Staying ahead of the hackersAugust 18, 2009: 2:10 PM ET
Justice Department nabs three alleged cyberthiefs, but for corporate America network threats are a persistent problem.
As consumers digest the latest scary headline about credit and debit card theft - this week the Justice Department indicted three men in connection with the largest identity theft case ever to reach America's courts - businesses are scrambling to find ways to protect information against increasingly persistent and brazen cybercriminals.
The men, who include 28 year-old Miami resident Albert Gonzalez, are now are accused of hacking into the computer systems of five companies, including credit-card processing company Heartland Payment Systems Inc., Hannaford Bros. supermarkets, and 7-Eleven to steal more than 130 million credit and debit card numbers.
Gonzalez's name may ring a bell because he has been affiliated with similar cases in the past: he has been tied to other large data theft cases including the theft of more than 40 million credit card numbers from T.J. Maxx parent TJX (TJX) , OfficeMax (OMX), Barnes & Nobles (BN) and other companies last summer as well as the theft of thousands of cards from Dave & Busters in 2007. Gonzalez is currently in jail awaiting trial, according to news reports.
This case may be far more massive than any that have come before it, but unfortunately for both businesses and consumers, it is not unusual in its charges. As data systems become increasingly complex, personal identity theft is virtually exploding.
Kevin Prince, chief technology officer of information security firm Perimeter eSecurity, says the problem is escalating: A 2007 study by the University of Maryland suggests someone - or some system - attempt to compromise an average computer network every 38 seconds. One in three of these attempts are successful. And more than half of the more than 55,000 incidents of wire fraud reported since 1998 have occurred in the last two years, according to a recent Treasury Department report cited by the Wall Street Journal.
A new challenge many companies, retailers, in particular, face today is the proliferation of electronic transactions: Consumers aren't simply buying more things using their computers, they also are transacting business and purchases using smartphones, netbooks and other devices over networks that may or may not be secure.
Companies must step up their efforts to protect their data not just when it resides on their servers, but when it is transferred back and forth to different networks, says Ken Pappas, a security strategist with Top Layer Networks. "A lot of these programs have 20th century defenses in their networks and are depending on firewalls alone to keep data safe," he says, explaining hackers are a sophisticated lot who will pinpoint the weakest link in a security system.
Certainly, that's what Gonzalez and two suspected hackers living outside the United States were accused of doing: they allegedly visited retail stores to scout out weak payment processing systems and then used malicious software called malware to attack computers and steal data as it moved through computer networks.
SophosLabs specializes in protecting businesses from malware. Richard Wang, one of the firm's security experts, suggests businesses can do two things immediately to better insulate themselves from the threat. First, they can give thought to the initial design of their networking system.s And second, businesses must stay atop the myriad patches that come out for the applications their systems rely on.
Also, says Wang, companies need to make sure data is secure at every step of a potential transaction, including the times data are in transit over fiber or wireless networks.
Like SophosLabs and Perimenter, plenty of security outfits have sprung up in the last decade to help companies keep up-to-date, but even many of their analysts suggest that staying ahead of hackers is a bit like playing cat-and-mouse.
Surprisingly, just as businesses are stepping up to the challenge of dealing with cybertheft, consumers have become numb to it, according to Perimeter's Prince. He explains that consumers just call their credit card companies to have the charges rescinded or the cards reissued. "They don't have any personal repercussions so they aren't concerned," he says. "It's sad because it has a really large negative impact on business."