
Bank data breach revelation reinforces need for multi-layered security

Imperva : 18 January, 2010  (Technical Article)
After Suffolk County Bank allowed the credentials of over 8000 customers to fall into the wrong hands, Imperva comments on the increased risk of such losses as hackers target credentials, which they regard as more valuable than card data.
Reports that the Suffolk County Bank - a subsidiary of Suffolk Bancorp, the US financial institution - had its banking servers hacked last November were met with astonishment at Imperva.

According to Amichai Shulman, the data security specialist's chief technology officer, what is amazing about the case is not just the fact that the bank has taken until now to reveal that around 10 per cent of its customers' credentials were compromised, but that the data was stored as plain text.

'This confirms our observations in our recent end-of-year analysis, in which we predicted that 2010 will be the year of hackers going after people's credentials, since they have become a saleable - as well as usable - commodity on the Internet,' he said.

'The main reason for credentials being more valuable than credit card details is that, whilst cards are usually invalidated a short time after they have been fraudulently used, people regularly use the same credentials on multiple systems,' he added.

As a result, the Imperva CTO says, it's a lot more difficult for a large number of Internet users to 'lock down' their electronic identities, as they have to change their passwords on multiple systems.

A much better strategy, he went on to say, is for organisations to start using multiple layers of security - including strong passwording and firewall-protecting their databases from prying eyes.

In this case, Shulman explained, it is clear the hackers realised that bank user credentials have a much higher community value than, say, payment card information because, once a hacker can log in with a user's credentials, s/he has access to their accounts and can perform as many transactions as they wish.

'What I find astonishing about this hack is that you would think that a banking application would undergo much more stress testing than most and, as a result, the storage of user credentials in plain text would have been spotted and remediated early on in the system development process,' he said.

'Although the full modus operandi for this banking hack has yet to be revealed, given that the server was accessed and 8,378 credentials were stolen, I would assume the attacker gained access using an SQL injection approach,' he added.