Deconstructing a Data Breach at BAI Retail Delivery 2013

Retail banking institutions of all sizes are facing the unprecedented risk of attack by cybercriminals from all corners of the globe who are using increasingly sophisticated tactics to steal sensitive company and customer data in addition to large sums of money. This was a key message shared by forensic expert Christopher Novak, a lead investigator on Verizon’s RISK team, at BAI Retail Delivery 2013 in Denver, Colorado on November 7.

In his presentation titled, “Cybercrime: Best Practices for Protecting Customers and Assets in the New Normal”, Novak stressed to banking executives that protecting and safeguarding assets requires constant vigilance through a combination of people and technology tools; company-wide education and awareness; and, mock attack “fire drills” to stay a step ahead of the threat actors who are seeking to harm an institution and its brand. He also urged the audience to never underestimate the tenacity of an attacker.

Sharing data from Verizon’s 2013 Data Breach Investigations Report, which provides a comprehensive view of how cybercrime is changing and how companies and law enforcement agencies around the world are collaborating to mitigate attacks, Novak proceeded to deconstruct the analyzed breaches, citing among other things various attack motives, methods, countries with the highest level of perpetrators and discovery timeframes.

The 2013 Data Breach Investigations Report revealed that top motives for attacks on institutions included financial gain by organized crime rings which came in at fifty-five percent, in addition to state-affiliated activity which comprised twenty-one percent of the analyzed breaches. Thirty percent of the breaches originated from China, with Romania coming in at a close second with twenty-eight percent. In terms of discovery time, “Sixty percent of breaches took months to discover,” according to Novak.

Peppered throughout his presentation were insightful anecdotes of tactics that Novak and his colleagues have recently encountered while investigating attacks on financial institutions. He cited the example of targeted phishing schemes in which the perpetrator – using e-mail addresses that are easy to figure out from a company’s external website – pretends to be the CEO and sends an e-mail to the CFO authorizing a wire transfer to a particular vendor. Because the request is coming from the top, the typical checks and balances are overlooked and the transfer is made — albeit into the wrong hands which then see to it that the funds change hands repeatedly until they are successfully out of a country’s jurisdiction. The result is a money trail that is nearly impossible to track and stolen assets that cannot be recovered.

Novak also shared that distributed denial of service attacks, which the banking industry has borne the brunt of in recent years, are now becoming a diversionary tactic that cybercriminals will stage while they are perpetrating more malicious attacks. He also added that the larger institutions, which are presumed to have the most sophisticated detection and mitigation tools, are often the victim of simpler tactics that may be easily overlooked.

An audience member asked Novak about security and the cloud to which he responded that, “We’ve seen almost no difference between cloud-based and hosted services,” though he did add that the cloud is a relative newcomer on the scene and that not as much data exists yet. Novak also urged audience members to evaluate the security practices of their cloud providers as they would with any third-party vendor.

The Verizon Data Breach Investigations Report has analyzed more than 2,500 security breaches involving more than 1.1 billion compromised records since 2004. The 2013 report can be downloaded at www.verizonenterprise.com/DBIR/2013.