An insider on the digital black market, Brian Krebs uncovers major credit card breaches before the big retailers know what hit them. He takes readers along in his book ‘Spam Nation.’
A funny thing happened to Brian Krebs’ new cybercrime expose “Spam Nation” on its way to press: Its publisher got hacked.
Such ironies are all in a day’s work for Krebs, the longtime Washington Post cybercrime reporter turned spam sleuth whose daily blog, KrebsOnSecurity.com, uncovers major credit card breaches before the Targets and Home Depots of the world even know what hit them.
AUTHOR, ‘SPAM NATION’
In his book “Spam Nation,” cybercrime insider and former Washington Post reporter Brian Krebs shows how financial ruin can be just one mouse-click away. As the book’s subtitle puts it, “There is a Threat Lurking Online with the Power to Destroy Your Finances, Steal Your Personal Data and Endanger Your Life.” The book was released Nov. 18, 2014.
In “Spam Nation,” Krebs follows the money trail — a jaw-dropping $40 billion bilked from Americans each year — back to the Russian cyberlords whose robot networks (or “botnets”) sprinkle our inboxes daily with junk emails that prey on the unsuspecting.
One click on that innocent-looking enclosed malware link can allow spammers to take control of your computer, lock you out of email and social media, steal your usernames, passwords and online banking credentials and sell them on the digital black market — $2 apiece for your Overstock.com or Walmart.com login, $8 apiece for your iTunes account, and so on.
While retail card breaches continue to command the headlines, Krebs says forget what’s in your wallet and focus instead on what’s in your email if you really want to protect your financials.
Q: “Spam Nation” may surprise some who haven’t made the connection between the junk mail they delete every morning and the big-box breaches they see on the nightly news. Yet spam is still the bread and butter of cybercrime, right?
A: That’s right; spam remains the single biggest driver of big breaches today. The same cybercrime networks being used in pill (pharmaceutical) spam are also being used to send malware. If we look at some of the biggest data breaches in recent memory — JPMorgan, Target, RSA Security come to mind — they all began with poisoned email.
Q: How do you discover the breaches and break the news before the corporate victims do?
A: When you see a single [black market] carding store start selling millions of cards out onto the market, something big just happened and so it’s time to get to work. Over the last year in particular since the Target breach, I’ve just become sort of the ISAC [information sharing and analysis center] of the small banking industry. The larger banks, by virtue of having their fingers in so many financial pies, tend to understand very quickly when there is a big breach involving one retailer’s or merchant’s cards. The smaller banks usually need to compare notes with other banks, and that’s sort of where I come in. I reach out to banks that I have a relationship with and say, “Hey, it looks like a whole bunch of your cards are for sale in this huge batch that just went online. Here’s how you can go get them. Just FYI, I’ve been really interested in whether you see any patterns.”
Are they forthcoming? Do they trust you? Q:
A: Sure. None of them would talk to me if their bank names showed up in my stories. I just say I’m happy to share information with you about what I’m seeing as long as you’re able to do the same.
Q: The “Replay” credit card fraud you discovered out of Brazil, in which small U.S. banks receive chip-and-PIN card charges despite not having yet issued EMV (Europay, MasterCard and Visa) cards, should win some sort of chutzpah award.
The credit card stuff, everybody gets riled up because everybody’s got a credit card. But everybody has an online and a real world identity, too, and most people can’t be bothered to take two seconds out of their day to make that more secure.
A: Yes, it underscores the fact that switching over to EMV is not like flipping a switch; it’s going to be a process for a lot of financial institutions, especially those that don’t have an international presence. If you’re one of the larger banks, you will already have dealt with this in a bunch of other countries, so you know what to look for, but there are 14,000-plus financial institutions in the United States that are going to be figuring this out for the first time. Anytime you have something new, you’re going to have a learning curve, and that’s what the thieves see as an opportunity here. I think this is actually more of a threat for banks that are in the process of issuing EMV cards. They just have to learn to tell one from the other.
Q: The financial institutions went to great lengths to absorb the full cost of spam. In retrospect, did zero consumer liability backfire by feeding the black market?
A: The more I’ve come to know and understand the credit card industry in the United States, the clearer it is to me that the whole thing was designed so that everybody can point fingers at each other when things go wrong, while the credit card associations — they’re “the house” — just keep making money. For the longest time, there just hasn’t been a whole lot of incentive to change the system.
