Points make prizes

If you have been reading the security press you will have noticed that an increasing number of loyalty card schemes have reported compromises recently, the most recent being British Airways’ frequent flier programme this week.

Taken in isolation, the compromise of a few loyalty card accounts here or there may not seem like a major issue, but if you scratch beneath the surface and consider the root cause, net impact, real cost and potential impact to the individual, the individual’s friends and family and potentially the individual’s business data, this trend cannot be ignored.

First of all, let us look at The Why. Exploiting compromised loyalty accounts is a seemingly inconsequential, ‘victimless’ crime, but it adds up to real value when scaled up and the gains are laundered or fenced through crime gangs via a chain of mules and mule handlers.

This means that compromised credentials for unique usernames (usually email addresses) have a currency – it is a numbers game. The value of this data increases with the vendor’s reputation, meaning that the trend amongst vendors of compromised accounts is to test them against a plethora of online systems (think loyalty schemes, utility companies, email accounts).

What about The How? The proliferation of malware such as Zeus, Vawtrak et al means that the bad guys have been harvesting credentials for one system or another for years now, across millions of infected machines. Although primarily designed to gather online banking credentials, they have collected a huge number of username and password details not directly exploitable for Plan A.

Cut to a secondary market in valid credentials which can be bundled and sold, and ARE being bundled and sold to sophisticated crime gangs who can mobilise and scale resources to test, exploit and monetise the details through any number of techniques, with a relatively low risk of detection, arrest, prosecution or any serious prison time. Given that customers rarely log in to loyalty card systems, detection is very uncertain.

As with all well managed assets, we can rest assured that these details will be tested against the full range of online services available. Furthermore, it is certain that any enterprise portals requiring only username and password will be subject to attack and, if successful, possible handoff to a quite worrying tertiary marketplace.

We would urge our customers to recommend that staff refrain from using their business email addresses for personal online services and, furthermore, that they use different passwords for all online services to which they are registered.

There are online resources which claim to have databases of known compromised accounts, such as https://haveibeenpwned.com/ (as mentioned in our September 2014 blog), which may be worth checking, should someone smell a rat.

As ever, we recommend that all external access to your resources is subject to two-factor authentication and that you monitor your perimeter for brute force login attempts and access from obfuscated IP addresses such as known rogue proxies or TOR exit nodes, all of which are standard features of ITC’s NetSure360 managed security service.
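One way to implement the login monitoring recommended above, as an added example that is not ITC's or NetSure360's code: it flags a source address that tries many different usernames in a short window (the list-testing pattern described earlier), any success from that address, and successful logins from a known anonymiser. The log format, thresholds, addresses and the anonymiser list are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: timestamp, source IP, username, outcome.
# IPs are from documentation ranges (RFC 5737); nothing here is real data.
SAMPLE_LOG = """\
2015-04-02T10:00:01 203.0.113.7 alice@example.com FAIL
2015-04-02T10:00:03 203.0.113.7 bob@example.com FAIL
2015-04-02T10:00:05 203.0.113.7 carol@example.com FAIL
2015-04-02T10:00:08 203.0.113.7 dave@example.com OK
2015-04-02T10:02:00 198.51.100.20 erin@example.com FAIL
2015-04-02T10:02:30 198.51.100.20 erin@example.com OK
2015-04-02T10:05:00 192.0.2.99 frank@example.com OK
"""

# Assumption: in production this set is refreshed from a Tor exit / rogue proxy feed.
ANONYMISER_IPS = {"192.0.2.99"}

def parse(log):
    """Yield (timestamp, ip, user, result) from whitespace-separated lines."""
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result

def detect(log, window=timedelta(minutes=5), max_users=3, anonymisers=ANONYMISER_IPS):
    """Return sorted alerts as (kind, ip, username) tuples."""
    alerts = set()
    recent = defaultdict(list)  # ip -> [(ts, user)] seen inside the window
    flagged = set()             # IPs already seen testing a list of accounts
    for ts, ip, user, result in sorted(parse(log)):
        if ip in anonymisers and result == "OK":
            alerts.add(("anonymiser_login", ip, user))
        recent[ip] = [(t, u) for t, u in recent[ip] if ts - t <= window] + [(ts, user)]
        # Many distinct usernames from one source is list-testing, not a forgetful user.
        if len({u for _, u in recent[ip]}) >= max_users:
            flagged.add(ip)
            alerts.add(("credential_testing", ip, ""))
        # A success from a flagged source means a valid credential was found.
        if ip in flagged and result == "OK":
            alerts.add(("account_at_risk", ip, user))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The single mistyped password from 198.51.100.20 raises nothing, while the one success after three other usernames from 203.0.113.7 is the account to lock and reset first.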

If you would like to discuss any of these issues with one of our security consultants, please contact us at: 020 7517 3900 or email: [email protected]

Happy Easter