Two days ago
Finextra reported on the 'hacktivist' Reckz0r.
In a nutshell, the hacker claimed initially to have hacked into Visa and Mastercard, and went on to
leak hundreds of account info. No worries though, he is a nice grey hat who just wants to expose security frailties, so no card numbers are shown. Later, he explained that, no, it was some other 79 banks that he broke
into and specifically
Chase was mentioned.
There are a few problems with his story though.
1) Unclean data
The list of accounts included duplicates, for example the same name and mailing address repeated with different email addresses. Names also had upper- and lower- cases. A few are simply gibberish you type when trying to get through an online form as quickly
as possible (isn't "fdsfsa" familiar?). I would like to think that databases of banks or credit card issuers are of higher standards in terms of data quality.
2) 11 accounts from American Express not mentioned
Reckz0r proudly claimed he got to MasterCard and VISA accounts. There are however 11 American Express accounts as well in the file he uploaded. If he did the job, is so proud about it and wants the world to know how insecure they are, I'm sure his
Twitter post would have read "VISA, MasterCard & Amex HACKED".
3) Identical info already showed up in Arabic hackers' site a week before
Probably the most damning evidence. As noted by
ZDNet, the exact same list of accounts had been posted in another hacker website a week ago. I'm not entirely confident the site is safe, hence no link here but you can always go through the ZDNet article. Another hacker OfficialComrade has also
exposed Reckz0r as a fraud. He is essentially a plagiarist. A thief of thieves.
---------------------
The fact that Reckz0r is a fraud and really just assuming others' work as his own, does not take away the gravity of fact that our personal data is in the cloud and consequently highly susceptible to theft. Indeed, sometimes we even
give it away happily. My personal takeaways from this story:
1) Surfer beware
Don't leave your personal / card details with just any site on the internet. Many do not have multi-faceted ways to securely transmit and store your data. Worse, some
purposefully misuse your information. For practical purposes, we just have to trust the big boys (your bank, or Amazon, for example) for now.
2) Not the end of the cyberworld
Don't panic just yet; Reckz0r very likely did not hack the 79 banks he claims to have broken into. And your personal info is not getting hacked into everyday; SSLs, AESes and SHAs can still put up a fight. Having said that, there are still others who have
clearly found a backdoor somewhere to obtain this list, and this is hardly the
only case around.
3) Keeping up with the Joneses in security
Data security on the internet is a constant battle between good and evil. There will never be a silver bullet to protecting data. Should we give up the conveniences of say, internet banking and payment then? Certainly not. Even ATM
fraud is here to stay, and so are ATMs. However, that means the good guys must relentlessly be on the lookout for cyber criminals, and overheads for banks, e-merchants and the likes will only increase.
4) Be skeptical
Don't believe everything you read on the internet.
Wikipedia has given us much hope but probably illusion that information online is second only to the gospel truth, but always read with a critical and inquisitive mind. Wait - do you believe what you just read?