Fraudsters are turning their attention to e-commerce sites, continuing to improve the malware they use to find and harvest payment card data, and sensing opportunity in mobile devices, according to the latest annual data-breach report by Trustwave Holdings Inc.
Chicago-based Trustwave, a leading data-forensics investigator and security vendor, based its report on 450 data breaches it investigated last year around the world. Hackers targeted payment card data in 98% of the breaches studied, continuing credit and debit cards’ plight as the main object of their affection. For the first time, e-commerce sites edged out point-of-sale systems, 48% versus 47%, as targeted assets. The other breaches involved data centers and corporate infrastructure, 4%, and ATMs, 1%.
Hackers’ targets vary across the world based on what’s available and what’s vulnerable. Some 73% of the breach victims were U.S.-based. “We’ve got the most retailers … we’re the commerce capital of the world,” says Christopher Pogue, director of digital forensics and incident response at Trustwave’s SpiderLabs unit. He adds that many hackers are based in former Soviet Bloc countries that don’t have extradition treaties with the U.S., making it very difficult for American authorities to prosecute hackers there. Attacks originated from 29 countries, but Romania accounted for 34% of them to take over from 2011’s leader, Russia.
The U.S. also is the last major bastion of the magnetic-stripe credit and debit card, which is more vulnerable to counterfeiting than the EMV (Europay-MasterCard-Visa) chip cards now common in much of the world. Trustwave says that some countries and regions, notably Europe, the Middle East and Africa (EMEA), have made gains in reducing POS fraud because of the introduction of EMV cards. Hackers typically sell the card data they steal to other criminals who make counterfeit cards. If the data are harder to steal from stores using EMV terminals, thieves will turn their attention to e-commerce sites or merchants still accepting mag-stripe cards at the point of sale.
“EMV has vastly reduced the value of data available to attackers compromising POS systems,” the report says. “For almost all cards issued in the [EMEA] region, it is not possible to produce a valid mag-stripe using EMV data. The net effect is that the small number of POS compromises in EMEA are heavily concentrated on merchants who process more mag-stripe transactions, typically hotels and premium retailers that attract international cardholders with non-EMV cards.”
Retailers were involved in some 45% of Trustwave’s investigations and, with a 15% increase in breaches, reclaimed the No. 1 spot as the most-hacked merchant category from 2011’s leader, the food-and-beverage industry, which accounted for 24% of the breaches last year. Retailer and restaurant breaches in recent years have run fairly closely, and Pogue doesn’t see any trend in the latest numbers.
“They’re kind of populated with the same point-of-sale systems,” Pogue says. “It’s the same stuff, it’s the same hardware.”
The vast majority of breached merchants, 80% to 85%, were small ones, known in industry lingo as Level 4 merchants. These merchants typically do not have dedicated security departments and often outsource the operation of their data-processing systems to third parties. Sixty-three percent of breach victims used a third party for system administration while 37% handled such tasks themselves.
As it has reported in every previous study, Trustwave says easily guessed default passwords or other preventable security lapses played roles in many data breaches last year. Trustwave analyzed 3 million user passwords and found that 50% of businesses are still using easily guessed passwords, the most common being “Password1” because it often meets the minimum standard for an acceptable password.
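As an added illustration that is not part of Trustwave’s report, the following Python shows why a typical minimum complexity policy accepts “Password1” while a blocklist check with simple normalization rejects it; the policy rules and the blocklist of common base words are constructed assumptions.

```python
import re

# A typical "minimum standard" complexity policy (constructed assumption):
# at least 8 characters with an upper-case letter, a lower-case letter and a
# digit. "Password1" satisfies every rule, which is why it is so common.
def meets_minimum_policy(pw: str) -> bool:
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None)

# Constructed blocklist of dictionary words that are commonly used as the base of
# a password and therefore sit at the top of any guessing wordlist.
COMMON_BASES = {"password", "welcome", "letmein", "qwerty", "summer", "company"}

# Single-character leetspeak substitutions undone before the blocklist lookup.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "!": "i", "3": "e",
                      "$": "s", "5": "s"})

def normalize(pw: str) -> str:
    """Lower-case the password, strip the trailing digits/symbols people append
    to satisfy the policy, and undo leetspeak, so 'P@ssw0rd1!' and 'Password1'
    both reduce to the base word 'password'."""
    base = re.sub(r"[\d!@#$%^&*]+$", "", pw.lower())
    return base.translate(LEET)

def is_easily_guessed(pw: str) -> bool:
    """True when the password reduces to a blocklisted base word. This is the
    check a complexity-only policy lacks: the rules above are satisfied, yet a
    wordlist with a few mangling rules recovers the password immediately."""
    return normalize(pw) in COMMON_BASES

def evaluate(pw: str) -> dict:
    """Combine both checks so a policy can require meets_policy and not
    easily_guessed before accepting a password."""
    return {"meets_policy": meets_minimum_policy(pw),
            "easily_guessed": is_easily_guessed(pw)}

if __name__ == "__main__":
    for candidate in ("Password1", "P@ssw0rd1!", "Summer2012!", "Tq7!vZ2#pL9w"):
        print(candidate, evaluate(candidate))
```

Running the block shows “Password1”, “P@ssw0rd1!” and “Summer2012!” all passing the complexity rule but failing the blocklist check, while a random 12-character password passes both.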
Meanwhile, Trustwave noted that the malicious software, or malware, that hackers often use to find, collect, and export data made incremental improvements even though no fearsome new strain burst onto the scene last year. (Trustwave’s report documented about 40 variations used by six criminal groups.)
For example, new malware technology exploits so-called dynamic-link libraries (DLLs), which are chunks of reusable code that computers use to perform many different functions, including keyboard input and memory usage, says Pogue. Malware also is getting better at hiding itself in computer systems and at hiding the data it steals. Some 25% of the data in Trustwave’s breaches were encrypted, and the average time from breach to detection rose to 210 days, 35 days longer than in 2011.
Trustwave also says the incidence of mobile malware exploded by 400% in 2012. None of the mobile-malware cases Trustwave investigated compromised payment card data, Pogue says, but hackers seem unlikely to resist going after smartphones and tablet computers as more merchants employ such devices to accept payment cards. “You’re going to have an obvious target,” says Pogue. “Mobile malware is going to get more complex, it’s going to get more sophisticated.”