
Is Your Organization a House of Cards?


steven36


Some data breaches get a lot of attention in the news. When a large amount of data is taken from a popular retailer or organization, it makes big news in the media, and law enforcement gets interested. They like to be seen investigating the biggest crimes so everyone thinks they are doing their job. On the other hand, there are many more small thefts occurring for smaller targets.

Actually, a report from IBM shows exactly my point. The number of breaches reported is actually down for 2014. Good news? Well, have a look at the total number of records compromised – it’s taking off like a rocket!

IBM says in the report that anything under 10 million records stolen gets lost in the noise of larger breaches. They aren’t in the news, and there are too many of these smaller breaches for law enforcement to spend much energy on any one of them.

That’s exactly why these “small” breaches are the main source of my income.

Law enforcement is too busy to investigate a small incident if it gets too complicated for them. Credit card issuing banks don’t have the bandwidth to deal with all of these cases. They end up spending more money trying to trace the breach back to an individual than it costs them to just pay the unauthorized balances and move on.

Card dumps are a good product to sell. For me they fill the same proofs you probably use in your business:

  • Supply is at its highest, and rising. Use of credit cards is constantly growing. Paper checks are essentially non-existent, and use of cash is becoming less and less. People use credit cards for a cup of coffee these days. If they knew how much they may be giving in exchange for that coffee, they might keep a little cash in their pocket. But they don’t.
  • There is decent demand. At times major breaches will flood the market and drive prices down, but there is always a good market for quality products.
  • The cost to obtain inventory is low; it just takes some time. Some people like crossword puzzles; I like network puzzles.
  • The market value ranges from medium to high. Like any product, it depends on the features. Track 1 data? Track 2 data? CVV2? PIN? Each brings incremental value.
  • The product is non-durable. Like razor blades they can only be used for so long, then customers need a fresh supply.

Do you see my point? It’s like selling chewing gum or truffles. Low cost of goods, profitable, and has a small life-span.

There are a couple of ways for finding credit card data. You could choose a large target and invest a lot of time and effort for a potentially large payoff. The pitfalls of this approach are that you may not succeed due to well-implemented security roadblocks, and you may draw enough attention to be sought out.

Alternately, you can seek some smaller targets with less IT sophistication and take a smaller amount from each. The downside to this strategy is that these small businesses will have only maybe a hundred to a few thousand cards on record. That means you need more targets. The upside is that you can automate much of the process so that each target takes less effort.

I’m going to walk you through a target which is on the big side of small in the spectrum. I need a business which is relatively small, or barely profitable, so they won’t have a budget for IT staff specifically focused on security. I also want a target who will have a lot of data when I get there. It doesn’t take long to think of a slim margin business which operates primarily on credit cards:

Airlines are a house of cards. They are made of credit cards. Their business is almost exclusively credit card based. Their data surely contains some company cards with high limits and less personal traceability. Airlines struggle to make a profit, so I predict they aren’t spending a lot in areas which don’t directly result in selling tickets and flying planes, like IT Security. There are other good target categories as well, like independent medical practices, but I’m going to focus on airlines for now. The medical practices will still be there when I’m ready.

For the next several weeks in this blog I will walk you through a possibly hypothetical attack on a possibly hypothetical airline. I’ll show you how their credit card data will pay my rent and buy my meals for the next months.

What about your business? Do your customers primarily use credit cards? Are you a small to medium sized business? How well are you protecting that data? Your card data is just as valuable as that from a larger target. Someone will be coming for it, maybe soon. Are you well prepared, or a house of cards?

Source
