The Futility of Obsession

cruelsister

I feel that it is a fairly safe assumption that any reading this post on MT is both computer knowledgeable and Security conscious. And among those security related concerns is the importance of keeping Credit Card transactions over the Net secure. To this end, many have implemented various strategies from anti-keyloggers to anti-URL spoofing techniques to virtual desktops with or without Linux environments all to prevent the BlackHats from accessing Credit Card data.

Although the above listed techniques (if implemented and used correctly) are effective, it is essential that one note that any sales transaction requires two parties: a Buyer (you) who is security conscious and well protected, as well as a Seller who may not be as concerned. A case in point (and the reason for this diatribe) is the potential massive breach at Home Depot that was reported on yesterday:
http://malwaretips.com/threads/home-depot-breach.32768/

For those who may not be aware, Home Depot is one of the largest retailers in the world, with current sales estimates for 2014 of over 83 billion USD. With such massive annual sales volumes, one would think the security for these transactions would be a priority, especially as the company would be able to learn from previous breaches and adjust their security accordingly. Basically one would think that such a Corporation would at least take as much care with user data as you take, Dear Reader. But you would be sadly mistaken.

So far, nothing specific about this breach is forthcoming from the company other than “We’re looking into some unusual activity that might indicate a possible payment data breach and we’re working with our banking partners and law enforcement to investigate.” However the grape-vine has been active and a few things are coming to the surface. As with most previous malware breaches, a custom written malware file was sent to Corporate (usually as an email with attachment), the malware was run and proceeded to infect the system. This malware took advantage of antiquated Windows XP based Point-of-Sale devices (CC read via magnetic strips) and subsequent data harvests sent off to BlackHat Land. It should be mentioned that current conjecture has this malware infection initiating about last April (Oh God- around 5 months!).

It may come as a surprise that the security routines implemented by Corporate IT did not catch either the malware itself or the malicious routines, but it really shouldn't be. Just as in the massive Target breach last year, Home Depot relies upon one of the most popular Enterprise security packages around (don't ask) which in turn relies on detection via either definition or in the wild prevalence, as well as Outbound Firewall alerts of data transmission.

The lack of usefulness of this traditional approach to malware detection is readily evident. Custom made malware targeting a single victim will neither be detected by definition (as it has never been seen before), nor will a "Community" approach work as being targeted it won't spread to others. The Outbound alerts will certainly happen, but as the stolen data packages are transmitted intermittently and not continuously such alerts are buried in the logs that such a massive organization generates.

So what has the initial reaction of Home Depot been? "Customers were assured that if a breach is confirmed they will not be responsible for any possible fraudulent charges. The company added, “The financial institution that issued your card or Home Depot are responsible for those charges.” The company will offer free identity protection services to impacted customers and recommends customers monitor financial accounts for unusual activity." (Above quote shamelessly lifted from Forbes). They've also reduced their quarterly earnings from 0.90/share to 0.80/share, the cost of mitigating damages.

The cost of better security would have been much less and would have avoided the breach, but why bother? The customers are only peasants and will have to be satisfied with what they are given.
 
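The point in the post above about intermittent outbound transfers getting buried in per-event alerts, shown as an added example that is not part of the original post: instead of alerting on each connection, aggregate outbound flows per source and destination and surface POS hosts that keep returning to a destination outside an allowlist. The subnet, the approved addresses, the log format and the sample lines are all constructed assumptions for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumptions (hypothetical values for this example): POS terminals live in one
# subnet and should only ever talk to a short list of approved destinations.
POS_NET = ipaddress.ip_network("10.20.0.0/16")
APPROVED = {"192.0.2.10", "192.0.2.11"}  # e.g. payment processor, patch server

# Constructed sample log: "ISO-timestamp src dst dport bytes_out"
SAMPLE_LOG = """\
2014-04-14T02:10:05 10.20.1.15 192.0.2.10 443 1800
2014-04-14T09:00:00 10.30.4.2 198.51.100.9 443 52000
2014-04-15T03:12:40 10.20.1.15 203.0.113.77 80 40960
2014-04-15T10:30:00 10.20.1.15 192.0.2.10 443 2100
2014-04-19T03:05:12 10.20.1.15 203.0.113.77 80 38912
2014-04-19T11:00:00 10.20.7.3 192.0.2.11 443 900
2014-04-26T02:58:31 10.20.1.15 203.0.113.77 80 43008
2014-04-26T03:01:02 10.20.7.3 203.0.113.77 80 39000
"""

def summarize_unapproved(log_text):
    """Aggregate outbound flows from POS hosts to destinations off the allowlist."""
    flows = defaultdict(lambda: {"events": 0, "bytes": 0, "days": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than crash on them
        ts, src, dst, _dport, nbytes = parts
        if ipaddress.ip_address(src) not in POS_NET or dst in APPROVED:
            continue
        f = flows[(src, dst)]
        f["events"] += 1
        f["bytes"] += int(nbytes)
        f["days"].add(datetime.fromisoformat(ts).date())
    return flows

def recurring_findings(flows, min_days=2):
    """Return flows seen on at least min_days distinct days, largest first."""
    hits = [(src, dst, f["events"], f["bytes"], len(f["days"]))
            for (src, dst), f in flows.items() if len(f["days"]) >= min_days]
    return sorted(hits, key=lambda h: h[3], reverse=True)

if __name__ == "__main__":
    for src, dst, n, total, days in recurring_findings(summarize_unapproved(SAMPLE_LOG)):
        print(f"{src} -> {dst}: {n} transfers, {total} bytes, {days} days")
```

Each transfer here is small enough to pass as noise on its own; the aggregate over weeks is what stands out.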

Behold Eck

It's all about the money, honey, and I work for a government department that recently got rid of their UPS, so if there's a power cut then ... bam! Everything worked on for that day is gone. I mean WTF..... where is the sense?

Anyway, I'm sure banks, or a lot of them, operate along the same lines, being reactive instead of proactive. Whatever worked yesterday should work tomorrow, and if there's a budget cut then let's cut I.T., what could possibly go wrong?

As long as you (the pleb) get your money back I suppose and as long as a corporate head doesn't award him/herself a whopping bonus by suggesting upgrading the bank's base operating system (instead of paying Microsoft millions for continued XP updates) might be the way forward?

Regards Eck:)
 

Behold Eck

If I was the president or manager of that company, I'd shut it down. Or at least offer my services for free.

Yeah, you could shut it down and then get a government grant to start it up again under a different name and award yourself a big fat bonus............nice work if you can get it.

Regards Eck:)
 
