Only 27.9% of organizations able to maintain compliance with the PCI DSS

Global organizations continue to put their customers’ cardholder data at risk due to a lack of long term payment security strategy and execution, flags the Verizon report.

With many companies struggling to retain qualified CISOs or security managers, the lack of long-term security thinking is severely impacting sustained compliance within the Payment Card Industry Data Security Standard (PCI DSS).

Cybercriminals still mostly targeting payment data

Payment data remains one of the most sought-after and lucrative targets for cybercriminals, with 9 out of 10 data breaches being financially motivated, as highlighted by the report. Within the retail sector alone, 99 percent of security incidents were focused on acquiring payment data for criminal use.

On average only 27.9 percent of global organizations maintained full compliance with the PCI DSS, which was developed to help businesses that offer card payment facilities protect their payment systems from breaches and theft of cardholder data.

More concerning, this is the third successive year that a decline in compliance has occurred with a 27.5 percentage point drop since compliance peaked in 2016.

“Unfortunately we see many businesses lacking the resources and commitment from senior business leaders to support long-term data security and compliance initiatives. This is unacceptable,” said Sampath Sowmyanarayan, President, Global Enterprise, Verizon Business.

“The recent coronavirus pandemic has driven consumers away from the traditional use of cash to contactless methods of payment with payment cards as well as mobile devices. This has generated more electronic payment data and consumers trust businesses to safeguard their information.

“Payment security has to be seen as an on-going business priority by all companies that handle any payment data, they have a fundamental responsibility to their customers, suppliers and consumers.”

Few organizations successfully test security systems

Additional findings shine a spotlight on security testing and unmonitored system access: only 51.9 percent of organizations successfully test their security systems and processes, and only approximately two-thirds of all businesses adequately track and monitor access to business-critical systems.

In addition, only 70.6 percent of financial institutions maintain essential perimeter security controls.

“This report is a welcome wake-up call to organizations that strong leadership is required to address failures to adequately manage payment security. The Verizon Business report aligns well with Omdia’s view that the alignment of security strategy with organizational strategy is essential for organizations to maintain compliance, in this case with PCI DSS 3.2.1 to provide appropriate levels of payment security.

“It makes clear that long-term data security and compliance combines the responsibilities of a number of roles, including the Chief Information Security Officer, the Chief Risk Officer, and Chief Compliance Officer, which Omdia concurs with,” comments Maxine Holt, senior research director at Omdia.

Difficulty maintaining PCI DSS compliance impacts all businesses

SMBs were flagged as having their own unique struggles with securing payment data. While smaller businesses generally have less card data to process and store than larger businesses, they have fewer resources and smaller budgets for security, impacting the resources available to maintain compliance with PCI DSS.

Often the measures needed to protect sensitive payment card data are perceived as too time-consuming and costly by these smaller organizations, but as the likelihood of a data breach for SMBs remains high, it is imperative that PCI DSS compliance is maintained.

The on-going CISO challenge: Security strategy and compliance

The report also explores the challenges CISOs face in designing, implementing and maintaining an effective and sustainable security strategy, and how these can ultimately contribute to the breakdown of compliance and data security management.

These problems were found not to be technological in nature but to result from organizational weaknesses, which could be resolved by more mature management skills: creating formalized processes, building a business model for security, and defining a sound security strategy with operating models and frameworks.

Tracking global cybercrime activity and the impact on the digital economy

A LexisNexis Risk Solutions report tracks global cybercrime activity from January 2020 through June 2020. The period has seen strong transaction volume growth compared to 2019 but an overall decline in global attack volume. This is likely linked to growth in genuine customer activity due to changing consumer habits.

The report analyzes data from more than 22.5 billion transactions processed, a 37% growth year over year. Mobile device transactions also continue to rise, with 66% of all transactions coming from mobile devices in the first half of 2020, up from 20% in early 2015.

There’s also an uptick in transactions from new devices and new digital identities. This is attributed to many new-to-digital consumers moving online to procure goods and services that were no longer available in person or harder to access via a physical store, during the pandemic.

Attacks by region

The EMEA region saw lower overall attack rates in comparison to most other global regions from January through June 2020. This is due to a high volume of trusted login transactions across relatively mature mobile apps.

