There was a turning point some time ago where we were enjoying the benefits of technology without being fully dependent on it, but now there is no turning back."
President Obama’s former cyber security adviser Howard Schmidt sees a fully digitised society where private data mingles freely with the benign, and where developers and organisations prioritise shiny buttons over security. It’s a world – our world – that is full of potential for rich and poor but one that is shielded from destruction by a security gossamer. If that thread breaks, Schmidt fears a dramatic loss in user trust of the internet and a fallout that touches everyone, everywhere.
Our systems aren’t healthy and our trust in them is too great, seemingly fuelled by ignorance of the vulnerabilities and design flaws in our underlying systems that power our favourite apps, devices and services. Credit card theft is rampant and nearly unchecked. Developers build systems with security as an afterthought at best. And privacy, in the words of then Sun Microsystems chief executive Scott McNealy, was "zero".
Fleecing the future
Albert Gonzalez slouched in the lobby nursing a cocktail and a heady buzz of cocaine and Ketamine, transfixed as the receptionist counted piles of $20 bills. It was March 2007 and he had just settled the weekend’s $17,000 bill in cash, of which he and his hacker friends were in no short supply.
A year later, the world would come to understand how a child once described as the troubled leader of a pack of computer nerds amassed tens of millions of payment card numbers to defraud some of America’s biggest retailers to the tune of $200 million. The 28-year-old college dropout had organised a global team of hackers and fraudsters who popped organisations like Barnes & Noble, Sports Authority and T.J. Maxx, plundering piles of cash from their customer’s bank accounts.
Gonzalez won’t leave prison for another 16 years. His legacy is the biggest cybercrime heist in history.
Could Gonzalez be usurped? Movements in the credit card fraud scene (known as carding) point to a definitive yes. The payment systems we rely on everyday are dangerously vulnerable, so that carding is available to almost anyone with basic tech skills and a criminally inclined moral compass. Meanwhile, the tactics and technologies available to exploit them have advanced in leaps and bounds since Gonzalez and his crew plundered America.
Financial fraudsters gorge on a smorgasbord of businesses that process credit cards but lack the knowledge – and often the will – to properly secure transactions. It’s a game of cat and mouse where the mice usually win because our financial security systems move more like elephants than felines.
One tool in the defensive arsenal is the gold chip on your cards known as EMV which upgrades the static authentication on mag stripes to dynamic, making cloning cards difficult, but sluggish adoption in the US – which is the only country in the G20 not running the Europay, MasterCard and Visa security control – has ensured fruitful fraud feeding grounds.
The Nilson Report says the US was responsible for about half of the world’s credit card fraud, despite the fact it processes only a quarter of global transactions, while consultancy AiteGroup estimated in June that 10 cents of every $100 the nation transacted between 2007 and 2014 was due to credit card fraud. The US will add to the estimated 1.6 billion EMV cards currently in circulation as the technology is rolled out over the next four years, but this will only push the mice to easy online feeding grounds.
"As soon as the US will adopt EMV around 2015 to 2017, it will become difficult to steal card data using existing methods like memory scraping," says Slava Gomzin, a techie at US-based Trusteer citing the difficulty in pulling off another Target-style breach in which millions of cards were stolen by RAM scraping malware implanted on Point of Sales (PoS) terminals.
As 2017 nears and easy mag-stripe pickings dry up, Gomzin says thieves will be forced to develop sophisticated means to crack EMV, which have so far only been seen in white hat academia. The transactional security veteran who detailed the failings and solutions to the carding epidemic in a recent book expects attacks to surface against both contact and contactless credit card transactions.
"Today, it does not make sense to invest in EMV exploits because there is a lot of magnetic stripe data still waiting at the US merchants’ point of sale computers," he says. "But I am pretty sure that EMV has a lot vulnerabilities that are not discovered yet, and this is going to be real disaster because EMV is going to be deployed everywhere, worldwide, and there is no technology that would replace it in the short term, besides perhaps crypto-currencies like Bitcoin."
But why attack EMV when there is easier fish to fry? Online transactions – known as card-not-present – aren’t protected by the technology and are already subject to massive levels of fraud, fuelled by a vibrant underground where fraudsters and malware developers mix in a tapestry of Russian, Chinese and English-speaking forums to sell credit cards along with the technology used to steal them.
