It is hard to pick up a tech publication without finding a story about another security breach that has compromised credit card information. According to Identity Theft Resource Center there were 167 data breaches in the first three months of this year. At least 8.3 million records containing sensitive information were potentially compromised in the same time period.
One Recent Event: Data from 4 Million credit cards stolen. Recently, Hannaford announced what security experts call a sophisticated attack on their computer network that resulted in the theft of credit and debit card account information.
When we think of credit card data theft and fraud you don’t think about terrorism — but that is indeed the case. Al Qaeda is a skilled practitioner at using the Internet for a multitude of reasons. According to FBI Director Robert Mueller, “The Internet has been used by the likes of Al Qaeda to recruit, to train, to communicate.” The arrest of Al Qaeda’s top cyber terrorist provided hard evidence of their use of stolen credit card data for funding. In one case, terrorist groups use the stolen credit card information to purchase $3 million of materials to carry out terrorist attacks. Al Qaeda’s top cyber terrorist 23 year old Younes Tsouli (online name — Irhaby007), recently admitted conspiring to defraud banks, credit card companies and charge card companies.
For additional information about terrorist cyber attack capabilities you may want to download this CRS Report to Congress titled: Terrorist Capabilities for Cyber Attack.
Overview and Policy Issues:
The game has changed! Information security as it relates to sensitive data, like credit card information, has now risen because of the link to terrorist financing. Imagine the psychological impact if you were to find your credit card was used to finance a terrorist attack that resulted in the death of innocent civilians. Imagine the damage to a corporation’s brand and possible backlash from their customers. Significant improvement in all aspects of security is needed to cut off this funding source.
I guess that explains all those charges on my account for Semtex, track suits, and shower shoes.
Nice, demophilus.…
When you say “Hannaford”, I take it you’re referring to this.…
“Hannaford Breach May Presage ’08 Trend“
http://blog.washingtonpost.com/securityfix/2008/03/hannaford_breach_may_presage_0.html
“While the payment card industry standards require retailers to encrypt payment data when it traverses public networks, that requirement does not necessarily apply to a company’s own internal, non-public networks, Sartin said.
“I would say a trend we’re seeing hitting a lot of retailers right now is that these organizations can be [compliant with the credit card industry security standards] and still have customer data stolen,” Sartin said. “The data in transit is allowed to traverse private links and internal infrastructure without being encrypted, and the attackers are taking advantage of that.“
Sartin declined to say whether this dynamic was at work in the Hannaford case (his company had been retained by a party involved in the breach). But he noted that Cybertrust has found with a number of very recent compromises that attackers have seized control over the very terminals that control cash registers or point-of-sale systems within a retail store, or the server through which all registers connect to pass transaction data out across the Internet to the store’s payment processor.“
Whether it’s the cause or not, I think Encrypted LANs (NICs with Crypto ASICs) should be the standard practice and not an exception. The above story is also probably just another push towards a Dynamic Credit Card Model.
Regarding “Al Qaeda’s top cyber terrorist 23 year old Younes Tsouli”. According to the Washington Post article, he was basically a web admin who “stole via phishing scams and the distribution of Trojan horses”. The wording leads me to believe that he didn’t even write the Trojan apps, but instead just used off-the-shelf code.
As for “The game has changed!… Imagine the psychological impact…Imagine the damage to a corporation’s brand”. I have to disagree. Theft has funded criminal organizations & murder since before civilization, how is this any different? Unless somebody gets a bill for a suicide bombing, or a specific entity was intentionally financing terrorism… people probably won’t even notice. Heck, the 9/11 plotters utilized basic U.S. banking services, and with the exception of United Airlines (who are still in business) I don’t recall any other brands.
“Al Qaeda funded the hijackers in the United States by three primary and unexceptional means: (1) wire or bank-to-bank transfers from overseas to the United States, (2) the physical transportation of cash or traveler
To Camp — Finally someone who gets it. Security for our systems cannot be piecemeal and must go end to end. Encryption is one way to increase the security of our networks and our data. I am not sure you knew this but, criminal enterprises have been established to sell software exploits, trojans, viruses and other malware to anyone who want them. They have become the new arm dealers. While the government is laser focused on their systems and DoD capabilities, we will not really make a big difference in security until businesses are made to increase their security.
Thanks for reading the article and your posting
Coleman is a propagandist who sells himself for $5,000 a gig, currently for doing “cyberscare” but eventually for anything that might be profitable for HIM.
This has little to do with Defense or Technology, thus doesn’t belong on this ever deteriorating blog, and a lot to do with hyping his business.
If some 23 year old geek confessed (under torture?!) to be the “mastermind” of Al Qaeda’s internet operation I certainly have no fear for the world to be taken over by those.
b YOU JUST DON’T GET IT! Until you protect the massive systems used in business and the sensitive data they collect and store the country is at risk. Read “UnRestricted Warfare” it will help you understand our enemy. Oh by the way, I retired from Netscape and donate about 70% of my time to helping other deal with strategic technology issues. Just for the record.
All anyone has to do is read the news and you will see just how exposed our information systems are currently. I guess “b” can’t read! Symantec just announced internet threats rose over 400% in 2007 from 2006 numbers. We really need to address this!
I keep waiting for one of these data breaches to catalyze a good ol’ American class-action lawsuit which ruins a major company and thereby scare everyone else into behaving responsibly, but so far it hasn’t happened.
Just as an FYI, I got a phone call advertising a 6.5% interest rate for my credit card. Interestingly, it did not say which credit card, i.e. bank and card company. The caller ID revealed that the call originated from a Middle Eastern country, Bahrain.
I’m convinced it was a credit card scam. Was it terrorist related? I don’t know, but I wouldn’t be surprised.
I attended the RSA conference and wanted to say that U.S. Secretary of Homeland Security Michael Chertoff said almost word for word what you have been saying on here since you two began this blog. I think he is listening so both of you keep it up!
THANK YOU FOR YOUR EFFORTS
b,
You’re just a big fat meanie!
yeah…cyberscare or “pump my…budget” ?