‘Tis the Season for Account Thievin’
Brooklyn born Willie Sutton made a career in crime; robbing banks and jewelry stores often in disguise earning him the nickname “The Actor.” His daring crimes also earned him two life sentences and 105 years in jail. As the story goes, when asked by a reporter why he robbed banks, he coyly replied “because that’s where the money is.” Several years ago, as many of us were cleaning up after the Thanksgiving meal, one of the largest breaches of credit card data in history was getting underway.
In November 2013, criminal actors compromised a major retailer, deftly moving across their networks and targeting systems used to deploy software to the enterprise. Once the appropriate access was acquired, the actors deployed memory scraping tools to thousands of cash registers. These machines, also known as Point of Sale (POS) devices, are computers which have specialized hardware attached to allow the operator to store currency in a hardened drawer, collect credit card information, and to print receipts. The goal of targeting these machines with a memory scraping utility was to capture the account information stored on the magnetic stripes of credit and debit cards. The readers extract the information at the time of purchase, and the computer’s software authorizes and logs the transaction. By examining the memory, the tools deployed by the actor were able to intercept and record the credit card account information. Another utility would then aggregate the stolen information and covertly exfiltrate it to a file transfer protocol (FTP) server where the actors were able to retrieve it for their illicit use. The timing of this event was not a coincidence.
Every year, especially in the United States (where many business still allow magnetic stripes for purchases), holiday spending has a dramatic impact on retailers. In 2015, according to the National Retail Federation (NRF), holiday spending in stores was $626.1 billion with an additional $105 billion in online sales. Referring back to Mr. Sutton’s rationale for robbing banks, it is pretty clear why a major retailer would be targeted at the beginning of the peak holiday shopping season.
Most major retailers make every effort to secure their systems, but this holiday season there are a few things every consumer should do to protect themselves. Much like walking in an unfamiliar part of town, situational awareness is the key to being safe. Here are five tips to ensure financial security during the peak shopping season:
- Do NOT use debit cards to conduct transactions: when a fraudulent charge is identified on a credit card, payment can be deferred until the situation is resolved. If the payment involves a debit card, the money in the account is not replaced until after the resolution.
- When shopping in stores, be wary of magnetic stripe reading devices. In October of 2015 the EMV (Europay, Mastercard, Visa) chip was widely implemented in the United States, thanks to a liability shift that enticed retailers to support the more secure standard. If possible, use the EMV chip on your cards instead of the magnetic stripe, if this is not an option, consider an alternative payment method, such as cash or contactless payment such as Apple Pay, Google Wallet, etc.
- When making online purchases, ensure that you are using a patched system with a current operating system and browser. Similar to memory scraping tools which may be deployed to POS devices, malware can intercept account information by targeting software such as browsers.
- Use different passwords for all of your accounts. Password safe utilities make it possible to create complex and unique passwords for every account and not have to remember them. These utilities can vastly improve online security.
- Closely monitor your account statements, this is especially important during the holiday season when fraudulent transactions might go unnoticed.
Protecting your accounts during this holiday season can mean the difference between being a grinch or staying holly and jolly. Follow these basic security procedures and use common sense to avoid criminal actors out to steal your holiday spirit.
As Vice President of Intelligence, Adam Meyers oversees all intelligence gathering and cyber adversary monitoring for CrowdStrike, the leader in cloud-delivered next-generation endpoint protection, threat intelligence and response services. Falcon Intelligence is part of the CrowdStrike Falcon® Platform, which helps organizations protect against cyber attacks and stop breaches.