Editorial & Advertiser disclosure

Global Banking & Finance Review® is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

The 2015 Payments Threatscape

Published by Gbaf News

Posted on March 11, 2015

4 min read

Last updated: January 22, 2026

Add as preferred source on Google

cloundhdr

2014 was a demanding year in cyber security, with many large, household brands becoming victim of fraudsters; losing both commercial value and importantly customer loyalty.

This year’s BRC Retail Crime Survey revealed that levels of fraud increased by 12% in 2013-14, with 135,814 incidents reported during the year. Together, they account for 37% of the total £603m cost of retail crime.

As forensic investigators, last year was our busiest yet, working with small online e-commerce businesses, to mid-sized distributed retail organisations, through to large issuer and acquirer banks across the UK, South Africa and in the Americas.

Interestingly, not a single case we investigated would have been assessed as PCI DSS Compliant at the time of the breach.

There is a huge variance in the types of organisations that we have assisted. But having collated the findings, we are seeing the following:

Definite continued upward trend in use of targeted malware within retail environments.
Increase in custom/targeted malware within processing and issuing environments.
SQL Injection remains the most prolific attack vector used against e-Commerce businesses.
Increase in e-Commerce platform-specific malware.
Growing use of Web Shells within e-Commerce investigations leading to discrete modifications of the website.

Where is the growth coming from?

While the headlines have been full of high profile businesses falling victim to data compromise, our experience is that the tide is rising across the industry – we have seen a significant rise in the number of cases year on year. Most of the increase can be found in smaller to mid-sized businesses – predominantly e-Commerce organisations.

January 2015 has been our busiest forensic month – ever. In January alone, our team has handled over 75% of the number of cases that we handled in 2012 all together. Comparing January 2015 with January 2014, we find that the number of cases has increased by over 400%.

Who are these businesses?

The vast majority of the organisations that we’re assisting are e-Commerce businesses and these are the issues that they are dealing with:

SQL Injection – continues to be the most common attack vector for e-Commerce.
E-Commerce platform code modifications.
E-Commerce platform-specific malware (Magento, WordPress, Drupal, OS-Commerce).
Web Shells and backdoors created to provide easy harvesting access.
Transaction Siphons (code modifications).

In most cases, simple security controls (PCI DSS Compliance) on the websites would have prevented them from being hacked.

An interesting observation is that we have started to see targeted malware being used to attack retail and hospitality integrated Point of Sale systems in the UK, South Africa and the Middle East. The malware being seen in recent cases is usually a variant of malware seen in the high profile cases in the US (apart from one completely new and exceedingly clever piece of malware found in a UK high street retailer in December). In addition, the malware operates undetected by the vast majority of commercial anti-virus/anti-malware solutions, making the case for a defence in depth security strategy all the more important.

So what are we to expect in 2015?

With the accelerated rollout of EMV in the US, we are forecasting an increase in the number of US organisations being compromised over the next 12 months as criminals seek to maximize their “swag” from the rapidly decreasing pool of potential magstripe victims.

In parallel, we expect that much of the criminal activity will migrate towards the online world – targeting e-Commerce businesses. While we’re seeing increasing volumes of purchases made with online businesses (Forrester forecasts a 60% growth in the next year or two) this growth is also highly attractive to criminals looking for easy takings from insecure e-Commerce businesses.

If our experience in January 2015 is anything to go by, this year is going to be considerably more challenging for the e-Commerce world.

What can be done?

Without stating the obvious, the first thing to do would be to implement the controls outlined in the PCI DSS – these are based on best practice and will provide any organization with a well-balanceddefence in depth strategy.

For organisations that do not have the skills onboard to implement the appropriate security controls themselves, we would highly recommend seeking out a specialist partner to support your business.

Help for e-Commerce Businesses

With e-Commerce businesses likely to become the main target, protecting your website will be critical to successfully growing your online business. We have created a free eBook on our website to help e-Commerce businesses to learn about the key steps to protecting their online business – 6 Expert Tips to Secure Your Website.

Further help for e-Commerce websites – specifically for Magento and WordPress websites can be found at:

Magento –www.foregenix.com/magento

WordPress – www.foregenix.com/wordpress