Two Russians and a Florida man were charged on Monday with hacking into Heartland Payment Systems, 7-Eleven, and the Hannaford Brothers supermarket chain, and stealing data related to more than 130 million credit and debit cards.
The indictment names 28-year-old Albert Gonzalez of Miami, who already has been charged with stealing data related to 40 million credit cards from eight major retailers, including TJ Maxx, and two unnamed co-conspirators based in Russia.
The breach involving Heartland and the others is believed to be the largest hacking and identity theft case ever prosecuted by the U.S. Department of Justice. In addition to Heartland, 7-Eleven, and Hannaford Brothers, it involves two unnamed corporate victims, according to a statement from the U.S. Attorney's office.
The three men were indicted on charges of conspiring to hack into computer networks and stealing data as far back as October 2006. Gonzalez, whose aliases include "segvec" and "soupnazi," and the others allegedly found victims on a list of Fortune 500 companies and visited retail locations to see what type of checkout systems they used.
They used an SQL injection attack to steal the data and used computers in California, Illinois, New Jersey, Latvia, Ukraine, and the Netherlands for storing malware and stolen data and launching attacks, according to the indictment. In an SQL injection attack, specially crafted input is inserted into the queries a Web application sends to its database, exploiting a flaw in how the application handles that input.
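The defect behind the SQL injection described above, shown as a query built from untrusted input beside the parameterized form that closes the hole, plus a coarse log-review check. This is an added Python example, not code from the indictment or from any of the named companies; the order table, the sample rows, the function names and the regex are all constructed for illustration.

```python
import re
import sqlite3

# Constructed sample data: a tiny "order lookup" table standing in for a
# retailer's Web-facing database (not real breach data).
SAMPLE_ORDERS = [
    (1, "alice", "order-1001"),
    (2, "bob", "order-1002"),
    (3, "carol", "order-1003"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, order_ref TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ORDERS)
    return conn


def lookup_vulnerable(conn, customer):
    """Vulnerable form: the user-supplied value is spliced into the SQL text.

    Because the input becomes part of the statement itself, a value such as
    ' OR '1'='1 changes the WHERE clause and returns every row.
    """
    sql = "SELECT order_ref FROM orders WHERE customer = '%s'" % customer
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, customer):
    """Hardened form: the value is bound as a parameter, never parsed as SQL.

    The same ' OR '1'='1 input is compared literally against the customer
    column and matches nothing.
    """
    sql = "SELECT order_ref FROM orders WHERE customer = ?"
    return [row[0] for row in conn.execute(sql, (customer,))]


# Quote-then-boolean, comment markers and statement separators are the
# signatures a defender would flag when reviewing Web request logs.
INJECTION_PATTERN = re.compile(r"('\s*(or|and)\s*'|--|;|/\*)", re.IGNORECASE)


def looks_like_injection(value):
    """Coarse detection check for request logs or a WAF rule.

    This is a monitoring aid only; parameterized queries are the actual fix.
    """
    return INJECTION_PATTERN.search(value) is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))
    print("parameterized:", lookup_parameterized(db, payload))
    print("flagged:", looks_like_injection(payload))
```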
They also allegedly installed backdoors and sniffers to intercept data in real time as it was processed by the victims and tried to hide their actions by accessing the victim networks through proxy computers, modifying their software so as to evade detection by antivirus programs and programming it to delete traces of the malware from victim networks, according to the indictment.
The men also tried to sell the stolen data to others, the indictment alleges. They are charged with conspiracy to gain unauthorized access to computers, commit fraud in connection with computers and damage computers, as well as conspiracy to commit wire fraud. They face up to 35 years in prison as well as a fine of $1.25 million.
Gonzalez, who is in federal custody, was charged in May 2008 in New York with hacking the computer network of Dave & Buster's restaurant chain and was named in an indictment in Massachusetts in August 2008 related to the TJX breach. Other alleged victims in those cases include BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21, and DSW. He faces trial on the New York charges next month.
Heartland reported the breach on presidential Inauguration Day in January and said that although it occurred last year, it found evidence of the intrusion just the week prior.
Formerly a federal government informant, Gonzalez also was arrested in New Jersey in 2003 on charges related to ATM and debit card fraud.
Network Solutions is investigating a breach on its servers that may have led to the theft of credit card data of 573,928 people who made purchases on Web sites hosted by the company.
Network Solutions notified 4,343 of its nearly 10,000 e-commerce merchant customers on Friday about the breach. It affects 573,928 cardholders whose name, address, and credit card number were exposed between March 12 and June 8, said Susan Wade, a spokeswoman for Network Solutions.
Mysterious code was discovered in early June on servers hosting e-commerce customer sites during routine maintenance, she said. The company called in a third-party forensics team to help with the investigation, and the team was able to crack some of the code on July 13, determining that it could be related to credit card data, she added.
Credit card transactions were intentionally diverted by an unknown source from certain Network Solutions servers to servers outside, Network Solutions wrote in an e-mail to merchant customers.
"So we notified law enforcement and began the process of notifying our customers," Wade said. "At this point, we don't have a reason to believe that (the data) has been used, but we are working with the credit card companies," nonetheless.
Network Solutions also is paying to have credit-monitoring specialist TransUnion help the merchants notify their customers according to data breach notification laws in effect in certain states. Affected consumers will get 12 months of free credit-monitoring services.
It's unknown how the malicious code got onto the system and where it came from, Wade said.
Merchants and consumers can get more information on the Care and Protect Web site Network Solutions has set up. "We really feel terribly about this," Wade said.
"We store credit card data in an encrypted manner, and we are PCI (Payment Card Industry)-compliant. Unfortunately, any company operating in our business could have become a victim of this type of invasion," the company said on a blog post on the customer information Web site. "In this situation, the unauthorized code appears to have transmitted information about credit card transactions as they were being completed; it did not involve a vulnerability in the way we store data in our systems."
The breach does not affect Network Solutions' other businesses, which include domain registration, e-mail hosting, and online marketing.
CEOs and their senior executives don't see eye to eye on key security issues, according to a new survey.
Many CEOs don't consider their own companies vulnerable to security attacks and are confident in their ability to combat those attacks, says a survey released Wednesday. However, those findings contrast with the opinions of senior executives who report to the CEO. They see their companies as more vulnerable and are not confident they can stop data theft. The survey was sponsored by security company Ounce Labs and conducted by security researcher Ponemon Institute.
The survey sought to determine how aware CEOs and other senior executives are of their own data protection efforts--how effective they are, how they justify the cost of security, and whether they support the goals of the organization.
The survey found that 82 percent of senior executives said their organization has experienced a data breach, with 94 percent saying they've been hit in the last six months. About 53 percent say they're attacked on a daily or even hourly basis.
Only 58 percent of the senior execs are confident in their company's ability to identify and respond to breaches that result in the theft of information. And just 32 percent think their company is rarely attacked.
Among CEOs, 93 percent are confident in their organization's ability to identify and thwart security breaches. And 48 percent said they believe their organizations are rarely attacked.
The responsibility for securing a company's data was also a question mark. Among CEOs, 53 percent felt the chief information officer is accountable for data protection, while only 25 percent of other senior executives felt the same way. And whoever is responsible, that person's job is seen as safe. Around 85 percent of executives questioned believe a failure to stop a security attack under their watch would not jeopardize their job.
To gather the data, Ponemon Institute questioned 30 CEOs and 183 other top-level executives who report to CEOs, including chief operating officers, division presidents, and chief information officers, over a six-month period ending in June.
This post was updated at 2:16 p.m. PDT with comment from an outside database security software vendor.
Hackers broke into the University of California at Berkeley's health services center computer and potentially stole the personal information of more than 160,000 students, alumni, and others, the university announced Friday.
At particular risk of identity theft are some 97,000 individuals whose Social Security numbers were accessed in the breach, but it's still unclear whether hackers were able to match up those SSNs with individual names, Shelton Waggener, UCB's chief technology officer, said in a press conference Friday afternoon.
The attackers gained access through a public Web site and then got past the protections on additional secured databases stored on the same server. In addition to SSNs, the databases contained health insurance information and non-treatment medical information, such as immunization records and names of doctors patients had seen. No medical records (i.e. patient diagnoses, treatments, and therapies) were taken, as they are stored in a separate system, emphasized Steve Lustig, associate vice chancellor for health and human services.
"Their ID has not been stolen," he added. "Some data has been stolen."
The server breach began on October 9, 2008, and continued through April 9, when a campus computer administrator doing routine maintenance discovered messages left by the attackers. Logs indicate that the hacks originated from overseas, "primarily in the Asian theater," Waggener said, later specifying traces to China.
While campus police and the FBI were immediately notified of the breach, it wasn't until April 21, Waggener said, that officials learned data had been stolen. Since then, the focus of the investigation has been figuring out what was taken and who is at risk. The hackers' specific techniques are still being determined as part of the ongoing criminal investigation, he said.
From the looks of it, however, one outside database security software vendor, Sentrigo CTO Slavik Markovich, suspects an SQL injection, in which a small malicious script is inserted into a database that feeds information to the Web site. Markovich also questions whether the university has appropriate monitoring tools in place to have not noticed the hack for six months, and why it hosted data with different levels of sensitivity on the same server.
The university started notifying the 160,000 people at risk via e-mail and snail mail on Friday. Victims include an assortment of current and former Berkeley students--as well as their parents or spouses, if linked to insurance coverage--who had University Health Services health care coverage or received services. Also included are 3,400 students of Mills College in Oakland, Calif., which contracts with the university for health services.
The university has warned those affected to place a fraud alert on their credit reports. It has also set up a Web site and hotline to help the victims.
In 2005, a PC was stolen from a Berkeley graduate admission office that held sensitive data on some 98,000 people, stretching back three decades. And the university has dealt with viruses and similar security incidents, Waggener said. But this was the first such server breach.
With this, Waggener said, Berkeley joins a long list of prestigious institutions suffering from such increasingly sophisticated and malicious attacks. "We're defending against attacks from around the world," he said.
Every time I use my credit card online I suffer a momentary feeling of angst, even though I know that it's still safer than handing my card over to an unscrupulous waiter. The impersonal nature of the Internet and the perception that I lose control of my data after I hit "submit" contributes to this lack of sense of security.
Also contributing to this paranoid feeling are all the reports of phishing scams, including IRS and tax-related scams; data breaches at retailers like TJX, where more than 45 million accounts were exposed; and payment processors like RBS WorldPay, where stolen data led to cloned cards and ATM withdrawals last year.
This all got me to wondering exactly how the data from my credit card or keyboard ends up as money in the pockets of criminals.
How does the data get stolen from my computer?
There are many ways sensitive data can be pried out of computer users. In a typical social-engineering phishing attack, a consumer opens an e-mail that looks like it was sent by the consumer's bank, Amazon, PayPal, or some other trusted source. With a bogus excuse, such as suggesting there was a security incident and the user needs to verify his or her account details, the e-mail will prompt the recipient to provide username and password via a link to a Web site that looks legitimate but isn't. The consumer enters the information and continues on, not knowing that the data is now being sent to criminals.
In other cases, criminals create fake e-commerce Web sites where consumers provide their credit card information to pay for a product that will never arrive. Attackers also have ways of rendering legitimate Web sites risky by injecting malicious code into the Web sites with cross-site scripting, SQL injection, and clickjacking attacks. Such attacks, typically invisible to the consumer, can be used to steal data that a consumer types in.
Other attacks are accomplished by getting spyware onto a victim's computer. For instance, attackers can distribute a worm via an e-mail attachment that downloads a keystroke logger onto the recipient's computer when it is opened. Attackers also can create programs that exploit unpatched holes in Windows or holes in a browser that haven't been fixed and download keyloggers onto computers. The keyloggers can be written to send data to a remote server every time the computer user types a password or social security number, for example.
If I don't use my credit or debit card on the Internet, how does the data get stolen?
Attackers can steal data by planting a skimming device that reads the magnetic-stripe data from the card when a user slides it through a payment card reader at a register, or by fitting a skimmer to an ATM along with a video camera that records the PIN as the customer enters it. The magnetic-stripe data includes name, credit card number, and expiration date.
Attackers can steal more people's payment card data at a time by hacking into a retail firm or payment processor's computer network. In the TJX incident, experts believe attackers made their way into the company's system by first gaining access through a wireless regional hub for the company's store controllers, which handle the point-of-sale system. Attackers also can grab unencrypted PINs from bank systems during the authorization process using specially crafted malware that scrapes the data from the memory of the bank's computer, according to Wired. Or attackers can trick a misconfigured hardware security module, which decrypts and re-encrypts PINs as they make their way across various bank networks, into revealing the encryption key.
What do the criminals do with the data when they get it?
Cybercriminals tend to have specialties. The data thieves, also called "harvesters," sell it to brokers who either use the data themselves, hire others to do the leg work to withdraw the money, or sell it to others via IRC channels, private peer-to-peer networks, carder sites, and other organized underground marketplaces.
Often, the data is sold with a money-back guarantee in the event that the cards are found to have been reported as stolen or if the data is incorrect. Brokers have a number of ways of verifying cards. They can break into an e-commerce Web site and process small transactions on the card with a payment processor to see if the transactions go through. Or they can use the card data to make a $1 donation to a charity.
Once the data is verified, the criminals can turn it into cash by either moving the money from the victim's account to an account they control, wiring themselves the money, creating counterfeit checks, or even just withdrawing small amounts (under $50) on a regular basis that may not get noticed by the cardholder.
Many of the criminals are located outside of the data's country of origin and need to be able to either transfer funds or make international purchases without alerting the authorities. To do this, criminals have elaborate schemes using middlemen, also known as "drops." For instance, criminals will advertise work-from-home jobs in the U.S. over the Internet and by e-mail. The drop is merely asked to provide a local address or bank account, and when money or goods arrive, the drop is instructed to forward them to a foreign address. The criminal then takes over the bank or credit card account for which data was stolen and changes the address or bank account to that of the middleman.
"The countries where re-shipping happens include Nigeria, where you can't easily buy consumer goods. This is a way for them to get goods," said Dave Ostertag, global investigations manager at Verizon Business who used to be a chief investigator at Discover Card. "This fraud stocks the shelves of a store in another country."
An estimated 70 percent of the online identity fraud activity is related to organized crime, Ostertag said. In the U.S., street gangs can make more money off mortgage fraud than they can selling drugs, he added.
The criminals also can make blank plastic cards that are encoded with the stolen magnetic-stripe data. Often, cards are produced in one country and shipped back to the country where the account is located. The cards then can be used by "runners" to make withdrawals from ATMs if the PIN codes are known.
Criminals have been known to use private databases to get more complete information on victims, such as address, date of birth, and even social security number. For instance, the U.S. Postal Service says someone accessed LexisNexis and Investigative Professionals databases without authorization and used personally identifiable information from there to obtain fraudulent credit cards.
Screenshot of price list for stolen credit card numbers and available balance amounts discovered on the Web by McAfee Avert Labs. (Credit: McAfee Avert Labs)
How much is the data worth?
There is so much stolen magnetic-stripe data available on the underground markets that prices for it have dropped from between $10 and $16 per record in mid-2007 to less than 50 cents per record today, according to the 2009 Data Breach Investigations Report (PDF) from Verizon Business. Those price tags go up when the PIN is available and cash can be withdrawn directly from a victim's account.
The value of a card is determined by a combination of factors. Cards from the U.S. and Europe fetch higher prices, as do cards with more available credit or balance, those with additional information such as PIN or home address, and those that have been verified.
Credit card data can range in price from 6 cents for bulk quantities to $30, while bank account credentials range from $10 to $1,000, according to a Symantec Internet Security Threat Report released last month. Most of the stolen credit card data for sale is from the U.S., the report found.
Is the consumer liable for any fraudulent charges?
While credit card fraud typically has a zero-liability policy for consumers, the burden of proving fraud is on the consumer when it involves a debit card.
How big a problem is online identity fraud?
The latest Consumer Reports survey found that over the past two years 1 out of 13 Americans provided personal data to phishers, 1 in 12 had serious problems with spyware, 1 in 7 lost money to online fraud or had computer virus problems, and about 1.7 million were victims of identity fraud, the San Francisco Chronicle reported on Monday.
A report from Javelin Research (PDF) places the number of identity fraud victims in the U.S. at 10 million in 2008. Identity fraud rose 22 percent last year from the year before to the highest level since 2004, the report said. Meanwhile, online theft and data breaches each represented 11 percent of the known identity fraud incidents, compared to 43 percent for lost or stolen wallets and 19 percent that occurred during a transaction.
Payment card breaches represented 80 percent of the 90 reported breaches last year, and payment card data represented 98 percent of all records compromised, according to the report from Verizon Business.
Between January and December 2008, consumer complaint database Consumer Sentinel Network received more than 1.2 million consumer complaints, according to a report released by the U.S. Federal Trade Commission (PDF) in February. Of those, 52 percent were fraud complaints and 26 percent related specifically to identity theft.
Complaints of online crime hit a record high last year and total dollar loss linked to online fraud was $265 million, according to a report released in March by The Internet Crime Complaint Center, a partnership between the FBI and the National White Collar Crime Center. The third most common fraud complaint was credit or debit card fraud, representing 9 percent, preceded by non-delivery of merchandise or payment at 33 percent, and Internet auction fraud, representing more than 25 percent.
What can consumers do to protect themselves?
To protect against online identity fraud, consumers (who use Windows) should sign up for regular automatic Microsoft software updates, use the latest browser versions with enhanced security features, and keep their antivirus and other security software up-to-date. To avoid phishing and other malicious sites when Web surfing, there are a number of programs, including McAfee Site Advisor and AVG LinkScanner.
McAfee also recently launched the McAfee Cybercrime Response Unit, where people can go if they suspect they have become a victim of cybercrime or identity fraud. The site has a free Windows-based scanner that can give an indication of how likely the consumer is to have been victimized, as well as specific steps to take in the case of identity fraud. These include changing account passwords and PINs, placing a fraud alert on credit reports, and reporting the crime to authorities.
The FTC's Identity Theft Site, the Identity Theft Resource Center, and The Privacy Rights Clearinghouse's Identity Theft Victim's Guide have more information.
More records were breached in 2008 than in the previous four years combined as a result of a few large breaches involving payment cards, according to a report released on Wednesday.
Last year, 295 million records were compromised and there were 90 confirmed breaches, the Verizon Business 2009 Data Breach Investigations Report (PDF) found.
The top five breaches accounted for 93 percent of total records compromised and as a percentage of caseload, 80 percent were payment card breaches while payment card data represented 98 percent of all records compromised last year.
PIN data was increasingly targeted in 2008 in attacks in which magnetic-stripe data and PIN data were used for identity fraud. For example, criminals used the data to make ATM withdrawals from victims' accounts.
PIN data stolen in a breach at payment processor RBS WorldPay was used to clone cards and withdraw millions of dollars from victim bank accounts last year. Meanwhile, payment processor Heartland had a huge data breach of its own last year that it reported in January and there have been reports of another breach at an unidentified institution.
More than three-fourths of organizations suffering payment card breaches were found to be not compliant with PCI data security standards or had never been audited. The typical organization had met less than a third of the requirements in the standards, the report found.
This chart shows threat categories by percent of breaches (black) and records (red). (Credit: Verizon)
Of the total breaches, 75 percent came from external sources, 39 percent involved multiple parties, 32 percent involved business partners, and in 20 percent of the cases insiders were implicated. Three-fourths of the breaches were undiscovered and uncontained for weeks or months.
As far as types of breaches, 64 percent resulted from malicious hacking, 38 percent used malware, 22 percent involved privileged misuse, and 9 percent used physical attacks such as equipment theft or tampering.
In about four of 10 hacking-related breaches, an attacker gained unauthorized access to the victim via one of the many types of remote access and management software, typically provisioned to third parties for remote administration.
During 2008, malware was involved in more than one-third of the cases investigated and contributed to nine out of 10 of all records breached.
"Malware is now an essential component to nearly all large-scale data breach scenarios," the report said. "Hacking gets the criminal in the door, but malware gets him the data."
As we await the 60-day federal cybersecurity review from Melissa Hathaway, acting senior director for cyberspace for the National Security and Homeland Security Councils, there is something else that could be done. It seems to me that the federal government could take another related action to help protect the private information of U.S. citizens while reducing the cost of doing so. In my humble opinion, it is time to create a single federal data breach disclosure law. I believe this action would:
Simplify the maze of current state legislation. As of the end of December, 44 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands have enacted security breach notification legislation. While most of these laws are modeled on the original California legislation (SB-1386) that took effect in 2003, there are subtle differences in terms of deadlines for notifications, definitions, and civil penalties. Massachusetts and Nevada have gone the furthest so far by mandating that private data be encrypted in certain circumstances. Obviously, this creates a legislative mess that could be streamlined by one central federal regulation.
Protect the unprotected. In the six years since California started the trend toward data breach notification legislation, Alabama, Kentucky, Mississippi, New Mexico, and South Dakota have no such laws in place or have laws that haven't taken effect. I'm not sure why this is, but citizens in these states deserve the same type of protection the rest of us have.
Extend the definition of private data into other areas. Aside from state data notification laws, many large organizations must still comply with the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, Sarbanes-Oxley Act, etc. There must be a way to broaden the definition of private data and consolidate private data security and breach notification legislation like the European Union has. The cost of compliance could go down precipitously if organizations were not obligated to perform the same basic tasks and audits numerous times.
If we are truly looking for ways to improve electronic data security and reduce cost and overhead, this seems like a good plan to me. I know my argument is simple and I'd be glad to learn more as to whether this logic makes sense. Please let me know if my instincts are correct or whether I've missed some important issues.
In just two weeks, the annual RSA Conference takes place in San Francisco. What can we expect as the "hot topics" at this annual security love fest? I'm sure there will be plenty of buzz about securing virtual servers and cloud computing infrastructure, but this topic will likely focus on blue sky vision describing the safeguards we will need in 2012 or so. Rather than this hyperbole, I am looking forward to discussions focused on the marriage of identity and security.
Haven't these two areas been linked forever? Well, yes and no. Security folks think of identity in terms of authentication issues like password management, role-based access controls, or biometrics. But other aspects of identity like user provisioning, fine-grained entitlement management, and single sign-on usually live elsewhere in IT. When network access was restricted to internal employees, this division made sense, but identity and security can no longer remain apart. The marriage of these two IT disciplines will take place for a simple reason--identity and security must work together to enable modern business processes.
Identity is all about who gets access to applications and data, so in theory, strong identity skills let organizations get users productive sooner than the competition. Think of identity management as the magical formula to unleash Metcalfe's Law. More users come with a cost, however--a greater number of security threats from hackers, malicious code attacks, and data breaches. Thus IT executives must balance their ability to let users into the network with proportional safeguards to keep bad things from happening.
Call it social networking, the consumerization of IT, Web 2.0, or any other market-speak term you want. To me, it is all about information sharing, collaboration, and business process improvement. IT must create an environment where users can access what they need and come and go as they please as long as they add business value while they are around. Public and private sector organizations headed down this path had better have their identity yin and security yang working together in harmony or they will either hold back the business or greatly increase security risk.
BERKELEY, Calif.--Six years after California enacted the country's first data breach notification law, many state residents have received letters warning them that their data was exposed by a breach but usually they don't know how or how long, experts said at a privacy conference on Friday.
That would change with the passage of a measure proposed by California State Sen. Joe Simitian, who authored the country's first bill requiring companies to notify customers when a breach has occurred that exposes their data.
Senate Bill 20 would require that notification letters to consumers have a standard set of information such as information about the timing and circumstances of the breach.
It would also require that a state entity be notified at the same time so that law enforcement, lawmakers, and researchers "can spot larger trends and don't have to rely on what they read in the newspaper," Simitian said in a luncheon address at the Security Breach Notification Symposium in Berkeley.
Another U.S. payment processor has suffered a database breach that exposed credit card and debit card information, according to several credit unions. The name of the payment processor has not been released and it is unclear how many consumers are affected.
Blog site DataBreaches.net has been tracking the reports here and here.
Community Bankers Association said in a statement on its site two weeks ago that Visa announced that an unnamed processor reported a data breach and that the name of the processor was being withheld pending completion of a forensic investigation.
The breach appears to have affected fewer account holders than were affected by a breach reported by Heartland Payment Systems last month, but represents a "significant number nonetheless," the statement said. "According to VISA officials, the breach affected all card brands. Evidence indicates that the account number, PAN and expiration dates were stolen."
The Tuscaloosa Virginia Credit Union posted a statement on its site that said malicious software was placed on the processor's system but there is no evidence that accounts were viewed or data taken by hackers.
The Pennsylvania Credit Union Association also issued a statement, as did the Alabama Credit Union, which said it was limiting Visa ATM and debit card purchases to $99 per day as a result of the breach.
Credit card and debit card users are encouraged to monitor their statements carefully.
The incident is the latest in a string of breaches at payment processors, including one at RBS WorldPay last year that enabled scammers to clone cards and withdraw millions of dollars from bank accounts.