Brian Krebs, author of security blog Krebs on Security, gives a blow-by-blow account of a new data breach at Bebe in which hackers were able to steal credit card information from customers who made purchases between November 8 and November 26 – the prime holiday shopping period leading up to Black Friday.
Few media outlets actually break down what happens when someone's credit card information is stolen after a retailer data breach. The average user is still astonishingly clueless about what actually causes identity theft and how IT professionals and banks work together to prevent it.
Krebs' analysis has inspired us to offer our own detailed account of…
- What goes into a data breach.
- How companies get attacked.
- Why breaches happen without anyone noticing.
No doubt, many of your clients are worried (and confused) about their cyber security. We'll explain how the Bebe data breach occurred with a step-by-step analysis you can show your clients to demonstrate how identity theft and prevention work.
Why Retailers Can Be the Last to Know about a Data Breach
As you read the description of this typical retailer data breach, one thing should stick out: a flurry of activity happens without the breached company being aware that it has been attacked. Let's take a closer look at the events that occurred before Bebe even knew there had been a data breach:
- Hackers install malware onto the POS system. Bebe is still investigating the breach and whoever is responsible, but educated guesses can be made. Often, hackers first sneak in by hacking another company the retailer contracts with. For instance, Target's hackers infiltrated the air-conditioning company that serviced its corporate headquarters. Hackers can target any contractor who has network access and use that foothold to get inside the company firewall.
- Hackers steal data. Once past the retailer's security, malware finds the company's POS systems. As consumers swipe their cards at the register, the malware copies data produced by the card's magnetic stripe. The malware accumulates data (sometimes months' worth) and routes it through a series of servers, disguising it on the way, so that hackers can download it without being traced.
- Hackers sell stolen credit card data to identity thieves. It's a common misconception that hackers actually commit identity theft themselves. After downloading credit card information from Bebe's stores, hackers sell the data on underground sites frequented by fraudsters. Hackers post thousands of credit card numbers online and thieves can buy them for $5 - $20 apiece. These sites even index the stolen card information by zip code so thieves can find cards that work in their area.
- When new credit card data is posted, banks and security researchers take notice. The Tor network is a hidden, anonymous part of the Internet, which is only available to users who have specialized browsers. Tor is a hotspot for people looking to buy stolen credit card data, drugs, and other illegal items. But security researchers also monitor Tor. When they see a batch of new credit cards posted for sale, researchers know that criminals have attacked a major retailer. In Bebe's case, one bank had its research team purchase a few credit cards when they were posted online in December. The bank looked at which accounts were compromised and noticed that those accounts all had one thing in common: purchases made at Bebe stores in November.
- Banks, security researchers, and law enforcement agencies inform the retailer they've been hacked. Yep, many retailers won't notice when they've been hacked. After banks discover fraudulent charges or security researchers snoop around on underground sites, they'll contact the business they suspect was hacked and deliver the bad news.
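The bank's analysis described above, finding the one store that all the compromised cards have in common, looks like this in Python. It is an added example, not code from Krebs, Bebe or any bank; the card IDs, the merchants other than Bebe, the dates and the function name are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

YEAR = 2001  # arbitrary year for the constructed sample
# Constructed card histories: (card_id, merchant, purchase_date). Not real data.
TRANSACTIONS = [
    ("A", "Grocer", date(YEAR, 10, 3)),  ("A", "Bebe", date(YEAR, 11, 9)),
    ("A", "Coffee", date(YEAR, 11, 20)), ("B", "Grocer", date(YEAR, 11, 1)),
    ("B", "Bebe", date(YEAR, 11, 15)),   ("B", "Coffee", date(YEAR, 12, 2)),
    ("C", "Grocer", date(YEAR, 11, 18)), ("C", "Bebe", date(YEAR, 11, 25)),
    ("D", "Grocer", date(YEAR, 11, 5)),  ("E", "Grocer", date(YEAR, 11, 7)),
    ("E", "Coffee", date(YEAR, 11, 11)), ("F", "Grocer", date(YEAR, 11, 21)),
]
COMPROMISED = {"A", "B", "C"}  # cards the bank bought back from the underground site

def common_points_of_purchase(transactions, compromised, min_coverage=1.0):
    """Rank merchants the compromised cards share.

    coverage = share of compromised cards seen at the merchant.
    lift = coverage / share of ALL cards seen there; a store everyone uses scores ~1.
    """
    if not compromised:
        return []
    cards_at = defaultdict(set)    # merchant -> every card seen there
    hit_dates = defaultdict(list)  # merchant -> dates of compromised-card purchases
    all_cards = set()
    for card, merchant, day in transactions:
        all_cards.add(card)
        cards_at[merchant].add(card)
        if card in compromised:
            hit_dates[merchant].append(day)

    ranked = []
    for merchant, cards in cards_at.items():
        coverage = len(cards & compromised) / len(compromised)
        if coverage == 0 or coverage < min_coverage:
            continue  # not common to enough of the compromised cards
        baseline = len(cards) / len(all_cards)
        ranked.append({
            "merchant": merchant,
            "coverage": coverage,
            "lift": round(coverage / baseline, 2),
            # earliest and latest purchase by a compromised card: the exposure window
            "window": (min(hit_dates[merchant]), max(hit_dates[merchant])),
        })
    return sorted(ranked, key=lambda r: r["lift"], reverse=True)

if __name__ == "__main__":
    for row in common_points_of_purchase(TRANSACTIONS, COMPROMISED):
        print(row)
```

In the sample, both Bebe and the grocer are common to every compromised card, but the grocer is common to every other card too, so the lift score is what singles out Bebe and its November window.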
Takeaways from the Bebe Data Breach
In many ways, this is still just the beginning of a data breach story. Now that Bebe knows it's been hacked, it'll begin an extensive process of repairing IT, rebuilding its reputation, and upgrading its POS system.
What can we learn from this breach? By looking at the underground world of cyber crime and security research, we can learn three things:
- Data breaches are becoming big business for hackers. Anonymous underground sites on Tor make it easy for hackers to sell payment card information, malware, and botnets.
- Retail security is often outdated. Payment card processors sometimes don't encrypt data, which makes it easier for malware to steal plain-text card data.
- Third-party liability is a major cause of data breaches. Malware only has to penetrate your client's weakest layer of security. Often, that's a third party that has network access or an individual user who might fall for a phishing scheme.
For more resources for educating your clients about data security, see TechInsurance's Small Business Guide to Identity Theft Prevention and Data Security.