Monday, April 21, 2014
By Danielle Douglas and Craig Timberg
The Washington Post
(Continued from page 1)
A line of Black Friday shoppers wraps around the Target store in South Portland last November, during the time when a cyberattack compromised the credit card data of Target’s customers.
2013 Press Herald File Photo/Derek Davis
Hackers lifted 40 million debit and credit card numbers from Target customers during the holiday season. The company later said thieves also grabbed personal information, including names, home addresses and telephone numbers, of an additional 70 million customers in that attack. Other companies, including craft store Michael’s and hotel-management firm White Lodging Services, have since reported breaches of their computer systems.
‘A RIDICULOUS NUMBER’ COMPROMISED
“I think we’re going to hear a lot about these breaches over the next year,” said Brian Krebs, a cybersecurity journalist who blogs at KrebsOnSecurity.com. “It just looks like some of the guys involved in this activity have compromised a ridiculous number of companies.”
Krebs reported that the Target breach happened after criminals gained access to the company networks through a contractor that was servicing heating and air-conditioning systems at several stores.
Department store Neiman Marcus also was attacked recently. Its senior vice president, Michael Kingston, told lawmakers Tuesday that the company’s antivirus software was virtually useless in defending its computers. The retailer didn’t detect that its credit card systems were being hacked, and the company did not learn of the intrusion until the beginning of January, many months after it began.
His reference to antivirus software drew scoffs from security experts, who compare the protections offered by such programs to a flu shot – capable of staving off infection from wide and unfocused threats but of little value against a serious attacker determined to breach a specific network.
Security experts say companies must install systems that detect and halt intrusions quickly, before massive amounts of personal data can be lost.
“Companies need to be hunting on their networks constantly . . . looking for signs of compromise,” said Shawn Henry, former head of cybercrime for the FBI and now president of Crowdstrike Services, a security company. “If you give people unfettered access for weeks and months and years, they can do a lot of damage.”
The recent conviction of Russian national Aleksandr Andreevich Panin in federal court offers a window into the robust market for malicious software. Panin, the architect of SpyEye malware, sold his virus for as little as $1,000 online through invitation-only forums, prosecutors said.
At least 150 hackers snagged versions of SpyEye between 2009 and 2011, using the virus to set up servers designed to steal money from bank accounts. One customer made more than $3.2 million in six months using the virus. Panin’s code, which automates the theft of user names, passwords and PINs, infected more than 1.4 million computers worldwide.
Although experts predict that retail cyberattacks are likely to increase, the long-term forecast is a matter of debate. Companies may succeed in strengthening their defenses over the next several months, deterring hackers. Or, the surge of stolen credit card information on the market may cause a glut and drop prices to the point at which incentives for new attacks shrink, said Christin, the Carnegie Mellon researcher. “I think there’s going to be market saturation,” he said.