
Lessons from the thieving hacker

Two days ago Finextra reported on the 'hacktivist' Reckz0r.

In a nutshell, the hacker initially claimed to have hacked into Visa and Mastercard, and went on to leak information for hundreds of accounts. No worries though, he is a nice grey hat who just wants to expose security frailties, so no card numbers are shown. Later, he explained that, no, it was some other 79 banks that he broke into, and Chase was specifically mentioned.

There are a few problems with his story though. 

1) Unclean data

The list of accounts included duplicates, for example the same name and mailing address repeated with different email addresses. Names also varied between upper and lower case. A few are simply the gibberish you type when trying to get through an online form as quickly as possible (isn't "fdsfsa" familiar?). I would like to think that databases of banks or credit card issuers are of higher standards in terms of data quality.

2) 11 accounts from American Express not mentioned

Reckz0r proudly claimed he got to MasterCard and VISA accounts. There are, however, 11 American Express accounts as well in the file he uploaded. If he did the job, is so proud of it and wants the world to know how insecure they are, I'm sure his Twitter post would have read "VISA, MasterCard & Amex HACKED".

3) Identical info already showed up on an Arabic hackers' site a week before

Probably the most damning evidence. As noted by ZDNet, the exact same list of accounts had been posted on another hacker website a week earlier. I'm not entirely confident the site is safe, hence no link here, but you can always go through the ZDNet article. Another hacker, OfficialComrade, has also exposed Reckz0r as a fraud. He is essentially a plagiarist. A thief of thieves.
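The first two checks above (duplicate identities, inconsistent casing, keyboard-mash entries, and card brands the claim never mentions) can be run mechanically over a claimed dump. The sketch below is an added example, not part of the original post; the row layout, the `brand` column and the home-row heuristic are assumptions, and the sample rows are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample rows (not from the real file): name, address, email, brand.
SAMPLE = [
    ("Alice Example", "1 Main St", "alice@example.com", "visa"),
    ("ALICE EXAMPLE", "1 Main St", "a.example@example.org", "visa"),
    ("bob sample", "22 Oak Ave", "bob@example.com", "mastercard"),
    ("fdsfsa", "asdf", "x@example.com", "visa"),
    ("Carol Test", "9 Elm Rd", "carol@example.com", "amex"),
]

HOME_ROW = set("asdfghjkl")


def norm(value):
    """Case-fold and collapse whitespace so 'ALICE  EXAMPLE' matches 'Alice Example'."""
    return re.sub(r"\s+", " ", value).strip().casefold()


def looks_mashed(name):
    """Assumed heuristic: one token typed only on the keyboard home row.
    It can hit real names, so treat matches as candidates for manual review."""
    n = norm(name)
    return len(n) >= 4 and " " not in n and set(n) <= HOME_ROW


def case_style(name):
    if name.isupper():
        return "upper"
    if name.islower():
        return "lower"
    return "mixed"


def triage(rows, claimed_brands):
    """Summarise the quality signals that argue for or against the stated source."""
    emails = defaultdict(set)
    for name, addr, email, _brand in rows:
        emails[(norm(name), norm(addr))].add(norm(email))
    return {
        # Same person and address registered under several email addresses.
        "dup_identities": sorted(k for k, v in emails.items() if len(v) > 1),
        "mashed_names": [r[0] for r in rows if looks_mashed(r[0])],
        "case_styles": Counter(case_style(r[0]) for r in rows),
        # Brands present in the file but absent from the public claim.
        "unclaimed_brands": Counter(r[3] for r in rows if r[3] not in claimed_brands),
    }


if __name__ == "__main__":
    print(triage(SAMPLE, {"visa", "mastercard"}))
```
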

---------------------

The fact that Reckz0r is a fraud, really just passing off others' work as his own, does not take away from the gravity of the fact that our personal data is in the cloud and consequently highly susceptible to theft. Indeed, sometimes we even give it away happily. My personal takeaways from this story:

1) Surfer beware

Don't leave your personal / card details with just any site on the internet. Many do not have multi-faceted ways to securely transmit and store your data. Worse, some purposefully misuse your information. For practical purposes, we just have to trust the big boys (your bank, or Amazon, for example) for now.

2) Not the end of the cyberworld

Don't panic just yet; Reckz0r very likely did not hack the 79 banks he claims to have broken into. And your personal info is not getting hacked into every day; SSLs, AESes and SHAs can still put up a fight. Having said that, there are still others who have clearly found a backdoor somewhere to obtain this list, and this is hardly the only case around.

3) Keeping up with the Joneses in security

Data security on the internet is a constant battle between good and evil. There will never be a silver bullet for protecting data. Should we give up the conveniences of, say, internet banking and payment then? Certainly not. Even ATM fraud is here to stay, and so are ATMs. However, that means the good guys must relentlessly be on the lookout for cyber criminals, and overheads for banks, e-merchants and the like will only increase.

4) Be skeptical

Don't believe everything you read on the internet. Wikipedia has given us much hope, but probably also the illusion, that information online is second only to the gospel truth; always read with a critical and inquisitive mind. Wait - do you believe what you just read?

Reckz0r's original tweets