Banks and retailers have been saying for years, “Please forestall this pain we’re going to experience when we have to move to EMV,” and Visa and MasterCard have been all too happy to kick the can down the road. Banks say, “Well, look, if these stupid retailers would just get their systems to accept these chip cards, maybe we’d have an incentive to spend the money to ship these chip cards.” And the retailers say, “Well, if these greedy banks would just start issuing chip cards, we’d upgrade our terminals but nobody’s using them so why should we?” This is failure by design.
Q: But it accomplishes its goal, which is to maximize card spending, right?
A: OK, but that doesn’t mean people don’t get really upset when there are these huge breaches involving their card information. That’s been sort of bittersweet for me over the last year. Obviously, having broken so many of these merchant breach stories over the past year has been very positive in terms of my work and career, but I’m impatient for the day when more consumers get more financial literacy and start talking about stuff that really matters. The credit card stuff, everybody gets riled up because everybody’s got a credit card. But everybody has an online and a real world identity, too, and most people can’t be bothered to take two seconds out of their day to make that more secure.
In every nation that has moved to chip-and-PIN … they saw the exact same thing: Fraud doesn’t go away, it just goes somewhere else, and that somewhere else is always online.
Q: “Spam Nation” provides a simple, three-step computer defense plan: If you didn’t search for the program, don’t install it. If you installed it, update it. If you no longer use it, remove it. Why does this seem like so much work for so many?
A: It used to be that when their computer was infected, people would call their grandkid or their son or a nerd friend, and they’d come over and run some programs and maybe get your computer back to where it was. But these days, it’s so much easier to keep your computer from getting taken over than it is to try to fix it after the fact. These days, increasingly, what happens is, a person’s system gets uploaded to “ransomware” (malware that impersonates law enforcement), and unless you’re really good about backing up your stuff, you’re either going to pay to get your stuff back or you’re going to kiss it goodbye forever. Unfortunately, a lot of people have to learn the hard way about an ounce of prevention. And it’s just as much about taking corrective steps as it is about not doing something; saying, “Wait a second. Do I really need to do this? Who says?”
Q: Do you think that chip cards are going to be a game-changer for card fraud?
A: No, because unless retailers are doing other things like end-to-end encryption, all they’re really doing with this is pushing more of the threat online. In every nation that has moved to chip-and-PIN, and we’re the last of the G-20 nations, they saw the exact same thing: Fraud doesn’t go away, it just goes somewhere else, and that somewhere else is always online. The reason for that is simple: If you hack a big-box retailer and they’re doing chip-and-PIN, well, yay. But unless they’re also encrypting that data, the thieves can still steal the card number and expiration date, which still can be used online. So that’s generally what will happen; we’ll see a pretty big uptick in card-not-present fraud.
Q: Your publisher, Sourcebooks, disclosed last month that it had been the target of a credit card breach between mid-April and mid-June. Was there any connection to the pending publication of “Spam Nation?”
I’m like, I don’t care, steal my credit card; it happens three times a year anyway. I’m not terribly concerned about that. I spend more time worrying about ways to protect my identity.
A: Naw. Anyone who is handling credit card data and isn’t outsourcing it to somebody else or encrypting the data within their environment is going to be compromised at one point or another. It’s just too much of a target on their back and the data is worth too much. That goes double for online sellers, and that’s what this was. They were basically using shopping cart software to process cards through their site. So all the bad guys had to do was find a vulnerability in the shopping cart software and then they could hit all of the sites that run that software.
Q: After 19 years on this beat, do you use cards differently than you used to?
A: I’ve never used a debit card. I still use credit cards all over the place. I’m like, I don’t care, steal my credit card; it happens three times a year anyway. I’m not terribly concerned about that. I spend more time worrying about ways to protect my identity. I’ve had all of my personal information posted online more times than I can count. I’ve had people file tax return fraud in my name, try to get new credit. That kind of stuff is more worthy of spending my time on than credit cards.
Q: You write about some pretty tough individuals. Do you ever worry for your physical safety?
A: I would say it has given me a heightened sense of awareness, and that’s about as far as I’ll go.
See related: After the breach: Should you enroll in ID or credit monitoring services? , Obama puts federal might behind chip-and-PIN card security, New industry tools fight credit card fraud