The front page of today's Wall Street Journal headlines the arrest of three individuals who allegedly stole 130 million credit and debit card numbers, causing hundreds of millions of dollars in losses. No details were provided about how they were able to penetrate networks at Fortune 500 companies in order to steal data and install "back doors" to enable further data thefts in the future. And this isn't the last we will see of this type of fraud. The article warns of increasing financial security threats:
Wire fraud, conducted in cyberspace because wire transfers now use networks that connect to the Internet, has exploded in recent years. The Treasury Department recently reported that of the more than 55,000 incidents of wire fraud since 1998, more than half of them occurred in the past two years.
"The financial sector may be more secure than most, but it's hemorrhaging," said Tom Kellermann, a former cybersecurity official with the World Bank who is now a vice president with Core Security Technologies, a cybersecurity company. "For too long a time they have not paid enough respect to the sophistication and organization of the underground economy."
A companion article "What Consumers Should Know About the Breach" suggests "spending five to 10 minutes per day looking on-line at bank and credit card accounts". What fun! Who has time for such activity on a daily basis? And if your PC has been compromised with a keylogger then you could be giving the bad guys access to your accounts.
Several banks offer notification via email and otherwise about account activity. That is worth checking into.
Why is the situation getting worse?
- The first reason is that the hardware and the operating systems powering the Internet can never be made secure due to their architectures. They are based upon designs that predate the Internet. It's a vulnerability - exploit - patch cycle that never ends. This is a fundamental problem although architectures exist today that are much stronger.
- The second reason is that there is money to be made and a lot of low hanging fruit to exploit for the hackers.
- The third and obvious reason is that anyone in the world can be a hacker and can reach you through the Internet. So the list of possible attackers is huge.
- Lastly, there is no authentication of who is who on the Internet or for email. This makes introducing malware through email or malicious web sites possible. DNSSEC will take care of this shortcoming but most of the market still believes it is complicated and expensive. That will change over the next year as infrastructure providers implement DNSSEC.
Until we address Internet infrastructure shortcomings we will be stuck checking our accounts frequently.
Comments