Dave Marsh, Payment Gateway Security, Mustard.
It doesn't seem that long ago that all we really had to worry about in financial systems security were things like patches, viruses, trojans and the odd phishing attack. The controls most financial institutions already had in place mitigated these known risks quite well.
Two recent incidents in the US, however, have dramatically changed the security landscape, and electronic crime (eCrime) has evolved. The first is the Heartland Payment Systems, Inc. data breach, which came to light in January 2009 and resulted in the loss of potentially millions of customer payment card details. The second is the Royal Bank of Scotland (RBS) WorldPay payroll card/ATM breach on November 8th, 2008, which lost over $9 million.
Both these attacks demonstrated a level of organisation and sophistication from the criminal community that has not been seen before. One thing we can be sure of is that with the success of these attacks, more will definitely be on the way.
We need to look at the underlying issues here. Physical crime, such as armed robbery, has a long history and criminals know what it involves:
Physical crime also obviously requires a physical presence in the country in which it is perpetrated - which often takes the crime under the jurisdiction of a single police force and a single judiciary system.
Compare this with what a career in eCrime can offer the aspiring criminal:
eCrime is often done internationally - criminals know that international policing can be challenging and potentially ineffective. Multiple jurisdictions also complicate the issue - should the crime be prosecuted in the country from which it originated (which may have lost nothing) or from the country under attack? Often there are deliberately many different countries involved in any one eCrime.
What has saved us all in the past is that professional organised crime has struggled to understand the complexity of modern financial systems. But the recent Heartland and RBS WorldPay breaches have now proved that this has changed.
What the Heartland and RBS WorldPay attacks demonstrated was an extraordinary level of technical sophistication and organisation. Investigations are still under way - but there are reports of a fraudulent data logging program at Heartland that hid itself in "unallocated" parts of a critical server disk drive. Conventional controls such as Anti-Virus and Anti-Spyware would not detect this attack.
The RBS WorldPay payroll card/ATM attack was also technically sophisticated and well co-ordinated. It is known that the criminals obtained over 1.5 million valid card details, including the associated PINs that could then be used to withdraw cash from ATMs. They used only a small percentage of these cards, around 100, and they orchestrated a synchronised withdrawal of $9 million from 130 ATMs in 49 cities around the world starting just after midnight Eastern Standard Time on November 8th, 2008.
The conclusion that can be drawn from all of this is that we have just witnessed a "step change" in financial fraud capability. If you follow catastrophe theory, we've just seen the characteristic "snap" from one state to another. The global criminal community has finished doing its homework and now knows how to successfully attack our global financial infrastructure.
To rise to this challenge, the world's financial institutions really need to embrace the new threat model. The traditional controls we have in place and that have served us well over the years need to be closely analysed and verified to ensure that they address this new sophisticated threat.
We need to work together internationally much more effectively - we don't need a world police but we do need much better co-operation and co-ordination between the police forces and security services in different countries in the pursuit of eCrime.
In short, we need to work together to make eCrime much less attractive and lucrative for criminals and strengthen the controls of our financial institutions to withstand the new breed of technically and organisationally sophisticated attacks.
The Heartland and RBS WorldPay incidents have demonstrated that organised crime is a lot more organised than we are. It is time for us to ensure that we are not the next victim!