Why are credit card databases of large retailers so easy for hackers to penetrate & compromise?

There seems to be story after story of late of hackers getting into supposedly secure networks and stealing credit card numbers. I’m not technologically illiterate, but I really have difficulty wrapping my head around how this happens.

With all the firewalls, passwords and various methods there are to guard data, how does someone with an outside internet connection burrow into a super secure network and make off with these databases? The regularity with which this happens makes it seem almost like a trivial exercise for these hackers.

Why are these supposedly super secure networks so easy to compromise?

I don’t think it’s so much that they’re easy but rather that the payoff for success is so big. Highly motivated hackers can get into almost anything given sufficient time and resources, and getting a big list of credit card numbers is a big, quick return on investment.

I am an IT guy but not particularly knowledgeable about security. But just as for physical security, a lock designed by one smart guy can be picked by another smart guy with a lot to be gained. Cybersecurity is an arms race. I think once we have quantum computer encryption you might be able to reliably secure data.

In addition to this, the larger retailers and banks have a lot of access points into their data, for legitimate users, partners, etc. They spend a lot of money on protection, but when you have that many access points, it is easier for one of them to fail. Sometimes that failure is not a system failure, but a people failure (losing laptops, bad password security, etc.)

And then you have inside jobs. I could pull down 10 million credit card numbers, with their associated names, tomorrow if I wanted to, and send them to my personal email. I won’t do it, because:

A) I am too honest
B) I am not smart enough to evade the surveillance (I’m a business analyst, not an IT guy). I could do it tomorrow, but I would likely be arrested the day after that.

At our company, we have a few hundred people who have the same access as I do (or more). You get enough people, and you are going to find someone less honest and smarter than me.

The encryption method is irrelevant in this case. If you need to encrypt and store credit card numbers, then you also need to decrypt them. Which means the key has to be stored where it can be accessed by the systems and people who need to do that. And if the key is stored, it can be stolen.

For the OP: it’s not (usually) that their systems are easy to compromise. It’s that there is a truly staggering volume of attacks by many clever attackers. And it only takes a single successful attack.
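The point above about stored keys, as an added illustration that is not from the original post: a hypothetical card vault (constructed names and key) that encrypts card numbers with AES-GCM. Whoever obtains the records together with the stored key reads every number, so the key store, not the cipher, is what needs guarding and auditing; the vault keeps the last four digits in clear so display paths never need the key at all.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Vault is a hypothetical card store: PANs are AES-GCM encrypted at rest,
// but every service that must charge a card needs the same key.
type Vault struct {
	key     []byte            // the stored data-encryption key: the weak point
	records map[string][]byte // customer id -> nonce||ciphertext
	last4   map[string]string // kept in clear so display paths never need the key
}

func NewVault(key []byte) *Vault {
	return &Vault{key: key, records: map[string][]byte{}, last4: map[string]string{}}
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store encrypts a PAN; the customer id is bound as associated data.
func (v *Vault) Store(id, pan string) error {
	aead, err := gcm(v.key)
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	v.records[id] = aead.Seal(nonce, nonce, []byte(pan), []byte(id))
	v.last4[id] = pan[len(pan)-4:]
	return nil
}

// Decrypt is what a dump of records plus the stored key buys: the PAN in clear.
// Without the right key, GCM authentication fails and nothing is recovered.
func Decrypt(key, rec []byte, id string) (string, error) {
	aead, err := gcm(key)
	if err != nil {
		return "", err
	}
	n := aead.NonceSize()
	if len(rec) < n {
		return "", errors.New("record too short")
	}
	pt, err := aead.Open(nil, rec[:n], rec[n:], []byte(id))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte key
	v := NewVault(key)
	_ = v.Store("cust-1", "4111111111111111") // constructed test PAN
	pan, err := Decrypt(key, v.records["cust-1"], "cust-1")
	fmt.Println(v.last4["cust-1"], pan, err)
}
```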

Correct for all the answers so far. I work in IT too. The only thing that is even slightly different from the past is that records are centralized, so a single successful attack can compromise millions of records. The older models before computer databases became ubiquitous were even less secure. The chance of a security breach was much more likely, but fewer people were impacted so it didn’t make the national news.

Hackers and thieves are not a new phenomenon at all. To this day, you are still less secure handing your credit card to a waiter at a restaurant to have it processed behind the scenes yet most people never question that.

The companies I consult for have extreme security measures in place, to the point where it hinders my job if I can’t get into something I need to see. It goes through multiple levels of review even for routine matters, which can take hours or days. However, someone has to be able to see everything, otherwise those systems could never be implemented or troubleshot.

There is no easy solution to this problem. Social engineering is still the easiest way to gain access to whatever anyone wants to see (that means you trick individual people into giving you information rather than exploiting some odd software defect). It is more of a people and education problem than anything and efforts in that direction have been greatly increased in recent years.

Two basic possibilities:
- Systems administrators who are too busy / lazy / negligent in ensuring their systems are up to date with security, software updates, etc., all of the time without exception, and that the system logs are carefully annotated and updated as well.
- Users who don’t follow the required directions when choosing passwords and/or take the required social engineering precautions all of the time without exception.

Hackers and crackers of these systems exploit known human and system weaknesses. Many may be super-smart, but reality says they are just good at knowing how to exploit human weaknesses.

I agree with Shagnasty that social engineering is still the easiest way to break into computer networks. I’m an Oracle database administrator and security is a big issue. We do quarterly critical patch updates (CPU) on both the databases and operating systems to fix bugs and security issues. We sometimes get zero day patches that we need to apply immediately. Then we have extensive checklists of security issues to check frequently.

All of this takes a lot of time and effort. I’ve seen some places where this time and effort isn’t taken, either due to manning issues, budget constraints, or just plain bad management. In one place they hadn’t installed a CPU in over a year. That means they are vulnerable to well known exploits. Another still had many of the default passwords unchanged. Then there’s a lot of the passwords-on-a-post-it-note-stuck-on-the-monitor going around.

Where I work someone broke into our facility and stole a bunch of hard drives out of our developers’ computers! Then a couple of months later one of our users had a key logger installed on their PC and someone was able to hack into their account. Note: It’s not a good day when the FBI beats you to the office. Fortunately other security measures, such as frequent password changes and limited user roles, minimized the damage for us.

Databases and networks are very complicated and there are holes to be found and exploited. There are people out there motivated by money or political needs to crack into such systems. It’s a war of sorts and it isn’t going to be over for a long, long time.

It’s not usually the case of burrowing in, but sneaking in via social engineering then carefully burrowing out. You search social sites like LinkedIn and find people like Clark Cello that may have legitimate access. You craft a forged email that looks like it’s coming from someone internally with an attractive looking attachment. Clark opens the attachment and gets compromised by a zero-day vulnerability. The trojan uses Clark’s legitimate access to grab the data. The next step is to disguise it via encryption or other means so that it can be sent out without being picked up by the DLP (Data Loss Prevention) systems.

This type of attack is what is known in the industry as an APT, Advanced Persistent Threat.

Hackers go after anything - you just hear about the big ones. I read an article about a “replacement” keypad for a gas pump, to steal PIN numbers and credit cards, thin as a piece of cardboard - from one gas pump. Come back every week or two to download the data. So they will steal 100 cards at a time or 1,000,000 - just the million will more likely make the news.

It only takes one stupid mistake to open the door to hackers - one key user who accidentally leaves his list of passwords in his phone, or uses 12345678 as his password… or one guy willing to sell access.