Caution, Skepticism Follow News of Russian Password Mega-Heist

Financial institutions are on alert but also taking a wait-and-see approach following news that a gang of Russian hackers has amassed 1.2 billion sets of user names and passwords.

Companies are monitoring more closely for instances of fraudsters exploiting their customers' data in the wake of the heist. Often, cybercriminals will commit fraud by guessing or stealing login credentials to masquerade as legitimate customers. The cybercrime calls attention to the weakness of the password and serves as a reminder for banks to better educate their customers on the importance of regularly updating their login details. However, the incident is being taken with a grain of salt based on the limited information available so far.

The biggest risks for financial institutions are likely to come from spamming and spear phishing, said Jeff Johnson, senior vice president of information technology at Baxter Credit Union in Vernon Hills, Ill.

If the hackers have e-mail addresses, they can start "spear phishing" consumers or financial institution employees with authentic-seeming fake e-mails to gain further access, said Johnson, who is also a member of the executive committee for the Credit Union National Association's Technology Council.

Another concern is the hackers' ability to use those e-mail addresses to send out malware that harnesses a large number of computers for malicious purposes, he said.

The pilfered records, associated with about 500 million unique e-mail addresses, were discovered by Hold Security LLC, a Milwaukee-based company that sells information security and risk management services. The findings were based on seven months of research, though the company didn't give a time period for the theft or name any websites that were hacked.

The latest cache of user names and passwords was extracted from websites using a network of compromised computers known as a botnet, according to an Aug. 5 announcement from Hold Security.

The "list includes many leaders in virtually all industries across the world, as well as" small or personal websites, according to Hold Security.

But some are skeptical about the gravity of the situation. Although Hold Security said the hackers gained access to the largest known cache of stolen personal information, not all the records were current, and the company couldn't say if financial accounts were linked.

Also, user names and passwords are less valuable than credit card data and Social Security numbers, said Peter Toren, a partner in the Washington-based law firm Weisbrod Matteis & Copley Plc.

"People should step back and question what kind of accounts are we talking about," said Toren, who served as an attorney for the Department of Justice's computer crime and intellectual property section from 1992 to 1999. "Do I really care if they find out what kind of music I listen to?"

Consider the source, advised Robert Reh, chief information officer at Nassau Financial Federal Credit Union and another member of the CUNA Technology Council's executive committee.

Hold Security "sent this out obviously for their own reasons — to get interest in their services... And when they announced it they also announced that they would notify the websites that were affected by this that this info was gleaned from, but only if you sign up for their breach notification services that start at $120 per year," Reh said.

Alex Holden, the founder and chief information security officer of Hold Security, said it made the announcement as a public service.

"We have been collecting information to help our customers stay more secure," he said. "We found that it was such a great impact to society that we decided to make a public statement."

This attack is a bit different from some of the other breaches seen in recent months, such as those at Michaels Stores or Target, because consumers haven't been directly targeted, Johnson said.

When retail shops are hit, for example, "we know the cards that have the potential to get fraudulently used in the future," he said.

"This is a little more generic, and I think this one's going to be a little bit more 'connect the dots over time,' as opposed to 'you've got these 10,000 cards that we know were in the list of cards that were compromised,'" Johnson said.

Despite those concerns, however, Baxter isn't planning to take any immediate action beyond closely monitoring the situation, he said.

If Baxter begins to get questions from members — whether via its website, call center, e-mails or Facebook page — then it might change its strategy, Johnson said.

Serious criminals, often in Eastern Europe, steal payment card numbers. The theft of at least 40 million such numbers from Target last year was one of their biggest hauls.

The bigger threat is that the Russian hackers could use whatever information they obtained to build profiles of people, which can be sold on the underground Internet market or used to obtain fake driver's licenses or passports, Toren said. Caveats aside, the threat should be taken seriously, he said.

This could, in fact, be another wake-up call for financial institutions, Reh said.

"This is not something new," he said. "You should already have [processes and procedures] in place for something like this... There are hackers out there that we need to be aware of and protect our institutions from."

The attack also raises doubts about password security, said Reh, who pointed out that though passwords aren't going away anytime soon, events such as this one indicate the need for stricter security protocols.

"Obviously technology has changed over the past few years with the introduction of smartphones and mobile devices, especially with cameras that can be used for facial recognition or fingerprints," he said.

Although widespread use of biometrics may still be a few years off, breaches such as this one can and should help push the use of that technology forward, Reh said.

The hackers operated from central Russia near the border with Kazakhstan, Holden said. He declined to provide exact details about their location or identities in order to not jeopardize potential law enforcement operations.

Although the claim by Holden has to be verified, the details and scope of the attack aren't surprising, according to JD Sherry, vice president for technology and solutions at security firm Trend Micro.

"The Eastern European shadow economy is stocked with treasure troves of data as well as national security assets in the form of elite hackers," he wrote in an e-mail. "It is plausible that a single syndicate has cornered the market and compromised over a billion credentials over an extended period of time."

Cybercrime costs the global economy as much as $575 billion a year and remains a growth industry with attacks on banks, retailers and energy companies that will worsen, according to a report published in June by the Washington-based Center for Strategic and International Studies and sponsored by network security company McAfee Inc. of Santa Clara, Calif.

Financial institutions and credit card companies are quick to cancel cards that they know are stolen, and they have developed advanced algorithms for detecting fraud before charges hit victims' accounts.

The hackers could rent their lists to spammers, though few people open spam e-mails or even see them anymore.

Effective filtering blocks 299 out of every 300 spam messages, according to The Spamhaus Project, an anti-spam nonprofit based in Geneva and London.

— Bloomberg News contributed to this report
