More personal data records were breached last year than the previous four years combined, thanks to increased hacker activity rather than insider threats. Verizon's second annual Data Breach Investigations Report also found that the financial services sector accounted for 93 percent of all such record compromises during 2008. …
It's interesting, but much like police conviction statistics versus the British Crime Survey, it should be taken in context.
"Because the survey is based on actual cases of confirmed data breaches."
What is the likelihood that external breaches are more likely to be detected than internal breaches? Due to security systems and logs, I'd wager it is easier to detect and trace an external breach (malware/directed attacks on systems via firewalls and web services) as opposed to internal data breaches where a user copies your source code onto a USB key and walks off.
But the information is food for thought, and the information about PIN stealing points out that criminal elements are far more advanced than many like to believe.
Profit or Cost?
The black hats count security studies as PROFIT centres so as long as company accountants class IT security as COST centres then this will go on and on.
So, these numbers are based on *reported* cases. Now, how likely are discoveries of internal tamperings to be reported? At least with external thefts you can blame that horrid Hacker and (these days) get public sympathy. But if it turned out you hired someone who turned out to be a felon...
Can someone define 'memory-scraping malware'?
Never heard the term before, and a Google search just comes up with basically this article. As near as I can tell, Verizon invented the term for this report.
Do you really think the banks give a shit if hackers take 3bn a year? NO, they bloody don't, but they do care that they have to replace it.
When I was new and first used the internet I asked the immortal question: how to protect myself online, and was quickly told: by not connecting to it.
When I was studying in the '80s it was common practice to have one machine with internet access (back then it was modem-attached), and everything else could not even take a disk from that machine. The entire network did not connect to that one machine; nothing passed to or from it.
A group of extremely fast typists took data from it and manually fed it into the network servers, and vice versa.
Four of them could handle 3m transactions a week, which was as much data as the Hayes could send/receive.
They were later replaced by specially built boxes that took raw data and converted it: electronic switches that could not be exploited without physically changing the layout of the board, and reprogramming by moving electronics. It did not process anything; it simply took a stream of data from one source and output it formatted for the other source, and as it was encrypted the servers would not run it.
That's how it used to be done, either manually or with very basic electronics. Today, with all the speed and extras, that does not work, but it can and should be re-introduced to banking: there is no reason why the ATM system for banks should be anywhere near the internet, and the call-back etc. technology should be scrapped. The machines should be electronically tagged to only call one number; if the number changes, rebuild the board.
Then PIN thieves couldn't go online and hack into weak links because there would be no connection, and they couldn't dial into a weak point as the machines don't have modems.
@AC: Memory scraping
There is software available that logs users' activity on their machine: file copying, creating, etc.
So IT security can, if they suspect someone of stealing internal data, check logs and find out exactly what has been copied, where and when.
More and more firms are using this type of software.
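The check the comment above describes (pull a suspected user's file-copy events out of an activity log and see what went where) as an added example; this is not code from the thread, the article, or any product it mentions. The log format, field names, host and user names, path prefixes and the sample lines are all constructed for illustration; a real DLP agent, Windows object-access auditing or Linux auditd each have their own format and the parser would be adapted to them.

```python
"""Added example: finding what a suspected user copied off the machine.

Assumptions (not from the original page): a hypothetical endpoint agent
writes one line per file event as
  <ISO timestamp> host=<h> user=<u> action=<a> src=<path> dst=<path>
and paths contain no spaces. Everything below is invented for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample log lines (invented for this example, not real data).
SAMPLE_LOG_LINES = [
    "2009-04-15T09:12:03Z host=ws17 user=jsmith action=create src=- dst=/home/jsmith/notes.txt",
    "2009-04-15T09:40:51Z host=ws17 user=jsmith action=copy src=/srv/repo/core/auth.c dst=/media/usb0/backup/auth.c",
    "2009-04-15T09:41:02Z host=ws17 user=jsmith action=copy src=/srv/repo/core/crypto.c dst=/media/usb0/backup/crypto.c",
    "2009-04-15T10:05:17Z host=ws22 user=akhan action=copy src=/srv/repo/docs/readme.txt dst=/home/akhan/readme.txt",
    r"2009-04-15T11:30:44Z host=ws17 user=jsmith action=copy src=/srv/finance/q1.xls dst=\\fileserver\share\q1.xls",
    "2009-04-15T12:01:09Z host=ws17 user=jsmith action=delete src=/home/jsmith/notes.txt dst=-",
    "this line is malformed and should be skipped",
]

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<rest>.+)$")

# Destination prefixes treated as "leaves the machine" (assumed, site-specific).
REMOVABLE_PREFIXES = ("/media/", "/mnt/usb", "E:\\", "F:\\")


@dataclass(frozen=True)
class FileEvent:
    ts: str
    host: str
    user: str
    action: str
    src: str
    dst: str


def parse_line(line: str) -> Optional[FileEvent]:
    """Parse one log line; return None for anything that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for token in m.group("rest").split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    try:
        return FileEvent(m.group("ts"), fields["host"], fields["user"],
                         fields["action"], fields["src"], fields["dst"])
    except KeyError:
        return None  # a required field is missing; do not guess


def destination_class(dst: str) -> str:
    """Classify where a copy went: UNC share, removable media, or local disk."""
    if dst.startswith("\\\\"):
        return "network-share"
    if any(dst.startswith(p) for p in REMOVABLE_PREFIXES):
        return "removable-media"
    return "local"


def exfil_candidates(lines: List[str], user: str) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, source, destination, class) for the user's copies
    whose destination is outside the local disk. Malformed lines are skipped."""
    out = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.user != user or ev.action != "copy":
            continue
        cls = destination_class(ev.dst)
        if cls != "local":
            out.append((ev.ts, ev.src, ev.dst, cls))
    return out


def summarize_by_destination(lines: List[str], user: str) -> dict:
    """Count the user's off-machine copies per destination class."""
    counts: dict = defaultdict(int)
    for _, _, _, cls in exfil_candidates(lines, user):
        counts[cls] += 1
    return dict(counts)


if __name__ == "__main__":
    for ts, src, dst, cls in exfil_candidates(SAMPLE_LOG_LINES, "jsmith"):
        print(f"{ts} {cls:16} {src} -> {dst}")
    print(summarize_by_destination(SAMPLE_LOG_LINES, "jsmith"))
```

The point of the filter is that a user copying files to their own home directory is normal and would drown the investigation in noise, while copies to removable media or a network share are the ones that answer "what was taken, where and when". The classification here is by path prefix only; an agent that records the device or mount type would give a more reliable signal, and the source paths are what you would then cross-check against the data you believe left the firm.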