Insider Threat Management

60 Minutes Brings Credit Card Theft to the National Spotlight

Brian Krebs determines affected banks by monitoring credit card dumps onlineData breaches are inevitable and they are growing rapidly, in terms of frequency and severity. That was the key takeaway from last night’s 60 Minutes special on cyber security.

Bill Whitaker reported on the alarming amount of data breaches that have occurred this year – as many as 97% of all businesses have experienced a breach. The report highlighted some of the problems surrounding cybersecurity in the credit card industry.

With high profile breaches involving stolen credit card information at Target, Michael’s, P.F. Chang’sHome Depot and others in 2014, it was only a matter of time before this subject hit the national spotlight.

Whitaker interviewed various members of the cybersecurity community – in today’s post, we want to highlight some of the key takeaways in greater detail. When you have time, we strongly recommend you watch the video in its entirety.

What happens to information after it is taken?

Among those interviewed was our friend Brian Krebs from Krebsonsecurity.com, one of the leading sources for breaking data breach stories. One of the ways he discovers breaches is by searching the marketplaces hackers use to sell breached data.

Crime syndicates in countries such as Russia and the Ukraine have set up online shopping websites where criminals can buy and sell stolen credit card information. Professional cyber criminals sell credit card dumps; big batches of stolen cards. Common criminals and street gangs buy the stolen cards and make fraudulent purchases.

In the case of Target, 40 million credit cards were stolen in the 3 week breach. However, only about 5% of those cards were sold – the information of 2 million customers was compromised. For cyber criminals selling the cards at $20 each, this means $40 Million was gained from the hack. For banks, the amount lost depended on how many fraudulent purchases were made with the stolen cards. Last year in total, credit card theft cost banks $11 Billion in fraudulent purchases in the US.

Can companies reduce their chances of being breached?

The fact that hackers have such a sophisticated method of selling stolen credit cards makes it even more important todetect a breach immediately and stop the bleeding before any further damage can be done. Unfortunately, DeWalt states that data breaches go undetected in a company’s system for an average of 229 days! This makes it even more likely that a hacker will find sensitive or valuable information, successfully get it out of the company’s network, and sell it or use it fraudulently.

According to Barry Abramowitz, CIO of Liberty Bank in Connecticut, it is difficult for banks to detect when their client’s cards are being used fraudulently. Even though the theft of card data is usually the fault of the retailer, the banks are the ones who end up paying for any charges made.

Credit card companies and retailers must do everything they can to prevent these new types of cyber threats. Credit card companies are already introducing computer chips into their cards to make it harder to counterfeit. New mobile payment methods also attempt to reduce the amount of sensitive data transferred in a transaction. Companies must understand that at some point a breach will happen to them. Their responsibility is to be prepared to stop the attack and prevent their customer’s information from leaking out.

In reference to what companies can do to combat inevitable data breaches, the story stated, “They are going to get in, but, don’t let them access the information that is really important.  Don’t let them get back out with information.  Detect it sooner.  Respond sooner, and ultimately, that exposure is very small.”

How does your company prevent cyber criminals from making off with your sensitive information? Click here to learn more about mitigating user based risks to ensure your enterprise data is protected with ObserveIT’s new EMA report.

Subscribe to the Proofpoint Blog