Though the Target and Neiman Marcus breaches late last year have received significant attention, a new report from Verizon suggests the security emphasis should be on the smaller entities that are most vulnerable. And most of the recent attacks appear to be coming from Eastern Europe.
By Jeffrey Green (@epaymentsguy)
This was the week when Verizon released its latest Data Breach Investigations Report, a highly respected document first published in 2008.
In total last year, there were 1,367 confirmed data breaches and 63,437 security incidents, according to the report. And 2013, Verizon said, “may be remembered as the ‘year of the retailer breach,’ but a comprehensive assessment suggests it was the year of transition from geopolitical attacks to large-scale attacks on payment card systems.”
This year, rather than organizing the document around the actors, actions, timelines and other factors, Verizon created sections around common incident patterns derived from the breach data itself.
Within each of these patterns, Verizon gets into the actors causing the breaches, the actions they used, the assets targeted, the timelines in which the incidents took place, and recommendations to combat them. According to the 2014 report, the industries most commonly affected by point-of-sale intrusions are no surprise: restaurants, hotels, grocery stores, and other brick-and-mortar retailers.
Recent highly publicized breaches of several large retailers have brought POS compromises to the forefront, the report notes. “But at the risk of getting all security-hipster on you – we’ve been talking about this for years,” the report’s authors note. “In fact, this is the main cause of the large dip in 2012 seen in many of the “over time” charts in this report. We were writing about RAM scrapers before anyone heard of them, and we’re quite frankly not all that into them anymore because they’ve sold out and gone mainstream.”
Jokes aside, the authors note, breaches largely remain a small and midsize business issue. Focusing too much on outliers and headlines can reflect cognitive bias, they say.
“For instance, some may be surprised that the number of POS attacks in 2012 and 2013 is substantially lower than the number recorded in 2010 and 2011 (despite having 10 times more contributors in the latter years),” the report states. “From an attack-pattern standpoint, the most simplistic narrative is as follows: compromise the POS device, install malware to collect magnetic-stripe data in process, retrieve data, and cash in. All of these attacks share financial gain as a motive, and most can be conclusively attributed (and the rest most likely as well) to organized criminal groups operating out of Eastern Europe.”
Such groups are very efficient at what they do, Verizon’s report notes, using casual, somewhat jovial language: “They eat POSs like yours for breakfast, then wash ‘em down with a shot of vodka. While the majority of these cases look very much alike, the steps taken to compromise the point-of-sale environment offer some interesting variations.”
Indeed, hackers in 2013 were particularly invested in Web application attacks, cyber-espionage and point-of-sale intrusions. Finance suffered the most at the hands of cyber-criminals and was the victim of 465 separate reported breach incidents, according to the report.
The report also showed that, while targets are getting better at detecting breaches, attackers are also getting much faster at deploying them.
“A lot of attackers simply look for vulnerable victims on the Internet and deploy automated attacks,” Paul Pratley, an investigations manager with the RISK Team at Verizon, told PC World. “Often it will take seconds to minutes before a network is compromised, but it can take a really long time for an organization to discover it—weeks to months or even a year,” he said. “That’s something we’d really like to see change.”
On the upside, the report also showed that organizations were more likely to find breaches themselves instead of being informed by third parties.
Retailer costs up
The National Retail Federation recently announced that it had told a congressional panel the retail industry is committed to safeguarding and protecting consumer data and information from cybercriminals and hackers, according to Apparel.
“Retailers make significant investments every year in order to protect [consumer] data,” Tom Litchford, federation vice president for retail technologies, testified. “Collectively, retailers spend billions of dollars annually to safeguard data and fight fraud, as well as hundreds of millions annually on [credit card security] compliance.”
He said there is support for an immediate transition away from fraud-prone credit cards that rely on a magnetic stripe and signature to more advanced and secure cards that incorporate a computer chip and PIN.
“Chip-and-PIN technology dramatically reduces the value of any stolen ‘breached’ data for in-store purchases because the payment card data is essentially rendered worthless to criminals,” Litchford said. “The failure of U.S. card networks and banks to adopt such a system in the United States is one reason why cyberattacks on brick-and-mortar retailers have increased.”
What Litchford didn’t mention was that relatively few merchants are ready to accept EMV chip-and-PIN cards.
Heartbleed concerns continue
Hackers reportedly are taking advantage of the Heartbleed situation, which involves a security flaw in the OpenSSL data-encryption library used by two-thirds of the Internet’s websites. Customers’ session tokens remain vulnerable, allowing hackers to masquerade as a legitimate authenticated user, according to one security expert.
“[With] an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated,” Christopher Glyer, a technical director at Mandiant, noted on the company’s blog.
Organizations that are running, or had recently been running, vulnerable versions of remote access software should identify vulnerable systems and upgrade as soon as possible, implement network intrusion detection signatures, and create VPN logs, he said.
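As an added illustration of the VPN-log recommendation above (this is not code from the article or from Mandiant's post), the following Python flags a VPN session ID that keeps being used from a second client IP without a fresh authentication, which is how a replayed session token surfaces in logs. The log format, field names and sample lines are constructed assumptions.

```python
import re

# Constructed sample VPN log lines (not real data, not from the article).
# Assumed format: "<timestamp> session=<id> user=<name> src=<ip> event=<connect|request>"
SAMPLE_VPN_LOG = """\
2014-04-08T09:00:01Z session=a1f3 user=alice src=203.0.113.10 event=connect
2014-04-08T09:05:12Z session=a1f3 user=alice src=203.0.113.10 event=request
2014-04-08T09:07:45Z session=a1f3 user=alice src=198.51.100.77 event=request
2014-04-08T09:10:00Z session=b7c2 user=bob src=203.0.113.55 event=connect
2014-04-08T09:12:30Z session=b7c2 user=bob src=203.0.113.55 event=request
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\w+) user=(?P<user>\w+) "
    r"src=(?P<src>[\d.]+) event=(?P<event>\w+)$"
)


def parse_vpn_log(text):
    """Parse the constructed log format into dicts; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def find_hijacked_sessions(records):
    """Return {session_id: (original_ip, new_ip)} for sessions whose ID was
    presented from a different client IP on a non-connect event.

    Assumption: a legitimate client that changes address reconnects (event=connect)
    and re-authenticates; a stolen token replayed by someone else continues the
    existing session from the new address without doing so."""
    first_ip = {}
    suspects = {}
    for r in records:
        sid, src = r["session"], r["src"]
        if sid not in first_ip:
            first_ip[sid] = src
        elif src != first_ip[sid] and r["event"] != "connect":
            # Existing session continued from a second address: flag once per session.
            suspects.setdefault(sid, (first_ip[sid], src))
    return suspects
```

Run over real concentrator logs, the same check would need the vendor's actual field names, and a session that legitimately roams between networks will need the reconnect exemption tuned to that product's behaviour.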
Google boosts wallet security
Google reportedly is trying to make its Google Wallet less attractive to phone thieves by enhancing security measures. The Minneapolis Star Tribune reports that the updated software requires the user to verify personal information for every transaction.
“A thief would need to know your personal identification number, provided that you’ve set the phone to require re-entering the PIN a certain number of minutes after it was last used,” a company representative said.
The original Google Wallet service was designed to make purchases in retail stores much easier. A phone equipped with an NFC chip would be tapped on a retailer’s NFC reader. The reader would then use the NFC’s short-range radio waves to scan the financial information stored in the phone’s Google Wallet software and complete the transaction.
To make an online purchase, the user would then have to enter his name, address, birthday and the last four digits of a Social Security number before using the device.
Phone print-scan issues continue
As many people already know, Apple incorporated the iTouch fingerprint scanner into the iPhone 5s, and Samsung later released the Galaxy S5 with a similar fingerprint scanner. Both, however, have proven to be vulnerable, as Apple’s scanner was hacked into within a week of its release, and now Samsung’s fingerprint scanner reportedly was similarly hacked by Germans with wood glue within a week of its release date.
Undaunted by the setback, Samsung recently filed patent requests that imply it is investigating a much more complex use of fingerprinting technology. The principal innovation is a scan that requires multiple finger inputs, such as a left- and right-hand scan.
Samsung partnered with PayPal to include a fingerprint-based authentication system using FIDO Ready technologies in the Galaxy S5. Now, Samsung has joined the FIDO (Fast Identity Online) Alliance and has been appointed a representative to the alliance’s board.
FIDO supports a full range of authentication technologies, including fingerprint and iris scanners, voice and facial recognition, as well as enhancing trusted platform modules, USB security tokens, embedded secure elements, smart cards, Bluetooth Low Energy and Near Field Communication.