60 Minutes: Swiping Your Card
Do you think twice these days before swiping your credit card or debit card? Your fears are not unfounded. Reports of stolen data are at record highs, and you have probably heard about the data breaches by hackers at huge retailers like Target, Staples, Home Depot, and others. According to 60 Minutes correspondent Bill Whitaker, these thefts operate on two levels. First are the cyber thieves, who actually steal the information. Then there are the cyber criminals, who buy your card information and use it to make fraudulent purchases.
“Nearly every company is vulnerable,” according to FireEye CEO Dave DeWalt. His company is hired to prevent hackers from getting the information they want, or to evict them once they have made their way inside a company’s computer systems. Though it is virtually impossible to protect yourself (just ask JPMorgan), DeWalt said that’s not because companies aren’t trying to do their best to protect customers.
He claimed that 97% of companies are experiencing breaches. FireEye shared a map it uses to track attacks on clients, which happen around the clock. Charles Carmakal leads the company’s first responders, and he reported that there are hundreds of thousands of attempted attacks each week around the world, and those are just the ones they know of.
60 Minutes: Weak Passwords in Retail Attacks
According to DeWalt, the average is 229 days between when a company is “infected” and when that is discovered. Investigations have revealed that 80% of cases involve weak passwords, such as the common 123456. DeWalt warned that common passwords are not good enough anymore, and that breaches are inevitable.
“They’re going to get in. But don’t let them access the information that’s really important,” DeWalt said of his philosophy. This pragmatic approach could mean that hackers get away with a handful of credit card numbers, rather than 50 million in one attack.
The 2013 Target attack began when criminals stole login information from a Target vendor. It did not take long for them to access each checkout terminal in almost every store, where they installed software that detected each card swipe. DeWalt said Target had invested heavily in security. But the bad guys are very good, and also incredibly persistent.
60 Minutes: Target 2013 Data Breach
Target was transitioning from an older security system to a product from FireEye, and the story seems to be that the alerts from FireEye were lost like a needle in a haystack. 60 Minutes said that the story of Target’s massive breach was first reported on December 18, 2013, in a story by blogger Brian Krebs.
Krebs said that the Target breach lasted for three weeks, which happened to be during the busy holiday shopping season. He let cameras inside his office, where he monitors the Internet world for signs of trouble, sharing scoops about hacking attacks this year involving at least one dozen retailers.
He said that sometimes the companies find out thanks to tips from the Secret Service or FBI, noting that most instances are detected outside the companies themselves. He said one of the early signs tends to be that a company’s customers’ financial data will go up for sale on the black market.
60 Minutes: Cyber Investigator Brian Krebs
Large batches of stolen credit card numbers, called dumps, are bought and sold at online exchanges, where Krebs does some of his investigating and reporting. Krebs said he tips off the bank or banks that may be involved, who then work to identify which merchant the customers have in common.
Most cards will sell for $10-50, but that depends on factors such as expiration date and credit limit. Of the 40 million cards seized in the Target case, only about 5% were actually sold, according to Krebs. Thieves seem to have decent customer service, offering refunds if a card you purchased is declined.
Ironically (but probably wisely), customers are not allowed to use credit cards to purchase these stolen credit card numbers. Instead, payments are made via money transfers such as Western Union. The crime syndicates running this big business are often in Russia or Ukraine, where they are out of the reach of the American legal system.
60 Minutes: Sophisticated Cyber Criminals
“These individuals, they make their living—and a very good living, at times—attacking the US financial infrastructure,” said Ed Lowery, head of the Secret Service criminal division. The Secret Service has arrested and convicted 14 people in these cases, but that is a drop in the bucket.
It is not even as technical a process as you might think, according to Lowery. Buyers could come from anywhere in the world. American street gangs may traffic in stolen cards, which are then used to purchase gift cards and resell electronics. Banks have begun reading Brian Krebs’ website to stay in the know about cyber security and potential attacks.
Barry Abramowitz of Connecticut’s Liberty Bank and Linda Swartz from Massachusetts’ Westfield Bank are two of the readers who talked with 60 Minutes. They agreed that they don’t hear much about these cases until Krebs is on top of the story. Beyond that, banks typically rely on alerts from Visa and MasterCard to learn when accounts may have been compromised, though details are often minimal.
60 Minutes: Computer Chip Credit Card of the Future
Swartz suggested that the reason Visa and MasterCard don’t mention which companies may be involved is to avoid placing blame on merchants, and the ensuing bad PR that can result. However, these security issues are also a huge problem at banks.
Stolen credit cards were blamed for $11 billion in fraud in the United States just in 2013, and that does not account for costs involved in card replacement or active monitoring. Banks often end up footing the bill, since customers are not responsible for fraudulent charges.
Mallory Duncan of the National Retail Trade Federation said that magnetic stripe cards, though cutting edge in the mid-20th century, are now too easy to duplicate. He pointed the finger at the cards rather than the merchants. Visa and MasterCard plan to roll out cards incorporating computer chip technology to prevent counterfeiting.
Meanwhile, Google and Apple have rolled out mobile payment systems, helping retailers who want to encrypt data. But we’re at the beginning of a change, and it will be several years and billions of dollars before the game has changed on this.