IT Security breaches

D

dewdrop

Registered User
Messages
1,298
Is it possible for outsiders to get details of PIN numbers when these security breaches occur. I assume all they could get would be account numbers and sorting codes which are available on cheques.
 
Generally the information gained in the security breaches is in the form of a database of customers. More often than not it is names, addresses and payment details (e.g. Credit Card).

That's more than enough to do some real harm.

PIN details would only be from a breach at a bank/CC Provider rather than through some of the recent breaches at companies where people have paid for a service, as you don't give your PIN.
 
dewdrop said:
Thanks. What kind of harm could be done?
Click to expand...

Where to start...

It depends on who was behind the breach. A breach of that scale and type is unlikely to be "just kids", so presume it's either organised crime or a group of people who were looking specifically for CC/personal info. Sometimes the breaches are just people showing off and they have no intention of using or selling the information, but better to err on the side of caution as I doubt there was a community of people wanting to take AXA or SuperValu down a peg or two and so this seems very targetted.

A simple option would be to use the info for a series of smallish purchases on ebay etc. When you've info in the hundreds of thousands, that's not insignificant. But they won't be buying old LPs and Star Wars figures, more likely that they're buying from themselves and laundering the money that way.

Another way is to register the accounts at gambling sites and lose the money to yourself, again laundering the money.

And it could be used to produce cloned cards among other things (such as identity theft).

The main thing is that when CC info is used, it tends to be for a series of small payments each time (though this can be several times in a day or week) to escape the obvious sudden big purchase flag. And it is rarely if at all used to go to an atm and clear out the account, it is as described, a series of small purchases to launder the money.

Security companies, CC companies and banks tend to downplay the risk, but there is a significant black market for this information, so somebody is making money off it.

Companies must notify customers of a breach, so if you've been informed, I'd keep regular, daily checks on the account and flag up any fraudulant charges no matter how small.
 
The main reason hackers harvest details are to sell them on - there is a fantastic black market trading system going on in the background (dealing mostly in Bitcoins) where people buy large bunches of data - the more exact the data - the more valuable it is. You also get people trading other commodities (eg passwords for porn sites, credits for online games, online voucher codes etc.)

Data for sale can be anything from userid's & passwords right up to Full CC details with all of the relevant information.

The main problem is that alot of the time people / companies don't really know what types of data they are collecting online & how is is being stored.

I had a situation where I hacked into a Shop using the browser on my mobile phone while sitting out side the shop and harvested over 5000 credit card numbers, CC holder names & addresses and also the 3 digit CCV number - it took about 10 minutes to do - just with my phone. You can imagine the shop keeper's surprise when I showed him, especially as he had been passed as PCI compliant just a few weeks before.

Another situation, I was able to place orders into a shops online system by creating a discount code of 99% and effecting immediate delivery to a fraudulent account of some very expensive software.
Both of these scenario's were at the request of the business owner.

Unfortunately - most companies don't employ the right types of people to validate their systems and they are left wide open to breaches like these.
 
You must log in or register to reply here.
Back
Top