[ISN] Credit card hacking not hard

From: InfoSec News (isn@private)
Date: Tue Jun 21 2005 - 23:44:11 PDT


http://www.madison.com/wsj/home/biz/index.php?ntid=44402&ntpid=2

Brian Bergstein 
AP technology writer
6/21/05

The numbers involved in the latest high-stakes cybercrime are
astonishing: Burrowing into a payment-processing company's computers,
a hacker apparently stole data on 200,000 credit and debit accounts
and had access to 40 million.

But that doesn't make the techniques required to pull off such a heist
all that unusual.

Security researchers say the murky online community of credit card
thieves is increasingly sophisticated at exploiting weaknesses in
financial networks.

And even lesser mischief- makers, often derided as mere "script
kiddies," can pick from a bundle of easily available tools that let
them cut and paste the programming code needed to carry out attacks -
without even understanding how it works.

"I'd say a script kiddie could do this," said Jim Stickley, chief
technical officer for TraceSecurity. "I don't think it would be
difficult at all."

Little has been publicly revealed about the attack on CardSystems
Solutions, an Atlanta-based company that ferries card transactions
between merchants and banks. The FBI and the company have been silent
about details of the hack.

Asked Tuesday whether one of the company's 115 employees could have
been involved, Bill Reeves, CardSystems' senior vice president of
marketing, said the company would not "rule anything in or out at this
point."

Even so, enough is known so computer security experts can make
educated guesses.

When the breach was announced Friday, MasterCard said someone had
installed a virus-like program on CardSystems' network. CardSystems
later acknowledged that the compromised data had been inappropriately
stored for "research purposes" rather than deleted after transactions
had ended.

If that "research" had involved transferring data into less-secure
parts of CardSystems' network - perhaps, say, so CardSystems
programmers could run tests on real credit card records - outsiders
who routinely probe systems for soft spots could have discovered the
files.

"In this day and age you have hundreds of attacks on every single
Internet connection every single day," said Jonathan Rosenoer,
director of risk and compliance solutions in IBM Corp.'s financial
services practice.

Once a weakness is found, how can it be exploited?

Stickley offered one simple scenario: Someone could send a CardSystems
employee an e- mail linking to a phony online greeting card. The link
would produce the expected dancing dog or other jolly scene but in the
background, a "Trojan horse" program would take root on the computer
and prepare to relay information to an outsider.

Because the program would enter through communications ports commonly
left open for Web browsing, the attack would not be picked up by
intrustion-detection software or blocked by a firewall.

Robert Richardson, editorial director of the San Francisco- based
Computer Security Institute, suspects the CardSystems hacker had to
get into a database server rather than just an average
Internet-connected computer.

For that, "you'd need to be a notch above script kiddie," he said.  
Even so, he added, more and more automated tools now exist to unleash
Trojan horses and other means of busting into complex systems.  
"They're moving up that food chain pretty fast."

Tom Kelly, a former credit- fraud investigator for the Postal Service
and Citigroup, said the CardSystems hack appears to be the work of a
sophisticated ring that knew precisely what kind of file to grab.

"Maybe they hack all kinds of different things and they just got
lucky, but I think it's surprising," said Kelly, senior investigator
at Stroz Friedberg, a computer forensics firm.

"Can anybody - you and your friends - sit down, and if you're real
computer savvy, get into this system? I don't think so. If you did it
24/7 and it was your job, I would say probably."

Copyright © 2005 Wisconsin State Journal



_________________________________________
Attend the Black Hat Briefings and
Training, Las Vegas July 23-28 - 
2,000+ international security experts, 
10 tracks, no vendor pitches.
www.blackhat.com 



This archive was generated by hypermail 2.1.3 : Tue Jun 21 2005 - 23:55:04 PDT