Hacker Arrest a Sign of the Times
Fraudsters Changing Their Targets, Not Their PracticesThe recent arrest of a Malaysian national charged with hacking his way into the Federal Reserve Bank in Cleveland, Ohio, leaves some of us with the sinking feeling that this war against data breaches, cybercriminals and fraud is far from over - it's just shifting a bit.
Lin Mun Poo's arrest on Oct. 21 wasn't over the top in terms of excitement. He was arrested with hardly any fanfare. But when Secret Service agents seized his heavily encrypted laptop and were able to access the data on it, what they found -- more than 400,000 stolen credit and debit card account numbers -- leaves little room for doubt that the financial services industry has some real work ahead of it.
Authorities say this Malaysian made a career out of stealing, reselling or swapping stolen data. He hacked his way into Fed Comp, a credit union vendor; a defense contractor; and I'm sure we'll find that he's wiggled his way onto other computer networks, too. His hacker days are likely over, and, if tried and convicted, he'll likely join others behind the concrete walls, steel bars and razor wire of a prison to serve his 10 years. But there are questions about what led him to select these targets and how many other hackers are out there flying below the radar of businesses, banks and government contractors.
I recall asking some industry experts back when Albert Gonzalez was sentenced for the Heartland Payment Systems breach if his sentence would be a deterrent for other hackers. The experts' answers stuck in my head.
"Hackers like Gonzalez believe that they are smarter than the authorities are, are able to evade detection and capture, and likely underestimate the likelihood that they will be apprehended," former prosecutor William Taylor told me.
Gartner analyst Avivah Litan also had her doubts about how much of a deterrent Gonzalez' sentence would be. She predicted that smart criminals "will take this as a lesson in scale, so they'll try to stay under the radar and not get carried away with these grand, massive attacks." Remember: Gonzalez and his crew stole 130 million credit and debit card numbers. Poo was only caught with a bit over 400,000.
Security expert Jasbir Anand at ACI Worldwide sees this most recent hack as a sign of the times. He tells me, "Cybercrime that involves hacking into secure databases and stealing information will continue to plague the financial industry. Advanced hacking examples such as these prove that anybody can be a target."
The key seems to lie in the value of the data being stolen. In terms of financial loss, criminals are currently targeting credit and debit card data because the value of the data is easily realized.
The experts' prediction that hackers would likely shift toward more small-scale and targeted attacks in a distributed hacking environment -- vs. a few massive attacks against very large targets -- is apparently coming true. So my question is: How many more hackers are out there that have made the shift to smaller scale attacks? Hundreds? Thousands?
The question of big or small scale attacks aside, the latest news confirms: There is still much work to be done by all of us.