A report from Verizon Business says that businesses are making it easier
than it should be for criminals to steal critical data. As criminals innovate,
businesses grow ever more vulnerable, and many fail to comply with even basic
security standards such as PCI DSS, the payment card industry’s data security
standard.
Past security failures have flooded the underground market with credit
cards, according to the 2009 Data Breach Investigations Report from Verizon
Business’ Response Intelligence Solutions Knowledge (RISK) team, which
summarizes the lessons learned from investigations into 90 security breaches
during 2008.
Credit card numbers alone are worth little now, so criminals want PINs
as well. Earlier this week, Symantec reported that credit card data
can sell for as little as six cents in online criminal markets, which
consist of “various forums, such as websites and Internet Relay Chat (IRC)
channels, which allow criminals to buy, sell, and trade illicit goods and
services.” Verizon reports the value of credit card data at fifty cents,
down from a minimum of $10 in mid-2007.
In contrast, Symantec said, bank credentials can sell for $10 or more.
Verizon did not disclose a price for PIN data, but said, “the big money is
now in stealing personal identification number (PIN) information together
with associated credit and debit accounts.”
Since PIN data is worth more, criminals are investing in malware tools
specifically designed to obtain it. The tools are working, said Verizon,
leading to “the successful execution of complex attack strategies previously
thought to be only theoretically possible.”
Victims lose money directly, since PIN fraud typically means cash is
withdrawn straight from the consumer’s account. Victims will also find it
harder to prove that an ATM withdrawal was fraudulent than, for example, a
credit card transaction. “This makes the recovery of lost assets more
difficult than with standard credit-fraud charges,” the report said.
The blame
What can victims do to prevent the problem before it occurs? The report
has suggestions for businesses but none for end users. Others, however, are
responding to the report.
Martin McKeay of PCI consultancy TrustWave wrote in his Network Security
Blog that those who complain about the cost of security have “mortgaged the
security of their company in favor of short-term savings. They’ve assessed
the risk and come to the conclusion that it’ll be easier to ignore the
problem and hope they don’t get compromised.”
Is it fair to blame the merchants? The report says that 81 percent of
the companies it covers were not PCI-compliant, meaning that they failed to
meet the standards set by the payment card industry. On the other hand, the
remaining 19 percent were compliant and still suffered breaches, the report
notes.
Compliance limits but does not eliminate risk, said Verizon security team
member Alex Hutton in a blog post called There’s nothing wrong with the PCI DSS, noting,
“We can be more or less secure, but some risk will always exist.”
While the Verizon team urges readers not to rush to judgment, McKeay is
ready to do so. He wrote that the merchants covered in the study who were
not PCI compliant “played roulette and lost.”
Others agreed. “You have to ask yourself which you prefer: take PCI and
security seriously, or drive into work one morning and see your president in
front of a bunch of film crews explaining how you managed to lose all that
payment card information on all those people,” wrote Walt Conway on the
blog of the Treasury Institute for Higher Education, an organization
dedicated to improving the management of money by schools and universities.
Because the report covers actual security events, one commentator found
it particularly insightful. “This is not your mother’s CSI/FBI survey; this
is actually objective data on security (= rare and valuable)!” wrote Anton Chuvakin, director of PCI compliance solutions at security
provider Qualys.