In response to news that the Danish railway company DSB was hit with a DDoS attack over the weekend that prevented passengers from purchasing tickets via app, website, ticket machine or at store kiosks, IT security experts commented below.
Paul Bischoff, Privacy Advocate at Comparitech.com:
“The breach at Rail Europe is disconcerting not only because of what information was accessed by hackers, but how that information was accessed. Data breaches typically occur when a hacker gains unauthorized access to a database. In this case, however, the hackers were able to affect the front end of the Rail Europe website with “skimming” malware, meaning customers gave payment and other information directly to the hackers through the website. While the details haven’t been fully disclosed, the fact that this went on for three months shows a clear lack of security by Rail Europe.
Credit card skimming usually refers to the practice of covertly running a person’s physical card through an additional magnetic strip scanner to steal the information off of it. These “skimmers” are often placed on top of existing hardware to make it look though the skimmer is part of the original ATM or point of payment. Rail Europe seems to have adapted that terminology to their own situation.
This also means all or nearly all of customers’ payment information was current and working, making it even more valuable. Rail Europe customers should keep an eye on their accounts for unauthorized activity and immediately change their passwords. Because email addresses and other personal information was leaked, they should also be on the lookout for targeted phishing scams in the months ahead.”
Anthony James, Chief Marketing Officer at Ciphercloud:
At the point of the transaction, many of the cards use the EMV chip and hence are pretty resilient to fraud. But all these attackers want to do is to intercept the numbers so they can use them in transactions where the chip doesn’t come into play. This includes internet transactions, mail order, and telephone orders.”
Ryan Wilk, Vice President of Customer Success at NuData Security:
“Today’s news is a call to action for every entity handling customer payment data and other personally identifiable information.”
Patrick Hunter, Director at One Identity:
A webserver isn’t like someone’s laptop where an employee, uneducated on cybersecurity, might just click on a link and unwittingly install the malware – although this maybe where the journey started. The hackers had to get access to the webservers and then gain sufficient privilege in order to install their malware. Rail Europe didn’t give any detail on the method of attack but it seems they suspect a hacker used an account with privileged rights as they have changed their passwords.
Either way, attacks like this are generally a chain of events. The hacker has to gain access to the network or the webserver directly or via an exploit, then search around for the right accounts in order to get their software in place before finding a method to elevate to that account. If companies used best practice with regards to passwords by regularly changing them, or even better locking them away so that no one actually knows them, then these situations can be avoided. If you have to ask for the password for a particular server every time you wish to access it, and gain some form of permission via a workflow or use two-factor authentication, then it is significantly harder to gain those rights.
Right now, breaches like this are embarrassing at the very least but with the latest revision of GDPR less than two weeks away, organisations should be looking into these simple solutions to keep their stable doors locked.”
Andrew Lloyd, President at Corero Network Security:
“The lessons are clear; transportation companies and other operators of essential services have to invest in proactive cyber-security defenses to ensure that their services can stay online and open for business during a cyber-attack.
“The DDoS attack seen in Denmark this weekend on critical national infrastructure is precisely the type of attack that EU Governments are seeking to protect citizens against with last week’s introduction of the The Network and Information Systems Directive (“NIS”), which defines the security of network and information systems standards that apply to operators of essential services including energy, transportation, health and public drinking water. NIS also defines eye-watering penalty for failure to “take appropriate and proportionate technical and organizational measures to manage risks posed to the security of the network and information systems on which their essential service depends”.
“With the implementation of the EU NIS Directive, the governments in all 28 EU member states now have a $24 million “big stick” to motivate operators to comply.”
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.