While most consumers worry about their credit card or debit card numbers or other valuable data being stolen from their home computers or leaked via a data breach at their banks, a new report shows that the vast majority of attacks that harvest this sensitive data actually target weak software on point-of-sale devices at retail locations.
The data shows that 75 percent of the more than 220 breach investigations done by Trustwave’s SpiderLabs unit last year involved an attack that targeted POS software. These systems, which are the first link in the long chain of payment processing, tend to be the softest targets for attackers interested in gathering large amounts of payment card data quickly. Many POS systems are proprietary systems that are set up either by the vendor or a third-party consultant and may not be well understood by the customer’s IT staff.
“For instance, our investigations often uncover deficiencies in regards to basic security controls, such as the use of default passwords and single-factor remote access solutions. In 87% of POS breach cases, third party integrators used some form of default credentials with either remote access systems or at the operating systems layer. Businesses should work with their third party vendors to help ensure non-functional security requirements are part of the implementation and maintenance agreements,” the SpiderLabs Global Security Report 2011 says.
By comparison, just nine percent of the breaches that the company investigated involved e-commerce sites. One of the reasons that attackers may not be targeting these sites as often as POS systems and other systems is that they usually only yield card numbers and perhaps expiration dates. That information can be used for fraudulent transactions on other e-commerce sites or over the phone, but can’t be used for in-person purchases, limiting the usefulness of it.
“But when magnetic strip data is not available criminals are limited to card-not-present fraud; they can only use the data they obtain from e-commerce attacks against other e-commerce or card-not-present businesses. E-commerce is most often not the primary target in large-scale payment fraud — the data just isn’t as valuable,” the report says.
One of the more interesting data points in the report, which covers calendar year 2010, is the revelation that, in the investigations initiated by card companies such as Visa or American Express, the breach was discovered an average of 156 days after it actually occurred in the first place. By contrast, organizations that discovered compromises themselves did so an average of 28 days after the attack.
“Our analysis reveals that, on average, a lapse of 156 days occurred between an initial breach and detection of that incident. In other words, a system was infiltrated almost six months prior to detection of the incident,” the report concludes. “Analysis demonstrates that those entities capable of discovering an incident themselves did so within a much shorter timeframe than entities who relied on others to identify the breach. In contrast, those entities that exclusively relied on a third party for detection, or just didn’t detect the problem until a regulatory body did, could take up to five times longer to detect the breach. We have found that organizations with mature information security programs that include employee awareness training, regardless of size, are the most successful at detecting a breach.”