“BriansClub,” one of the largest underground stores for buying stolen credit card data, has itself been hacked. The data stolen from “BriansClub” encompasses more than 26 million credit and debit card records taken from hacked online and brick-and-mortar retailers over the past four years, including almost eight million records uploaded to the shop in 2019 alone.
All of the card data stolen from BriansClub was shared with multiple sources who work closely with financial institutions. Was it stolen, or liberated? This was a sting by the good guys. Just as legit businesses can be at risk from their 3rd party suppliers, so can the bad guys.
Whether you’re running a global enterprise, a startup, small business or a shop for stolen data there are several truths in cybersecurity. First, the attackers define the rules of the attack and the best you can do is defend against their actions. Second, the only data ever taken is data available for the taking. When designing your data collection and storage procedures, it’s critical to look at all data operations through the lens of what would happen if there was absolutely nothing preventing your biggest competitor or worst enemy from downloading that data. Is all the data appropriately encrypted? Are all access attempts audited? Is modification controlled? For these questions, and many more, the next question becomes one of “How” and it’s how you approach these questions and their answers which distinguishes a successful cybersecurity initiative from one likely to make the news for the wrong reasons.
There is no honour among thieves. Defence requires that defenders make no mistakes. It’s a game of diligence and process, and men and women being ready to respond at the drop of a hat. The asymmetry of cyber conflict is undeniable, and while cybercriminals and nation state attackers probe for holes at their leisure, it’s important to remember that the tables can be turned. Predator can become prey when they are successful enough.
The equation for cyber attackers is red in tooth and claw. It is as ruthless and merciless as it is anonymous and uncaring. If you are a successful cyber criminal who amasses enough wealth, don’t fall in the trap of thinking your success is because of you inherent brilliance or skill. Realise that you have to build a defensive game to match your offensive prowess or you too will see your wealth stolen by the next predator of the cyber jungle.
Today, cybercriminals are not immune from being hacked themselves. Sadly, most of these “internal” incidents further exacerbate situation for the victims who will likely find their PII or stolen cards being exposed even to bigger number of unauthorized third parties. The presumed value for law enforcement agencies, when the data about illicit traders becomes public, is likewise questionable given that most of the readers know how to use chained VPNs and proxies. With the upcoming introduction of dynamic CVV, credit card theft business will likely vaporize. However, cybercriminals are already fully equipped to shift their attention to crypto wallets and other low-hanging fruits.