Macy’s has announced a data breach involving thousands of Macys.com and Bloomingdales.com customer credit card numbers, expiration dates, names and other information.
Adam Doupé, assistant professor of engineering and associate director of Arizona State University’s Center for Cybersecurity and Digital Forensics, is available to discuss the history and evolution of hacking.
Question: How has hacking evolved over time?
Adam: In the late 1990s and early 2000s, when the internet was just growing, hackers would break into a computer system, hack in, and deface popular websites, like The New York Times, for example. You would do this to prove how awesome you were and how great your hacking skills were. Sometimes hackers would advocate for certain causes this way. This was the origin of hacking. It was similar to digital graffiti. People had handles and they would leave their mark.
Q: How did hacking move from tagging websites to stealing consumer information?
A: In the mid- to late-90s, so much of our credit card and financial information began moving online. Social security numbers were online. In the early days, there were very few websites out there with the volume of personal information that we see today stored on websites and servers. So, while our data has increased on these websites, we have seen a corresponding rise in hackers who now have a financial incentive to break into these systems, steal this information, and sell it.
Q: How much money can a hacker make?
A: A lot of money. One of the stories I really like to share with my students is about Albert Gonzales, an American hacker who masterminded Shadowcrew, a hacking group. He led this group and they were responsible for breaking into Dave & Buster’s, T.J. Maxx and Heartland Payment Systems. They claimed that they caused around $200 million worth of damages.
What’s interesting about their case is that there’s a Rolling Stone article about them, and it goes into a story about how the people involved were living this rock ‘n’ roll lifestyle where they would travel the country, blow money on hotels and drugs, have parties and hack into sites to sell credit card numbers for more money. With T.J. Maxx for example, they stole more than 45 million credit and debit numbers, which is insane. And Heartland Payment Systems, one of their targets, was interesting because HPS is a credit card processor. So, once they got in, the group could see information about all of the cards going in through that system.
Q: How much work goes into making money from consumer data?
A: The easiest way to think about this is through the sale of credit cards on the underground economy. What’s fascinating about the underground economy is that people have different roles and specialize in different things. There are people whose specialty is getting money out of credit cards. They need a list of credit cards, the names attached to them, and then they will manufacture credit cards and people will physically go to stores to purchase things with those cards.
What might be shocking is that a credit card number is only worth maybe $1 in this economy. So, not much money alone, and that is because of the difficulty of taking it and turning into actual cash or purchases. So, you’ll also have people who specialize in breaking into companies to get huge volumes of this information. Usually they’ll go through a web application to do this.
Q: Are good hackers always playing catch-up or is there an even playing field?
A: There are “black hat” hackers who are hacking to cause damage. They are typically involved in illegal and unethical activity, and they use hacking to further their personal gain. Then, there are “white hat” hackers who are trying to defend and protect systems. To play defense, you need to know offense, and you need to know what your offense is capable of and what they’re going to do.
Fundamentally, cyber security has this asymmetry between hacker and defender.
A defender’s job is fundamentally harder because all an attacker needs is one possible way in, just one loose brick, so to speak. Building stronger defensive techniques is a very difficult and always evolving challenge.
Q: How complex are major consumer data hacks?
A: If someone is incredibly good at hacking, we may never hear about their breaches. If you are thinking of something like a nation state’s hacking, they aren’t interested in stealing credit card numbers. They may infiltrate systems and be stealthy and quiet about the hack and what they gather.
In cases like T.J. Maxx and Shadowcrew, they had incredibly sophisticated hackers. One way they would steal information was by doing what is called war driving, which is actually driving around near a company to find an insecure Wi-Fi network. By getting onto those networks, they were able to then get into the back end of company systems and exploit them.
In the case of the Equifax hack, a public vulnerability was disclosed in March 2017 and Equifax did not patch their systems to fix that vulnerability. That’s a big risk. You don’t need to be very sophisticated to exploit that.