Consumers who have been lulled into a false sense of security over credit card fraud could be in for a rude awakening. That was the message delivered at Visa’s Global Security Summit held in Washington, D.C., on Wednesday.
Disclosure last week of a serious data theft involving some of the nation’s largest data brokers hovered over the conference, and some experts suggested it signals a new wave of sophisticated identity theft. A gang of criminals had long-term access to Social Security Numbers, dates of birth and a treasure trove of other non-financial information stored by Lexis Nexis and about a dozen other data brokers, security expert Brian Krebs reported last week. The data was often used to defeat so-called Knowledge Based Authentication, in which banks and other institutions ask personal questions to verify identities.
The incident shows that criminals trying to steal money from banks are using more sophisticated methods now, said Kurt Baumgartner, a security expert with Kaspersky Labs.
“The new angle is that the attackers are going in through the side door,” he said. “Now, instead of attacking just the payment processors, attackers are focusing on data brokers … The processors are locked down, so attackers are shifting focus to other sources of information.”
Criminals armed with full dossiers of data on victims — or with a resource to get whatever data point they need — have an easier time committing account takeovers.
Combing the Cloud
Byron Acohido, author of Zero Day Threat and a cybercrime reporter at USA Today, said increased dependence on Cloud services has made life easier for criminals.
“What (firms) are doing is storing the information all in one place, putting it on servers and therefore (exposing it),” he said. “Now we learn the bad guys have had their fingers in the pie the whole time.”
Criminals armed with information such as date of birth and past addresses can do much more than make credit purchases in a victim’s name. Most consumers are unprepared to deal with the consequences of a more severe bout of ID theft, Acohido said.
“The payments industry has done a good job in terms of consumers and (stolen) credit cards and making them whole, and there are regulations to protect them,” Acohido said.
“But people don’t realize what happens if the bad guys take out a loan in your name or get a passport in your name, then you are stuck. There’s very little protection, or regulation, to help. And I think we’re going to see that happen more.”
The development concerns FBI agent Donald Good, who said most consumers are unaware of all the information that data brokers have.
“What all that translates into for most folks is money,” he said. “A lot of times we all forget how much information on us is out there.”
The three spoke on a panel called Cyber Crime: Addressing Global Trafficking of Financial Data, at Visa’s annual global summit on security. The discussion covered a wide range of topics, but it circled back to the data broker heist several times.
In a larger sense, the audience — almost entirely fraud analysts at brand-name banks — expressed concern about placing continued trust in the Cloud. One questioner called the Cloud “a one-stop shop for criminals.”
Baumgartner put it more gently, admitting that the Cloud does “aggregate the information a little better for the attackers.”
There were also concerns expressed about fast adoption of mobile phone payments, with Acohido warning that all threats consumers encountered on their PCs are quickly being rewritten by criminals for use in attacking smartphones.
But ultimately Good said that consumers and employees tend to be their own worst enemy when they spend time online.
“Still, the most common method of compromise is via email, people clicking on a link in email that they shouldn’t, even with all the education that is out there,” Good said.