The UK Cards Association recently reported a 19% decline in card fraud in 2009, the first decrease since 2006.
However, that bit of good news was tempered by a continued increase in phishing attacks and a general consensus that cybercriminals have moved on to richer targets, like online bank accounts.
For the reduction in card fraud, the report credited “chip and PIN” technology (which likely has had a substantial effect in the UK) and the online programs SecureCode by MasterCard and Verified by Visa, which have yet to really demonstrate their efficacy (and it’s notable that the latter was even itself targeted by a phishing scam in late 2009).
It’s interesting to juxtapose this survey with the news out of Russia of the arrest of three hackers alleged to have led a daring US$9M heist at RBS Worldpay in late 2008. In the exploitation of an “advanced persistent threat,” these hackers conducted surveillance on the RBS Worldpay network, subverted the encryption scheme for issuing payroll debit cards, and used a network of “cashers” with cloned cards to hit ATMs in 280 cities for over US$9M in less than 12 hours, all while monitoring the cashers’ activity to ensure they would receive their proper cut.
The leaders of the group were once associated with the multifaceted cybercriminals of the Russian Business Network, but had evidently moved on to more daring, targeted, and lucrative attack channels.
This provides further evidence for a particularly notable turning point in the evolution of professional cybercrime: it is no longer a scale game in which carders sell large quantities of credit card data online for ever-diminishing prices. Now, professional cybercrime increasingly resembles robberies like the Lufthansa heist. Organised criminal professionals now spend substantial amounts of time surreptitiously studying and defeating a variety of security measures before going after large sums of cash in a highly coordinated final stage that takes hours or even minutes to execute.
From the point of view of the information security executive, solving the problem is more complex than ever. In order to detect the RBS Worldpay hackers, the security organization would have needed to assemble clues from traditional network security events, like IDS alerts, firewall logs, and system/application vulnerability data (the hackers are suspected to have entered the network via SQL injection or custom malware), with application logs and transaction data (the hackers managed to raise the maximum balance for the cloned debit cards and access large numbers of account numbers and PINs to enable the massive withdrawals).
This is of course a classic use case for correlation technologies, like SIEM. However, most financial institutions have one group (or sometimes several) using fraud detection technologies and an entirely separate group doing IT security monitoring with a different platform, making it unlikely that all the relevant data would ever be available for one system to correlate.
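The kind of cross-source correlation the two paragraphs above call for, as an added illustration that is not from the original post: it joins a card-management log (balance-limit changes, the sort of application event the security team rarely sees) with ATM transaction records (the data the fraud team owns) and flags cards whose limit was raised sharply and which were then used in many distinct cities within a short window. The event fields, thresholds and sample records are all constructed assumptions, not RBS Worldpay data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real records). In a SIEM these would arrive as
# two separate feeds: application audit events and transaction records.
LIMIT_EVENTS = [
    # (timestamp, card_id, old_limit, new_limit)
    ("2008-11-08T01:10:00", "card-0001", 2000, 500000),   # suspicious jump
    ("2008-11-08T01:12:00", "card-0002", 2000, 2500),     # routine adjustment
]
ATM_EVENTS = [
    # (timestamp, card_id, city, amount)
    ("2008-11-08T02:05:00", "card-0001", "Atlanta", 8000),
    ("2008-11-08T02:07:00", "card-0001", "Chicago", 8000),
    ("2008-11-08T02:09:00", "card-0001", "Moscow", 8000),
    ("2008-11-08T02:11:00", "card-0001", "Tallinn", 8000),
    ("2008-11-08T03:00:00", "card-0002", "London", 200),
]

def _parse(ts):
    return datetime.fromisoformat(ts)

def correlate(limit_events, atm_events, window=timedelta(hours=12),
              min_cities=3, limit_factor=10):
    """Return {card_id: {"cities": n, "total": amount}} for every card whose
    limit was multiplied by at least `limit_factor` and which was then used at
    ATMs in at least `min_cities` distinct cities within `window` of the change.
    Either signal alone is weak; together they describe the cash-out pattern."""
    raised = {}
    for ts, card, old, new in limit_events:
        if old > 0 and new / old >= limit_factor:
            raised[card] = _parse(ts)
    cities = defaultdict(set)
    total = defaultdict(int)
    for ts, card, city, amount in atm_events:
        t0 = raised.get(card)
        if t0 is not None and t0 <= _parse(ts) <= t0 + window:
            cities[card].add(city)
            total[card] += amount
    return {card: {"cities": len(seen), "total": total[card]}
            for card, seen in sorted(cities.items()) if len(seen) >= min_cities}

if __name__ == "__main__":
    for card, info in correlate(LIMIT_EVENTS, ATM_EVENTS).items():
        print(f"ALERT {card}: {info['cities']} cities, {info['total']} withdrawn")
```

The point is that neither feed raises an alert on its own: the limit change looks like an administrative action and each withdrawal is within the new limit, so only a system holding both streams can see the pattern while the cash is still in play.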
In the RBS Worldpay example, the fraud was not detected until days after the attack, when the cash was long gone. Financial institutions will have to change the way their security and fraud departments are organised as well as the tools they use in order to keep pace with the likes of the RBS Worldpay hackers.