Racing against time: Cyber thieves and Chip technology

Being aware that the new credit card chip technology being adopted by U.S. retailers closes a lucrative window of opportunity to hack accounts and steal data, cyber-thieves are having a race against time.

“We’ve actually seen a number of discussions, in some cybercrime communities, where they’re reacting to that and saying, ‘OK, we have a limited number of opportunities to continue these attacks and we need to take the maximum advantage,”’ says John Miller, director of ThreatScape Cyber Crime at iSIGHT Partners, which was acquired by FireEye Inc. in January.

Last year, retailers were asked to join banks and payment processors in switching to chip readers by 1^st October or face liability for some fraudulent charges that occur in their stores. Yet most payment terminals fail to read the new technology and demand for devices and services outnumbers supply. Also, even with the chip technology coming into more widespread use, companies remain vulnerable to malware that lets hackers break into their networks, FireEye said in a report released Wednesday.

FireEye, a malware and network threat protection systems provider, tracked a cybercrime group it calls "FIN6." The report says that the group steals credit card numbers from the retail and hospitality industries and delivers the digits to an online "underground card shop."

Malware such as GRABNEW, which captures login credentials, can come as an e-mail attachment, FireEye said. FIN6 either sends that malware or pays others for the credentials.

After getting into a company’s network, it then uses software vulnerabilities to move around and locate card numbers. According to the report, one FIN6-linked case resulted in 20 million cards, mostly from the U.S., in the online shop, selling for about $21 each.

FireEye said it couldn’t confirm where the group is located but said it parallels activity typically seen from cybercrime groups in Eastern Europe.

The report mentions that data breaches in 2013 at retailers included Target Corp. and Michaels Cos. which exposed credit and debit card data of millions of customers. Hackers installed malware in Target’s security and payments system designed to steal every credit card used at the company’s U.S. stores. Other major breaches in the past few years include hacks of Home Depot Inc., JPMorgan Chase & Co., auction site EBay Inc. and health insurer Anthem Inc.

Networks including Visa and MasterCard Inc. began calling for a migration to chips, which have been used in Europe since the 1990s, to head off counterfeit cards. The underlying technology -- called EMV for founders Europay, Master Card and Visa -- generates new codes for each transaction. The codes on magnetic stripes are permanent and can be copied and stored by hackers for later use.