Forty-one million stolen credit cards is just the beginning
Federal prosecutors have charged 11 people with stealing 41 million credit cards, obtained by wardriving. (Read news story here.) The criminals drove around and scanned wireless networks for vulnerabilities, then installed sniffers that stole credit card information. Was this kind of attack inevitable? I believe it was.
Actually, not only do I think it was inevitable, but I also think the attack was not as severe as I had expected. First of all, attackers really do not have to go through the effort of actually being physically present in the neighborhood they want to scan and attack. It is enough to make their intended victims visit a corrupted web page, which can be distributed by spam or advertisement. (Read how this works here.) But the sophisticated attacker can do even better – he can let already infected machines try to infect the machines in their neighborhood. The infection spreads geographically, and spreads like wildfire in dense neighborhoods. A detailed analysis in my recent book shows that several US metropolitan areas would be likely to suffer exponential spreads. Now, that is bad news.
But things could get worse. Is stealing credit card numbers the worst we can expect attackers to do? I do not think so. Remember, the machines an attacker would corrupt are routers. They carry all your traffic. Yes, much of it is encrypted. But why is that? It is because many companies use SSL. Often, they send you HTML code that lets you perform an SSL post or otherwise start an SSL connection.
But what if the router, which is on the path between the web service and your machine, modifies the HTML your computer receives? What if the HTML is modified to perform two posts: the expected SSL-protected post, and one that goes straight to the attacker? (See an upcoming paper by Myers and Stamm for how this could work.) It would be the death of SSL for most practical purposes.
So, yes, 41 million stolen credit cards is bad. But not nearly as bad as we will have to expect if we do not fix the underlying vulnerabilities that allow this to happen.
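The exposure described above exists wherever a page carrying a sensitive form is itself delivered over plain HTTP, even when the form posts to HTTPS. The following is an added example, not part of the original post: a site owner's audit that flags that condition and any sensitive form posting to an unexpected host. The function name `audit_page`, the field-name hints, the hostnames and the sample HTML are all assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: heuristic substrings that mark an input as sensitive.
SENSITIVE_HINTS = ("card", "cvv", "pass")

# Constructed sample: one expected HTTPS form, one form that does not belong.
SAMPLE = """
<form action="https://shop.example/checkout"><input name="cardnumber"></form>
<form action="http://collector.invalid/c"><input type="password" name="pw"></form>
"""

class FormAudit(HTMLParser):
    """Record each <form> action and whether it contains sensitive inputs."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "sensitive": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = (a.get("name") or "").lower()
            is_password = (a.get("type") or "").lower() == "password"
            if is_password or any(h in name for h in SENSITIVE_HINTS):
                self._current["sensitive"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_page(page_url, html, allowed_hosts):
    """Return (finding, resolved_action) pairs for every sensitive form."""
    parser = FormAudit()
    parser.feed(html)
    page_is_https = urlsplit(page_url).scheme == "https"
    findings = []
    for form in (f for f in parser.forms if f["sensitive"]):
        target = urljoin(page_url, form["action"])
        parts = urlsplit(target)
        if not page_is_https:  # HTML can be altered by any on-path device
            findings.append(("page-served-over-http", target))
        if parts.scheme != "https":
            findings.append(("plaintext-post", target))
        if parts.hostname not in allowed_hosts:
            findings.append(("unexpected-post-host", target))
    return findings
```

Run against a site's own login and checkout pages, a `page-served-over-http` finding means the HTTPS form target offers no protection against modification in transit; serving the whole page over HTTPS removes that finding.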
It could be a lot worse if
It could be a lot worse if malware were to move across a city in this fashion. The number of unsecured home networks is mind-boggling and a large task to fix. Most people that use home wireless networks do not know how to secure their wireless router/switch, nor in some instances do they care. As with users in the corporate world, the main place to start is educating the home user in the benefits of network security. In the long run I believe that Mr. Jakobson shows the tip of the iceberg on this subject. Which is a very scary thought.
Technology Fraud
People's credit cards are stolen more often than most people realize. That is why credit card processing companies have to take extra steps to innovate and prevent this sort of thing.