
Rising number of SQL injection hack attacks against banks

19 July 2006  |  11448 views

The past three months have seen a dramatic increase in the number of hack attacks attempted against banks, credit unions and utility companies using SQL injection, a type of Web application probe.

Atlanta-based IT security services provider SecureWorks says from January through March, it blocked anywhere from 100 to 200 SQL Injection attacks per day. But as of April that number jumped from 1000 to 4000 to 8000 per day.

SQL Injection is a type of security exploit in which the attacker adds structured query language (SQL) code to a Web form input box to gain access to a form's resources or to make changes to data. Using this technique, hackers can determine the structure and location of key databases and can download the database or compromise the database server.

SecureWorks says the majority of the attacks are coming from outside the US.

Jon Ramsey, CTO, SecureWorks, says although other types of attacks have a higher volume, what makes the SQL Injection exploits concerning is that they often target a particular organisation, unlike a worm which spreads indiscriminately.

"What makes this vulnerability so pervasive is that SQL Injection attacks can prey on all types of Web applications - even those as simple as a monthly loan payment calculator or a 'signup for our customer newsletter' form," says Ramsey. "Depending on the sophistication of the attacker, the online criminal can potentially gain access to a bank or utility company's key customer databases containing social security numbers, account numbers, credit card numbers, e-mail addresses, etc."

SQL injection attacks include the CardSystems security breach last year, where hackers stole 263,000 customer credit card numbers and exposed 40 million more.

More recently Russian hackers broke into a Rhode Island government Web site and stole credit card information from individuals who had done business online with state agencies. The Russian hackers claimed to have stolen 53,000 credit card numbers during the attack in December.

SecureWorks says that in order to protect against SQL Injection attacks, firms should use "input validation" for any form to ensure that only the type of input that is expected is accepted.

Organisations should also move to protect the Web server on which the Web application is running, the database from which the Web application is retrieving information, and the operating systems upon which the servers, applications and database reside.
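
The "input validation" advice above, shown as an added example (not code from SecureWorks or from this article): a newsletter sign-up lookup that pastes form input into the SQL text, beside a version that accepts only the expected e-mail shape. It goes one step beyond the article by also binding the value as a query parameter; the table, function names and sample values are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample data: an in-memory table standing in for a customer database.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE subscribers (email TEXT, account_no TEXT)")
    db.executemany(
        "INSERT INTO subscribers VALUES (?, ?)",
        [("alice@example.com", "1001"), ("bob@example.com", "1002")],
    )
    return db

# Constructed form input that carries SQL syntax instead of an e-mail address.
CRAFTED_INPUT = "x' OR '1'='1"

# Allow-list: describe what the field is expected to contain, reject the rest.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,255}\.[A-Za-z]{2,}")

def validate_email(value):
    """Input validation: only the expected type and shape of input is accepted."""
    if not isinstance(value, str) or len(value) > 320:
        raise ValueError("unexpected input for e-mail field")
    if not EMAIL_RE.fullmatch(value):
        raise ValueError("unexpected input for e-mail field")
    return value

def lookup_unsafe(db, email):
    # Weak form: the input becomes part of the SQL text and can change the query.
    sql = "SELECT email FROM subscribers WHERE email = '" + email + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_safe(db, email):
    # Hardened form: validate first, then pass the value as bound data.
    email = validate_email(email)
    rows = db.execute("SELECT email FROM subscribers WHERE email = ?", (email,))
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = make_db()
    print("unsafe lookup returned", len(lookup_unsafe(db, CRAFTED_INPUT)), "rows")
    try:
        lookup_safe(db, CRAFTED_INPUT)
    except ValueError as err:
        print("safe lookup rejected input:", err)
```

The allow-list here is deliberately strict and would reject some unusual but valid addresses; the bound parameter is what keeps the query intact even if the pattern is later loosened.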
