OpRobinHood And His NOT So Merry (Anonymous) Men...

The hacking groups TeaMp0isoN and Anonymous have been busy over the last week, with their latest Operation "OpRobinHood" -

"Operation Robin Hood is going to return the money to those who have been cheated by our system and most importantly to those hurt by our banks. Operation Robin Hood will take credit cards and donate to the 99% as well as various charities around the globe. The banks will be forced to reimburse the people there money back."

The first National bank of Long Island was attacked last week, and then over the weekend, the BCD credit union in the UK was also targeted- http://legionnet.wordpress.com/2011/12/03/842/. Anonymous's attack vector of choice is not really that sophisticated, it is just SQL injection, still if banks are not going to sanitize dangerous characters (like " ' ") and validate user input then Anonymous will have easy pickings.

At first glance to the uninitiated the TeaMp0isoN and Anonymous statement will look like they are robbing from the rich and giving to the poor: "Operation Robin Hood will take credit cards and donate to the 99% as well as various charities around the globe."

What they are really saying is that - we will steal your credit cards details and defraud banks (and in the process make your life hell for a few days), in fact it is highly unlikely that the charities would even receive anything at all, as the banks would most likely issue a chargeback to recover the funds.

While consumers who have had their credit card information stolen and used, will not be out of pocket, they will still have the inconveniences of canceling their cards and filling in fraud declaration forms to reclaim their money.

This is compounded more by being close to Christmas and usually the busiest retail period of the year. For those who have experienced credit card fraud will understand the embarrassment, outrage and shock, when you go to pay for a gift or the work Christmas drinks and your card gets declined or rejected.

Should banks be worried with the latest Anonymous and TeaMp0isoN "stunt"? Yes they should, but more so from loss of brand damage, embarrassment and potential liabilities than from OpRobinHood itself. Batten down the hatches, we will see more statements from TeaMp0isoN and Anonymous before the New Year is out, with more financial institutes attacked.

I would recommend starting off with the OWASP SQL injection cheat sheet and reviewing any external applications for SQL injection vulnerabilities, because it is there that Robin Hood's arrow will strike...