The most audacious fraudsters are making millions here by exploiting both complex and simple security lapses in businesses systems and user devices. Target stores were plundered after memory-scraping wares were installed to sniff out the only part of the transaction it hadn’t encrypted, while dozens of IGA stores were stung thanks to unpatched PoS software in what was Australia’s largest known credit card fleecing. And every day browsers are injected and keyloggers installed to siphon customer bank details from their compromised machines.
The introduction of EMV in the US will not only draw attempts to exploit it, but may push more crims into the ever-growing online marketplace where tricking and trapping users is all but child’s play.
If carding is the crime, software vulnerabilities are the bullets that load the gun. And there are more bullets available to bad guys than ever; the number of reported holes spackled across our digital fabric jumped from 5,291 in 2012 to 6,787 last year, according to the latest Symantec statistics. Of these, 16 percent granted attackers access to sensitive data or the ability to hack web visitors while any one of the flaws could be found in a staggering 77 percent of websites scanned by the company.
The most prevalent vulnerabilities were also the most persistent, but the mud hasn’t yet stuck. Cross-site scripting flaws have remained at the top of security infamy lists since the early 1990s, leading some including the European Commission in 2009 to call for software developers to be fined for leaving vulnerabilities and backdoors in their code, and a UK House of Lords committee to do the same years earlier.
"It’s a lot of the same serious vulnerabilities that would allow sensitive information being extracted from websites," says Wade Alcorn, Sydney-based Asia-Pacific general manager of NCC Group. "There are critical vulnerabilities that are over 14 years old now, and we’ve been trying to get it fixed since then."
Attacks leveraging code vulnerabilities range from vandalism to lucrative theft to government wiretapping. Vandalism – or web defacements – are so common as to border on the absurd; in a single day chosen randomly in July, one prolific and enduring Turkish group named Iskorpitx defaced more than 300 Australian websites. And these were just a handful of what amounts to hundreds of thousands of sites that are vandalised by the group each year, totalling untold millions by other groups operating across the wider internet.
But the same holes that allow a defacer to replace webpages with their logos also allow attackers to siphon valuable data from corporations or break an individual user’s apps – indeed many defacers take the opportunity to implant backdoors in valuable sites. Security experts pin the problem on a handful of prevailing issues, notably the increasing complexity of modern-day code, a lack of awareness in the developer community and poor managerial support for security.
The saying goes, the larger the software, the larger the attack surface. "The biggest challenge we have in security is to be able to handle the sheer volumes of data and the number of systems," Symantec principal systems engineer Nick Savvides says. "People struggle having to address all of the different components in an environment, where data sits, how people access things – it’s a really complex problem and one of the biggest parts is the sheer scale of things now."
Alcorn has spent more than a decade educating developers on the need to build more secure code and how to do it. He says those who are willing to learn about security employ it in their work and says he, along with Savvides and Schmidt a member of the Software Assurance Forum for Excellence in Code (SAFECODE), is optimistic that the message will stick and two decade-old bugs around today will eventually be consigned to the past.
A matter of trust
What security experts fear the most from security failings is a loss of trust in technology. "A catastrophic technology failure would wipe out society as it has developed in the digital age," Schmidt says when asked of a worst-case dystopian-style future. "I don’t think many people would have the knowledge to rebuild our systems as opposed to creating enhancements."
For Savvides, security failures represent a dilution of trust, but he is an eternal optimist who says the kinks will be ironed out along with the current privacy mess where data is haphazardly collected, stored and accessed. "The ideal situation is one where I can transact online, safely and securely, where I am dealing with the person I believe I’m dealing with on the other end, where the business knows it’s me and where the information I hand over is handled in a manner I believe is appropriate," he says.
With trust, says Alcorn, opportunities from the boom of the internet-of-things where everything from power plants to the kitchen sink were being networked could be realised. He sees "massive benefit and opportunity" from the revolution. "If we get this right, it will help the world enormously, from the elderly to the disabled; provided the technology can be trusted."
"It’s (enterprise software) synonymous with bloat and bugs and above all, it’s really, really expensive."