Verizon Business' annual Data Breach Investigations Report is a high-level summary of the 90 data breach incidents the forensic computing group was contracted to investigate in 2008.
While the number of organisations contracting Verizon was stable in 2008 over prior years, the volume of records breached grew to 285 million records - the lion's share of which came from attacks on banks and other financial services groups.
By contrast, there were 230 million records breached in the prior four years combined.
Verizon reported that while only 30 per cent of its 2008 client list was financial services companies, these cases represented 93 per cent of the total compromised records for the year.
In 81 per cent of cases (98 per cent of the total data records breached), the attackers were seeking payment card data, the report said.
The most marked change on prior years was that attackers are attempting to gain access to records that include PIN data, said Mark Goudie, managing principal of Verizon's Investigative Response Team in the Asia Pacific region.
"With payment card [credit card] details, the attacker has to make purchases and transfer those goods into cash," he said. "But with debit card details - the card number, the magnetic stripe information and the PIN together, they can draw cash directly."
Goudie said payment card data is being sold on the black market at bargain basement prices. Whereas records once sold for AU$15 each, they now regularly trade for under 50 cents. A similar report released yesterday by Symantec suggests records may be selling for as little as 8 cents.
"Like anything, it is a supply and demand market," Goudie said. "At the moment there is an excess supply of card details out there."
Verizon Business believes organised crime was behind 90 per cent of all compromised records in the data breaches it investigated, which correlates directly with the higher number of attacks on the financial services sector.
Verizon can assume this, Goudie said, when malware used in an attack is similar to malware used in past data breaches that have been attributed to organised crime.
"We also exchange information, when directed by our clients, with law enforcement contacts," he said. "Our information helps them with prosecution; their information helps us offer better protection."
The most common attack methods were hacks that exploited default or shared credentials (default passwords being left on or shared passwords being too freely distributed) or SQL injection (manipulating the databases driving e-commerce and other web sites to reveal back-end information).
In many cases, attackers used a variety of methods - hacking to gain access to systems in the first instance, then planting malware to gather data over time, Goudie said.
Goudie said a "terribly worrying" statistic was that in 69 per cent of cases reported to Verizon, it was a third party that discovered the breach.
In over 50 per cent of cases, the organisation only discovered that its security had been compromised more than four weeks after the attack.
Only in six per cent of cases did the organisation's own event monitoring and logging systems discover the problem.
"These are the systems designed to highlight issues before they happen and when they happen," Goudie said.
But he conceded that those organisations that pick up on a potential or current breach are less likely to call Verizon for help, and thus would not appear in the report.
"Either way it's a damning figure," he said.
Verizon said nine out of ten of the data breaches investigated could have been avoided had basic data security procedures been adhered to.
Goudie recommended IT administrators review user accounts - removing default credentials and avoiding giving out shared credentials to staff, contractors and outside partners.
He also recommended investing in application testing and code review for any new system.
He recommended an approach to patch management that looks at all the systems in place rather than just focusing on updating patches as they become available.
"Organisations spend a huge amount of money patching systems," Goudie said. "But none of the breaches we looked at would have been prevented by rushing to apply a patch within days. They wouldn't have been prevented within six months for that matter. There is very little evidence that patching quickly is anywhere near as important as patching thoroughly when it comes to data breaches."