London: Commenting on reports that the payment card data of 1,440 customers of a US firm have been sold on a searchable ‘carder forum’ for $3.50 each, Lieberman Software says this is a classic case of why privileged identity management is needed to secure private customer data on corporate networks.
Philip Lieberman, President and CEO of the privileged identity management specialist, said that the newswire report – which details how a European hacker broke into a US firm and downloaded the payment card numbers and security codes of 1,440 customers – shows how easily cybercriminals can access this kind of private data.
“Once the privileged accounts that control access to computers and applications are properly secured, even after a hacker breaches a corporate network it can be almost impossible for him to get control of this sort of private data,” Lieberman said.
“The fact that an individual hacker quickly generated over $5,000 from the crime shows how lucrative customer payment card data can be in criminal hands. The hacker may have sold the credentials at $3.50 each, but these stolen card numbers are almost certain to create vastly greater losses for payment processors and merchants,” he added.
Lieberman went on to say that locking down this kind of private data – by securing the privileged identities present on every computer, application and network appliance – is exactly what his firm’s technology helps customers to achieve.
Unfortunately, he explained, not all firms handling payment card data have the capability to manage potentially thousands of privileged identities present on their networks. As a result, criminal sites like www.CVV2s.in are flourishing – allowing thieves to buy private data just as easily as buying a music track on a shopping portal.
The fact that the criminal websites offer the ability to search by bank identification number – and so select cards from institutions known to have weak security – highlights how specialised this form of cybercrime has become.
The only piece of good news is that a growing number of card issuers are implementing needed safeguards for online purchases – such as the use of multi-factor authentication card readers and 3D-Secure passwords. But the reality, says Lieberman, is that too many issuers have been too slow to adopt this technology.
“Add in the fact that 3D-Secure is not implemented on all sites, especially those operated by smaller firms, and it’s clear the cybercriminals are exploiting a gap in the market. And that gap exists because of lax security on the part of the companies that accept cardholder payments,” he said.
“Had the victim organization used PIM – privileged identity management – to secure its payment card data, this information would almost certainly not have been accessible to criminals. In this case the stolen customer data represents 1,440 more reasons to look at using PIM technology on corporate networks,” he said.