“Payment card data can be quickly and easily stolen, transported and sold,” says Ron Dormido, Senior Consultant for the Investigative Response Unit, Verizon Investigative Services. “Because of the relative ease with which this data can be transmitted, the underground market can get a great ROI from their endeavors.” The hitch is that 80 percent of these crimes are preventable.
Dormido’s statistic was taken from the 2011 Data Breach Investigations Report. Verizon began these studies in 2008 to get more insight into data breaches. Dormido says that prior to the Verizon report, most studies were biased or based on surveys. The Verizon reports are based on actual investigations. In 2011, the report is based on investigations of 700 data breaches across 28 countries. In 2011, Verizon worked with US Secret Services and the Dutch High Tech Crime Unit.
According to Dormido, in 2008, one of the most ground breaking pieces of information to be learned from the investigations was the fact that the vast majority of data breaches are external. “Until then, most organizations believed that data breaches originated from the inside. In 2011, 92 percent of the breaches were external, and 65 percent were from Eastern Europe,” he said.
Probably one of the largest, most well-known data breaches in the US was led by master hacker Albert Gonzalez. According to TIME, Gonzalez was indicted in 2009 for the alleged theft of 130 million credit-card numbers. He was later convicted and sentenced to 20 years in prison “for leading a gang of cyberthieves who stole more than 90 million credit and debit card numbers from TJX and other retailers.” In a later article by Wired, his sentence was called the lengthiest ever imposed in the US for hacking or identity-theft.
Gonzalez’ computer crimes seem especially heinous because he’d been given a second chance: In 2003, Gonzalez was arrested in New Jersey while working “for the underground, 4,000-member website Shadowcrew.com, on which hackers swapped stolen credit-card information.” After his arrest, Gonzalez became an informant for the Secret Service for which he collected a $75,000 a year salary – while at the same time, he was operating his new criminal enterprise “Operation Get Rich or Die Tryin.”
In his new enterprise, Gonzalez and his partners hacked into retailers’ computers and installed malware so that they could steal credit card holder’s information. This operation is a data breach on a grand scale, but Dormido says that there are many smaller data breach techniques (According to the Verizon report, smaller breaches are more common.) and other ways to compromise credit or debit card data.
“Carders are groups whose sole purpose is to create false credit cards,” Dormido said. “’Bad’ guys compromise the authentication environment whether through skimming, phishing, smishing or malware attacks, and send the data to bad guys in Eastern Europe.”
But, in 2010, authentication credentials accounted for 45 percent of incidents. “Stolen credentials can be used to further an attack by gaining privileged and persistent access into the victim’s environment….That authentication credentials represent such a low proportion of records shouldn’t be surprising; a lot of damage can be done with just one valid account in the wrong hands.”
Take a look at another powerful chart from Dormido’s presentation; it is located on page 54 of the Verizon research. Dormido says, “Thirty-three percent of the time, it only takes minutes from the time that the bad guy gets a ‘point of entry’ before data ‘compromise.’ Conversely, in 49 percent of the cases, it takes weeks from the time the data breach has been discovered until it is contained.”
In the Verizon report, organizations were alerted to the data breach in 46 percent of the cases by third-party fraud detection systems, in 30 percent of the cases they were alerted by law enforcement and in 6 percent of the cases they were alerted by the affected customers or partners. Dormido’s advice given the information in the report:
“Putting in a proactive monitoring system is a huge takeaway.”
Download this free white paper about how to achieve a better monitoring of fraudulent activities and more accurate customer behavior profiles through a multilayered approach.