The attack patterns in EMEA were also more benign and had less volatility and fewer spikes in attack rates. However, there are some notable exceptions. Desktop transactions conducted from EMEA had a higher attack rate than the global average and automated bot attack volume grew 45% year over year.

The UK originates the highest volume of human-initiated cyberattacks in EMEA, with Germany and France second and third in the region. The UK is also the second largest contributor to global bot attacks behind the U.S.

One example of a UK banking fraud network saw more than $17 million exposed to fraud across 10 financial services organizations. This network alone consisted of 7,800 devices, 5,200 email addresses and 1,000 telephone numbers.

Decline in attack rate

The overall human-initiated attack rate fell through the first half of 2020, showing a 33% decline year over year. The breakdown by sector shows a 23% decline in financial services and a 55% decline in e-commerce attack rates.

Latin America experienced the highest attack rates of all regions globally and realized consistent growth in attack rates from March to June 2020. The attack patterns in North America and EMEA had less volatility and fewer spikes in attack rates over the six-month period observed.

Attack vector global view

Media is the only industry that recorded an overall year over year growth in human-initiated cyberattacks. There was a 3% increase solely across mobile browser transactions.

Globally, automated bots remain a key attack vector in the Digital Identity Network. Financial services organizations experienced a surge in automated bot attacks and continue to experience more bot attacks than any other industry.

Across the customer journey

New account creations see attacks at a higher rate than any other transaction type in the online customer journey. However, the largest volume of attacks targets online payments. Login transactions have seen the biggest drop in attack rate in comparison to other use cases.

Analysis across new customer touchpoints in the online journey is included in this report for the first time, providing additional context on key points of risk such as money transfers and password resets.

During COVID-19

All industries have felt the impact of COVID-19. There are clear peaks and troughs in transaction volumes coinciding with global lockdown periods.

Financial services organizations realized a growth in new-to-digital banking users, a changing geographical footprint from previously well-traveled consumers and a reduction in the number of devices used per customer. There have also been several attacks targeting banks offering COVID-19-related loans.

E-commerce merchants have seen an increase in digital payments and several other key attack typologies that coincide with the lockdown period. These included account takeover attacks using identity spoofing and more first-party chargeback fraud.

Rebekah Moody, director of fraud and identity at LexisNexis Risk Solutions, said: “The move to digital, for both businesses and consumers, has been significant. Yet with this change comes opportunity for exploitation. Fraudsters look for easy targets: whether government support packages, new lines of credit or media companies with fewer barriers to entry.”

200% increase in invoice and payment fraud BEC attacks

There has been a 200 percent increase in BEC attacks focused on invoice or payment fraud from April to May 2020, according to Abnormal Security. This sharp rise continues the trend.

Also, according to the report, invoice and payment fraud attacks increased more than 75 percent in the first three months of 2020.

Larger dollar amounts are involved

During invoice and payment fraud BEC attacks, attackers pose as vendors, suppliers or customers in order to steal money using tactics such as initiating fraudulent wire transfers or hijacking vendor conversations to redirect vendor payments. These types of attacks typically involve much larger dollar amounts compared to other types of BEC attacks since they target business to business transactions.

In one example, the Abnormal Security team detected and stopped an attempted invoice fraud targeting a telecommunications provider, preventing more than $700,000 in losses. The attacker impersonated a real vendor and methodically engaged numerous employees over the course of two months, eventually convincing the target to change banking details and redirect the payment of a legitimate invoice of over $700,000 to the attacker’s account before the transaction was prevented.

Increasing number of attacks

An increasing number of these attacks were tracked, both in the number of organizations targeted and the number of attacks received per organization. The research team observed:

  • A 200% increase in the average rate of invoice and payment fraud BEC attacks each week
  • A 36% increase in the number of organizations experiencing these attacks
  • Out of all types of BEC attacks, invoice and payment fraud BEC attacks are increasing in popularity. In April, these types of attacks comprised 14% of all BEC attacks, increasing to 17% in May.

“While all business email compromise attacks can lead to significant financial loss, those focused on invoice and payment fraud can have an even greater financial impact,” said Evan Reiser, CEO and co-founder, Abnormal Security.

“Even when an organization has established best-in-class security, third-parties represent a weak link. As these types of attacks continue to climb, it’s more important than ever for companies to implement technology that detects and stops them.”

