Exclusive Q & A: expert hacker speaks about security threats following Carphone Warehouse cyber attack
Cyber criminals may have stolen up to 2.4 million Carphone customers’ bank details in the attack on August 5.

Following the Carphone Warehouse cyber attack where 2.4 million customers’ personal details were feared to have been stolen by cyber criminals, an expert hacker spoke anonymously to Mobile News about the security threats firms face and what companies can do to protect customers’ data. 

How do you think the hackers infiltrated the Carphone database?

The hack most likely happened via SQL Injection, an attack which is over a decade old. It is when you add extra information into a web URL parameter and that information may be processed by the database, and if so can be exploited to leverage the database and operating system.

There are free tools available that can pretty much automate a full attack from spidering a set of domains to extracting all the data from the databases.

Looking at the mobiles.co.uk IP address we can do a thing called a reverse DNS lookup, which shows how many websites are hosted on one IP address. We can see there are many linked, and all of those on the ‘hacked/compromised’ list are on it.

I would guess that they were using a shared database across their sites and if the attacker(s) had gotten in via SQL Injection they may have also taken advantage of poor database permissions / poor isolation between each site.
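As an added illustration, not code from the interview or from Mobile News, the pattern the hacker describes in Python against an in-memory SQLite table with constructed sample rows: a lookup that pastes the URL parameter straight into the SQL, beside the validated, parameterised form that closes the hole. Table and column names are invented for the example.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a shared customer database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "Alice", "1234"), (2, "Bob", "5678"), (3, "Carol", "9012")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, customer_id: str) -> list:
    """Concatenates the URL parameter into the query text, so whatever the
    parameter contains is parsed by the database as SQL."""
    sql = f"SELECT id, name FROM customers WHERE id = {customer_id}"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, customer_id: str) -> list:
    """Validates the parameter as an integer and binds it through a
    placeholder, so the database only ever sees it as a value.
    In a real deployment each site would also use its own least-privilege
    database account, addressing the poor isolation the interview mentions."""
    if not customer_id.isdigit():
        raise ValueError("customer id must be a positive integer")
    sql = "SELECT id, name FROM customers WHERE id = ?"
    return conn.execute(sql, (int(customer_id),)).fetchall()


def demo() -> tuple:
    """Runs the same tampered parameter through both lookups."""
    conn = build_db()
    tampered = "1 OR 1=1"  # constructed: turns a one-row lookup into a full dump
    leaked = len(lookup_vulnerable(conn, tampered))  # 3: every row returned
    normal = lookup_hardened(conn, "2")  # [(2, 'Bob')]
    try:
        lookup_hardened(conn, tampered)
        rejected = False
    except ValueError:
        rejected = True  # tampered parameter never reaches the database
    return leaked, normal, rejected


if __name__ == "__main__":
    print(demo())
```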

What are the most common techniques and how difficult is this to do?

You might have people in countries that do not respect international law or have poor political ties with the target’s country of operations – so they don’t care why it’s important to you, or why they shouldn’t be doing it.
They may be attacking you from across the street but going via the TOR network (anonymous internet traffic network). For SQL Injections I would say SQLMap is the most powerful tool – if there is a vulnerability identified it’s really easy to take full advantage of it with this tool.

If it was beyond SQL Injection, we would see private emails and possibly source code to applications written by the company or ‘juicy secrets’ like what happened with Sony.

What can businesses do to defend against attacks?

Regular penetration testing against old and new internet-facing systems, and an in-house or external security contact if you cannot afford a full-time security consultant and you are a small company. Also, try to understand that when a website is finished (as in ‘gone live’) it doesn’t stop there; you have to have a resource that will constantly scrutinise your security practices. You’ll probably find them annoying, but they are vital to keeping you on your toes, challenging acceptable risk and also making it difficult for hackers.

How susceptible are most businesses to this kind of attack from your experience?

Everyone is a target. If there is something to be taken, someone might want it. If that’s not the case they might just compromise your systems to use them as a proxy to attack other systems. There are lots of scenarios as to why you should practise good defence, but unfortunately it costs money. Companies may think ‘it never used to cost money’, but that’s just because they have been doing it wrong, and winging it until they get breached.

Some Tips:

• Ensure your developers know what OWASP is and encourage them to do security testing/penetration testing before the security experts do it for you – ideally, before you go live.

• If you don’t have a security team then rent one. Consider Bugcrowd, get the good guy hackers to iron out your exploitable bugs (for reward or status).

• PCI-DSS (Payment Card Industry Data Security Standard) is there to protect businesses from heavy fines; it’s not an in-depth security assessment, it’s more a casual tyre kick. So if you have to be PCI-DSS compliant, don’t assume it’s a super awesome security assessment. It isn’t.