Criminals targeting payment card data have a very hefty incentive, suggests the Trustwave 2015 Global Security Report. How much of an incentive? The return on investment in one example is 1,425%.
Released Tuesday, the report quantifies the return on investment for a common type of online fraud, suggesting strategies to counter these thieves might benefit from knowing more about their motivations.
In the example, a criminal buys ransomware software, which locks access to a computer’s data until the user pays a fee. That’s a $3,000 investment.
Then, to load the ransomware onto a PC, the criminal pays $500 for a one-month rental of an exploit kit. Then it costs another $1,800 to drive PC users to Web sites that harbor the infected software. To mask the software from anti-virus programs, the criminal shells out $600. Total investment: $5,900.
The payoff is $90,000 for a 30-day campaign, which assumes 10% of 20,000 consumers end up with infected computers and that 0.5% of them pay a $9,000 ransom, or $300 every day. Return on investment: 1,425%.
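The arithmetic behind those figures, worked through here as an added illustration rather than a calculation from the report or the article, reading the ransom as $300 per paying victim per day (the reading under which the stated numbers agree):

$$
\begin{aligned}
\text{Cost} &= 3{,}000 + 500 + 1{,}800 + 600 = 5{,}900 \\
\text{Infections per day} &= 20{,}000 \times 0.10 = 2{,}000 \\
\text{Payers per day} &= 2{,}000 \times 0.005 = 10 \\
\text{Revenue} &= 10 \times 300 \times 30 = 90{,}000 \\
\text{ROI} &= \frac{90{,}000 - 5{,}900}{5{,}900} \approx 14.25 = 1{,}425\%
\end{aligned}
$$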
“We’ve always known what drove cybercrime,” Charles Henderson, vice president of managed security testing at Chicago-based Trustwave, tells Digital Transactions News. “But putting an absolute quantification on why they do this is key.”
That’s because one counter strategy to the criminals is viewing their endeavor as driven by a business plan, he says. “It’s basically a matter of upsetting or interrupting the business plan of the criminal,” Henderson says. “In order to do that, you need to understand business, what kinds of profits they make.”
While it has been known for some time that criminals incur costs, it wasn’t until recently that the data came together to make those costs meaningful, Henderson says.
Merchants, and other organizations with payment data to protect, might be able to better understand the roadblocks they can put in place to thwart criminals, Henderson says. They are starting to understand that by putting up barriers to this ill-gotten return on investment they can enhance their resilience to attacks, he says.
Other data from the report, which analyzed 574 data compromises investigated by Trustwave across 15 nations, found that 43% of the attacks involved retail, followed by food and beverage at 13%, and hospitality at 12%. No other industry segments garnered double-digit shares.
Within retail, 27% of the attacks were via point-of-sale technology, while in hospitality that figure was 66%. It’s among food and beverage merchants, however, that criminals really targeted the POS technology, choosing that route for 95% of their attacks.
POS technology remains attractive to criminals because these systems often require remote access to be properly managed. “That remote access is a big problem,” Henderson says. “Very often that’s done in a less-secure fashion.”
What may be changing, especially since the Target Corp. breach was first reported in 2013, is retailers’ attitudes toward securing their POS systems, Henderson says. “Until very recently, you didn’t see merchants take a specific line of security for the POS. The assumption was someone else had already thought of security for that.”