By David Dorf-Oracle on Aug 06, 2014
Here we go again. This time a Russian cyber gang has stolen 1.2 billion user records from various sites across the world. The New York Times was able to verify the authenticity of claims made by Hold Security, the company that uncovered the theft. Its becoming really hard to thwart these hackers from overseas. As I explained in a previous post, its just a matter of time before your site is breached, so we all must hope for the best but plan for the worst.
To put things into perspective, take a look at the chart below. If have to wonder if retailers stand a chance when even high-tech companies can't protect their own systems.
You will find more statistics at Statista
When systems are compromised, hackers monetize in three basic ways:
Banking -- This is where ATM theft, wire fraud, and identity theft come into play, and the payoffs are big. Using "mules" around the world, they coordinate simultaneous attacks to withdraw as much money as possible. I've had friends have their identity stolen, and its a mess.
Social -- The least sophisticated area is spamming using stolen email, Twitter, and Facebook accounts. They get paid for referrals like a typical marketing company.
Retail -- There are online stores where criminals can purchase bundles of stolen credit card "dumps," and they can even buy insurance to help guarantee the cards are still active. Then they buy goods and either return them for cash, sell them on eBay, or ship them overseas to be sold.
Aside: My favorite scam to steal from a retailer doesn't involve cyber crime at all. A guy in Florida stole over $300,000 in merchandise from Apple using social engineering. When the clerk swiped his card for a purchase it would be declined. He then would call the bank, but instead of actually talking to the bank, he would just tell the clerk the bank fixed the problem and the offline authorization code is "873538". The clerk would override the system as if an authorization by phone had been done (remember the old days before the internet?). Enjoy your new Mac and have a nice day. Go to next Apple store. Repeat.
Target's Christmas data breach costs them $148M, which is only .2% of yearly sales, but it cost the jobs of several executives and continues to create bad publicity. I imagine it costs banks a bundle to replace all the stolen cards as well. The numbers just keep getting bigger.
Unfortunately, many of these hackers are protected inside their countries because, frankly, they bring in lots of money. The US is left to wait for them to slip up and travel outside the country before they can be arrested. It has the feel of a cyber mafia with plenty of palms being greased.
PCI guidelines help. New EMV chip cards will help. More sophisticated firewalls, encryption, and computer forensics should help. But vigilance is required throughout the system, of which retailers are just one part.