Over 280 million records compromised last year - vnunet.com

Damning report finds simple steps still being ignored
Phil Muncaster - vnunet.com, 15 Apr 2009

More than 280 million records were compromised in 2008, according to a new Data Breach Investigations Report from global comms and IT provider Verizon Business.

The report was written by the Verizon Business Risk team using first-hand evidence collected from the firm's data breach investigations over 2008.
Advertisement

Three-quarters of breaches resulted from external threats, the report found, while just 20 per cent were caused by insiders. This is despite the message from most security firms that the inside threat is more dangerous than that posed from the outside.

The sheer number of credit card and other details being compromised has driven their price down on the underground economy, forcing criminals into new tactics, explained Matthijs van der Wel, managing principal of forensics at Verizon Business.

The average price for a piece of stolen card information has dropped from around $10 (£6.70) in 2007 to 50 cents (33p) today.

"For the criminals it's becoming less profitable so they're looking for new ways to make money, which means targeting financial institutions much more, looking for richer data," said van der Wel.

"Attackers have to do a lot more work to get their information now. They're intercepting the PINs, which has been theorised before but now we're seeing it. "  To this end, criminals are creating customised 'memory scraping' malware to harvest customer PINs entered at ATMs from banks' servers.

Yet despite the increasingly creative ways some criminals are compromising customer data for sale on the black market, the majority of incidents appear to have been preventable, according to the report. For example, 81 per cent of affected organizations subject to the Payment Card Industry Data Security Standard were found to be non-compliant prior to being breached. 

Editor's Note: HomeATM is PCI 2.0 PED Compliant! 

A software application can never ever be certified because it would be literally impossible to know what malware may lurk in the darkness of each individual PC.  Since a software application would use the PC, the keyboard, or the mouse...as the PIN Entry Device (PED) every single PC would need to be PCI PED certified. 

Since only 24 devices have been 2.0 certified worldwide and only 1 (HomeATM) designed for eCommerce, I would say that a software application being awarded PCI 2.0 PED certification is "impossible."

Some 53 per cent of stolen data records came from organizations using shared or default credentials, and 83 per cent of hacks were considered avoidable through simple or intermediate controls.  Van der Wel recommended firms to check access controls regularly, change default credentials, keep up to date with patches, and test applications for vulnerabilities.  "You need to ask yourself 'Do I need to store this data?'" he said. "Many organisations today are data hungry, but if you don't store the data you'll reduce your risk."