Advanced Cyberattacks Leave Mark on Data Security in 2012

 Fraud and data security trends can change by the minute, often making it difficult to pinpoint a specific development as a key event during the course of a year.

Not so in 2012.

Those involved in protecting card payment data and customer identification say the successful and ongoing distributed denial of service, or DDoS, attacks on American financial institution websites signal the dawn of a new cyberwar and illustrate a potential risk to payment data.

DDoS attacks are used to knock websites offline by flooding them with more traffic than they were designed to handle.

“These attacks took a technique that had previously been primarily in the purview of hacktivists, and added professional-grade server infrastructure, resulting in attack intensity that was 10 to 20 times greater than the typical DDoS attack,” says Julie Conroy, senior analyst and fraud expert with Boston-based Aite Group. “It successfully brought down some of the most fortified financial institution websites.”  

A group calling itself the Izz ad-Din al-Qassam Cyber Fighters, which has claimed credit for many of these attacks, announced earlier this month that it intended to renew its attacks with a focus on U.S. Bancorp, JPMorgan Chase, Bank of America, PNC Financial Services Group and SunTrust.

Two of these banks, U.S. Bank and PNC, were apparently struck again this month. Wells Fargo, which was not among the five banks listed, faced an apparent DDoS attack last week.

“These hacktivists are showing no signs of backing down and, by publicly declaring their targets, are apparently becoming more emboldened,” says Stephen Gates of Corero Network Security.
The line between cybercrime and cyberwarfare is increasingly becoming blurred, and unfortunately will only continue, Conroy says.

The uptick in cyberattacks caused the most stir in a year in which banks and merchants were encouraged to implement as many layers of defense as possible to thwart bad guys.

Avivah Litan, vice president at Gartner Inc., advises that five layers of defense provide the most solid security. She cites software- or hardware-based secure browsing, out-of-band authentication and client device identification as part of the first layer. Other layers include software to analyze how a customer navigates a mobile banking or merchant website, monitoring account behavior and associated transactions, and account behavior across multiple channels.

The year saw yet another major payments breach, as Atlanta-based processor Global Payments Inc. reported in March that a breach of its systems potentially exposed up to 1.5 million payment card accounts, as well as the personal information of certain merchants.

This news led some fraud prevention vendors to proclaim it was time to shift fraud liability to processors, rather than merchants or acquiring banks. 

The payments industry took notice of a breach of up to 6.5 million passwords for the professional social network LinkedIn. Since LinkedIn profiles include a large amount of personal information, experts feared these details could be used to access payment data on other systems.

The Payment Card Industry Security Standards Council continued its role in providing education and guidance on data security in its various forms at the point of sale, or while traveling through payment gateways, through mobile devices or, most recently, in the cloud. In addition, the PCI council established data encryption guidelines for security vendors.

Despite all of the fraud-prevention education and systems available, new security vendor research revealed that most small merchants store unencrypted card payment data.

While data security awareness moves incrementally forward, small merchants remain a critical point of vulnerability, Conroy says.  

“I’ve spoken with fraud execs at acquiring banks who say that in the forensics they perform on small merchant compromises, they often find not one, but two or three pieces of malware, all of which have resulted in data compromise, and each operated by a different cybercrime ring,” she adds.  

Ultimately, the solution to the small merchant problem will be migration of data to a cloud-based environment where no data is left on merchant systems, Conroy says.
But small merchants weren’t alone in security problems, as a breach at Barnes & Noble bookstores in October illustrated that PIN pads in stores remain susceptible to being swapped out by thieves.

New payment systems also proved vulnerable to attack. At the start of the year, a security firm exposed two issues with Google's mobile wallet that could allow attackers to access funds stored in a virtual prepaid card account. 

As for 2013, Conroy says the industry will continue to see a gradual move to cloud-based applications to take advantage of their efficiencies.

“In some cases, as with the migration of merchant data from the local terminal or PC to the cloud, I think we’ll see that the cloud represents a vastly superior security experience,” Conroy says.