This is page 2 of:
Verizon: Retail Data Breaches Typically Discovered By Accident
The cyber thieves are fighting back and their tools are often one step beyond ours. “Investigators found signs of anti-forensics in over one-third of cases in 2008. The most common forms of anti-forensics measures observed in the field are Data Wiping, Data Hiding, and Data Corruption. The prevalence of these among investigations conducted in the last year” was 31 percent using data wiping, 9 percent data hiding and 3 percent opting for data corruption, the report said. “The pervasiveness of Data Wiping, which includes removal and deletion, comes as no surprise. Many commercial off-the-shelf products are available that perform this function (there are many legitimate uses for wiping data) as well as freeware utilities. With respect to Data Hiding, the use of steganography has remained relatively rare and flat year-over-year. On the other hand, the use of encryption for the purposes of Data Hiding has risen by almost 10 percent. Where Data Corruption was observed, it was mostly manifested as log tampering.”
But an even more interesting observation was where most of the anti-forensics efforts happened. “Intuitively, the breaches in which anti-forensics were utilized tended to be larger in size and longer in duration. For many of the smaller ‘smash and grab’ attacks, destroying evidence is simply not worth the effort. Plus, those attacks are often perpetrated by attackers of lower skill who are ignorant of antiforensic measures. In this sense, the use of anti-forensics is progressing beyond its roots as a defensive tactic used to avoid prosecution and is increasingly employed in an offensive capacity to expand and extend the attacker’s ability to compromise data.”
. Breaches were discovered by third parties (processor, bank, card brand, law enforcement, etc.) a whopping 69 percent of the time, with another 24 percent detected by internal mechanisms that accidentally detected the breach. The frequency of perimeter alerts successfully catching, well, someone violating the perimeter, was only 7 percent.
“Employees happening upon breaches during their normal work activities remain a distant second to the combined third-party detection or notification categories, followed closely by unusual system behavior. These two methods, while unplanned, seem to be an organization’s best chance of discovering a breach on their own. That’s hard to believe, but it’s also hard to argue with five years of data that all reveal a similar finding,” the report said. “As with prior years, active measures (referring to those that are specifically designed for detection) taken by the organization detect only a small proportion of breaches. It is clear that breach discovery remained a largely passive endeavor in 2008.”
“On the whole, organizations discovered breaches slightly quicker in 2008. However, lest we confuse ‘quicker’ with ‘quickly,’ this statement needs some additional context. Breaches still go undiscovered and uncontained for weeks or months in 75 percent of cases. It is doubtful that any chief security officer anywhere would call this ‘quick.'”
Said the report: “The relative difficulty of attacks leading to data compromise is not only an excellent indicator of the current threat environment, but also the state of modern security programs. During each case, our investigators assess the details of the attack and classify it according to the following difficulty levels.”
You saw this one coming. Attacks that required “no special skills or resources. The average user could have done it” represented 10 percent of the probed attacks. But add that the 42 percent of attacks that were designated as low-difficulty—”Basic methods, no customization, and/or low resources required. Automated tools and script kiddies”—and it’s clear that most attacks were especially sophisticated. Moderate skill attacks—defined as attacks using “skilled techniques, some customization, and/or significant resources required”—were seen in 31 percent of the incidents and only 17 percent of these attacks against multi-billion-dollar chains involved “advanced skills, significant customization, and/or extensive resources required.”
The copy of the full report is probably worth a read.
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
