There was good news and bad news on the cyber security/crime front this week. Yesterday, the U.S. Federal Bureau of Investigation (FBI) announced the arrest of 24 hackers allegedly involved in credit card, bank account and ID theft in a sting operation that spanned 13 countries. Eleven of the individuals were arrested in the U.S. (two are minors), while the remainder were arrested in Bosnia (2), Bulgaria (1), Germany (1), Italy (1), Japan (1), Norway (1), and the United Kingdom (6).
The FBI stated that in June 2010 it set up a phony website for “users to discuss various topics related to carding and to communicate offers to buy, sell, and exchange goods and services related to carding, among other things.” The FBI used the site to gather detailed information on the users which eventually led to the arrests. The press release describes in more detail how the honeypot website worked.
The FBI claims that as part of its operation it “has prevented estimated potential economic losses of more than $205 million, notified credit card providers of over 411,000 compromised credit and debit cards, and notified 47 companies, government entities, and educational institutions of the breach of their networks.”
It may have been coincidence, but yesterday the U.S. Federal Trade Commission (FTC) announced that it had filed a lawsuit “against global hospitality company Wyndham Worldwide Corporation and three of its subsidiaries for alleged data security failures that led to three data breaches at Wyndham hotels in less than two years.”
The FTC states that “these failures led to fraudulent charges on consumers’ accounts, millions of dollars in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information to an Internet domain address registered in Russia.”
The FTC alleges that Wyndham, even after a significant security breach in 2008, which was the result of poor security practices (and which the hotel chain kept secret for months), “failed to remedy known security vulnerabilities; failed to employ reasonable measures to detect unauthorized access; and failed to follow proper incident response procedures” which allowed two more data breaches in 2009. It would be interesting to know whether some of the compromised credit card information stolen from Wyndham turned up on the FBI sting website.
One reason that the FTC is suing Wyndham is that it, like a lot of other companies, prominently proclaims in its marketing information to take the care and security of customer data seriously, but apparently really doesn’t. I suspect the FTC is sending out a warning to other companies that their actions better match their public statements about IT security.
Which makes one wonder how the FTC will view the cruise ship company Cunard Line’s admission of a recent data breach involving the personal details of 1,200 of its passengers? According to this story concerning the breach, Cunard’s website states that, “Cunard Line cannot guarantee the security of any information you transmit to us or from our site, and therefore you use our site at your own risk.” Does that legally absolve them in any way in case of a data breach?
Maybe some of the lawyers interviewed in this Wall Street Journal article from Monday about lawyers and law offices being hacked can give an opinion.
In one more bit of news on the justice side of the ledger, two members of the group LulzSec pleaded guilty in a UK court on Monday to charges of launching denial of service attacks against and hacking into websites in the US and the UK. Two other LulzSec members who were also arrested have pleaded innocent to similar charges and are awaiting trial.
On the unlawful side of the ledger, the head of the UK Security Service MI5, Jonathan Evans, stated in a speech on UK national security this week that hacking by an unnamed foreign state resulted in a British company losing £800m in revenue, the Independent reported. Evans was quoted as saying the loss “was not just through intellectual property loss but also from commercial disadvantage in contractual negotiations.” Whether this should be considered just a criminal act or something more like a cyber-attack, I’ll leave up to you to decide.
Additionally, EU security researchers have announced in a research report (pdf) that they “found a way to exploit the RSA SecurID 800 token, as well as at least seven other tokens, by leveraging cryptographic flaws in the devices,” this article in Information Week states. Supposedly, the researchers took as little as 13 minutes to crack the token's security. However, RSA responded to the news with a big yawn, stating that while the results are “scientifically interesting, it does not demonstrate a new or useful attack against RSA SecurID 800.” I expect there will be more on this result in the coming weeks.
Further, an article in Computer World today reports that cyber criminals are targeting “high-balance business and consumer bank accounts by using sophisticated fraud automation techniques that can bypass two-factor authentication.” The new attack approach, which netted criminals at least £48 million in attacks against 60 institutions, is outlined in a report (pdf) put out by the security companies McAfee and Guardian Analytics.
Finally, Royal Bank of Scotland (RBS) Group customers are already seeing phishing emails trying to get their personal banking details in the wake of the computer system meltdown at RBS Group-owned banks the past week. According to a story at SkyNews, “One of the emails pretends to be from Stephen Hester, the head of RBS, apologising for the problems at RBS and says a ‘security upgrade’ requires them to update their information.” The email sends the person to what is described as a realistic site where the person's bank account details are requested, and thereby stolen.
Unfortunately, it is likely that more than one RBS Group customer will fall for the phish, just as an employee of the U.S. Commodity Futures Trading Commission fell for a phishing email last month which led to the possible compromise of personal information on all 700 employees working there. The incident was announced late last week. Maybe the CFTC should start using the phish email training software to try to educate its employees on how to recognize phishing emails.
As I said, an IT security mixed bag this week, and it’s only Wednesday.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.