Krebs: Most Firms Fail to Take Simple Cybersecurity Measures
October 5, 2015
Talking to a group of CIOs and other IT executives, the author of Krebs on Security website and the book Spam Nation said there is a big "PR gap" between the perception and reality of cybercrime. "The light at the end of the tunnel isn't a way out," he said. "It's an oncoming train."
In particular, he said that the bad guys have done a better job of sharing information than CIOs; even older versions of reports like the Verizon Data Breach Investigations Report often do a good job of explaining how systems were breached, with information that remains relevant. In many of the recent hacks, he said, a simple perusal of the security logs would have alerted the companies that they had a problem.
Krebs spent most of his time talking about attacks on credit card information, mostly focusing on malware aimed at Point-of-Sale (POS) systems. He talked about how over the past two years, the bad guys have not only improved their attacks on such systems, but made the underground markets for buying and selling credit card information more sophisticated and "customer friendly."
In many cases, street gangs are turning to credit card fraud as a quick way of turning a $10 to $20 investment into $800 to $1,000. Not only is this profitable, he said, but it's inherently less dangerous and risky than dealing drugs, and is often seen as a "victimless" crime because the account holders are typically not liable for the charges.
Krebs noted problems such as how many POS systems have Web browsers, and how this is a very common vector of attack. He said the transition to chip-and-PIN credit cards is not going to solve the problem, citing how in other countries that transition has led to an increase in e-commerce fraud, new account fraud, and account takeovers.
A lot of this comes down to identity and privacy, and he noted that a lot of people's unchanging personal information (such as addresses and Social Security numbers) is now readily available. He said that when it comes to computer systems, they can be secure, fast, or easy to use: pick two. Most people have chosen not to focus on security, he said. As a result, there are lots of places on the Web to find personal information on people, and he called on the government to adopt stricter privacy rules, such as those used in most other countries.