Perils of the Digital Age

DQC News Bureau

At the core of all the recent incidents of credit card and cyber fraud lies data theft. The revelation and wide coverage of the issue may be recent, but individuals, corporates and governments across the world have suffered the consequences of data theft for a long time now. 60% of the organizations responding to the India Fraud Survey 2012, conducted by Ernst & Young India (EY), identified data theft as one of their biggest concerns.

Possible Leakage Points

Fraudsters gain access to data through a soft entry or information harvesting point, such as a rogue employee or a malicious sub-contractor, by breaching trusted connections through partner system breaches, or through disposed equipment. It will be alarming for individuals and companies alike to learn that their confidential information and data is available for free in the open market.

An interesting market study was conducted by EY's Fraud Investigation & Dispute Services (FIDS) team on used mobile phones and computers. They randomly purchased these devices from the market and from online stores, and then performed forensic data recovery procedures on each of the computers' hard disks and the mobile phones. As suspected, tons of data was found that had either been left undeleted or been deleted using insecure methods, and that could easily be recovered using basic computer forensic procedures.

What was found and what do they want?

On average, 700 documents, 700 spreadsheets, 100 presentations and some 50,000 pictures and movies were retrieved from each of the hard drives. These hard drives seemed to have belonged to personal as well as corporate computers that were discarded as obsolete. Typically, fraudsters will scan such devices for customer data like contact details and financial data, including credit card numbers, bank account details and healthcare information. From the corporate data point of view, intellectual property, formulas, research, software source code and algorithms can also be of great interest to the perpetrator. Trade secrets, pricing information, sales data, marketing information, personnel records and private employee data, and system and user credentials such as passwords and certificates can be sourced and misused to a great extent. The potential damage that leakage of such sensitive information can

Impending Damage

Identity fraud - Phone contacts, messages, emails, chat logs, online passwords, ATM and credit card numbers etc. can be misused by fraudsters not just for one-time gain but also to cause continual damage by taking over online identities, up to harassment and extortion. Some of the mobile phones that were found had configured email accounts that were already logged in. This meant that the owner of the second-hand mobile had open access to all emails without having to know the password. Corporates are at a bigger loss if a fraudulent person gets their hands on their confidential information.

Financial fraud - Various sensitive documents were found either in PDF format or as scanned images. Documents such as passport copies, PAN card copies, bank statements and mobile phone records can be misused by the fraudster to carry out dubious KYC and fraudulently avail bank loans and credit cards.

Email takeover - Access to any one email account, along with other information, can lead to hijacking of other accounts of the same person. This can be achieved in cases where the link to reset one email account is sent to another email account. For example, account B is a secondary email for account A. A person has unauthorized access to account B, but is unable to get access to account A. He can use the "Forget Password" facility for account A so that the link to reset the password for account A is sent to account B. Once the link is received on account B, the unauthorized person can reset the password for account A, thereby getting access to multiple accounts. Such mechanisms can also be used to hijack Internet banking and other accounts.
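The account A / account B chain described above can be audited before a device is handed over. The following is an added example, not part of the original article: it maps which accounts fall if one mailbox is exposed, and every account name and the recovery map itself are constructed for illustration.

```python
from collections import deque

# Constructed sample: account -> mailboxes that receive its password-reset link.
RECOVERY = {
    "a@example.com": ["b@example.com"],   # account B is the secondary email for A
    "b@example.com": [],
    "bank-login": ["a@example.com"],
    "shop-login": ["a@example.com", "c@example.com"],
    "c@example.com": ["c-phone"],
}

def blast_radius(recovery, exposed):
    """Map every account resettable from `exposed` to the reset chain that reaches it."""
    # Invert the map: mailbox -> accounts whose reset link lands in that mailbox.
    resets = {}
    for account, mailboxes in recovery.items():
        for mailbox in mailboxes:
            resets.setdefault(mailbox, []).append(account)
    chains = {exposed: [exposed]}
    queue = deque([exposed])
    while queue:                      # breadth-first, so each chain is a shortest one
        held = queue.popleft()
        for account in sorted(resets.get(held, [])):
            if account not in chains:
                chains[account] = chains[held] + [account]
                queue.append(account)
    del chains[exposed]
    return chains

def riskiest(recovery):
    """Rank every account or mailbox by how many others fall if it alone is exposed."""
    names = set(recovery) | {m for ms in recovery.values() for m in ms}
    return sorted(((len(blast_radius(recovery, n)), n) for n in names), reverse=True)

if __name__ == "__main__":
    for count, name in riskiest(RECOVERY):
        print(f"{name}: exposes {count} other account(s)")
```

Accounts at the top of the ranking are the ones to sign out of, and whose recovery address to review, before a phone or computer leaves the owner's hands.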

Location tracking - Many of the recovered images were photos taken with cell phone cameras. Such images carry additional data about the image, such as the GPS coordinates (longitude and latitude) of the location where the picture was taken (geo-tagging) and the make and model of the camera used. When photos are taken with smartphones such as the BlackBerry and iPhone, this location information can reveal house addresses and other sensitive information. Social engineering combined with social profiling and geo-location variables provides easy entry for targeted attacks.
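To see what a photo carries before it is shared or a device is disposed of, the Exif block of a JPEG can be inspected and removed. This is an added example, not part of the original article: it only detects the GPS pointer and the camera make/model in the first Exif directory (it does not decode coordinates), and the sample image is constructed inline.

```python
import struct

def exif_segments(jpeg):
    """Yield (start, end) offsets of each Exif APP1 segment before the image scan."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        end = pos + 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if jpeg[pos + 1] == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            yield pos, end
        pos = end

def exif_findings(jpeg):
    """Report whether IFD0 points to GPS data and which camera make/model it names."""
    found = {"gps": False, "make": None, "model": None}
    for start, end in exif_segments(jpeg):
        tiff = jpeg[start + 10:end]                 # TIFF header follows "Exif\0\0"
        bo = "<" if tiff[:2] == b"II" else ">"      # byte order of this Exif block
        (ifd,) = struct.unpack(bo + "I", tiff[4:8])
        (count,) = struct.unpack(bo + "H", tiff[ifd:ifd + 2])
        for i in range(count):
            entry = tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i]
            tag, typ, n, value = struct.unpack(bo + "HHII", entry)
            if tag == 0x8825:                       # GPSInfo IFD pointer
                found["gps"] = True
            elif tag in (0x010F, 0x0110) and typ == 2:   # Make / Model, ASCII
                raw = tiff[value:value + n] if n > 4 else entry[8:8 + n]
                key = "make" if tag == 0x010F else "model"
                found[key] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return found

def strip_exif(jpeg):
    """Return the JPEG with every Exif APP1 segment removed."""
    out, last = bytearray(), 0
    for start, end in exif_segments(jpeg):
        out += jpeg[last:start]
        last = end
    return bytes(out + jpeg[last:])

def sample_jpeg():
    """Constructed sample: header-only JPEG with a Make tag and an empty GPS IFD."""
    make = b"ExampleCam\x00"
    tiff = b"II*\x00" + struct.pack("<IH HHII HHII I", 8, 2, 0x010F, 2, len(make), 38,
                                    0x8825, 4, 1, 38 + len(make), 0)
    tiff += make + struct.pack("<HI", 0, 0)
    body = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"
```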

Corporate espionage - The world has seen a number of organized, targeted cyber crimes aimed at obtaining secrets or related intellectual property, targeting not just the corporate but also its service providers, e.g. network equipment, token and SSL certificate providers. Once identified, anyone can buy these discarded digital assets, which are meant for sale anyway, e.g. disposed network equipment or tokens. Even service centers become a vulnerable point from which information can be stolen if the service center person has partnered with an information thief.

Mode of operation

There are a number of ways in which cyber criminals breach secure corporate systems:

Through sophisticated internet-based malware infection, e.g. Stuxnet and Duqu, created for a specific purpose or target and with a definite lifespan.

Through infected media and appliances.

Through external exploitation, e.g. co-location host exploitation, cloud provider penetration or honeyspot.

Through a soft entry or information harvesting point, e.g. access through insiders (rogue employee, malicious sub-contractor, funded placement), by breaching trusted connections (through stolen VPN credentials, partner system breaches) or by gaining access to disposed equipment.

Protect the data!

Now that the problem, the mechanism and the potential threats are known, what matters most is what solutions companies have to protect their data. Vigilance towards the channels through which company data can be leaked is one of the most critical measures that should be adopted. Corporates must employ proactive forensic measures and controls to ensure that any digital asset moving out of the company premises for disposal or repairs is forensically treated. Effective implementation of a data encryption policy to prevent unauthorized access to sensitive information is highly recommended. An overall proactive and informed approach towards prevention of data theft will be necessary to curb this uninhibited crisis.

This article is contributed by Arpinder Singh, partner & national director, Fraud Investigation & Dispute Services (FIDS), Ernst & Young with additional inputs from Amit Jaju, senior manager, Fraud Investigation & Dispute Services (FIDS), Ernst & Young.

(Views expressed in this article are personal to the authors.)

 
