In the wake of what federal authorities have called the biggest international carding-crime takedown in history, industry experts say the bust, while positive, won't have any long-term impact on card fraud.
"This is just the tip of the iceberg," says Bill Wansley, a financial fraud and security consultant at Booz Allen Hamilton. "The amount of credit card fraud that is going on is phenomenal."
Still, learning how alleged fraudsters hacked systems and traded in stolen credit- and debit-card numbers can help organizations take steps to protect their customers' and stakeholders' sensitive information.Authorities in the United States and abroad earlier this week arrested 24 suspects linked to underground forums used to sell stolen card information and perpetrate financial fraud. The takedown resulted from a two-year undercover program named Operation Card Shop, an initiative that revolved around collaborative investigations conducted by U.S. authorities and numerous international law-enforcement agencies [see 24 Busted in Int'l Card Fraud Sting].
As part of the investigation, the FBI notified 47 different companies, government entities, and educational institutions about breaches to their networks that exposed card details, as well as other personal and financial information. More than 411,000 credit and debit cards were compromised as a result, and the FBI says it notified multiple institutions and individuals, so that they could take action to respond and protect their accounts. The FBI estimates its timely notification of the card exposures likely prevented more than $205 million in fraud losses.
"The Internet has opened up fabulous ways for doing business and conducting commerce globally, but now we are paying the consequences for not keeping it secure," Wansley says.
How Hackers Get In
Though the FBI declines to discuss exactly how the fraudsters hacked the networks from which they allegedly collected card details, most of the breaches were likely perpetrated through phishing attacks, says George Tubin, a financial fraud expert with online security provider Trusteer.
"It's all malware-driven, and these enterprise, organizational-level, attacks are on the rise," Tubin says. "The enterprise has employees that are using PCs that they take home and get hit with malware. Then they come back to work and connect to the network. And it's easy pickings for hackers, because these companies are just not used to protecting themselves from this sort of thing."
It's a serious problem, and the real answer is ensuring organizations implement tools to detect malware and stop it.
But it's not all malware. Wansley says underground crime sites, like the ones monitored in Card Shop, are too prevalent. Even if authorities could shut them all down, security risks inherent to electronic commerce and the United States' outdated payments infrastructure have opened a door to fraud that can't be closed, much less locked.
Any organization that conducts financial transactions has to change its mindset about payments security. "Just one gap exposes everything and everyone," Wansley says. "It only takes one phishing attack to get in, and these large organizations are being attacked thousands of times a day. Add-on security patches aren't going to protect you."
Reducing Risk: Best Practices
So what best practices can organizations implement to reduce their network risks and protect cardholder data?
Four Keys to Better Security
- Educate Employees. Educating end users about malware threats and how they are used to compromise accounts is critical. And since most malware attacks are waged through socially engineered schemes, such as phishing, employees need to understand how they can better identify schemes, to prevent falling prey to them.
Ben Knieff, who oversees fraud prevention strategy for NICE Actimize, which provides anti-fraud and anti-money-laundering solutions to the financial services and other industries, says end users are the weakest links. Though many have gotten better at spotting phishing e-mails, they're still prone to fall for other socially engineered schemes, such as phone calls or texts that con them into giving out personal details.
- Don't Store Data You Don't Need. A tenet of the Payment Card Industry Data Security Standard is to not store card data. More often than not, when organizations are hacked, the compromised information turns out to be data they didn't need to retain. Outdated point-of-sale software is usually to blame. Organizations need to ensure their systems aren't storing more information than is necessary. "PCI is just one component, and it's only as good as everyone's ability and willingness to conform to it," Knieff says. "Every weak link becomes a target."
- Encrypt. In some cases, maintaining databases of card data and other transactional information and history is necessary. But any relevant transaction or card data must be encrypted. "The earlier that we can encrypt information, the better off we are," Knieff says. "Even if they get through firewalls, criminals can't use data if it's encrypted."
In fact, PCI calls for card details to be encrypted from end to end during the transaction process. Any card data stored in clear text, obviously, violates PCI and is simply a poor security practice.
- Invest in Anti-Fraud Solutions. Investing in tools to detect and prevent malware has to be a priority. "It's just a matter of detecting when it's there and stopping it," Tubin says.
The exposure of card data could be less of a problem in the future, once the United States enhances its card technology and migrates away from the magnetic stripe. The use of chip-based cards, at least where card-present transactions are concerned, could prevent card details from being exposed.
In Europe and other parts of the world, where chip cards that conform to the Europay MasterCard Visa Standard are mandated, card fraud has dropped dramatically. EMV cards use microprocessor chips, rather than mag-stripes, to store data on the card. The chip is deemed more secure, because all data saved on the chip is encrypted. When a card-present transaction is conducted at the point of sale, the merchant never gets card data, so the risk of storing or exposing that data is eliminated.
EMV chips also address concerns some posed by outdated point-of-sale devices themselves, which may not encrypt card data in real-time as a transaction is conducted.
"We're using fundamentally insecure ways to make payments," Knieff says. "We've got data on the mag-stripe, and it's freely and available. We need to encrypt it, so you wouldn't be able to use it for fraud."