Alex Stamos, a founding partner of iSEC Partners, gave an overview of how dismal the security is on the Internet. Today's hackers have monetized what was a prank of simply leaving a note saying: We were here! Now, when they break into a site, they steal your credit card information, resell those hundreds of thousands of names to organized crime.
Stamos said today's software is better than it was ten years ago, before he co-founded iSEC Partners. More companies and application developers are aware that they need a security policy and do some of the basics.
Stamos continually stressed that since the mid-1990s organized crime has been purchasing credit card information and using it in a systematic pattern of purchasing items, disposing of those items, and laundering the proceeds.
Stamos said a major part of the problem is that the old audit trail mentality used in a face-to-face business is an abject failure on the Internet. An example he gave was a health plan that took its convenient prescription pick-up system, where a caregiver or relative could pick up someone's medications, and moved it directly to the web. Then any hacker who got a prescription number could script requests for a few thousand of the numbers above and below the original number and have prescription pain pills shipped to anyone nearly anywhere on the planet.
Obviously, if ten people walked into a pharmacy and asked for an invalid prescription number, and were followed by nine more people asking for the next prescription number in the sequence, law enforcement would be called. Anyone still near the pharmacy who had tried that trick would be arrested. However, it is very easy for a hacker to write a few lines of a script and test a site with consecutive numbers until they hit the jackpot.
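The pharmacy example above is the classic sequential-identifier problem: the web front end had no equivalent of the pharmacist noticing ten strangers asking for consecutive numbers. The following is an added example written for this article, not code from Stamos's talk or from any real health plan. It assumes a hypothetical pick-up endpoint `/rx/pickup?rx=N` and a constructed access log in the form `client path status`, and shows the two things a defender would want: detection logic that flags a client walking the number space (long runs of consecutive IDs, high not-found ratio), and a mitigation that replaces the guessable prescription number with an unguessable pick-up token so that the neighbouring numbers are worthless.

```python
import re
import secrets
from collections import defaultdict

# Constructed sample access log (hypothetical endpoint; not from any real system).
# Format per line: client_ip path status
SAMPLE_LOG = """\
10.0.0.5 /rx/pickup?rx=10482 200
10.0.0.5 /rx/pickup?rx=10483 404
10.0.0.5 /rx/pickup?rx=10484 404
10.0.0.5 /rx/pickup?rx=10485 200
10.0.0.5 /rx/pickup?rx=10486 404
10.0.0.5 /rx/pickup?rx=10487 404
10.0.0.5 /rx/pickup?rx=10488 404
192.0.2.9 /rx/pickup?rx=20011 200
192.0.2.9 /rx/pickup?rx=20011 200
192.0.2.9 /rx/pickup?rx=31990 404
"""

LINE_RE = re.compile(r"^(\S+) /rx/pickup\?rx=(\d+) (\d{3})$")


def parse_log(text):
    """Yield (client, rx_number, status) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2)), int(m.group(3))


def longest_consecutive_run(numbers):
    """Length of the longest run of strictly consecutive integers, in request order."""
    if not numbers:
        return 0
    best = run = 1
    for prev, cur in zip(numbers, numbers[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def flag_enumeration(text, min_run=5, max_not_found_ratio=0.5):
    """Return {client: stats} for clients whose requests look like ID-space walking.

    Two signals: a run of consecutive rx numbers (the "next number in the
    sequence" pattern), or a high share of 404s (guessing numbers that don't exist).
    """
    per_client = defaultdict(list)
    for client, rx, status in parse_log(text):
        per_client[client].append((rx, status))
    flagged = {}
    for client, reqs in per_client.items():
        run = longest_consecutive_run([rx for rx, _ in reqs])
        not_found = sum(1 for _, s in reqs if s == 404)
        ratio = not_found / len(reqs)
        if run >= min_run or ratio > max_not_found_ratio:
            flagged[client] = {
                "requests": len(reqs),
                "longest_run": run,
                "not_found_ratio": round(ratio, 2),
            }
    return flagged


# Mitigation: never expose the sequential prescription number on the web.
# Issue a random, single-purpose pick-up token and look the prescription up
# server-side. A guessed "neighbour" of a token is not a valid token.
_TOKENS = {}  # token -> rx number (hypothetical in-memory store)


def issue_pickup_token(rx_number):
    """Create an unguessable token (192 bits of randomness) bound to one prescription."""
    token = secrets.token_urlsafe(24)
    _TOKENS[token] = rx_number
    return token


def lookup_pickup(token):
    """Resolve a token to its prescription number, or None if unknown."""
    return _TOKENS.get(token)


if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))
    t = issue_pickup_token(10482)
    print(t, lookup_pickup(t), lookup_pickup(t[:-1] + "x"))
```

In the constructed log, the first client requests seven consecutive prescription numbers and gets five 404s, which trips both thresholds; the second client retries one valid number and mistypes another, and is left alone. The thresholds are illustrative; in practice they would be tuned per endpoint and combined with rate limiting on the same signal. The token mitigation is the web equivalent of the pharmacist's counter: the identifier the public sees is no longer one that can be counted up or down.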
Stamos says the large credit card companies operate on a sliding scale of loss versus transactions. He said that Visa and Mastercard move more money in a day than the Federal Reserve Bank does - over two trillion dollars per day.
The security community is letting the public down because it has not stepped forward and shown new secure transaction techniques. One of the least used, and most effective, procedures is point-to-point sending of credit card information.
Instead, it is expedient to continue using the 1980s approach of sending less than 100 bytes with no encryption, because encrypting the information would require a more powerful and expensive merchant credit card reader. It would increase the time it took to complete the transaction; just two seconds multiplied by many hundreds of millions of transactions in a day would slow everything down. Also, the whole transmission and synchronizing software would have to be rewritten. Almost all small merchants use a credit card reader provided to them as a rental, and are charged a small percentage per transaction. Encrypting the whole process would cost everyone involved money, and ultimately the consumer would foot the bill.
Stamos says that law enforcement is much better than it was ten years ago at understanding cybercrime. Federal agencies have been motivated by the large Internet sales companies to go after hackers who are located out of country. Law enforcement is very good at setting up a sting operation and patiently waiting for someone to step into its trap. Sometimes it takes three or more years to capture a credit card hacker. Yet you can find mailing lists where they will openly offer your card, and tens of millions of others, to the highest bidder. Stamos's PowerPoint slides are available on the ETech website.
Many Eastern European and Asian countries do not consider cybercrime their priority. An IT professional in an Eastern European country will make $20,000 a year. As a competent hacker they can make $40,000 to $100,000 a month, and most of the time they are not afraid of criminal prosecution.
Stamos ended his talk with the fact that the Internet is not a safe place to use your credit card, because of the security failures of retail merchants like TJ Maxx losing 94 million credit card records to a hacker.
Heartland Payment Systems, one of the top six companies handling credit card transactions, was hacked, and 100 million plus credit card owners can suddenly get a nasty financial surprise. Even this reporter's very small bank has replaced his credit card because of the Heartland Payment Systems hacking, while one of the world's largest banks has said nothing about his other credit card.
The City of New York Police Department 'lost' a backup tape with the total identity of 80,000 present and retired cops. Stamos wondered who bought that information and what they paid the hacker to get it.
Stamos said that the world recession might make everybody more aware of where their money is going. This includes the big credit card companies and the banks that hold the credit card debt. Until then, you had better read your monthly statement very carefully and think twice about whether you really want to use the Internet to purchase that next computer toy.