Study: Cybercriminals shift approach to retail
A new study from Verizon indicates retailers are facing new cyberattack trends.
According to the 2019 Verizon Data Breach Investigations Report (DBIR), 97% of 234 analyzed cyberincidents in the retail industry (139 with confirmed data disclosure) were financially motivated. The remaining 3% were committed for fun or espionage purposes.
One of the biggest developments tracked by the DBIR is a movement away from “card present” attacks on physical card payments. POS compromises represented 6% of retail incidents in 2018, compared to 63% in 2014. The percentage of incidents represented by payment card skimmers fell to 3% from 6% in the same time period.
However, cyberattacks involving web applications comprised 63% of incidents in 2018, compared to 5% in 2014. Privilege misuse increased to 10% of incidents from 3% in the same time period. This shows that hackers are clearly shifting their attention to e-commerce payment applications, as opposed to physical POS or card reader systems located in a store or attached to a gas pump.
Most attacks (81%) involved external actors breaching retailer security systems, as opposed to internal compromises. Payment data was most frequently compromised (64%), followed by credentials (20%), and personal information (16%).
Verizon analysis suggests that EMV regulations requiring chips to authenticate transactions with physical payment cards have diminished the value proposition of card-present fraud for cybercriminals, who are instead targeting e-commerce transactions.
Moving forward, Verizon offers three recommendations for retailers seeking to avoid being victimized by cybercriminals:
1. Code is being injected to capture customer data as they enter it into web forms. Widespread implementation of file integrity software may not be a feasible undertaking, but retailers should consider adding this to their malware defenses on payment sites, in addition to patching OS, and payment application code.
2. Retailers should continue to embrace technologies that make it harder for criminals to steal data from POS terminals, such as methods that utilize a one-time transaction code (EMV, mobile wallets).
3. Rewards programs that can be leveraged for the “points” or for the personal information of a retailer’s customer base are also potential targets.
According to the 2019 Verizon Data Breach Investigations Report (DBIR), 97% of 234 analyzed cyberincidents in the retail industry (139 with confirmed data disclosure) were financially motivated. The remaining 3% were committed for fun or espionage purposes.
One of the biggest developments tracked by the DBIR is a movement away from “card present” attacks on physical card payments. POS compromises represented 6% of retail incidents in 2018, compared to 63% in 2014. The percentage of incidents represented by payment card skimmers fell to 3% from 6% in the same time period.
However, cyberattacks involving web applications comprised 63% of incidents in 2018, compared to 5% in 2014. Privilege misuse increased to 10% of incidents from 3% in the same time period. This shows that hackers are clearly shifting their attention to e-commerce payment applications, as opposed to physical POS or card reader systems located in a store or attached to a gas pump.
Most attacks (81%) involved external actors breaching retailer security systems, as opposed to internal compromises. Payment data was most frequently compromised (64%), followed by credentials (20%), and personal information (16%).
Verizon analysis suggests that EMV regulations requiring chips to authenticate transactions with physical payment cards have diminished the value proposition of card-present fraud for cybercriminals, who are instead targeting e-commerce transactions.
Moving forward, Verizon offers three recommendations for retailers seeking to avoid being victimized by cybercriminals:
1. Code is being injected to capture customer data as they enter it into web forms. Widespread implementation of file integrity software may not be a feasible undertaking, but retailers should consider adding this to their malware defenses on payment sites, in addition to patching OS, and payment application code.
2. Retailers should continue to embrace technologies that make it harder for criminals to steal data from POS terminals, such as methods that utilize a one-time transaction code (EMV, mobile wallets).
3. Rewards programs that can be leveraged for the “points” or for the personal information of a retailer’s customer base are also potential targets.