
App Security Insights

High Profile Security Breaches: Finance Industry

Nov 29, 2017 12:45:05 PM / by AppSolid Team


It seems every time you turn on the news, you hear about another high profile security breach. And yet most people still won’t take even the most basic steps to secure their apps, online accounts, and mobile devices. We always think it won’t happen to us -- until it does. Small businesses and app developers aren’t very different. They’re constantly striving to meet deadlines, pushing themselves to release the latest, greatest apps ahead of their competition.

That means that security can take a hit. Maybe the business plans to fix it later, or doesn’t believe it will be a target. Whatever the excuse, one thing is clear: it’s not just small-time developers neglecting security. Some of the biggest high profile security breaches have been in the finance industry. The people charged with guarding banks, credit reports, and much more have outsourced the duty to unqualified people, or simply refused to do it altogether. It’s like leaving the bank open with a sign saying, “Please rob us.” Sooner or later, a hack is inevitable.

So here are the biggest hacks so far -- and what we can learn from them. Don’t be fooled. Though these hacks targeted large firms and international conglomerates, smaller businesses were often swept up in the hacks. These small businesses make ideal targets, since they can’t afford to shell out millions on app and other forms of security. Consider these financial giants a cautionary tale. If it can happen to them, it can most assuredly happen to you.

TRW/Sears: Hacking Before Hacking


Hacking might seem like a very modern invention, but it’s been around for decades. One of the earliest hacks targeted TRW/Sears. In 1984, a criminal got access to a password for TRW Information Systems. This gave the thief access to 90 million people’s credit history.

The file password was posted to an online bulletin board, suggesting that many different thieves may have targeted consumers. An investigation revealed that the password was stolen from a Sears store.

This hacking might seem positively prehistoric, but its lessons are still relevant today: guard your passwords, and certainly don’t write them down somewhere a hacker can find or steal them. Two-factor authentication can provide additional protection when a password is compromised, as can frequent password changes.

Heartland: A Preliminary Warning

Some of the biggest security breaches have targeted companies you’ve never heard of. One of the earliest garnered plenty of media coverage, but few changes in the security or finance industries.

Heartland had access to tens of millions of credit and debit cards, and in 2008, hackers used this to their advantage. In 2009, the payment processor disclosed that a hack had targeted at least 130 million consumers.

The hack began the year before, when hackers broke into the payment processor’s systems and implanted malware. The surreptitious software went unnoticed for months, allowing hackers to steal a continual stream of data. In the end, the cost of the Heartland hack totaled well over $100 million.

Heartland was one of the earliest big attacks. This attack made clear that hacks can last for months, and that security systems don’t always catch them. Like most hacking targets, Heartland also earned criticism for failing to prevent the hack and for failing to notify authorities promptly. Critics argued that Heartland could have mitigated damages, and that its clients could have taken proactive measures, if the giant had let people know about the breach sooner.

It seems no one learned the lesson. Giant businesses continue to delay notifying consumers and authorities of hacks, and novice-level security mistakes keep opening financial businesses to dangerous hacks. Consumers’ lives, finances, and privacy are left hanging in the balance. Some more recent hacks have followed the same pattern.

Equifax


The Equifax breach is so recent and so massive that we still don’t really know its scale. It will almost certainly give rise to large class action lawsuits. Yet so far, we’ve seen few signs that it will change anything about the security practices of the finance industry. Yet again we see consumers, developers, businesses, and security experts resolved to do only the bare minimum -- and convinced that the next security breach couldn’t possibly target them.

The Equifax security breach exposed the names, credit information, addresses, and potentially more of nearly 150 million Americans. This data is sufficient to give criminals access to consumer bank accounts, to file fraudulent tax returns, to hijack retirement accounts, and more. Consumer advocates recommended freezing credit in the wake of the attack, but freezing credit won’t protect consumers from every potential consequence of this hack.

We don’t yet know who was responsible. Some speculate that the hack may have been sponsored by a foreign government or terrorist organization. Others counter that criminals of every stripe have plenty of incentive to access consumer data, so it could just be a well-organized group, or even just a highly talented individual.

What we do know is that the hack began with a security hole in an open source software package called Apache Struts. Analysts say the financial giant could have, and should have, noticed and fixed the hole well before hackers exploited it. And there’s a lesson here for other industries, too: be careful with any software you use, particularly if it’s not something you’ve built yourself and it isn’t continually updated. Bad actors routinely insert malicious code into seemingly helpful free code. Choose software packages wisely, and carefully check coders’ work.

For some consumers, there may be few options. The Senate voted to eliminate a rule that would have made it easier for consumers to sue Equifax. It’s unclear how or to what extent this change will affect lawsuits or legal settlements.

Equifax is, for now, offering free credit monitoring for a year. Some security experts have expressed frustration with this maneuver, since Equifax has done little to ease consumer fears that their credit monitoring profiles might become the next hacking target. Analysts are already demanding more regulations that penalize companies with lax security protocols.

TJX

In March 2007, TJX -- the parent corporation of brands such as Marshall’s and TJ Maxx -- revealed that a security breach had compromised at least 46 million consumers’ MasterCards. The breach yielded numerous lawsuits by consumers and banks attempting to recoup their losses.

Court documents suggest that TJX initially underestimated the number of consumers affected: nearly 100 million consumer financial accounts were compromised. At the time, the hack was the largest in history.

UniCredit

Italy’s largest bank, UniCredit, was the target of a hack initially thought to compromise about 400,000 consumer accounts. That might seem like a small figure by comparison to the hundreds of millions affected by American hacks. However, the hack is part of a larger attempt to target numerous European financial institutions.

The bank said it immediately secured the holes that led to the breach. The hack was initially detected while the bank’s security and development wing conducted routine security sweeps. Now the banking giant has pledged to upgrade its infrastructure and improve security.

This hack stands in contrast to the fallout surrounding many American hacks. UniCredit immediately earned praise for its handling of the hack. The small number of accounts detected might be a direct result of the banking giant’s frequent security checks. The fact that UniCredit immediately closed the hole further stymied hackers, potentially protecting thousands of consumers. There’s a lesson here: hacking might not be fully preventable, but massive security breaches are. Businesses must regularly check security, patch holes, and promptly report security breaches to affected consumers.

Target


It all began with a phishing attack. The Target security breach quickly morphed into one of the most infamous security breaches of all time. It required no special technical expertise, either. Instead, a phishing email tricked an employee of Fazio Mechanical, a Target vendor, into giving up a password. This allowed a password-stealing bot to target Fazio computers, gaining access to login information for Target’s internal network. From there, hackers could take over Target servers. They spent more than two weeks gathering credit card and other financial data, which they then put up for sale on the black market.

Target was roundly criticized for failing to promptly report the breach, for not taking proactive measures to mitigate its effects, and for minimizing the number of consumers affected. The retail giant eventually hired a new security team, but not before losing millions of dollars. The retailer remains synonymous with major hacks, at least in part because it marked the first time a CEO was fired over a credit card security breach.

In the end, Target paid hundreds of millions in various lawsuits and settlements. But its security measures appear to have worked, because it has not been the victim of a major hack since then.

So what can businesses learn from the Target breach? Plenty. App developers often focus on protecting against hackers, but breaking the technology isn’t the only avenue into a network. Simple social engineering through phishing and other well-known scams is an easy way to take down a business, even with little to no technical know-how.

Target is also a cautionary tale to businesses with many partners. Every partner with which a business works -- payment processors, third party vendors -- is another point of entry to the business. So even if the business itself practices good security, it might not be totally secure. The more people your business depends on, the more you need to lock up your data. Consider how a breach of one of your partners might affect your business, and plan accordingly.

JP Morgan Chase

In 2014, a hack on JP Morgan Chase targeted 76 million families and seven small businesses. Hackers gained access to consumer contact information, as well as an avalanche of sensitive financial data.

The hack began when hackers gained root access to more than 90 of the financial giant’s servers. This allowed access to virtually every bank function, including transferring money and closing accounts. This was one of the few hacks in which law enforcement was actually able to find a suspect. Four hackers pled guilty to two dozen counts, and admitted to netting at least $100 million from money laundering, fraud, and other crimes. The hackers also admitted to hacking several other financial institutions and financial websites. Some of these hacks had not yet been disclosed or discovered, revealing the broad -- and often undetected -- scope of the hacking problem.

The JP Morgan Chase hack hammers home the importance of server side protections. Fail to secure your servers, and watch helplessly as hackers take over much of your business.

Home Depot


In 2014, more than 56 million consumers were the victims of a massive Home Depot security breach. The hack began with malware installed on Home Depot’s point of sale (POS) servers. The malware went unnoticed for at least five months, allowing hackers to gather data on millions of consumers. Analysts initially speculated that the Home Depot breach might be related to the Target breach, but an investigation put this rumor to rest.

Immediately following the breach, Home Depot shelled out $62 million to mitigate damages, but lawsuits and other consumer actions have greatly increased the price tag.

As with other long-running breaches, the Home Depot breach reveals that hackers can gain access to a system and wreak havoc for months without detection. It remains unclear what Home Depot should have done to stop the hack, but the retailer has reportedly turned to tokenization. This method for managing payments replaces sensitive financial data with unique symbolic identifiers (tokens) that are stored in place of the real card numbers, so a breach of the payment systems yields tokens rather than usable card data.
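To make the tokenization idea above concrete, here is an added example written for this post (not Home Depot’s or any payment vendor’s implementation; the vault design, field names, and the test card number are assumptions). The point of sale keeps only the random token, so a compromised POS record reveals nothing about the card.

```python
import re
import secrets

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, the sanity check every card number must pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Hypothetical token vault: the only place the real PAN is ever stored."""
    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        digits = re.sub(r"\D", "", pan)
        if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
            raise ValueError("not a well-formed card number")
        if digits in self._token_by_pan:    # same card -> same token (idempotent)
            return self._token_by_pan[digits]
        # 64 random bits plus the last four digits for receipts; no relation to the PAN
        token = f"tok_{secrets.token_hex(8)}_{digits[-4:]}"
        self._pan_by_token[token] = digits
        self._token_by_pan[digits] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (e.g. at settlement time) can map a token back."""
        return self._pan_by_token[token]    # KeyError for unknown tokens

def pos_record(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What a point-of-sale server would persist: the token, never the PAN."""
    return {"token": vault.tokenize(pan), "amount_cents": amount_cents}

def leaks_pan(record: dict, pan: str) -> bool:
    """Defender's check: does a stored record contain the full card number?"""
    digits = re.sub(r"\D", "", pan)
    return digits in "".join(str(v) for v in record.values())

if __name__ == "__main__":
    vault = TokenVault()
    TEST_PAN = "4111 1111 1111 1111"       # constructed, industry-standard test number
    rec = pos_record(vault, TEST_PAN, 4999)
    print(rec, "leaks PAN:", leaks_pan(rec, TEST_PAN))
```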

Learn More -- and Prepare for the Next Attack

Preventing security breaches isn’t just about technical expertise. You must also understand the psychology of hackers, as well as those they target. A number of psychological barriers prevent consumers from adopting sound security measures. Businesses, too, may believe that they won’t be the next victim. Good security, then, means working around these psychological barriers.

Stop asking if you’ll be a target, and begin asking when. With millions of hacking attempts each year, and thousands more successful breaches, every business, every app, and every consumer is a potential target. Changing your security mindset to accept this reality can revolutionize the way you do things -- and protect consumers, financial data, and your good reputation.

We can teach you how to protect yourself before you become the next target. And if you’re ready to secure your apps once and for all, contact us to learn what we can do for you. AppSolid’s industry-leading security protocols offer binary, cloud-based security that locks your apps up in a virtual fortress.