PCI SSC updates standard for payment devices to protect cardholder data

The PCI Security Standards Council has updated the standard for payment devices to enable stronger protections for cardholder data.

Meeting the accelerating changes of payment device technology

The PCI PIN Transaction Security (PTS) Point-of-Interaction (POI) Modular Security Requirements 6.0 enhances security controls to defend against physical tampering and the insertion of malware that can compromise card data during payment transactions.

Updates are designed to meet the accelerating changes of payment device technology, while providing protections against criminals who continue to develop new ways to steal payment card data.

“Payment technology is advancing at a rapid pace,” says Emma Sutcliffe, SVP, Standards Officer at PCI SSC. “The changes to this standard will facilitate design flexibility for payment devices while advancing the standard to help mitigate the evolving threat environment.”

Protecting PINs

Established to protect PINs and the cardholder data stored on the card (on magnetic stripe or the chip of an EMV card) or used in conjunction with a mobile device, PTS POI Version 6.0 reorganizes the requirements and introduces changes that include:

  • Restructuring modules into Physical and Logical, Integration, Communications and Interfaces, and Life Cycle to reflect the diversity of devices supported under the standard and the application of requirements based upon their individual characteristics and functionalities.
  • Limiting firmware approval timeframes to three years to help ensure ongoing protection against evolving vulnerabilities.
  • Requiring devices that accept EMV enabled cards to support Elliptic Curve Cryptography (ECC) to help facilitate the EMV migration to a more robust level of cryptography.
  • Enhancing support for the acceptance of magnetic stripe cards in mobile payments using solutions that follow the Software-Based PIN Entry on COTS (SPoC) Standard.

“Feedback from our global stakeholders, along with changes in payments, technology and security is driving the changes to this standard,” said Troy Leach, SVP at PCI SSC. “It’s with participation from the payments industry that the Council is able to produce standards that are relevant and enhance global payment card security.”

Magecart attackers hit Claire’s, Intersport web shops

Magecart attackers have compromised web shops belonging to large retail chains Claire’s and Intersport and equipped them with payment card skimmers.

Claire’s

The compromise of Claire’s online store and that of its sister brand Icing has been flagged by Sansec researchers.

The skimmer was served from a domain made to look like it might belong to the company (claires-assets.com), and it was added to the two online stores between April 25th and 30th.

“The malware was added to the (otherwise legitimate) app.min.js file. This file is hosted on the store servers, so there is no “Supply Chain Attack” involved, and attackers have actually gained write access to the store code,” the researchers pointed out.

“The skimmer attaches to the submit button of the checkout form. Upon clicking, the full ‘Demandware Checkout Form’ is grabbed, serialized and base64 encoded. A temporary image is added to the DOM with the __preloader identifier. The image is located on the server as controlled by the attacker. Because all of the customer submitted data is appended to the image address, the attacker now has received the full payload. Immediately, the image element is removed.”

How the attackers managed to compromise the web shops is still unknown, but they started planning the attack a month before actually executing it. In fact, they registered the malicious domain a day after Claire’s announced that it would be temporarily closing all of its brick-and-mortar stores due to COVID-19.

Intersport

ESET researchers flagged the compromise of Intersport’s web store and said that the company fixed the issue within several hours of being notified by ESET.

Sansec researchers say that an initial hack happened on April 30th and then another one on May 14th.

Only the localized Intersport web shops serving customers from the Balkans region have been compromised.

What now?

It is still unknown how long the skimmers went unnoticed.

None of the compromised web shops sport a prominent notification about the breach and payment card info theft. Claire’s notified the payment card networks and law enforcement, and let’s hope they will contact affected customers directly once they determine the extent of the compromise and theft.

Companies should have protections in place to notice this and other types of breaches soon after they happen, but unfortunately many don’t.

If you’re paying for your purchases with payment cards – whether online or in physical stores – you should regularly check your account statements for unauthorized charges and report them quickly.

Is the stress of card fraud worth the digital convenience?

With a growing portion of consumers having now fallen victim to card fraud, anxiety about the security of our digital accounts is spiking, according to a survey by Marqeta.

The survey talked to 4,000 consumers across the United States and the United Kingdom about consumer attitudes toward card fraud in an increasingly digital economy.

