
Clicks and Mortar (Crime)

Submitted by Mike Rothman on Wed, 2009-02-18 08:49.
Today's Daily Incite

February 18, 2009 - Volume 4, #17

Good Morning:
Sometimes you read stuff and are both horrifyingly shocked and strangely impressed. The news of the ATM attack last November caused some shock waves early this month, when it was first announced. But in reading James Heary's analysis of the event, my blood ran cold. This, folks, is the future of crime. It's kind of a "clicks and mortar" approach to crime.

Just to revisit the situation, it seems that a global group of criminals compromised the systems of RBS Worldpay and were able to issue 100 payroll cards. These are not credit cards (and thus not subject to the fraud analysis that most credit card transactions would get), but rather debit-like cards. So the attackers distributed these 100 "cards" to 49 cities around the world. Every time the money ran out on a card, they would go back into the system and refill it. In the span of 30 minutes they were able to get $9 million out of ATM machines. That's a pretty good take for 30 minutes of actual "work."

Why was this attack so successful? It seems the bad guys (assuming they are guys) did a couple of things very right.

  1. Know the system - The criminals knew that payroll cards get much less scrutiny than a credit card transaction, or so it seems. How else could $9 million be pulled from 100 cards in 30 minutes? They also knew that by compromising the issuer's systems, they could refill the cards when the money ran out.
  2. In and out, no one gets hurt - The magic here wasn't just that the criminals got it done, it's that they stopped after 30 minutes. Given the number of intertwined systems used for the fraud, it was a safe bet that no one would put the pieces together fast enough to stop the attack. But if they tried to do it over 2 or 3 hours, the chances they'd be discovered and law enforcement would be mobilized grew dramatically. These guys got out before they got caught - uncharacteristic behavior from criminals.
  3. Leverage - Obviously a small group of thieves couldn't pull $9 million out of ATM machines in an hour. So they built an organization (or leveraged an existing one) to magnify the impact of their efforts. The more hands in a scheme, the more likely someone will talk - but the reality is this attack happened so fast, and with cards that could not be traced, that the risk was greatly diminished. And you can assume the folks on the street had no idea what the scheme was, restricting information to those that needed to know it.
  4. Coordination - Can you imagine the project plan that was needed to coordinate the logistics and pull this off? This is not a band of misfits ripping off the local 7-11 or Circle K. These folks are smart, structured, and brutally effective.
Finally, there are a couple of lessons here for all of us paid to protect information.

  1. Do not underestimate our adversaries. This is the first and most important lesson. The folks trying to steal our stuff are good and they are getting better. If they see soft spots, they will take advantage of them.
  2. Question every business process. Clearly these payroll cards are a great convenience to the companies that use them. But every new process has its risks and its downsides. We need to make sure we ask lots of questions about fraud vectors PRIOR to the system being rolled out. Yes, I know that is somewhat Utopian (and more than a bit naive), but it's important. It all gets down to credibility (read the P-CSO if you need to learn more about that). It's a little late to be asking about the security of the transaction system after the bad guys have made off with $9 big ones.
  3. If it smells bad, it probably is. One of the hallmarks of my approach to security is to react faster. Now that applies to everything, not just security and system activity. I find it hard to believe that a $9 million disbursement from ATM machines in a 30 minute period was "normal." We need to look for the anomalies and there is a likelihood that the ATM usage was not normal and could have been flagged.
  4. Sometimes the bad guys win. Yep, the reality is that in this case, there may not have been anything RBS could have done to stop the attack as it was happening. This is not the movies and the good guys don't always win. You can only hope that measures are being taken to make sure this same attack doesn't happen again.
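One way an issuer could flag the pattern lesson 3 describes (many withdrawals on one card across several cities in a short window, plus an issuer-side reload while the cash-out is still running). This is an added example, not code from the post or from RBS Worldpay; the log format, card ids, cities, and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real processor data): time,card,event,city,amount
SAMPLE_LOG = """\
2008-11-08T20:00:00,card-001,withdraw,Atlanta,500
2008-11-08T20:01:00,card-001,withdraw,Chicago,500
2008-11-08T20:02:00,card-001,reload,issuer,2000
2008-11-08T20:03:00,card-001,withdraw,Moscow,500
2008-11-08T20:04:00,card-001,withdraw,Hong Kong,500
2008-11-08T20:05:00,card-001,withdraw,Toronto,500
2008-11-08T20:06:00,card-001,withdraw,Atlanta,500
2008-11-08T09:00:00,card-002,withdraw,Denver,200
2008-11-08T18:00:00,card-002,withdraw,Denver,100
"""


def parse(log):
    """Turn the CSV-style log into (time, card, event, city, amount) tuples, oldest first."""
    events = []
    for line in log.strip().splitlines():
        t, card, kind, city, amount = line.split(",")
        events.append((datetime.fromisoformat(t), card, kind, city, int(amount)))
    return sorted(events)


def flag_cards(log, window=timedelta(minutes=30), max_withdrawals=5, max_cities=2):
    """Slide a window over each card's events and return {card: [reasons]} for anomalies.

    Thresholds are hypothetical; a real issuer would tune them per card product.
    """
    by_card = defaultdict(list)
    for ev in parse(log):
        by_card[ev[1]].append(ev)
    alerts = {}
    for card, evs in by_card.items():
        reasons = set()
        for i, (t0, *_) in enumerate(evs):
            win = [e for e in evs[i:] if e[0] - t0 <= window]
            withdrawals = [e for e in win if e[2] == "withdraw"]
            if len(withdrawals) > max_withdrawals:
                reasons.add("withdrawal velocity")
            if len({e[3] for e in withdrawals}) > max_cities:
                reasons.add("geographic spread")
            # A reload landing while withdrawals are still in flight is the refill pattern.
            if withdrawals and any(e[2] == "reload" for e in win):
                reasons.add("reload during cash-out")
        if reasons:
            alerts[card] = sorted(reasons)
    return alerts
```

Run against the sample, card-001 trips all three rules while card-002's two same-city withdrawals nine hours apart stay quiet.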
And that brings up my final point, which is about discussion and disclosure. Word is traveling around the grapevine that another credit card processor has been compromised (like Heartland). You have to wonder if Heartland came clean right away and discussed exactly how the attack happened and why it was successful, whether other processors could have taken preventative measures to ensure the same attack vector wouldn't work twice.

Of course, this line of thinking is even more naive than anything else. First of all, there is no way a processor (or anyone else for that matter) can come clean. The Tort vultures will sue them into oblivion if they accept blame and discuss their shortcomings. Secondly, there is a stigma to being the folks that got nailed, so the inclination is to bury the information. But we lose a very important learning experience. Thirdly, the "powers that be" don't want anyone talking because that can impact an "ongoing investigation."

I can see all of these points, but I still think we are making it too easy for the attackers to find a new scheme and replicate it over and over and over again. By sharing a little information, we can stop a lot of fraud. But the system is stacked against this kind of disclosure, so it won't happen - which is too bad.

Have a great day.

Photo credits: “Crime Done Wrong” originally uploaded by 0x0000org 

