FBI Takedown Won't Curb Card Fraud

The Real Problem is Malware and Outdated Payments Tech

June 29, 2012
In the wake of what federal authorities have called the biggest international carding-crime takedown in history, industry experts say the bust, while positive, won't have any long-term impact on card fraud.

"This is just the tip of the iceberg," says Bill Wansley, a financial fraud and security consultant at Booz Allen Hamilton. "The amount of credit card fraud that is going on is phenomenal."

Still, learning how alleged fraudsters hacked systems and traded in stolen credit- and debit-card numbers can help organizations take steps to protect their customers' and stakeholders' sensitive information.

Authorities in the United States and abroad earlier this week arrested 24 suspects linked to underground forums used to sell stolen card information and perpetrate financial fraud. The takedown resulted from a two-year undercover program named Operation Card Shop, an initiative that revolved around collaborative investigations conducted by U.S. authorities and numerous international law-enforcement agencies [see 24 Busted in Int'l Card Fraud Sting].

As part of the investigation, the FBI notified 47 different companies, government entities, and educational institutions about breaches to their networks that exposed card details, as well as other personal and financial information. More than 411,000 credit and debit cards were compromised as a result, and the FBI says it notified multiple institutions and individuals, so that they could take action to respond and protect their accounts. The FBI estimates its timely notification of the card exposures likely prevented more than $205 million in fraud losses.

"The Internet has opened up fabulous ways for doing business and conducting commerce globally, but now we are paying the consequences for not keeping it secure," Wansley says.

How Hackers Get In

Though the FBI declines to discuss exactly how the fraudsters hacked the networks from which they allegedly collected card details, most of the breaches were likely perpetrated through phishing attacks, says George Tubin, a financial fraud expert with online security provider Trusteer.

"It's all malware-driven, and these enterprise, organizational-level, attacks are on the rise," Tubin says. "The enterprise has employees that are using PCs that they take home and get hit with malware. Then they come back to work and connect to the network. And it's easy pickings for hackers, because these companies are just not used to protecting themselves from this sort of thing."

It's a serious problem, and the real answer is ensuring organizations implement tools to detect malware and stop it.

But it's not all malware. Wansley says underground crime sites, like the ones monitored in Card Shop, are too prevalent. Even if authorities could shut them all down, security risks inherent to electronic commerce and the United States' outdated payments infrastructure have opened a door to fraud that can't be closed, much less locked.

Any organization that conducts financial transactions has to change its mindset about payments security. "Just one gap exposes everything and everyone," Wansley says. "It only takes one phishing attack to get in, and these large organizations are being attacked thousands of times a day. Add-on security patches aren't going to protect you."

Reducing Risk: Best Practices

So what best practices can organizations implement to reduce their network risks and protect cardholder data?

Four Keys to Better Security

  • Educate Employees. Educating end users about malware threats and how they are used to compromise accounts is critical. And since most malware attacks are waged through socially engineered schemes, such as phishing, employees need to understand how they can better identify schemes, to prevent falling prey to them.

Follow Tracy Kitten on Twitter: @FraudBlogger
