On Valentine's Day this year, the Nationwide Building Society received a message from the Financial Services Authority. But instead of sending flowers, the FSA slapped a fine of £980,000 on the society and publicly berated it for its lax approach to information security.
In a public statement, the FSA made it clear that the size of the fine was intended to send a warning shot across the bows of the finance industry as a whole, and that poor security would not be tolerated.
Given the severity of the punishment, the incident that sparked it seems harmless, involving as it did the theft of a laptop from the home of a Nationwide employee. The computer contained personal data about customers, but not enough to let a thief steal money from their accounts. But the FSA took the view that any leakage of information should be taken seriously. It noted that Nationwide allowed three weeks to pass before starting an investigation and that its lack of strict procedures left customers potentially exposed to financial crime.
Nationwide has now reviewed procedures and makes sure that all data it holds on laptops is encrypted and thus of no value to a thief. The cost of doing that is about £70 per laptop. Although Nationwide denies it has lost business as a result of the affair, the publicity and embarrassment have hardly done a lot for the brand.
Other companies have suffered rather more. The American retail group TJX (owner of UK discount fashion chain TK Maxx) was recently forced to admit that hackers had found their way into its systems and stolen credit-card details from nearly 46 million customers. It had discovered the unauthorised intrusion in December 2006, but to assist the investigating authorities, didn't go public with details until March this year. The security breach occurred over a 16-month period from July 2005, when details covering transactions dating back to 2002 were stolen from TJX's systems in Watford, England, and Framingham, Massachusetts. Although many of the cards are now out of date, fraudulent transactions are known to have occurred as a result of the stolen data - and the firm admitted that it may never know exactly what data was in some of the stolen files.
The TJX example highlights the dangers of internet-based attacks, often launched by criminal gangs on the far side of the world. And according to Mikko Hypponen, chief technologist for Finnish security company F-Secure, the gangs are getting cleverer. His team spend their lives watching internet traffic and have noticed a growing trend for more targeted attacks aimed at specific companies.
Some of these may be for espionage purposes, perpetrated by rival firms or even foreign governments, and are made to seek out specific information from confidential files. Other attacks are cruder. For instance, a set of fraudsters may send out spam purporting to come from a competing set-up. These so-called 'Joe jobs' are the favourite tool of criminal gangs, says Hypponen. 'We have seen competing underground groups doing this to each other, especially those selling stolen credit cards. They send out fake child porn ads for the competing website to attract the attention of the police and put their rivals out of business.'
This technique is clearly a potential danger for a company doing controversial work, such as oil exploration or animal experimentation. The perpetrators, says Hypponen, 'are just out to damage your reputation and cause inconvenience'. The victims may find it easy to prove that they did not send the e-mails, but by the time they have done so it will be too late, and the culprit will probably be untraceable.
So-called phishing attacks are also growing in number and sophistication. These began as crude e-mails claiming to come from a certain bank, asking the recipient to confirm their account and PIN details, which could then be used fraudulently or sold on. Over time these ruses have become more convincing and cover any online company. Virgin Media was a victim of such an attack in mid-March, for instance.
Hypponen has spotted a new breed of phishing threat called a 'man-in-the-middle' attack. One targeted at Amazon is typical. Consumers receive an e-mail asking them to clarify some aspect of their Amazon account. When they click on the link, they go to what appears to be the genuine Amazon site and are asked to enter their user name and password as usual.
The details are kept by the attackers and used to order goods in the victim's name. But the scam doesn't end there. The fraudsters log into the real Amazon site, go to the user's Amazon profile page, download all the information about the customer and create a new page that then asks them to confirm their details.
'It shows your name, street address, the number of purchases you've done. It is very convincing,' says Hypponen. 'It asks you to confirm each item. It shows you your credit-card numbers with all but the last four digits blanked out. It asks you to confirm the last of these credit card numbers in full in order to prove who you are. It is clever reverse psychology to get the user to punch in the data.'
Even so, 80% of data security breaches come from the inside, either by accident (as in the case of Nationwide) or deliberately for financial gain. Says Paul Davie, chief executive at Oxford-based security firm Secerno: 'Most company bosses are much more scared of their own staff than they are of hackers in the Ukraine.' Abuses can range from a council worker looking up their neighbour's credit record or health record to the organised gathering of personal data from call centres. A member of the Strathclyde police recently estimated that one in 10 of Glasgow call centres had been infiltrated by gangs, for instance.
The only way to stop this, says Davie, is to monitor network traffic closely and flag up any deviation from normal behaviour. Secerno's technology allows companies to automate the monitoring process.
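Davie's prescription, flagging deviations from normal behaviour, as an added illustration that is not Secerno's product or anything described in the article: a per-user baseline of daily record lookups is learned from constructed audit lines, and a review day is checked against it, so a user who suddenly pulls far more records than usual, or who has no history at all, is reported. The log format, users and record ids are assumptions made up for the example.

```python
# Added example (not from the article): a minimal "deviation from normal
# behaviour" check over record-lookup audit logs, the kind of monitoring that
# catches a staff member reading files they have no reason to. All data is constructed.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit lines from a quiet period, used to learn each user's normal volume.
BASELINE_LOG = """\
2007-03-01 alice R1001
2007-03-01 alice R1002
2007-03-02 alice R1003
2007-03-03 alice R1004
2007-03-01 bob R2001
2007-03-02 bob R2002
2007-03-03 bob R2003
"""

# Constructed day under review: alice is normal, bob pulls eight records, carol is unseen.
REVIEW_LOG = "\n".join(
    ["2007-03-12 alice R1005", "2007-03-12 alice R1006", "2007-03-12 carol R1007"]
    + [f"2007-03-12 bob R{3000 + i}" for i in range(1, 9)]
)

def daily_counts(log_text):
    """Return {user: {day: number of lookups}} from 'day user record' lines."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, user, _record in (ln.split() for ln in log_text.splitlines() if ln.strip()):
        counts[user][day] += 1
    return counts

def build_baseline(log_text, min_slack=2):
    """Per-user ceiling on daily lookups: mean + 3 standard deviations, but never
    tighter than mean + min_slack, so a perfectly regular user is not flagged by one extra lookup."""
    baseline = {}
    for user, days in daily_counts(log_text).items():
        vals = list(days.values())
        baseline[user] = max(mean(vals) + 3 * pstdev(vals), mean(vals) + min_slack)
    return baseline

def flag_deviations(baseline, review_log):
    """Return sorted [(day, user, lookups, reason)] for activity outside the baseline."""
    alerts = []
    for user, days in daily_counts(review_log).items():
        for day, n in days.items():
            if user not in baseline:
                alerts.append((day, user, n, "no baseline for this user"))
            elif n > baseline[user]:
                alerts.append((day, user, n, f"above ceiling {baseline[user]:.1f}"))
    return sorted(alerts)
```

Calling `flag_deviations(build_baseline(BASELINE_LOG), REVIEW_LOG)` on the constructed data reports bob's eight lookups against a ceiling of 3.0 and carol, who has no baseline at all, while alice's two lookups pass unremarked.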
Others recommend the widespread use of encryption so that all information stays scrambled except when an authorised person needs to view it. That might not stop the nosey council worker, however, and encryption itself can bring its own administrative problems - supposing you lose the key to the data?
The answer is to have a range of defences and well-motivated staff you can trust to do the right thing. Technology may solve some of the problem, but low-paid call-centre workers in Glasgow and Mumbai with access to customer data can be vulnerable to bribery or coercion. And for the hacker gangs operating in Brazil, China, Russia and Romania, the potential gains are limitless, while the chances of being caught and prosecuted are virtually nil.
Although hundreds of millions of euros are being stolen through financial fraud each year, says Hypponen, the crime is under-reported. 'If you get a phishing scam e-mail, are you going to call the cops?' And even if you did, it is unlikely to be investigated, let alone prosecuted, because although the internet is global, legal jurisdictions stop at national boundaries.
And there is another social aspect to the problem. 'If you are a great programmer and happen to be born in California or Europe, you can find a good job. But if you're from rural China, central Russia or the slums of São Paulo, what are you going to do?' says Hypponen. 'The internet removes geography. Poor skilful people on the internet will exploit rich, ignorant Westerners. They will steal their credit card numbers and spam them with Viagra ads in order to earn a living for themselves. The internet becomes a great equaliser.'
For an organisation looking to preserve confidence in its services and brand, the web is a dangerous place. As they used to say on Hill Street Blues: 'Let's be careful out there.'