Editor's Note: CSP spoke to an FBI division chief as part of its extensive, two-part look at credit-card issues. See July's CSP magazine cover story on data security and watch for the September cover feature on the impact of credit-card fees on retailers.
WASHINGTON, D.C. -- Data thieves today come armed with an extensive line of guerilla tactics, including bot nets or networks of compromised computers that continually scan for system vulnerabilities, according to Trent Teyema, an FBI division chief for the agency's computer-intrusion unit.
Teyema, who recently spoke at a loss-prevention event for the Washington, D.C.-based National Retail Federation, told CSP Daily News that once a bot net or any other hacking scheme breaks into a company's database, thieves can sell the data, make fraudulent purchases themselves or even turn around and ransom the information back to the victims.
"Some companies would pay so they don't have to tell the public they've been compromised," Teyema said. "But having a history of [caving in] to the extortion makes that company a bigger target."
Data thieves employ tactics such as overloading a computer's buffer with data, forcing it to either shut down or allow access to an unauthorized user. That bot or compromised computer then becomes a pawn in a bot net. With such a network of computers-turned-bad, the lead hacker or bot herder can continuously scan Internet protocol addresses, automatically and relentlessly looking for vulnerabilities.
"There's a myth that a hacker is someone working hard to get into a system," he said. "It's all automated. And if a company is not patching [vulnerabilities] fast enough, there may be an opening for even a small period of time [that can allow for entry]." Sometimes the hacker's program will get in and automatically patch the flaw behind it.
Once inside, hackers can gain administrator-level access, creating their own bogus passwords and entering any part of a company's system.
The ease of operating over the Internet has attracted everyone from loose-knit gangs here in the United States to organized crime from overseas, Teyema said, sometimes selling data outright for a dollar per credit-card number or devising schemes where they fraudulently buy and ship merchandise.
If their systems are compromised, one of the best things retailers can do is to contact their local FBI offices, Teyema said, since the agency has squads set up to address cyber crime. "Think of it as a national neighborhood watch," he said, providing the group's website at www.infragard.net.
"We can give you threat alerts and reports on what to look for. Besides, it helps to know who to contact before something happens."