A recent article in CNN Money titled “Cybercrime: A secret underground economy” discussed the existence of organized crime in cyber-crime and how organized crime has turned cyber-crime into a multi-million dollar a year industry. The article provided some great insight into the black market of cyber-crime. The fact is, most of the organized crime has turned to cybercrime as the next generation of how they make money.
By stealing information and cloning cards with it they drive a massive fraud machine that easily enters the billions of dollars each year. What used to be an exercise in if or how a botnet or worm could be created to steal data and grab the types of information they need, is now a dedicated business which evolves with new techniques and methods almost daily. Make no mistake; botnets are designed to make money, nothing more.
It's no longer about causing someone online-pain or hitting back a company, it's about getting the information they need to conduct their operations and turn a profit. Many of the comments left by readers indicated they feel it is people acting irresponsibly or to use their words, “as morons” which cause the breaches to be successful in the first place. While educating employees is a crucial part of keeping an organization's network secure, I don't believe it is employee negligence which is to blame for the success of this underground economy. This type of breach goes way beyond an individuals or consumers ability to solve – it goes to the core of technology, the way information is stored and what is done to secure cardholder data in the first place. Every credit card company has a fraud and identity theft department. These departments were created to help individuals who are victims of identity theft. Often these victims had their card lost or stolen, or their information was stolen by an individual who wasn't working on a mass scale.
These departments are exactly what victims of this type of identity theft require, but these departments are ill-equipped to handle the theft of thousands or even millions of credit card numbers from a single breach. To add to the complexity, the breaches rarely if ever occur at the credit card company's network. Instead, the cyber-criminals are able to hack the retailer or other vendor to steal the credit card numbers of their customers. So what do we do? Technologies such as the chip-pin technology coming out that seeks to apply an entry code when you use your credit card at a store may protect individuals have this card (unless of course they are shopping online but that is a different post all together) who but they do little to deter hackers.
On the type of scale that hackers are acquiring card numbers even if 10% of all the card numbers they obtain are unusable it is a small enough to deter the criminal efforts as they will still have millions of numbers at their disposal which can be used. PCI regulations are a step in the right direction for protecting small and medium sized business. Though it is slightly generalized, the updates and refinements to specifications and requirements will help to make this type of activity harder. While PCI and other regulations may help SMBs design more secure networks one other solutions for stopping breaches were mass amounts of customer data is stolen would be to centralize and consolidate information. Currently, vendors, often times small to medium sized businesses who traditionally do not have the resources to secure their networks as well as larger enterprises (like credit card companies), are required to save customer data for seven years.
This is where cyber-criminals obtain the credit card information – from the vendors. Instead of requiring the companies to save this information on their individual networks it may be more advantageous for all involved if the information was only stored at the credit card company. Credit card companies already collect and save this information, making vendors' information redundant. If we remove this redundancy we could make it more difficult for hackers to get this data. This approach would absolve vendors from having to hold all this data, but also avoid having to police them all individually with regulations ensuring it is done correctly. Since hackers are targeting the vendors not the credit card companies just think of how many breaches can be avoided if this method was in place. Some may argue that the cyber-criminals will shift their tactics and dedicate their time hacking the credit card companies' networks – and they may be right. But this goes against how hackers work in the first place.
They do not target individual companies, instead they create programs that look for any network weakness and then exploit it, regardless of network size or the value of information available. They can always use the small network they hacked to get into a larger network eventually. However, the lure of millions of credit card numbers and the potential profit they could make may result in a complete paradigm shift when it comes to cyber-crime. That is why all networks (small and large) should use network security technologies to make it more difficult (and in many cases) impossible to access the network through botnets, viruses, worms, spyware or other malicious code.
The original article/video can be found at Shift in how we store data may protect credit card information better