Butch Cassidy and the hacking kids
The information security implications of change
The recent media interest surrounding the heist of several million pounds worth of money from cashpoints across the globe highlights the fact that, with the connectivity introduced by the internet age, the definitions of national boundaries have changed beyond recognition.
Information security has often been considered as the afterthought in many organisations. The primary concerns of cost efficient systems that suit the functional requirements of the end-user are all too often prioritised, while the technical hardening and resilience to potential threat vectors are passed down the line, and considered as the final piece of the jigsaw serving little more than lip service to the notion of security due to tight budgets.
A number of recent high profile breaches highlight various facets of this issue; although in reality the majority of these weaknesses stem from an underlying human precondition towards minimal effort. The headlines provide striking news stories; however the underlying weaknesses are default and weak user credentials.
The string of cash withdrawals across the globe has taken a fundamentally different approach and casts suspicion against the security model of offshoring potentially sensitive data, while raising the political spectre of responsibility in the global economy.
While credit card security has improved significantly in recent years, the security of debit cards has lagged behind. Media interest focuses on credit, and debt, over accounts that are tied to physical account balances.
While investigations are on-going; the true detail of the break-ins will remain unclear, and subject to speculation. However, it is clear that sensitive account information for a number of accounts was held offshore. While this detail may not have included the entire card details, a number of critical components for these were exposed, including account balance information for pre-paid debit cards.
In reality, these weaknesses are liable to be similar in nature to their more publicised neighbours, where the human weakness allows cracks to appear in the outer security layers. The introduction of multi-national boundaries introduces issues such as language and process priorities that can provide skilled individuals the opportunities to social engineer themselves into privileged positions.
These cracks can then be utilised in order to gain access to underlying infrastructure. With even the tightest of security hardening, access by ‘legitimate' users into an environment will be allowed.
However, this heist has hit the headlines because the unnamed perpetrators took the process one step further: by enrolling a number of operatives across the globe, they were able to change the ‘back room hacker' stereotypical attack into a physical theft of millions of dollars, and bypassed many of the underlying bank security measures that were put in place.
The use of technological warfare, combined with the age old art of card cloning, provided the means for significant number of withdrawals in a targeted and coordinated fashion. Significant and inherent weaknesses in the ATM processes, and account security measures were unearthed, which will have caused the many card companies sleepless nights as they rush to react to the media spotlight.
It must be noted that the majority of countries where the fraud was targeted continued to utilise the card magnetic stripe as the primary means of card security, while nations such as the UK, where chip and pin technology is used extensively, have been targeted less.
Technological advances such as this will have reduced a number of the lowest hanging fruit for such an operation. However, the underlying weaknesses still exist, and should not be overlooked.
For many, such a news article provides a wake-up call. Where once the world of the ‘hacker' was considered a minor consideration for many in the private sector; either the domain of the bedroom teenager, or the James Bond style spy, the real implications for many will have been realised. This is physical money, and is a global issue.
Many current initiatives, such as the PCI security standard and Barclays Risk Reduction Programme, aim to raise awareness of the hardening of systems involved in the processing of card data and provide reassurances against the underlying processing methods.
Such programmes provide markers that can be used as part of a broader education and awareness that can be adopted by companies in order to integrate a solid understanding of security, both from the board level down, and from the ground level up.
Sam Raynor is a consultant at Information Risk Management