Saturday, October 4, 2014
Large data breaches enable sophisticated profiling, making cybercitizens vulnerable to fraud
JP Morgan reported that 76 million households and 8 million small businesses were exposed in a data breach. The firm disclosed in an SEC filing that user contact information – name, address, phone number and email address – and internal JPMorgan Chase information relating to such users had been compromised. The immediate impact of the breach on cybercitizens may be limited, given that the bank also stated that there is no evidence that account information for the affected customers – account numbers, passwords, user IDs, dates of birth or Social Security numbers – was compromised during this attack.
What remains unexplained is the rationale behind the breach and the value that cybercriminals would extract from it. Banks invest large amounts of money in security, and JP Morgan would have done no less. This gives us a clue as to how determined and sophisticated the cybercriminal ring was. Cybercriminals operate for financial gain and apparently invested heavily to penetrate the bank. What we do not know is whether they successfully completed the acquisition of the data they wanted before they were found out; if they did, it would be apparent that the extracted data was valuable to them.
I wrote in a previous blog, “Beware, your email id and possibly your password is with atleast one organized cyber-criminal gang”, on how the large-scale aggregation of personal data in large banks, e-governance services and popular service providers makes them juicy targets for cybercriminals and offensive nation-state actors.
In my opinion, the real value behind large data breaches is the enrichment of underground criminal databases which profile cybercitizens. Such databases, built by accumulating personal data stolen across multiple breaches, allow fraudulent attacks to be executed in a manner designed to bypass security mechanisms and existing methods of fraud detection. Pairing information from two of the recent big US breaches, at JP Morgan (a bank) and Target (a retailer), would tie together a user’s credit card information with their home address, thereby allowing cybercriminals using cloned credit cards to mimic the victim’s buying behavior, so that the fraudulent use goes undetected for a longer time, or even providing sufficient information to answer user verification questions at call centers. While companies notify customers of stolen data as mandated by law, they may exclude details of other stolen data which would allow cybercriminals to contextualize each user – for example, data on their financial status based on the products they have subscribed to.
Once a critical mass of user data is acquired, enriching the database by linking it with self-disclosed data found on social media is a simple task for criminal call centers. In the coming years these mature databases, when used with sophisticated algorithms (which guess passwords, for example), will be used to defeat existing security mechanisms for password resets and fraud alerts, creating a major challenge for the security of our online infrastructure.