Online security experts note a shift from mass attacks to targeted infiltrations of banks, businesses, restaurants and retailers.
It’s a sad fact of modern American consumer life. Every time we swipe a piece of plastic at a gas station, grocery store or anywhere else, we’re vulnerable to virtual pickpockets.
Increasingly, credit and debit card numbers have become commodities sold by cyberthieves who harvest them from banks, businesses, restaurants and retailers.
“The sophistication of these attacks is unprecedented,” said G. Mark Hardy, president of National Security Corp., a Tampa, Fla.-based cybersecurity consulting firm.
Last year, targeted attacks on businesses jumped 42 percent, according to security software firm Symantec. Attacks spiked 31 percent among companies with fewer than 250 employees.
In recent years, restaurants, grocery stores and even the city of Sacramento, Calif., have had their computer systems hacked or compromised.
It’s part of a shift from mass attacks by computer viruses, worms and other cyberthreats to more pinpointed, targeted infiltrations, say online security experts. The attackers, often located overseas, “find this method more effective because it allows them to fly under the radar and avoid drawing widespread attention to their malware,” Brian Burch, vice president of consumer and small business marketing at Symantec, said in an e-mail.
Small businesses are easier targets
Small businesses are frequently targeted because they often lack adequate security practices, said Burch. Additionally, because small firms often partner with bigger organizations, cybercriminals “sometimes use them to gain access to a larger company.”
That reality hit the Raley’s grocery chain earlier this month when it said it had been the victim of a cyberattack targeting customers’ credit and debit card numbers. Raley’s spokesman John Segale said forensic computer experts arrived “within hours” of the company being alerted to a possible security breach on May 30, and continue to investigate. The West Sacramento-based grocery chain also said it reported the incident to the FBI.
In an e-mail, FBI spokeswoman Gina Swankie said the Sacramento office was aware of the Raley’s incident but could neither confirm nor deny that a formal investigation is underway.
For some Raley’s shoppers, the cyberattack was unnerving.
Longtime customer Pat Hoschler got a call June 3 from her financial institution, Schools Federal Credit Union, telling her that a suspicious $95 charge was made on her card in Atlanta. A second charge, for $125, was stopped by the credit union before it went through, she said.
The experience has made her nervous about swiping her debit card again.
“It gives me the creeps to think someone might be using my name and [debit] card information. I worry about it. I may not use my debit card anymore,” said Hoschler, who said she uses her debit card for Raley’s purchases several times a week.
Typically, the thieves who steal the data from retailers and other targets aren’t the ones who use it to rack up fraudulent charges. “There’s an underground ecosystem for the sale, transfer, purchase and exchange of stolen credit card and debit card information,” said security expert Hardy.
Investigations, arrests and convictions of cybercriminals are continual. Earlier this month, federal prosecutors in New Jersey announced charges against eight members of an alleged international ring that hacked into the computers of major financial institutions and the U.S. military payroll service, attempting to steal at least $15 million from customer accounts.
In April, a Russian cybercrook was sentenced in Washington, D.C., to more than seven years in federal prison for trafficking in stolen credit and debit cards. When arrested, he was in possession of more than 2.5 million stolen credit and debit card numbers, according to the FBI.