Payment card data remains a top target for criminals, but personally identifiable information, such as birth dates and addresses, is growing in favor among them, finds the 2014 edition of the Trustwave Global Security Report.
Based on an analysis of 691 data-breach investigations conducted in 2013 by Chicago-based security-services provider Trustwave, the report shows that 45% of data thefts in 2013 involved non-payment card data, spurred by a 33% increase in the theft of sensitive financial information, internal communications and other types of customer records. There also was a 22% increase in the theft of financial account credentials.
While demand for payment data, such as the card number and expiration date, remains strong, criminals also find other types of data lucrative, says Karl Sigler, Trustwave threat intelligence manager.
“If there is a legitimate business that makes money from information, then the criminals will also be interested in that data to sell for a profit,” Sigler says. “If you can map a data point to a legitimate business you can map it to a criminal enterprise. Anything from trade secrets to financial credentials to internal communications to personally identifiable information to other various types of customer records are profitable in some capacity.”
Case in point, eBay Inc. today says it sustained an attack on a database containing passwords and other non-financial information, and asked all of its users to change their passwords. EBay says it has 145 million active buyers. Data from eBay’s PayPal subsidiary were not affected, eBay says.
Criminals are casting wider nets to see what comes up, Sigler says. “Often it’s payment card data, but also caught up in that net are user credentials, confidential documents, address books, data useful for identity theft, extortion, etc. Most data has some value attached and it’s just a matter for criminals to parse it out and find a buyer.”
The data, quite simply, provide another way to take over accounts and get money, says data-security researcher Avivah Litan at Stamford, Conn.-based Gartner Inc. “It’s easier to take over an account when you have personally identifiable information or other personal attributes,” Litan says. Criminals can use this information to fake their way into an account by answering questions either online or via a call center, for example. “This reflects the changing nature of fraud attacks,” she says.
As for payment data, Trustwave says 36% of the breaches it investigated in 2013 involved card data stolen from e-commerce sites and 19% from breaches made at the point of sale.
Online sites were high on criminals’ lists last year, with e-commerce comprising 54% of targets, Trustwave says. A couple of factors influence that, Sigler says.
“We see two trends among criminals depending on where the victims are located. In Europe, where EMV [chip-and-PIN] technology is widely used, more criminals are switching their tactics to target e-commerce sites. EMV technology adds another layer of security because customers must swipe their cards and type in a passcode.”
EMV (Europay-MasterCard-Visa) chip cards are meant to thwart counterfeit card fraud but do not address e-commerce transactions.
“This type of two-factor authentication makes it more difficult for criminals to break in and therefore they are shifting to target card-not-present businesses,” Sigler says. “However, in the United States, consumers widely use magnetic-stripe technology so criminals continue to target brick-and-mortar businesses.”
What this means for businesses is that any customer information they store, whether it’s payment data or other types, could be targeted by criminals, Litan says. “You have to assume criminals will steal it,” she says. “They keep going to the point of least resistance.”
This entails looking beyond the payment system to secure the data, she says. “You need to look at call centers, mobile computing and interactive voice-response systems. You can’t just look at e-commerce or the point of sale.”