According to the survey, card fraud has had a pervasive, repeat impact on a large number of American and UK consumers, an issue of skyrocketing importance with the digital economy providing a crucial lifeline to the many millions of people currently sheltering-in-place:

  • 46 percent of US consumers surveyed had fallen victim to card fraud in the past, with 20 percent of consumers hit inside the last 12 months.
  • A sizable portion of US consumers had been repeated prey for fraudsters: 16 percent had been impacted twice, while 10 percent were hit three (or more) times.
  • Each fraudulent transaction had a sizable average ticket price: 33 percent of Americans who were victims said more than $500 was charged to their accounts.

Consumers prefer digital security over convenience

While fraud is increasingly common, consumers were reluctant to accept it as a fair cost of their increasingly online existences: 69 percent said the stress of card fraud wasn’t a fair trade-off for digital conveniences, while 59 percent said that they didn’t see it as a built-in part of the modern economy.

An overwhelming majority of people surveyed – 87 percent – said they would be happy for online transactions to take longer to complete if their information was better protected.

“Our new survey shows that being a victim of fraud is not an unusual experience for consumers today. There’s an almost fifty-fifty chance you have been impacted, with a growing number of people hit multiple times. With consumers forced to do business almost entirely online throughout COVID-19 quarantines, we are all even more vulnerable.

“Consumers are putting financial services providers on watch. They don’t see convenience at the point of sale as being worth it if they’re not being protected,” said Vidya Peters, CMO at Marqeta.

Card fraud causing growing concerns

The growing threat of card fraud, with people either impacted themselves or likely knowing someone who has been, is becoming a major point of anxiety for consumers: 55 percent of US consumers said they worried regularly about card fraud, with 21 percent of people saying they worried about security every time they entered their details online.

Despite this, consumers admitted to complacency, which plays a big part in giving fraudsters the jump. More than half of all fraudulent transactions (52 percent) reported in the survey took place within half an hour of a card going missing, but less than a third of consumers (29 percent) said they noticed immediately when their card was stolen, and less than half (42 percent) canceled their cards right away. Fifty-two percent of consumers surveyed said that they could do a better job in protecting their card information.

“There’s a real catch-22 inherent in consumer behavior today, that presents an opportunity for banking and payments innovators. There’s a rising tide of anxiety about being a victim of card fraud, but yet a complacency and lack of awareness of how to protect yourself,” Peters continued.

“Given the new possibilities brought about by modern card issuing platforms today, there’s a chance to create digital-first product experiences that consumers love while providing the strongest fraud prevention controls possible.”

Pandemic driving global e-commerce growth, but fraud is on the increase too

The COVID-19 crisis is driving the global growth of e-commerce sales, with millions of consumers worldwide in quarantine shopping for goods, services and entertainment online.

Transaction volumes in most retail sectors have seen a 74 percent rise in March compared to the same period last year, while online gaming has seen a staggering increase of 97 percent, according to analysis by ACI Worldwide of hundreds of millions of transactions from global online retailers.

“During these unprecedented and uncertain times with millions now at home, many consumers are going online to purchase products or services,” said Debbie Guerra, executive vice president, ACI Worldwide.

“Quarantine has changed lives for all of us, with consumers buying electronics and furniture—to support work, communication, school and entertainment—as well as items such as home goods and DIY products.”

However, fraud is on the increase too, the research shows, as fraudsters are using the surge in online activity to target unsuspecting consumers and merchants.

Merchants are starting to experience dramatic increases in COVID-19-related phishing activities, with stolen credentials released into the e-commerce payments chain, as well as increased friendly fraud activities.

“Fraudulent attempts are on the rise, and consumers must be vigilant as fraudsters are using the current situation to obtain and use their financial data and information,” continued Guerra.

Key findings

Online retailer sectors with rising transaction volumes in March 2020 compared to the previous year include:

  • Home products and furnishings: +97 percent
  • DIY products: +136 percent
  • Garden essentials: +163 percent
  • Electronics: +26.6 percent
  • Telco: +18.6 percent

Online retail sectors with declining transaction volumes in the same period:

  • Ticketing: -60 percent
  • Travel: -44 percent
  • Online dating: -8.9 percent

Fraud trends

  • Average fraudulent attempted purchase value increased by $36 in March, driven by electronic and retail goods; this corresponds to a fraudulent attempted transactional value increase by 13 percent.
  • Fraudulent attempted transactional volume decreased by 8 percent, driven by the increase in fraudulent attempted purchase value.

