
Rising number of SQL injection hack attacks against banks

19 July 2006

The past three months have seen a dramatic increase in the number of hack attacks attempted against banks, credit unions and utility companies using SQL injection, a type of Web application probe.

Atlanta-based IT security services provider SecureWorks says from January through March, it blocked anywhere from 100 to 200 SQL Injection attacks per day. But as of April that number jumped from 1000 to 4000 to 8000 per day.

SQL Injection is a type of security exploit in which the attacker adds structured query language (SQL) code to a Web form input box to gain access to a form's resources or to make changes to data. Using this technique, hackers can determine the structure and location of key databases and can download the database or compromise the database server.

SecureWorks says the majority of the attacks are coming from outside the US.

Jon Ramsey, CTO, SecureWorks, says although other types of attacks have a higher volume, what makes the SQL Injection exploits concerning is that they often target a particular organisation, unlike a worm which spreads indiscriminately.

"What makes this vulnerability so pervasive is that SQL Injection attacks can prey on all types of Web applications - even those as simple as a monthly loan payment calculator or a 'signup for our customer newsletter' form," says Ramsey. "Depending on the sophistication of the attacker, the online criminal can potentially gain access to a bank or utility company's key customer databases containing social security numbers, account numbers, credit card numbers, e-mail addresses, etc."

SQL injection attacks include the CardSystems security breach last year, where hackers stole 263,000 customer credit card numbers and exposed 40 million more.

More recently Russian hackers broke into a Rhode Island government Web site and stole credit card information from individuals who had done business online with state agencies. The Russian hackers claimed to have stolen 53,000 credit card numbers during the attack in December.

SecureWorks says that, to protect against SQL Injection attacks, firms should use "input validation" on every form to ensure that only the type of input that is expected is accepted.
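As an added illustration (not part of the original article or any SecureWorks material), the sketch below applies that input-validation advice to a hypothetical loan-calculator form field, next to the string-built query it replaces. The table, function names and sample inputs are constructed for the example, and the bound query parameter is an addition beyond the validation the article recommends.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data: the rate table behind a loan payment calculator.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE rates (term_months INTEGER, annual_rate REAL)")
    db.executemany("INSERT INTO rates VALUES (?, ?)",
                   [(12, 0.059), (36, 0.064), (60, 0.071)])
    return db

def lookup_unsafe(db, term_field):
    # Weak form: the field is pasted into the SQL text, so the database
    # parses whatever was typed into the form as part of the query.
    sql = ("SELECT term_months, annual_rate FROM rates "
           "WHERE term_months = " + term_field)
    return db.execute(sql).fetchall()

TERM_RE = re.compile(r"[0-9]{1,3}")   # ASCII digits only, at most 3 of them
ALLOWED_TERMS = {12, 36, 60}          # the terms the form actually offers

def validate_term(term_field):
    # Input validation: accept only the type and values the form expects.
    # fullmatch() also rejects trailing newlines and surrounding whitespace.
    if not isinstance(term_field, str) or not TERM_RE.fullmatch(term_field):
        raise ValueError("term must be a whole number of months")
    term = int(term_field)
    if term not in ALLOWED_TERMS:
        raise ValueError("unsupported loan term")
    return term

def lookup_safe(db, term_field):
    term = validate_term(term_field)
    # Bound parameter: the value travels as data, never as SQL text.
    return db.execute(
        "SELECT term_months, annual_rate FROM rates WHERE term_months = ?",
        (term,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    crafted = "12 OR 1=1"  # constructed input: extra SQL where a number belongs
    print("unsafe, normal :", lookup_unsafe(db, "12"))
    print("unsafe, crafted:", lookup_unsafe(db, crafted))  # every row comes back
    print("safe, normal   :", lookup_safe(db, "12"))
    try:
        lookup_safe(db, crafted)
    except ValueError as err:
        print("safe, crafted  : rejected:", err)
```
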

Organisations should also move to protect the Web server on which the Web application is running, the database from which the Web application is retrieving information, and the operating systems upon which the servers, applications and database reside.
