Point-of-sale integrators, help desks, and other computer-related service providers for businesses, look out—the hackers are after you.
The new Global Security Report 2018 from Chicago-based Trustwave says service providers were involved in 9.5% of the 700-plus data compromises the firm investigated in 2017. In 2016, service providers played a role in fewer that 1% of Trustwave’s investigations, says Brian Hussey, vice president of cyber threat detection and response.
“Last year [2016], it was negligible,” says Hussey. Trustwave is one of the biggest providers of security investigations and data-protection technology to card-accepting merchants and other businesses.
On one level, the allure of service providers to cyberthieves is obvious. A successful hack into a provider’s network could enable hackers to worm their way into payment and other databases of all of the provider’s clients, which can number in the hundreds, Hussey notes. This new focus on service providers also comes in a rapidly changing data-security environment that includes EMV chip card payments that have made POS card fraud harder to commit.
EMV “definitely contributes to less and less of the POS attacks,” Hussey says. He adds that shrinking numbers of merchants that accept only magnetic-stripe cards are increasingly juicy targets for hackers. Non-EMV merchants should “expect to be heavily, heavily attacked in the next year,” he says.
Trustwave found that payment card data remains No. 1 in the eyes of hackers, accounting for 40% of the targeted information, broken down into 22% from mag-stripe track data originating with POS transactions and 18% from e-commerce. Some 11% of incidents targeted cash, mostly originating from compromises of account-management systems at financial institutions, Trustwave said.
Even with EMV, more than a decade of PCI security rules, and the increasing availability of tokenization and data-encryption services, 69% of the cases Trustwave investigated involved track data stored in plain text, the report says.
The reasons for that are varied. A merchant’s new database system might be advertised as encrypting sensitive information, but a hacker may discover it doesn’t, Hussey notes. “Even if it’s not intentional, it could be the fault of programming,” he says. “There’s all kind of scenarios.”
What’s more, Trustwave found that 100% of the Web-based applications it examined last year had vulnerabilities, with a median of 11 each. Some 86% of those vulnerabilities allowed hackers to monitor traffic going back and forth within the application, further compromising security, Hussey says.
Retailers accounted for 17% of the compromises Trustwave investigated, more than any other industry. Next were financial and insurance companies, 13%, followed by the hospitality industry, 12%.
Data compromises detected internally in 2017 most often were discovered on the same day of intrusion. Those detected by an external party, however, had a median spread of 83 days between intrusion and discovery, up from 65 days in 2016, Trustwave found.
The report does have some good news, particularly regarding spam. Junk emails accounted for 87% of the incoming email Trustwave monitored in 2009, but with the exception of 2016 spam has declined every year since and currently represents just over 39% of emails, the report says. Many spam emails, however, still contain malware or links to hacker-controlled Web sites.