If one thing is clear from Verizon’s recently published 2009 Data Breach Investigations Report, it is that cyber crime has taken on a frightening level of maturity. This is the second year that Verizon has published data from the breach investigation work they perform for their clients. Because they only report on the specific customers they work for, comparing year-over-year results may not be statistically relevant. But the report is the most comprehensive analysis of trends in methods of attack, and for that reason it is worth delving into.
Most data breach reports include what is, frankly, spurious data. A lost or stolen laptop, or even a dossier of top secret information left on a commuter train seat, has less to do with an increase in threats than it does with reporting requirements derived from various legislative actions. While these reports do drive home the expense, loss of reputation, and compliance requirements associated with good data protection, they do not shed the same light on methodologies that Verizon does.
The most dramatic revelation is that the market value of stolen credit card data has plunged. The market is saturated with credit card data stolen from large payment processors and retailers. From prices in the $10-$12 per record range, values have dropped to $.50. To understand how credit card data is used by criminal organizations, look at how stolen credit card information from the infamous TJX data breach was monetized. Criminals in Florida used magnetic stripe encoding machines to put the information on fake credit cards they manufactured. The account information would not even match the names embossed on the cards. They would then go to local Wal-Mart stores and purchase $400 in gift cards. One zealous “carder” bought $18,000 of gift cards from several Wal-Mart stores in one day. They would then exchange the gift cards for jewelry and electronics at other stores. Police estimate they stole $8 million in this manner.
Carding operations rely on a steady supply of stolen data, and Verizon’s report indicates there is no shortage of stolen credit card records. But if cyber thieves can no longer get a good price for their goods, what will they turn to next? Verizon’s report says the present target is PINs. In other words, thieves are stealing the data that allows criminals to create ATM cards and thus drain money directly from accounts. While Verizon cannot reveal the names of their customers, the most dramatic use of stolen PINs ever involved data stolen from RBS WorldPay, an Atlanta-based payment processor and card issuer. These PINs were used to forge ATM cards that were then used to withdraw $9 million from 130 ATMs in 49 cities around the world in a single day in November of 2008.
Insiders vs. Outsiders
One surprising result from Verizon’s research was that the majority of data thefts were perpetrated by outside attackers: 74%. This is counter to the oft-quoted statements of security pundits. It may have been true, before the rise of the cyber crime economy of today, that insiders were responsible for most breaches, but thanks to the continuing success of data thieves, that is no longer the case. Or rather, while theft of identities is from the outside, the insider is still going to be the culprit in cases of stolen customer lists, processes, and designs. The vast majority (91%) of the stolen records in 2008 can be attributed to organized crime, according to the report. So far, arrests have been made in fifteen of the ninety cases that Verizon has been involved in.