit card details to take reasonable care in ensuring that their data is properly protected. However, given the evidence that an international market in stolen credit card details has sprung up, it seems clear that this legislation is not working. Prosecutions under this type of legislation are rare, and many organisations that do hold credit card data seem unaware of the steps they should be taking to satisfy their legal obligation of taking “reasonable care”.
Things need to change before the problem hits epidemic proportions, potentially resulting in a mass loss of confidence in the whole concept of e-business. If governments and law enforcement agencies will not take action, it seems likely that the commercial enterprises that currently carry the losses flowing from the resultant fraud - mainly the banks and credit card companies - will look to find ways of getting the holders of the databases to step up to the mark and get an appropriate level of security in place.
Nick Gifford
Managing Director
The full story from The Times can be found at http://www.timesonline.co.uk/article/0,,2-2135302_1,00.html