Privacy key to minimise cybercrime risks

The recent – and largest – cyber attack ever on a state government in the US shows that attacks on third-party credentials, which can then be used in identity theft fraud, are becoming increasingly commonplace.

Jan 4, 2013
By Paul Jacques
Pete O’Doherty

The problem, says Andy Kemshall, chief technology officer at SecurEnvoy, is that public sector organisations in the US have a lot of identity information on citizens in their database, including payment card details.

“US credentials such as the person’s social security number, name, address and payment card details, are pure gold when it comes to identity theft information, which has now become a global cybercriminal commodity business,” he said.

“The South Carolina state computer system hack is notable for the volume of data – 3.6 million social security numbers and 387,000 credit plus debit card credentials – that was stolen and which can be used by cybercriminals to create cloned payment cards and apply for credit plus bank accounts in the victim’s name.”

Even at a conservative $3 per set of card details, the cybercriminals could make more than a million dollars by selling on the credentials stolen in this breach, Mr Kemshall explained.

More than anything, he says, this highlights the immense profits that can be derived from a short period targeting and hacking a public sector computer system, after conducting reconnaissance using an automated set of hacking tools to probe likely IP addresses on the internet.

Coming against the backdrop of the NHS having lost 1.8 million sets of patient records in the past year (Source: Daily Telegraph – http://bit.ly/YY5YzZ), he believes there is a big question mark over the security of government systems, which could be targeted in a similar fashion to what is happening in the US.

The NHS, he adds, has come in for understandable criticism for its data losses over the years, as have several councils, but given that the Government – at both local and national levels – is short of money in these straitened times, IT professionals in the public sector clearly do not have the security resources available to the private sector.

Given the widespread ownership of mobile phones, Mr Kemshall says there is a strong argument for harnessing the mobile as a means of authentication when accessing data on a public sector computer system.

This is what security experts call tokenless two-factor authentication (2FA) and secures an IT interaction with ‘something you have’ (the handset) and ‘something you know’ (the challenge authentication data) across an easy-to-use system (the mobile network), he explained.

“Implementing tokenless 2FA using a mobile [device] is a very easy and low-cost way of securing access to large data repositories in the public sector, both with employees and members of the public, where appropriate. This contrasts with the relative insecurity of conventional ID/password credential-based systems,” said Mr Kemshall.

“We call this BYOT – Bring Your Own Token – and it means that organisations gain access to a secure authentication methodology without all the expense and administration involved with hardware tokens, while still retaining all the convenience and security.”
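As an added illustration, not code from SecurEnvoy or from the article, here is the server side of a tokenless 2FA challenge of the kind described above: a one-time passcode is sent to the user's registered handset (something you have), stored only as a salted hash, and accepted once, within a short window and with a limited number of guesses. The `send_sms` callable, the clock injection and the sample phone number are assumed placeholders for whatever SMS gateway an organisation actually uses.

```python
import hashlib
import hmac
import secrets
import time


class TokenlessTwoFactor:
    """Server-side state for SMS-delivered one-time passcodes (constructed example)."""

    CODE_LEN = 6          # digits in the passcode sent to the handset
    TTL_SECONDS = 120     # how long a sent code stays valid
    MAX_ATTEMPTS = 3      # wrong guesses allowed before the code is discarded

    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms   # assumed callable(phone_number, message)
        self.clock = clock         # injectable so expiry can be tested offline
        # username -> [salt, hash of code, expiry timestamp, attempts left]
        self._pending = {}

    @staticmethod
    def _digest(salt, code):
        # Store a keyed hash, never the plaintext code, so a leaked table is useless.
        return hmac.new(salt, code.encode(), hashlib.sha256).digest()

    def start(self, username, phone_number):
        """Generate a fresh code, hash it server-side and send it to the handset."""
        code = "".join(secrets.choice("0123456789") for _ in range(self.CODE_LEN))
        salt = secrets.token_bytes(16)
        self._pending[username] = [salt, self._digest(salt, code),
                                   self.clock() + self.TTL_SECONDS, self.MAX_ATTEMPTS]
        self.send_sms(phone_number, f"Your login code is {code}")

    def verify(self, username, submitted):
        """Return True only for a live, unused code; every outcome consumes an attempt."""
        entry = self._pending.get(username)
        if entry is None:
            return False                      # nothing outstanding for this user
        salt, expected, expires, attempts_left = entry
        if self.clock() > expires or attempts_left <= 0:
            del self._pending[username]       # expired or locked: force a new challenge
            return False
        entry[3] -= 1
        if hmac.compare_digest(expected, self._digest(salt, submitted)):
            del self._pending[username]       # a code is single use
            return True
        if entry[3] == 0:
            del self._pending[username]       # too many wrong guesses
        return False
```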

Copyright © 2024 Police Professional