Will an increase in retail breaches increase online card fraud?

In last week’s episode of the BBC’s Cybercrimes with Ben Hammersley series (available on the iPlayer till Sunday 16 November and well worth a watch), the moustachioed technologist discussed recent large-scale cyber crimes, including the biggest retail data breach in American history – the data breach that hit retail giant Target last November.

Compared with ‘traditional’ crimes, large-scale cyber attacks are very attractive to cyber criminals: they get greater rewards if successful, and spend less time in prison if caught. In cases of ordinary card fraud, once the crime has been detected, cards are cancelled and criminal opportunities dry up. With the large supply of fresh bank card numbers that criminals can get via a massive data breach, it’s possible to make millions, and all from the comfort of your own home.

We’ve discussed the Target hack on our American blog over the last year, but here’s a quick recap in case you haven’t followed our coverage. Target was hacked through a third-party supplier – its air conditioning contractor, Fazio Mechanical Services. Although there was no reason why Target’s air conditioning supplier should have had access to any sales data in the first place, Target’s network was not segmented properly, so the air con provided a backdoor that the hackers could easily exploit to gain access to the point-of-sale registers in over 1700 Target stores. Then it was just a matter of harvesting as much data as possible before the company took action.

110 million customers lost their card data. And what do the criminals do with harvested data? They spend.

Target is by no means the only organisation to have been hit, however. Many well-known retailers, from eBay to Booking.com, have reported breaches in the last year, and it seems that many other organisations have suffered similar attacks without publicising them. Charlie McMurdie, former head of the Metropolitan Police e-Crime Unit, told the programme:

“We’ve certainly seen that, from law enforcement when we’ve arrested individuals, we actually find evidence of far more attacks and data that’s been stolen from elsewhere from companies that don’t want to come forward and substantiate the actual crime allegations. But a lot of the attacks that happen is [sic] kept under wraps because businesses fear reputational damage if these attacks go into the public domain.”

It’s hardly surprising that banks and retailers feel little urge to publicise the security incidents that affect them. After all, would you continue to trust your bank if it couldn’t secure your information – or your money?

Retailers are condemned by their own reticence. Report a data breach and suffer the consequences; don’t report it and contribute to a culture that effectively promotes cyber crime as the ‘least worst’ option for society. As Mr Hammersley remarks, “Going public about losing private data is almost never in the best interests of business… so the silence of global corporations means that cyber crime pays – until you get caught.” The likelihood is that online fraud will only increase, especially at this busy time of the year when more and more people are doing their Christmas shopping online.

One thing we can be sure of is that it’s unlikely that we’ll have to wait for long before other high-profile and high-volume attacks hit the headlines. The cyber security journalist Brian Krebs told the programme:

“It’s actually pretty remarkable that in the last few months we haven’t heard about another major retail breach… it’s the calm before the storm.”

As more and more breaches hit the headlines – and more and more are unreported – what can you do to protect yourself from attack and its associated costs? How do you know that your information security systems are adequate?

Penetration testing will identify potential vulnerabilities in your infrastructure and web applications, and provide recommendations to improve your network security. IT Governance’s consultant-driven penetration tests combine a range of advanced manual tests by our expert, CREST-accredited penetration testers with a number of automated vulnerability scans, using multiple tools and techniques, to enable you to protect your organisation from malicious attack.

If you order IT Governance’s Combined Infrastructure and Web Application Penetration Test – Level 1 in November, we’ll carry out an email phishing campaign to test your staff’s awareness absolutely free. Protect your systems from attack, see if your staff are susceptible to phishing attacks, and mitigate the vulnerabilities that cyber attacks will exploit.