The data breach landscape could look very different in the future with the increased adoption of chip-enabled payment cards in North America—but for now point-of-sale systems account for the majority of breaches there, compared to a tiny minority in other regions of the world.
Hacked point-of-sale (PoS) terminals were responsible for 65 percent of the data compromises investigated by security firm Trustwave last year in North America, compared to only 10 percent in Europe, Middle East and Africa and 11 percent in the Asia and Pacific region. Worldwide, the company investigated 574 breaches, half of them in the U.S.
The difference between PoS breach numbers in North America and other regions is largely due to a payment card standard called EMV (Europay, MasterCard, and Visa), which mandates the use of electronic chips in cards for antifraud protection. These are also called Chip-and-PIN or Chip-and-Signature cards and they have only recently started to be introduced in the U.S. and Canada.
The chip is used to authenticate the cards to EMV-capable card readers. It also makes it extremely hard for attackers to clone the cards even if they steal the data encoded on their magnetic stripes, which is known as track data.
In regions where EMV has been the de facto payment card standard for a long time—almost a decade in Europe—fraud has shifted from transactions where cards are physically used to transactions where cards are not present, like those performed online. As a consequence, attackers there are more likely to target e-commerce websites, from which they can extract card information that can be used to perform fraudulent transactions online.
That’s not yet the case in the U.S., where card track data and PoS systems remain the primary target, according to Trustwave’s 2015 Global Security Report released Tuesday.
While EMV, however, can control fraud, it does not provide complete security, said John Yeo, vice-president at Trustwave. It shifts fraud to transactions in which physical cards are not used, where cybercriminals have fewer options to extract cash. Companies should not assume that with chip-enabled cards the cardholder data is automatically safe and security should be ignored, he said.
Worldwide, compromised point-of-sale (PoS) systems were involved in 40 percent of the breaches investigated by Trustwave, compared to 33 percent in 2013. The only business assets that were even more frequently targeted by attackers last year were e-commerce applications, which accounted for 42 percent of breaches.
Retail (including e-commerce retailers), food and beverage and hospitality businesses suffered the largest number of data breaches, accounting for 68 percent of the cases investigated by Trustwave—retail 43 percent, food and beverage 13 percent and hospitality 12 percent.
Significant differences between attackers’ preference for PoS and e-commerce breaches were also observed across industry sectors, not just regions.
Sixty-four percent of breaches in the retail sector involved the compromise of e-commerce environments, 27 percent point-of-sale systems and 9 percent corporate networks. In the hospitality sector 65 percent of breaches involved PoS environments and 29 percent e-commerce, while in the food and beverages sector 95 percent were PoS and only 5 percent e-commerce.
Overall, e-commerce transaction data like personal identifiable information and cardholder data was compromised in almost half of all breaches and PoS transaction data, or track data, in a third of them. Cybercriminals also stole financial credentials in 12 percent of breaches and proprietary business data in 8 percent.
The most common methods of intrusion used in the incidents analyzed by Trustwave were insecure remote access software or policies and weak passwords. Together, these accounted for 56 percent of all compromises, the distribution being half and half.
For PoS environments in particular these two security failures were responsible for 94 percent of breaches. That’s because many PoS terminals are configured for remote administration, either over the Internet or over a corporate network.
Weak input validation, which can lead to SQL and other code injections, together with unpatched vulnerabilities, were the second leading causes of compromises, accounting for 15 percent each. As expected, these were much more common for e-commerce breaches.
When it comes to corporate network compromises, the leading causes were malicious insiders and misconfigurations, accounting for a third each.
Companies are still not doing a good job at quickly identifying and containing breaches, according to Trustwave.
Affected companies identified breaches themselves in only 19 percent of cases. This is a significant decrease from last year’s 29 percent.
Regulatory bodies, card brands and merchant banks were responsible for alerting businesses that they suffered a breach in 58 percent of cases. Law enforcement is also increasingly playing a role in this, notifying affected companies of 12 percent of breaches compared to 3 percent last year.
The median number of days from intrusion to detection across all incidents was 86, while from intrusion to containment it was 111. However, the numbers are very different for self-discovered breaches—only 14.5 days from intrusion to containment. This suggests that it’s considerably better for companies to have processes in place that allow them to identify breaches themselves.
The Trustwave report shows that many companies are still struggling with basic security principles like enforcing access controls, implementing strong authentication, patching known vulnerabilities or avoiding common Web coding errors that have been known since the 1990s.
It’s generally accepted among security professionals that there’s no such thing as 100 percent security and that if a determined and sophisticated attacker wants to get in, he’ll eventually find a way. Therefore, companies should strive to make it as hard as possible for attackers to break in, to the point where compromising systems would no longer justify the investment in time and resources for the vast majority of attackers.
Unfortunately, the organizations that do get breached are still getting some of the security fundamentals quite wrong, Yeo said.