Last year was a rollercoaster for the payments industry. An influx of mobile payment platforms, the start of EMV adoption, and a pack of criminals exploiting all of these uncertainties with a continued string of high profile data breaches has many fraud managers stressed beyond belief trying to manage it all. If it’s any consolation, Trustwave’s Global Security Report confirms that you’re not alone. Follow along as we highlight some of the report’s key insights on attacks, how they’re happening and what data criminals are targeting.
Attack Methods
Since EMV put a big roadblock in the way of mass point of sale compromises, criminals shifted focus to specific industries and platforms. The hospitality industry got hit hard, with Hilton, Trump Hotels, Starwood, Mandarin Oriental and White Lodging all suffering from data breaches in 2015. This has continued well into this year, with Hyatt seeing a breach in the early part of the year, and Trump Hotels investigating a potential second incident of its own.
In many of the cases that Trustwave investigated, criminals gained access to their systems via remote access applications, which are programs that allow access to a computer from a remote location. While this has been a known issue for several years, criminals are still cashing in on the weakness.
Worse yet, the compromised credentials were often those belonging to third parties, continuing the concern around partner and vendor security.
In the e-commerce space, 85% of compromised systems used the Magento open-source platform. There were nearly half a dozen critical vulnerabilities within Magento noted in 2015, and unfortunately, most of the affected systems were not up to date on security patches (some were behind by nearly an entire year).
Industries & Environments Affected
Unsurprisingly, retail businesses accounted for the largest portion of incidents investigated by Trustwave, though the number is down significantly to 23%, from 43% last year. Hospitality and the food & beverage industry round out the top three, with 14% and 10% of attacks, respectively.
This decrease in retail incidents had a big influence on the type of environments affected. While in 2014, point-of-sale terminals accounted for 40% of incidents, in 2015, that number dropped to 22%. E-commerce incidents stayed pretty even year-over-year, which leaves the big new target for criminals - corporate and internal networks, which jumped from 18% in 2014 to 40% in 2015.
When compared to the rest of the world, North America still lags considerably behind other regions in adopting EMV standards, and subsequently lowering the number of point of sale terminal attacks. Europe, the Middle East and Africa (EMEA) is the only other region in the world with a significant amount of POS attacks at 8%, and North America is expected to trend in much lower than the 47% in 2015 in the following years.
Payment Card Data Still the Most Coveted
While criminals sought financial credentials, PII and other proprietary information in their attacks, card data was by and large the most targeted, accounting for 60% of all data exposed. This was split nearly evenly between track (magnetic stripe) data and card-not present (e-commerce) data, though we expect the CNP percentage to increase as EMV shifts criminals online.
We think one of our mass card compromise tool’s biggest advantages is that it is card, device, portfolio and fraud-type agnostic. Sonar can detect card not present fraud just as quickly and efficiently as it detects card present fraud, and functions the same across chip cards, mag stripe cards, or mobile platform purchases. Learn more about how it can help you catch fraudulent spend faster below: