A few days ago Target revealed that they’d been hacked—beginning before Thanksgiving and ending December 15th. 40 million credit and debit cards were compromised: names, numbers and expiration dates. The name of the store now seems prescient.
Earlier incidences of large-scale data theft have happened repeatedly. In 2007, the company (TJX) that processes purchases at TJ Maxx, Homegoods and other discount retail chains lost the data on 90 million cards. Another heist was revealed this July when criminal charges were revealed against a group that cracked a similar company that processes the cards sales for J.C. Penny, 7-Eleven, NASDAQ, Dow Jones, JetBlue TJX Cos., BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority and the Dave & Busters restaurant chain, the Maine-based supermarket chain Hannaford Brothers and Heartland Payment Systems Inc., a New Jersey-based processor of credit and debit cards
160 million cards were involved in that heist. These hacks were pulled off by a group of thieves led by Albert “Soupnazi” Gonzalez—a guy who was a paid U.S. government informant, paid 75k a year, but I guess he couldn’t help himself. (A great story, told in full here.)
That same group also hit:
Carrefour S.A.: 2007, 2 million card numbers
Commidea Ltd.: 2008, 30 million card numbers
Euronet: 2010, 2 million card numbers
Visa, Inc.: 2011, 800,000 card numbers
Discover Financial Services: 500,000 Diners card numbers
Last year, thieves hacked into the Global Payments system (a company that processes credit card purchases for a large group of stores) and got 1.5 million credit card files. Adobe recently sent out a warning that their credit card files had been compromised. How many were those? 150 million is one estimate, but the company admits to 38 million. Ever buy Creative Suite or download a PDF reader? Diapers.com and Soap.com were hacked, as well.
What is one supposed to do? Yeah, I know—check for unauthorized purchases and shred documents—but realistically? Stop using credit cards? AND debit cards.
The Adobe break-in news was revealed by Brian Krebs, the same guy that revealed the Target breach. He blogs on security issues. It’s a pretty amazing site and he has some proposed remedies for some of these emerging trends—like the problem involving government and corporations giving big bucks to malware creators and other folks who will reveal hidden breaches (for a price) and then these states and businesses stockpile that zero-day info, but don’t always fix the holes as they want to store them like missiles in silos to use as weapons. As a possible partial solution, Krebs wonders if software developers should be made more responsible for the products they sell. At present they aren’t responsible for ANY of the consequences of their buggy work.
If we add those numbers of compromised cards up—and for sure there are more than what I’ve mentioned, but for sure there might also be some overlap too—we’re in the neighborhood of 300 million U.S. credit cards. The U.S. population is 317 million! Is there something I am missing? Has the entire country been hacked? Or at least some major percentage of the country? Granted, some of us have more than one card, but still—we’re getting there. The Department of Justice says that 10% of folks in the U.S. have been victims of credit card theft. Really, that’s all? Given the above number I sort of don’t believe them. You can still have your physical card for it to be “stolen.” 10%? 300 million is just 10%? Really?
I also ask myself if 300 million people have been affected why isn’t everyone up in arms about this? One would expect out of those 300 million a lot of folks would wake up to see their bank accounts drained or maybe some sudden charges like purchases of luxury goods in Kiev. Is that not happening? If it is I’m not aware of it. A wild guess, but maybe the hackers don’t distribute the data, but sell the card data back to the banks, companies and services they stole it from? Sort of a ransom that no one needs to know about. The thieves would make millions—guaranteed, no worries about selling the card info. to dodgy folks on the dark market—and the companies would stay in business and everything goes on as normal. Just a theory.
The other possibility I wonder about is if the thieves might have found a way to skim just the tiniest bit from all those accounts—maybe $10 a day, something many people wouldn’t notice. Multiply that by the number of cards and it’s a huge haul. The catch is that this light charging of accounts would have to not show up as a purchase in St. Petersburg or something like that.
Much cybercrime, of the non-NSA and corporate variety, emanates from Russia or the former Soviet Bloc: Ukraine, etc. Russia turns a blind eye to the activities of these folks operating within their sphere of influence, as long as they don’t hack the Russian government, Russian corporations or citizens. I foresee the major split in East/West relations getting even wider than it already is.
Misha Glenny wrote some wonderful books on this subject. (McMafia, Dark Market) He got to know a lot of the cybercriminals in the East and elsewhere, and his books read like thrillers, as he meets the hackers who, begin to fall from power due to ongoing investigations and stings. But others rise to replace them—it’s just too easy and irresistible.
What can be done?
Some cybersafety measures are a little drastic. Some countries are severing themselves from the global Internet completely. Iran, for one, a victim of cyberattacks emanating from the U.S. and Israel, sees this severance as a way of not becoming infected and being hacked. The entire country will be restricted to access via a huge intranet network that would not be connected to the global Internet. North Korea has an intranet called Kwangmyong (which means “bright”) and China has a large network of “netizens”—which include Weibo and Baidu, their own versions of Twitter and Google. It may keep their data safe, but it is obviously also a way of making sure their citizens only see what they’re allowed to see. Security = control—and this power inevitably leads to abuse.
Besides, many of these break-ins were done locally—by parking a vehicle with an antenna in the parking lot of a big box store, for example. So even if one has severed oneself from the global network, thieves operating locally could still break in.
Here’s an easy first step: Get rid of the easily-skimmable magnetic stripes on our cards. Replace them with the chips that are now common in Europe. Turns out the chip version is more secure, so why haven’t we all moved to that technology in the U.S.? Because of the expense of upgrading all payment processing machines? Talk about misguided logic!
Basically this reinforces my thought that the Internet is simply not secure, cannot be made secure, wasn’t designed to be secure and so the whole idea of global finances running on the internet might therefore be a misguided idea. Maybe I’m totally wrong, and good cryptography is what we need to implement, but reading the news about these guys—as well as the NSA—makes me think there’s always a back door or a way to break a wall. Maybe the internet is good as a place to flow ideas, but not to store data that needs to be secure or to keep social, political, military or personal stuff that might be damaging.
What does that mean for music as an online business—not so good, eh?
To be continued…