Cybercrime surging: and it's your money they're after


Verizon Business said that "Based on the combined findings of nearly 600 breaches involving more than a half-billion compromised records from 2004 to 2008...[we conclude] that simple actions, when done diligently and continually, can reap big benefits." It found that "More criminals breached corporate assets through default credentials than any other single method in 2008."

Gourdie said that a lot of organisations were not seeing the complete picture, and astoundingly "67 percent of records compromised in 2008 were records the organisation did not know they were storing: the data that was compromised was not controlled."

Any organisation storing credit card information online is required to meet the Payment Card Industry Data Security Standard (PCI-DSS), but Verizon Business reported that "A staggering 81 percent of affected organisations subject to PCI-DSS had been found non-compliant prior to being breached." And Gourdie said it would be almost impossible for a PCI assessment to detect a security weakness around uncontrolled data.

"19 percent of cases [of breaches investigated by Verizon Business] were from organisations that had passed a PCI assessment, but that would have been done on defined scope. When data is not under effective control, it is very hard in PCI organisations to do a PCI assessment effectively."

And if you think that your bank or credit card account PIN number is 100 percent secure unless you do something silly, Gourdie has some bad news for you. He told iTWire: "Every PIN breach we investigated was the result of a breach of the back end systems."

In 2008, Verizon Business witnessed an explosion of attacks targeting PIN data, noting that: "These PIN-based attacks hit the consumer much harder than typical signature-based counterfeit attacks in which a consumer's credit card is compromised. Investigators found that PIN fraud typically leads to cash being withdrawn directly from the consumer's account - whether it is a checking, savings or brokerage account - placing a greater burden on the consumer to prove that transactions are fraudulent."

Equally worrying is the time it takes for large organisations to latch on to the fact that their data systems have been compromised. Gourdie said: "From the time of compromise to discovery is still in the order of months, in over 50 percent of cases."

According to the report, in 69 percent of the cases investigated by Verizon Business, the breach was discovered by third parties. "The ability to detect a data breach when it occurs remains a huge stumbling block for most organisations. Whether the deficiency lies in technology or process, the result is the same. During the last five years, relatively few victims have discovered their own breaches," the report noted.