Cyberspace is the battlefield of this century, and the payment industry is among its first victims. A new survey shows the importance of sharing information and practices as the best way to counteract attacks. Sara Perria reports
The payment industry knows better than any other the threat represented by data breaches, with millions of dollars lost to fraud each year. As e-commerce continues to gain momentum and m-payments still fail to convince consumers that smartphones are a secure payment device, the issue becomes increasingly central.
Indeed, the starting point of the 2013 Data Breach Investigations Report (DBIR) by Verizon is that nobody is immune from data breach, as all kinds of organisations – from government agencies to iconic consumer brands, internet start-ups and trusted financial institutions – have reported major data breaches in 2013.
This year’s report analyses data from 27 countries and tries to suggest best practices for limiting damaging behaviour.
As often happens, the main discussion revolves around regulation and whether introducing mandatory reporting requirements would help. Public disclosure laws are already in place in 46 US states, and governments around the world are planning to introduce regulation. Needless to say, discussions are taking place in the European Union as well.
The supporters of regulation refer to the crucial issue of timing: compulsory disclosure of breaches would force companies and organisations to make the incident public not after, but while dealing with it. As well as trying to avoid being hacked in the first place, organisations need to be able to spot compromises quickly and minimise the amount of data lost.
Verizon has been producing the Data Breach Investigations Report since 2008. In 2013, the analysis covers more than 47,000 security incidents, 621 confirmed data breaches from the past year and 19 organisations.
The first finding is a definite link between a specific type of industry and the attack motive: the payment industry, for example, has to watch both payment card data and clients’ personal information. Retailers are targeted precisely to get hold of this information, and 25% of breaches occurred in retailers and restaurants, confirming that card data is one of the main triggers of data breaches, although the trend is slowing down. On the rise, instead, are breaches that affect financial institutions, accounting for 37% of the breaches reported. 20% of network intrusions involved manufacturing, transportation and utilities, and another 20% hit information and professional service firms.
In terms of size, 38% of breaches impacted larger organisations. While the large majority of breaches are committed by outsiders, 14% of misbehaviour originates inside the organisation.
It is worth noting that while half of breaches were completed through some form of hacking, 76% of network intrusions exploited weak or stolen credentials. This is particularly evident when examining the large number of physical ATM skimming incidents. The proportion of breaches incorporating social tactics like phishing is growing.
All in all, the majority of breaches result from simpler opportunistic attacks by money-hungry organised criminal groups, and 75% of breaches were driven by financial motives.
More striking is the data on the amount of time taken to discover the ‘intrusion’: in 66% of cases it took months – if not more – to discover the problem, and in 69% of cases it was discovered by external parties.
The report states that, despite the grim picture, the tools to counter the ‘enemy’ exist and the challenge is learning how to select the right ones: "To that end, we are convinced of the critical importance of ‘knowing your enemy’. If handling payment cards is your business, then there is a narrowly defined set of controls on which you can focus.
"If your IP is a hot commodity, you’ve got your work cut out for you, but knowing the attack patterns (and sharing them) can make that work more fruitful."
The call to share information about attacks stresses that the demographics of fraud may be one of the most critical and useful components of incident research, as the data provides a different perspective compared to "what we hear in the industry", Verizon says.
The list includes the beliefs that:
– there is no one set of best practices that can be applied across industries and organisational sizes;
– not all passwords are easily guessable, and we cannot make blanket statements about the web application being the most popular attack vector; and
– any attempt to enforce a one-size-fits-all approach to securing our assets may result in leaving some organisations under-protected from targeted attacks, while others potentially over-spend on defending against simpler opportunistic attacks.
For example, the survey says, small retailers and restaurants in the Americas should be focusing on the basics because attackers are leveraging poorly configured remote administration services to pull payment data from point of sale systems. But the basics won’t be enough for the finance and insurance industry, which sees its ATMs targeted by skimming campaigns.
And when we peel back that physical attack layer, we see a much higher proportion of attacks on that sector’s web applications than in all other sectors. When we focus on manufacturing, engineering, consulting and IT service firms, we see a whole different set of attacks exploiting human weaknesses through targeted social attacks to get multi-functional malware onto internal systems.
Verizon stresses the relatively low importance of focusing on the location of the attack, since "most attacks can be launched from your mom’s basement".
However, similarities exist among victims from the same region.
For example, POS intrusions in Europe are reported much less frequently than in the Americas and Asia-Pacific regions. This is probably down to payment card technology or sampling bias, or a combination of both.
What is certain is that confirmed data disclosures come from victims in 28 distinct countries, "indicating we are not dealing with a simple localised problem".
When it comes to identifying the author of the fraud, the vast majority of 2012 breaches involve outsiders. The two big reasons for the dominance of external actors are their numerical advantage and greater attack scalability. An organisation will always have more outsiders than insiders, and the Internet connects criminals to a virtually limitless host of potential victims, the report stresses.
Over half of all external breaches tie to organised criminal groups. This reflects the high prevalence of illicit activities associated with threat actors of this ilk, such as spamming, scamming, payment fraud, account takeovers, identity theft and so on.
For professional criminals, the "why" is simple and consistent — money. As economic and social activities continue to go online, criminals will follow in order to exploit the soaring amount of data that can be converted to cash.
State-affiliated groups rise to the number two spot in Verizon’s 2012 report. This is partly due to the lower number of financially motivated cases against small organisations in the data set, which made other trends more evident.
Another factor is the larger set of data-sharing partners in this report, which widens the population of incidents analysed. The investigation therefore comprised more espionage cases than any previous year; it may be true that espionage activity is up, but it is also true that better sharing and improved detection capabilities lead to more successful detections.
Threat actors engaged in espionage campaigns leave a completely different footprint from those motivated by direct financial gain, and they will generally not target payment systems and information, the report states.
The proportion of incidents involving activist groups is on par with the previous report, but the amount of data they stole is down substantially.
In the majority of breaches reported the threat actor’s country of origin was discoverable, and these were distributed across 40 different nations.
The majority of financially motivated incidents involved actors in either the US or Eastern European countries, such as Romania, Bulgaria and the Russian Federation.
Almost all espionage cases (96%) were attributed to threat actors in China and the remaining 4% were unknown.
The conclusion is that payments still act as a magnet for fraud. The advantage is that there are now plenty of case studies to support anti-fraud systems, and there is a set of best practices that can be applied. With one warning: there is no one-size-fits-all solution, and size, budget and business need have to be borne in mind to counteract attacks effectively.