Criminals target the data merchants hold
Retailers and restaurants accounted for 24% of compromised data last year, a new study says.
Article Courtesy of: Paul Demery – Chief Technology Editor
Retailers face numerous threats to confidential consumer data that criminals can use for online and offline criminal activities, Verizon Enterprise Solutions says in a new report compiled from dozens of international sources.
The study notes that 24% of the 621 breaches last year affected multi-channel retailers and restaurants, second as a group only to financial organizations, at 37%. The breaches include criminals using various hacking techniques, malicious software downloaded via e-mail, and access to networks with log-in credentials stolen from authorized network users.
Financial organizations’ high percentage is largely because of ATMs. ATMs are the asset most commonly used to steal data because criminals can grab the data without breaking into a computer network, the report says. Such ATM data theft relies on what are known as ATM skimming techniques, which use software that criminals install in ATM card swipe mechanisms to capture account numbers; ATM skimming also uses hidden cameras to record the personal identification number that a consumer enters on the ATM keypad, Verizon says.
However, for data compromised through network intrusions, retailers account for the largest percentage of breaches, at 21.7%, followed by manufacturers at 12.2%, the report says.
The “Verizon 2013 Data Breach Investigative Report” is based on data compiled from 18 government and independent organizations from several countries, including the U.S. National Cybersecurity and Communications Integration Center, the U.S. Secret Service and the U.S. arm of business consultancy Deloitte Development LLC.
Criminals often attack store point-of-sale systems either to infiltrate a retailer’s computer network or to steal account data right at the store checkout counter, says Suzanne Widup, senior analyst on the risk management team at Verizon Enterprise Solutions, which provides security services and consulting.
With some retailers deploying web-based point-of-sale systems, criminals search for ways to infiltrate them—either to directly access customer account databases or to install malware, such as key-logging software designed to capture account data as it is displayed on a computer screen. “Anything that has an IP address is a target,” she says.
Verizon notes that this adds to other ways of getting at POS system data, such as hacking into the wireless networks that retailers use to transfer POS data from checkout terminals to back-office servers. Verizon advises retailers to ensure that POS networks, as well as all company computer networks and wireless networks, are routinely patched with updated security software to thwart potential breaches.
Once criminals find a way to breach a particular type of POS system, they’ll often look for other retailers with the same system to attack, she says. After they steal data, criminals typically sell it to other criminals or use it to make fraudulent online transactions, she says.