The Green Sheet Online Edition
June 09, 2014 • Issue 14:06:01
Trustwave finds fraud diversifying
Organized fraud apparently mirrors the financial services industry closer than anyone cares to imagine, with an increasing emphasis on diversification. Data security firm Trustwave released its global security report that reveals fraudsters have diversified attacks and increasingly target troves of nonpayment card data.
In the 2014 Trustwave Global Security Report released May 21, the Chicago-based firm reported a rise in the number of data breaches in 2013, compared with 2012, and a branching out of attacks to target sensitive and confidential information, such as financial account credentials, internal communications, personally identifiable information and various types of customer records.
Chris Pogue, Director at Trustwave, explained that in the previous five years, fraudsters were focused on stealing payment card data because it held the highest value on the black market. But times have changed. "I think now we're seeing not so much a decline in payment card data being targeted, but there's an expansion into other data elements," he said. "And what I think that shows is the diversification by attackers, going into different data types."
Pogue believes this shift in data being targeted will result in new avenues on the black market. "What emerging shadow economy are we going to see that will pop up that buys and sells electronic personal health care information, personally identifiable information, industry trade secrets, financial credentials?" he said. "There's going to be a market for all of that, or they wouldn't waste their time on it."
Diverse and growing
Trustwave's report was based on 691 breaches it investigated in 2013, up by 53.6 percent from 2012. Of those breaches (across 24 countries), 45 percent involved nonpayment card data, representing an overall 33 percent increase in that segment and a 22 percent increase specifically in the theft of financial credentials.
Meanwhile, 54 percent of assets targeted in 2013 were in the e-commerce realm, and 33 percent targeted physical, in-store POS systems, Trustwave reported. But those figures are not to suggest that fraudsters are shifting their focus away from hacking into physical terminals, according to Pogue. "I'm definitely not saying a reduction," he said. "They've got their hands firmly fixed in the point of sale world. They know how to do it. They are very good at it. The malware is very advanced, very effective."
Rather, Trustwave's findings suggest that fraudsters are responding to market shifts and even taking into account the eventual transition of the U.S. payments infrastructure to the reportedly more fraud resistant Europay/MasterCard/Visa (EMV) chip card standard. "They are looking to diversify their revenue stream," Pogue said. "So it's a good business decision and a market shift and we have to prepare for it."
Self-detection pays off
Perhaps Trustwave's most alarming pair of statistics is that 71 percent of compromise victims do not detect breaches themselves and that the median number of days from the time of a breach to its detection was 87 days. That means fraudsters typically have almost three months after they breach systems to harvest data undetected – "a tremendous amount of time," Pogue said.
Hackers routinely "go native" with the data they steal, Pogue added, which means they don't exploit the information immediately, but instead blend in using that data as cover. For example, a fraudster could use a user name and password stolen from an individual's personal social media account to probe that person's corporate network.
It is an unfortunate fact that the same credentials are often used for both personal and professional accounts, Pogue said. Trustwave investigations have shown that corporate systems are compromised through the exploitation of user credentials harvested from unrelated accounts.
But Trustwave's report is not all doom and gloom; its analysis showed that companies that self-detected breaches significantly reduced the length of compromises. The median number of days it took a self-detecting organization to contain a breach was one day, Trustwave said, while it took 14 days to contain a breach when it was detected by a third-party vendor.
Pogue said e-commerce businesses are more likely to self detect because they employ programmers and web and content developers who monitor systems carefully and are quicker to detect anomalies that might signify fraudulent activities. But Pogue stressed that, even for large organizations with information technology staffs, the expertise of third-party security firms can help in keeping businesses safe from fraud.
"There's a whole lot of moving parts that only a subject matter expert can bring to the table," he said.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.