Hackers develop 'memory-scraping malware' to steal PINs

More personal data records were breached last year than the previous four years combined, thanks to increased hacker activity rather than insider threats.

Verizon's second annual Data Breach Investigations Report also found that the financial services sector accounted for 93 percent of all such record compromises during 2008. The study is based on an analysis of data involving 285 million compromised records from 90 confirmed breaches, 90 per cent of which are blamed on the activities of cybercriminals.

Because the survey is based on actual cases of confirmed data breaches, rather than responses to surveys or questionnaires, it provides a much more revealing insight into cybercrime trends.

Most of the breaches (74 per cent) investigated were caused by external sources, while 32 per cent were linked to business partners. Only one in five (20 per cent) were attributed to insiders, a finding that runs against conventional wisdom in security circles. Some breaches were caused by more than one source, hence the overall figure adds up to more than 100 per cent.

The study also found that the majority of breaches resulted from a combination of events rather than a single security mistake. Two in three breaches were blamed on hackers. Typically, miscreants exploited vulnerabilities to install malware onto systems for later retrieval.

Two in three breaches (69 per cent) were discovered by third parties. Nearly all the records compromised (99 per cent) last year came from internet-connected systems, either servers or applications. The finding put concerns about mobile devices and portable media in context, the SANS Institute's Internet Storm Centre notes.

Much has been made of the fact that some organisations who achieved compliance with the credit card industry's PCI-DSS standard wound up becoming the target of some of the highest profile hacking attacks. However, Verizon's study found that 81 per cent of organisations hit by security breached subject to PCI-DSS had been found to be non-compliant prior to the attack.

PIN down

Verizon reports that attacks targeting PIN data "exploded" last year.

These PIN-based attacks hit the consumer much harder than typical signature-based counterfeit attacks in which a consumer's credit card is compromised. Investigators found that PIN fraud typically leads to cash being withdrawn directly from the consumer's account - whether it is a checking, savings or brokerage account - placing a greater burden on the consumer to prove that transactions are fraudulent.

The higher monetary value commanded by PIN data has spawned a cycle of innovation in attack methodologies. Criminals have re-engineered their processes and developed new tools, such as memory-scraping malware, to steal this valuable commodity.

Bryan Sartin, director of investigative response for Verizon Business, told Wired.com that these attacks involved assaults on both unencrypted data held on insecure systems and encrypted data.

"We're seeing entirely new attacks that a year ago were thought to be only academically possible," Sartin said. "What we see now is people going right to the source... and stealing the encrypted PIN blocks and using complex ways to un-encrypt the PIN blocks."

Hardware security modules, which act as a form of switch for encrypted data within bank networks, are under active attack. "Essentially, the thief tricks the HSM into providing the encryption key," Sartin explained. "This is possible due to poor configuration of the HSM or vulnerabilities created from having bloated functions on the device."

The class of attack has been understood in academic circles for some years (researchers at Cambridge and in Israel have published papers on it) but Verizon's detailed study is the first evidence that it's been used in anger.

Green cross code

Verizon analysts found - as they did in the firm's previous study, which covered 230 million compromised records from 2004 to 2007 - that nearly nine out of 10 breaches were avoidable with basic security precautions.

The survey concludes with a series of common-sense recommendations on how to guard against attack - such as patching, regular auditing and robust password security - explained in greater depth in the complete report (PDF) and in a summary here. ®