Like metastatic cancer, the cyberattacks originating from ordinary hackers all the way up to national governments seem to be getting worse by the day, according to security experts who spoke Wednesday to a conference of e-commerce executives.
Case in point: last week, citizens of South Korea couldn’t use banks or watch TV because North Korea had launched a cyberattack against its neighbor’s broadcasting and financial systems, according to Richard Clarke, a prominent author, consultant and national security advisor to three presidents.
“The North Koreans gave us a little example of what they could do last week,” Clarke told attendees at the Merchant Risk Council’s 11th Annual eCommerce Payments & Risk Conference in Las Vegas.
Clarke said the firewalls and other measures used by everyone from leading tech companies to merchants are proving ineffective against increasingly sophisticated computer criminals and governments bent on stealing trade secrets or crippling their enemies. He pointed to the 2011 breach at EMC Corp.’s RSA division, one of America’s most sophisticated data-security companies. It happened after an RSA employee opened an e-mail that looked like it came from RSA’s human-resources department but in fact was the work of Chinese cyberspies looking for the technology behind RSA’s two-factor authentication. The e-mail contained potent malware that, when opened, became the administrator of RSA’s computer system, found what it was looking for, gathered it up and sent it to China—all in seven minutes.
“Did the antivirus work? Did the firewall work? Did the intrusion-detection system work? No,” said Clarke. “That’s what’s happening to your company.”
Meanwhile, hackers who break into merchant and processor databases to steal payment card numbers, and the resellers they work with, are increasingly applying the tools of automation to their trade, said Brian Krebs, a former Washington Post security reporter who now runs the KrebsOnSecurity blog. Krebs spends much of his time exploring underground online “carding shops” where stolen credit and debit card numbers are sold.
“The number of these has skyrocketed over the past year and a half … the bad guys creating turn-key solutions,” said Krebs, who spoke after Clarke.
An increase in automated software tools available to hackers is the reason such carding sites have proliferated, according to Krebs. These tools enable sellers to offer buyers stolen card numbers sorted into ever more specialized groups, such as those in specific bank identification number (BIN) ranges, or groups of cards protected or not protected by so-called 3-D Secure technology such as Visa’s Verified by Visa or MasterCard’s SecureCode. Carding shops can assure buyers that a batch of numbers is recently stolen, meaning counterfeit cards created with the data are likely to get authorizations when they’re used.
Clarke urged online retailers and payments executives to work more closely together so that government hears their concerns. But he also urged them to find stronger data-security technology than the outmoded systems in use today. He praised the so-called Fast Identity Online (FIDO) Alliance, formed last summer by several companies, including PayPal Inc., to develop stronger authentication systems.
“If that can be accomplished, we can make a real dent in cybercrime,” Clarke said.