Your personal data has been stolen, but you may be the last to know

A recent example is Ticketmaster UK, which disclosed on June 27 that personal information and payment data had likely been stolen by hackers. The ticket seller blamed malicious software that had penetrated a customer support product. However, the announcement may have taken longer than it could have: The company was warned of a likely intrusion more than two months earlier.

Monzo, a digital bank, says it detected suspicious activity stemming from some Ticketmaster customers’ accounts as far back as April 6. The London-based firm says it met with Ticketmaster to disclose its findings on April 12. A few days later, the ticket seller said its investigation hadn’t turned up anything, even though Monzo was still discovering compromised cards.

“When a bank or credit card provider alerts us to suspicious activity it is always investigated thoroughly with our acquiring bank, which processes card payments on our behalf,” a Ticketmaster spokesman said in an email. “In this case, there was an investigation, but there was no evidence that the issue originated with Ticketmaster.”

This kind of pattern is not unusual. Consumer credit company Equifax first disclosed its data breach on Sept. 7 2017, but says it discovered the unauthorized access on July 29. Personal data for about half of all Americans was compromised in that intrusion, which likely began in May 2017.

Sometimes intrusions aren’t detected immediately, and there can be a delay before the public is informed. When the world at large learns about big breaches like Equifax and Yahoo, which impacted a whopping 3 billion user accounts, it’s usually months or years after the data are stolen, said Shuman Ghosemajumder, chief technology officer at Shape Security. The information gleaned from these hacks is often used for “credential stuffing,” a type of cyber attack that uses purloined information for high-volume automated login requests.

Shape has observed high levels of credential stuffing even years before the large data breaches were made public, said Ghosemajumder, who previously served as “click-fraud czar” at Google. He said these surges were almost certainly linked to large breaches reported publicly much later.

Hackers are, of course, looking for money, whether that’s by taking over bank accounts or stealing credit card details. Cyber crime has a global impact worth more than $450 billion as criminal activities like fraud, blackmail, and extortion go digital. Financial firms are a key part of this struggle; banks, which spent $360 billion on IT costs in 2016, allocate three times as much as non-financial companies to cyber security.

“Cyber criminals are demonstrating a growing knowledge of our financial systems and the potential weaknesses,” according to an April report by accounting firm KPMG and UK Finance, an industry association. “There is a worrying trend towards more targeted attacks, with a growing knowledge of how these systems work.”

Fortunately, there are some signs that progress is being made in disrupting these attacks. In the UK, losses from payment card fraud fell 8% last year, to £566 million ($745 million), according to UK Finance, even as overall card spending increased 7%. Banks and card companies stopped £2 of every £3 in attempted fraud.

And though the Ticketmaster breach appears smaller than the massive intrusions at Yahoo and Equifax—the company says fewer than 5% of its global customers are affected—the delay in getting important information to consumers is similar. While the company is offering free identity monitoring for 12 months, experience suggests that this may already be too late to prevent most damage.

The EU’s new General Data Protection Regulation (GDPR) may start to change these dynamics, as organizations are required to report data breaches within 72 hours of finding out that they’ve been compromised. But how these rules will play out in practice remains to be seen. People outside of the EU, meanwhile, have fewer such regulations to ensure they’re informed when important information about them has been stolen.
