Paying for goods and services over the Internet in a variety of ways, from directly keying-in card details on ecommerce sites, to using online wallets, to paying with your phone, is more consumer friendly than ever.
But while these trends change the face of the payments industry and the way we buy, they are tracked by a dark shadow of cybercrime, card fraud and identity theft.
There are three major reasons why e-commerce companies keep getting hit hard.
POS Malware. Point of Sale (POS) malware is one of the most detrimental issues for online, and even brick-and- mortar retailers, today. While this threat grabbed the most attention in 2013 with the Target breach, and in 2014 with breaches like Home Depot, Dairy Queen, UPS and Staples, it is by no means new.
The first real POS malware started out as a sort of RAM-scraping malware that was built by cybercrime gangs from Russia and Romania between 2010 and 2012. By scraping data from payment servers, these malicious codes were able to pick up cards' track 1 and 2 data, and information used to process card payments, allowing their operators to write the data onto cloned cards and use them in fraudulent purchases.
Along the way, POS malware evolved into code like Dexter, which became wildly popular in underground crime venues online, and had cybercriminals hunting for executable files of other Trojans like Alina, vSkimmer, Soraya, BlackPOS and JackPOS, and the latest discovery in the domain — LusyPOS.
Infection methods include drive-by-download where employees do not know or see the infection happening, compromising a central update resource of the POS system, or even by rogue insiders who agree to load malware directly to the right machine via a removable drive.
Clearly, retailers' security measures are not stopping the more targeted and elusive breed of attacks, and unless new ways are implemented to deal with unknown or mutated malicious code, POS malware and its makers will celebrate yet another year of the breach in 2015.
Phishing. Another classic threat plaguing the payments industry is as rampant as it is simple: phishing. Fake pages that look like a bank's/issuer's/retailer's login zone, served to unsuspecting consumers either via email or SMS, appear to come from their trusted providers but instead seek to reap login data, card information, and personal details like social security numbers, date of birth, and contact details. The stolen card data feeds the underground cybercrime economy with steady streams of information that criminals use for payment fraud.
In November 2014, researchers at EMC reported a 76% hike in phishing attacks within one month, totaling over 61,000 cases — an all too familiar seasonal trend that happens around the holidays. Phishing plays on inherent human gullibility, abusing emotions and trust; these factors that have kept it at the top of the online threats list since 1996.
Compliance — or the Lack Thereof. The lack of proper adherence to regulatory compliance is another principal concern in the payments industry. Although schemes like PCI DSS have been put in place to help merchants implement basic security and best practices, all too many are found non-compliant in the wake of a breach, even when it comes to very well-known brands.
Most compliance issues touch on data: encryption, keeping stored data secure, and detecting/addressing anomalies like exfiltration or leakage as close as possible to the moment they begin. While compliance cannot solve all security threats spawned by sophisticated hackers and malware authors, it is basic practice that should be followed at all times. Being fully compliant can mean foiling an attack that would otherwise end in disaster to the brand and its customers.
As we move through the next year, considering the crime trends that affected the payment industry in the past three years, it is clear that compliance must be implemented more vigorously.
Adding more advanced security to regulatory requirements can really help retailers become more resilient in the face of growing sophistication of threats and the determination of those perpetrating them.
Mark Gazit is CEO of ThetaRay.