Internet Retailer published an article discussing yesterday's new debit and credit card fraud indictments...and are advising Internet Retailers not to let down their guard. Based on the fact that Albert Gonzalez, a.k.a "Soup Nazi" has been in jail since March of 2008 and the number of SQL attacks has quadrupled since then, I would say that is good advice.
Here's an excerpt from the story...
“You should be just as nervous today as you
were yesterday, because there’s not just one of these guys,” says
Andrew Lauter, chief technology officer of fraud-prevention firm
Accertify LLC. “Everything he knew and learned has probably been
disseminated to another 100,000 bad guys.”
Editor's Note: And they've more than likely improved it with more than lemon since then...
There are several lessons for online retailers in this story, security experts say.
One is that, although the data was stolen by breaching systems in bricks-and-mortar stores, often the card numbers are used to make fraudulent purchases at retailer’s Internet sites, says Michael Petitti, chief marketing officer of payment security firm Trustwave. That’s because the criminal often can complete a web purchase with just a card number, the kind of data this crime ring allegedly stole in large numbers.
It’s also noteworthy, Petitti says, that the way they broke into computer networks involved an attack known as SQL injection, in which the hacker enters into an information field software code that, if not blocked, gives the hacker broad access to data in a computer network. In the case of online retailers, SQL injection attacks often take place on checkout pages where consumers are asked to type in such information as name and address. (and credit/debit card numbers)
However, increasingly hackers are carrying out such attacks on non-payment pages, such as customer support pages of a web site, figuring those pages are not as carefully reviewed by security experts, Petitti says. Even online social network pages that request information can be targeted in a SQL injection attack, he adds. He says the solution is to make sure a qualified security expert reviews any new web site application to make sure it’s not vulnerable to this type of attack.
Another result of this massive fraud is that criminals now often have more information about a consumer—not just card data but in many cases name and address, for instance, says Paul Brock, senior manager of managed services at payment processing and security firm CyberSource Corp. In addition, hackers have become adept at hiding their true Internet address, often by taking over the PCs of unsuspecting consumers.
Thus, a criminal who has card data about a consumer who lives in Los Angeles can take over a computer in that city and make a purchase from an online retailer that appears to be coming from the area where the legitimate cardholder lives, even though the hacker may be in another country.
Read the Entire Story at Internet Retailer.com