Reports that the Suffolk County Bank – a subsidiary of Suffolk Bancorp, the US financial institution – had its banking servers hacked last November were met with astonishment.
According to Imperva CTO Amichai Shulman, what is amazing about the case is not just the fact that the bank has taken until now to reveal that around 10 per cent of its customers’ credentials were compromised, but that the data was stored as plain text.
“This confirms our observations in our recent end-of-year analysis, in which we predicted that 2010 will be the year of hackers going after people’s credentials, since they have become a saleable – as well as usable – commodity on the Internet,” he said.
“The main reason for credentials being more valuable than credit card details is that, whilst cards are usually invalidated a short time after they have been fraudulently used, people regularly use the same credentials on multiple systems,” he added.
As a result, it’s a lot more difficult for a large number of Internet users to lock down their electronic identities, as they have to change their passwords on multiple systems.
A much better strategy, he went on to say, is for organizations to start using multiple layers of security – including strong passwording and firewall-protecting their databases from prying eyes.
In this case, Shulman explained, it is clear the hackers realized that bank user credentials have a much higher community value than, say, payment card information because, once a hacker can log in with a user’s credentials, s/he has access to their accounts and can perform as many transactions as they wish.
“What I find astonishing about this hack is that you would think that a banking application would undergo much more stress testing than most and, as a result, the storage of user credentials in plain text would have been spotted and remediated early on in the system development process,” he said.
“Although the full modus operandi for this banking hack has yet to be revealed, given that the server was accessed and 8,378 credentials were stolen, I would assume the attacker gained access using an SQL injection approach,” he added.