Verizon: Three breach scenarios to watch for
There is an endless variety of ways hackers can attempt to gain access to retailers’ networks, but a few are particularly common.
In a new study, “Data Breach Digest,” Verizon identifies 18 different data breach scenarios drawn from analyzing more than 1,200 global cases investigated by the Verizon Risk Team in the past three years.
“There is a lot more commonality than most people realize,” said Chris Novak, director of investigative response, Verizon Enterprise Solutions.
Although all the identified scenarios can affect companies in any industry, Novak said that retailers are especially likely to be victimized by three – POS intrusion, peripheral tampering, and SQL injection. Following is a brief overview of each scenario.
Nicknamed the “leaky boot” by Verizon, POS intrusion involves RAM scraping by malware designed to monitor and extract specific, targeted data from physical memory. Verizon analysis of this type of malware indicates that hackers customize their tools to work in specific environments, such as on application-specific POS servers and terminals.
Typical perpetrators include those seeking financial gain, such as organized criminal networks, as well as independent hacking groups. POS intrusion attacks often originate from foreign locations. Common points of origin include China, Germany, Romania and the Russian Federation.
Retailers often discover POS intrusion attacks through notification by a third-party financial services provider (such as a payment card processor noticing fraudulent transactions on exposed cards) or law enforcement. It typically takes weeks to months to discover a POS intrusion and days to weeks to contain it.
Peripheral tampering involves any tampering with or physical manipulation of a hardware device that connects to a computer system. These devices may include Personal Identification Number (PIN) entry devices (PEDs), scanners, printers, etc. Perpetrators associated with altered payment card transaction devices are typically organized crime groups. These groups may be based in the U.S. but also are often based in overseas locations such as Bulgaria, Romania, Armenia and Brazil.
Discovery of peripheral tampering can be quick, often taking days or even hours. However, because so many devices across so many locations may be compromised, containment may take months.
Also termed “snakebite” by Verizon, SQL injection attacks, in their most basic form, are methods of abusing an application’s interaction with its back-end database. These attacks leverage non-validated inputs (such as stolen credentials or guessed passwords) to modify existing database queries to achieve unintended results (i.e., the theft of sensitive data) and frequently target Web applications.
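To make the “modify existing database queries” mechanism concrete, here is an added example that is not part of the Verizon study or the article: a Python lookup against a constructed in-memory SQLite table, written once with the input spliced into the query text and once with a bound parameter, plus an input allowlist check as a second layer. The table contents, the function names and the sample inputs are all assumptions for illustration.

```python
import re
import sqlite3

# Constructed sample data standing in for a retailer's back-end customer
# table (hypothetical, not drawn from any real case or from the study).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [
            (1, "alice@example.com", "1111"),
            (2, "bob@example.com", "2222"),
            (3, "carol@example.com", "3333"),
        ],
    )
    return conn

def lookup_vulnerable(conn, email):
    # The non-validated input becomes part of the SQL text itself, so it can
    # change the structure of the query rather than just supplying a value.
    sql = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, email):
    # The query structure is fixed at development time; the driver binds the
    # input as data, so nothing the user types can alter the WHERE clause.
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()

# Allowlist check used as defence in depth (a simplified e-mail shape, not a
# full RFC 5322 validator): reject input that cannot be a customer e-mail
# before it ever reaches the database layer.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def is_plausible_email(value):
    return EMAIL_RE.fullmatch(value) is not None

def lookup_hardened(conn, email):
    # Both layers together: validate the shape, then bind the value.
    if not is_plausible_email(email):
        return []
    return lookup_parameterized(conn, email)

def compare(conn, user_input):
    # Returns how many rows each variant hands back for the same input, so the
    # difference between splicing and binding is visible as a number.
    return {
        "vulnerable": len(lookup_vulnerable(conn, user_input)),
        "parameterized": len(lookup_parameterized(conn, user_input)),
        "hardened": len(lookup_hardened(conn, user_input)),
    }

if __name__ == "__main__":
    db = build_db()
    # A normal lookup and a constructed input whose quote character closes the
    # string literal and appends an always-true condition.
    for sample in ("alice@example.com", "x' OR 'a'='a"):
        print(repr(sample), compare(db, sample))
```

With the ordinary e-mail every variant returns exactly one row. With the constructed input, the spliced query returns the whole table (three rows), while the parameterized query returns nothing because the input was compared as a literal string, and the hardened path rejects it before a query is issued. The parameterized form is the fix; the allowlist is cheap additional coverage and a natural place to log rejected input for detection.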
Perpetrators may be activists, organized criminals or even state-affiliated individuals. Thus there is no definite pattern of where the attacks originate from. The time it can take to discover and contain SQL injection attacks also varies widely, from hours to months depending on specific circumstances.
To access the full study visit Verizonenterprise.com/databreachdigest.