
adnews

Information leaks: Workstation security

  • At the end of 2010, Sovereign Bank, a member of the Santander group, had to inform about 50 customers of the possible compromise of their banking data after noticing an information leak. On December 12th, the Pentagon Federal Credit Union (PenFed), which has about one million customers, faced a relatively similar incident. After one of its network-connected workstations was hacked, a malicious individual was able to access the company's database (credit card numbers, addresses, social security numbers, as well as other personal and/or sensitive data). PenFed's spokesman did not reveal the exact number of affected customers.
  • Some companies lack the skills and regulatory know-how needed to handle these situations and decide to wipe and reinstall the affected workstations. This destroys the evidence and rules out any further investigation. Sending notifications to customers can be expensive, but if these procedures are not completed, or if the information leak is not disclosed at all, the company's image can be seriously damaged, which may cost even more.
  • Information leaks can affect any banking or non-banking player. For instance, an SQL injection attack targeted the New York tour agency CitySights NY and made it possible for the attackers to steal about 110,000 bank card numbers (including their expiration dates and CVV2s, the cardholders' names, addresses and e-mail addresses). The attack was carried out at the end of September but was reported one month later. It should be mentioned that PCI-DSS does not allow CVV2s to be stored: "Do not store the full contents of any track (from the magnetic stripe located on the back of a card, equivalent data contained on a chip, or elsewhere)" (PCI (Payment Card Industry) Data Security Standard, version 2.0, requirement 3.2.1).
Source: CyberSource, Seventh Annual UK Online Fraud Report, 2011 edition
  • Note that banking details can then be sold by malicious individuals for only a few euros (prices vary according to the kind of account, the volume of information, etc.). Illegal sales of all sorts now flourish on the Internet. In China, for instance, the auction website Taobao did not object to about 50,000 hacked iTunes accounts being put up for sale, at prices ranging from 3.5 to 23 euros. The auctions in question will most likely be cancelled once Apple presses charges.
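The CitySights item above combines two avoidable failures: user input spliced into SQL, and CVV2s kept on disk. The following Python sketch is an added example, not code from the article or from any of the companies named; it uses an in-memory SQLite database and constructed sample values to show a card-on-file store that binds every parameter and refuses sensitive authentication data outright.

```python
import sqlite3

# Constructed example: a minimal card-on-file store. It keeps only the last
# four PAN digits and the expiry (enough for display and renewal reminders),
# never accepts CVV2/track/PIN data, and only ever hands user input to the
# database as bound parameters, so a crafted string cannot alter the SQL.

def create_store():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cards (id INTEGER PRIMARY KEY, holder TEXT, "
        "pan_last4 TEXT, expiry TEXT)"
    )
    return conn

def mask_pan(pan):
    # Keep only the last four digits; full PANs are not stored here.
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return digits[-4:]

def store_card(conn, holder, pan, expiry, **rest):
    # Reject sensitive authentication data at the API boundary rather than
    # relying on every caller to remember not to pass it.
    extra = {k.lower() for k in rest}
    for forbidden in ("cvv2", "cvv", "track", "pin"):
        if forbidden in extra:
            raise ValueError(f"refusing to store {forbidden}")
    conn.execute(
        "INSERT INTO cards (holder, pan_last4, expiry) VALUES (?, ?, ?)",
        (holder, mask_pan(pan), expiry),
    )
    conn.commit()

def find_by_holder(conn, holder):
    # Parameterised query: the value is bound, never concatenated into
    # the statement, so an injection-style search term matches nothing.
    return conn.execute(
        "SELECT holder, pan_last4, expiry FROM cards WHERE holder = ?",
        (holder,),
    ).fetchall()

def stored_columns(conn):
    # Lets an audit check that no CVV2 column exists in the schema.
    return [row[1] for row in conn.execute("PRAGMA table_info(cards)")]
```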