Forty-one million stolen credit cards is just the beginning
Federal prosecutors have charged 11 people with stealing 41 million credit cards, obtained by wardriving. (Read news story here.) The criminals drove around and scanned wireless networks for vulnerabilities, then installed sniffers that stole credit card information. Was this kind of attack inevitable? I believe it was.
Actually, not only do I think it was inevitable, but I also think the attack was not as severe as I had expected. First of all, attackers really do not have to go through the effort of actually being physically present in the neighborhood they want to scan and attack. It is enough to make their intended victims visit a corrupted web page, which can be distributed by spam or advertisement. (Read how this works here.) But the sophisticated attacker can do even better -- he can let already infected machines try to infect the machines in their neighborhood. The infection spreads geographically, and spreads like a wildfire in dense neighborhoods. A detailed analysis in my recent book shows that several US Metropolitan areas would be likely to suffer exponential spreads. Now, that is bad news.
But things could get worse. Is stealing credit card numbers the worst we can expect attackers to do? I do not think so. Remember, the machines an attacker would corrupt are routers. They carry all your traffic. Yes, much of it is encrypted. But why is that? It is because many companies use SSL. Often, they send you HTML code that lets you perform an SSL post or otherwise start an SSL connection.
But what if the router, which is on the path between the web service and your machine, modifies the HTML your computer receives? What if the HTML is modified to perform two posts: the expected SSL protected post, and one that goes straight to the attacker? (See an upcoming paper by Myers and Stamm for how this could work.) It would be the death of SSL for most practical purposes.
So, yes, 41 million stolen credit cards is bad. But not nearly as bad as we will have to expect if we do not fix the underlying vulnerabilities that allow this to happen.
Related reading:
- Eleven indicted in massive ID theft scheme
- ID theft ring attacked retailers on multiple levels
- Wardriving: Wikipedia definition
- Drive-By Pharming: How Clicking on a Link Can Cost You Dearly
- Crimeware: Understanding New Attacks and Defenses
Drive-By Pharming in the Wild
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
jfruh
Apple syncing patent can't come soon enough
pasmith
New Twitter features borrow from 3rd party clients
Esther Schindler
Open Source Changes the Software Acquisition Process
mikelgan
How to set up continuous podcast play on the new iTunes
David Strom
Five important Windows 7 mobility features
sjvn
Guard your Wi-Fi for your own sake
Sandra Henry-Stocker
Grepping on Whole Words
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
It could be a lot worse if
It could be a lot worse if malware were to move from across the a city in this fashion. The number of unsecured home networks is mind boggling and a large task to fix. Most people that use home wireless networks, do not know how to secure their wireless router/switch and in some instances do they care. As with users in the corporate world the main place to start is educating the home user in the benefits of network security. In the long run I believe that Mr. Jakobson shows the tip of the ice berg on this subject. Which is a very scary thought.Technology Fraud
People credit cards are stolen more often than most people realize. That is why credit card processing companies have to take extra steps to innovate and prevent this sort of thing.replica bags
Women like jewelry replica bags as men like cars ,yet ,they are more crazy .They also like cloths ,but don't as much as replica handbags .Jewelry give more confident to them ,that why jewelry industries are so lucrative .