French President Nicolas Sarkozy is the latest high-profile victim of a personal account intrusion.
Last month, criminals got hold of Sarkozy's bank account login information and stole small sums of money, according to a report in the French newspaper Le Journal du Dimanche.
Sarkozy reported the theft to French police and an investigation is underway, French Secretary of State for Consumer Affairs Luc Chatel recently told French radio.
Chatel said there has been a nine percent increase in internet banking security breaches this year in France. Reports did not indicate how the thieves got into Sarkozy's account, but officials said the thieves may not have realized who they were targeting.
“Perhaps by taking small amounts, the crooks wished to ensure the validity of the stolen information and wished to verify the victim’s lack of concern,” Francois Paget, threat researcher at McAfee, wrote in a recent McAfee Avert Labs blog post.
Paget said Sarkozy’s login details may have been obtained through “carding” and could have been purchased as part of a “dump” list in the underground market.
Attackers can use a number of methods to steal credentials, one of which is attacking web applications through SQL injection, Ryan Barnett, director of application security for Breach Security, told SCMagazineUS.com Monday. They can also break into users' accounts through poorly built user login pages, banker trojans or cross-site request forgery exploits.
“It is critical that you have taken care of cross-site scripting vulnerabilities in your own website,” Barnett said. “Any website could potentially be vulnerable to this.”
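To make the "poorly built login page" and SQL injection points concrete, here is an added example (not code from the article or from any company quoted in it) that puts a login check built by string concatenation next to the same check written with a parameterized query. The user table, the username `alice` and the password value are constructed for the demonstration; passwords are stored in the clear only to keep the query readable, which no real system should do.

```python
import sqlite3


def build_db():
    """Constructed in-memory user table for the demo (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext storage is for brevity only; production code stores a salted hash.
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The weak form: user input is pasted into the SQL text, so it is parsed as SQL."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_hardened(conn, username, password):
    """The fixed form: input is bound as a parameter and can never change the query."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def demo():
    """Run legitimate, injected and wrong-password logins through both checks."""
    conn = build_db()
    # Tautology in the password field: ... AND password = '' OR '1'='1'
    tautology = "' OR '1'='1"
    # Comment in the username field: the rest of the WHERE clause is discarded.
    commented_user = "alice' --"
    return {
        "legit_vuln": login_vulnerable(conn, "alice", "correct-horse"),
        "legit_hard": login_hardened(conn, "alice", "correct-horse"),
        "tautology_vuln": login_vulnerable(conn, "alice", tautology),
        "tautology_hard": login_hardened(conn, "alice", tautology),
        "comment_vuln": login_vulnerable(conn, commented_user, "anything"),
        "comment_hard": login_hardened(conn, commented_user, "anything"),
        "wrong_hard": login_hardened(conn, "alice", "guess"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:15s} -> {'logged in' if ok else 'rejected'}")
```

The vulnerable version accepts both injected inputs without knowing the password; the parameterized version rejects them because the quote and comment characters are treated as part of the data, not the query. The same pattern applies to any field the login page reads, not only the password.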
Every organization — not just banks — needs to get more disciplined about testing its own sites, Mike Rothman, senior vice president of strategy at risk management firm eIQnetworks, told SCMagazineUS.com Monday.
“It makes sense for high-profile websites to invest in people and tools and have a strong discipline for testing,” Rothman said.
One reason users remain vulnerable to this type of identity theft is that most internet and wireless applications lack strong user validation, Glenn Veach, chief technology officer of authentication company 2factor, told SCMagazineUS.com in an email Monday.
“The challenge with many internet and wireless services is the lack of sound authentication of account owners,” Veach said.
Rothman said it’s also important for banks to educate users to monitor their accounts for suspicious activity and periodically change passwords.
To further protect themselves, users should never browse other sites while logged in to a financial site, Slavik Markovich, founder and CTO of database security company Sentrigo, told SCMagazineUS.com.