
Rising number of SQL injection hack attacks against banks

19 July 2006

The past three months have seen a dramatic increase in the number of hack attacks attempted against banks, credit unions and utility companies using SQL injection, a type of Web application probe.

Atlanta-based IT security services provider SecureWorks says from January through March, it blocked anywhere from 100 to 200 SQL Injection attacks per day. But as of April that number jumped from 1000 to 4000 to 8000 per day.

SQL Injection is a type of security exploit in which the attacker adds structured query language (SQL) code to a Web form input box to gain access to a form's resources or to make changes to data. Using this technique, hackers can determine the structure and location of key databases and can download the database or compromise the database server.

SecureWorks says the majority of the attacks are coming from outside the US.

Jon Ramsey, CTO, SecureWorks, says although other types of attacks have a higher volume, what makes the SQL Injection exploits concerning is that they often target a particular organisation, unlike a worm which spreads indiscriminately.

"What makes this vulnerability so pervasive is that SQL Injection attacks can prey on all types of Web applications - even those as simple as a monthly loan payment calculator or a 'signup for our customer newsletter' form," says Ramsey. "Depending on the sophistication of the attacker, the online criminal can potentially gain access to a bank or utility company's key customer databases containing social security numbers, account numbers, credit card numbers, e-mail addresses, etc."

SQL injection attacks include the CardSystems security breach last year, where hackers stole 263,000 customer credit card numbers and exposed 40 million more.

More recently Russian hackers broke into a Rhode Island government Web site and stole credit card information from individuals who had done business online with state agencies. The Russian hackers claimed to have stolen 53,000 credit card numbers during the attack in December.

SecureWorks says in order to protect against SQL Injection attacks, firms should use "input validation" for any form to ensure that only the type of input that is expected is accepted.
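
As an added illustration (not code from the article or from SecureWorks), the Python sketch below shows a newsletter-signup lookup that pastes form input into its SQL, next to a version that accepts only the expected input type. The table, column and function names and the sample data are constructed assumptions, and the example goes one step beyond the article's advice by also binding the input as a query parameter.

```python
import re
import sqlite3

# Constructed input in which quote characters change the query's meaning.
SAMPLE_HOSTILE_INPUT = "x' OR '1'='1"

def make_db():
    # Constructed sample data; table and column names are assumptions.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, account_no TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice@example.com", "ACCT-0001"), ("bob@example.com", "ACCT-0002")],
    )
    return conn

def lookup_vulnerable(conn, email):
    # Weak: form input is concatenated into the SQL text, so quotes in the
    # input become part of the statement instead of part of the value.
    sql = "SELECT email, account_no FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()

# Allow-list for the single input type this form expects (deliberately strict).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,255}\.[A-Za-z]{2,24}")

def validate_email(value):
    # Input validation: reject anything that is not a plain e-mail address.
    if not isinstance(value, str) or len(value) > 254 or not EMAIL_RE.fullmatch(value):
        raise ValueError("rejected: input is not a plain e-mail address")
    return value

def lookup_bound(conn, email):
    # Parameter binding: the driver passes the value as data, never as SQL.
    sql = "SELECT email, account_no FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()

def lookup_hardened(conn, email):
    # Validate first, then query with a bound parameter (defence in depth).
    return lookup_bound(conn, validate_email(email))

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, SAMPLE_HOSTILE_INPUT))
    print("bound only:", lookup_bound(db, SAMPLE_HOSTILE_INPUT))
    try:
        lookup_hardened(db, SAMPLE_HOSTILE_INPUT)
    except ValueError as exc:
        print("hardened:", exc)
```

The strict allow-list also rejects some legitimate addresses, such as ones containing an apostrophe, which is why binding the parameter matters even when validation is in place.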

Organisations should also move to protect the Web server on which the Web application is running, the database from which the Web application is retrieving information, and the operating systems upon which the servers, applications and database reside.
