Imperva identifies 8,378 reasons for better banking security
According to Amichai Shulman, the data security specialist's chief technology officer, what is amazing about the case is not just the fact that the bank has taken until now to reveal that around 10 per cent of its customers' credentials were compromised, but that the data was stored as plain text.
"This confirms our observations in our recent end-of-year analysis, in which we predicted that 2010 will be the year of hackers going after people's credentials, since they have become a saleable - as well as usable - commodity on the Internet," he said.
"The main reason for credentials being more valuable than credit card details is that, whilst cards are usually invalidated a short time after they have been fraudulently used, people regularly use the same credentials on multiple systems," he added.
As a result, the Imperva CTO says, it's a lot more difficult for a large number of Internet users to 'lock down' their electronic identities, as they have to change their passwords on multiple systems.
A much better strategy, he went on to say, is for organisations to start using multiple layers of security - including strong passwording and firewall-protecting their databases from prying eyes.
In this case, Shulman explained, it is clear the hackers realised that bank user credentials have a much higher community value than, say, payment card information as, once a hacker can log in with a user's credentials, s/he has access to their accounts and can perform as many transactions as they wish.
"What I find astonishing about this hack is that you would think that a banking application would undergo much more stress testing than most and, as a result, the storage of user credentials in plain text would have been spotted and remediated early on in the system development process," he said.
"Although the full modus operandi for this banking hack has yet to be revealed, given that the server was accessed and 8,378 credentials were stolen, I would assume the attacker gained access using an SQL injection approach," he added.
For more on Imperva: http://www.imperva.com