THE 2015 PAYMENTS THREATSCAPE

2014 was a demanding year in cyber security, with many large, household brands becoming victim of fraudsters; losing both commercial value and importantly customer loyalty.

This year’s BRC Retail Crime Survey revealed that levels of fraud increased by 12% in 2013-14, with 135,814 incidents reported during the year. Together, they account for 37% of the total £603m cost of retail crime.

As forensic investigators, last year was our busiest yet, working with small online e-commerce businesses, to mid-sized distributed retail organisations, through to large issuer and acquirer banks across the UK, South Africa and in the Americas.

Interestingly, not a single case we investigated would have been assessed as PCI DSS Compliant at the time of the breach.

There is a huge variance in the types of organisations that we have assisted.  But having collated the findings, we are seeing the following:

• Definite continued upward trend in use of targeted malware within retail environments.
• Increase in custom/targeted malware within processing and issuing environments.
• SQL Injection remains the most prolific attack vector used against e-Commerce businesses.
• Increase in e-Commerce platform-specific malware.
• Growing use of Web Shells within e-Commerce investigations leading to discrete modifications of the website.

Where is the growth coming from?

While the headlines have been full of high profile businesses falling victim to data compromise, our experience is that the tide is rising across the industry – we have seen a significant rise in the number of cases year on year.  Most of the increase can be found in smaller to mid-sized businesses – predominantly e-Commerce organisations.

January 2015 has been our busiest forensic month – ever.  In January alone, our team has handled over 75% of the number of cases that we handled in 2012 all together.  Comparing January 2015 with January 2014, we find that the number of cases has increased by over 400%.

Who are these businesses?

The vast majority of the organisations that we’re assisting are e-Commerce businesses and these are the issues that they are dealing with:

• SQL Injection – continues to be the most common attack vector for e-Commerce.
• E-Commerce platform code modifications.
• E-Commerce platform-specific malware (Magento, WordPress, Drupal, OS-Commerce).
• Web Shells and backdoors created to provide easy harvesting access.
• Transaction Siphons (code modifications).

In most cases, simple security controls (PCI DSS Compliance) on the websites would have prevented them from being hacked.

An interesting observation is that we have started to see targeted malware being used to attack retail and hospitality integrated Point of Sale systems in the UK, South Africa and the Middle East.  The malware being seen in recent cases is usually a variant of malware seen in the high profile cases in the US (apart from one completely new and exceedingly clever piece of malware found in a UK high street retailer in December).  In addition, the malware operates undetected by the vast majority of commercial anti-virus/anti-malware solutions, making the case for a defence in depth security strategy all the more important.

So what are we to expect in 2015?

With the accelerated rollout of EMV in the US, we are forecasting an increase in the number of US organisations being compromised over the next 12 months as criminals seek to maximize their “swag” from the rapidly decreasing pool of potential magstripe victims.

In parallel, we expect that much of the criminal activity will migrate towards the online world – targeting e-Commerce businesses.  While we’re seeing increasing volumes of purchases made with online businesses (Forrester forecasts a 60% growth in the next year or two) this growth is also highly attractive to criminals looking for easy takings from insecure e-Commerce businesses.

If our experience in January 2015 is anything to go by, this year is going to be considerably more challenging for the e-Commerce world.

What can be done?

Without stating the obvious, the first thing to do would be to implement the controls outlined in the PCI DSS – these are based on best practice and will provide any organization with a well-balanceddefence in depth strategy.

For organisations that do not have the skills onboard to implement the appropriate security controls themselves, we would highly recommend seeking out a specialist partner to support your business.

Help for e-Commerce Businesses

With e-Commerce businesses likely to become the main target, protecting your website will be critical to successfully growing your online business.  We have created a free eBook on our website to help e-Commerce businesses to learn about the key steps to protecting their online business – 6 Expert Tips to Secure Your Website.

Further help for e-Commerce websites – specifically for Magento and WordPress websites can be found at:

Magento  –www.foregenix.com/magento

WordPress – www.foregenix.com/wordpress