“Long term, we and others in the industry predict that the shift in consumer behavior—opting for online purchases—is likely to outlast the crisis,” concluded Guerra.

“The industry is well ahead of the curve in adapting payment methods and ways to combat fraud in response to the changing behaviors and expectations of consumers, which are now being expedited by the lockdown.”

Tips for consumers to protect identity and personal information

  • Beware of online requests for personal information. Coronavirus-themed emails seeking personal information are likely to be phishing scams. Legitimate government agencies won’t ask for that information. Delete the email.
  • Check the email address or link. Inspect a link by hovering the mouse button over the URL to see where it leads. Sometimes, it’s obvious the web address is not legitimate. But keep in mind phishers can create links that closely resemble legitimate addresses. Delete the email.
  • Watch for spelling and grammatical mistakes. If an email includes spelling, punctuation and grammar errors, it’s likely a sign of a phishing email. Delete the email.
  • Look for generic greetings. Phishing emails are unlikely to use a person’s name. Greetings like “Dear sir or madam” often signal an email is not legitimate.
  • Avoid emails that insist on acting now. Phishing emails often try to create a sense of urgency or demand immediate action. Delete the email.

Tips for merchants to maintain security and deliver to customers

Maintain security and deliver a great customer experience, as consumer purchasing behavior—both genuine and fraudulent—has changed.

  • For example: Express shipment and Buy-Online Pickup In-Store delivery methods in the last two weeks have tripled, making transaction decision speed and accuracy critical.
  • Use customer profiling and time-on-file techniques to maintain the customer experience for valued customers and ensure good transactions are still accepted.

Expect an increase in friendly fraud chargebacks as a result of growing financial difficulties among consumers. Friendly fraud occurs when a cardholder receives goods, but denies making a purchase, or a family member makes a purchase without cardholder approval.

  • Monitor systems and update as necessary. Business intelligence tools and real-time monitoring lead to immediate decisions and responses. Employ rapid access to fraud intelligence to inform rules changes in real time.
  • Engage frequently with web and mobile site security management. Give these teams the tools, techniques and procedures to detect, contain and mitigate botnets. And considering the presence of both good and bad bots, put business policies in place to address this issue with clarity for both teams.

Online payment fraud attempts see 73% increase

Online payment fraud attempts increased by 73 percent in 2019, according to a report from Sift.

Additional findings in the report reveal that cybercriminals are using mobile devices more than desktops or laptops to commit payment fraud. In fact, though Windows is the top single operating system for fraudsters, iOS and Android combine to make up more than half of attempted fraudulent transactions.

And while, unsurprisingly, the number one most targeted industry vertical in 2019 was physical e-commerce, business services, digital e-commerce, education, and on-demand services all fell within the top ten fraudiest verticals.

New ways to pay, new ways to steal

The most common payment type associated with fraud? Not credit cards. In fact, credit cards were beaten out by promotions/coupons, cryptocurrency, digital wallets, and even “pay with cash” options that are popular with some on-demand services.

Fraudsters swing for the fences

Rather than trying to avoid detection with smaller purchases, fraudsters look for larger scores, with fraudulent order values reaching three times the price of legitimate purchases on average.

Trying to game the system

The largest attempted purchase on Sift’s platform in 2019 was for a video game power-up sold on an online marketplace. The attempted payment was $1 million, and though obviously fraudulent, demonstrates some of the new methods bad actors are employing in order to steal from businesses.

Summer is the holiday shopping season for fraudsters

Fraudsters don’t wait until the winter holidays to kick their scams into high gear. Rather, payment fraud attempts peak during the summer months.

Working on the weekend

Saturdays had the highest instances of payment fraud attempts of any day of the week.

More authentication and identity tech needed with fraud expected to increase

The proliferation of real-time payments platforms, including person-to-person (P2P) transfers and mobile payment platforms across Asia Pacific, has increased fraud losses for the majority of banks.

FICO recently conducted a survey with banks in the region and found that 4 out of 5 (78 percent) have seen their fraud losses increase.

Further to this, almost a quarter (22 percent) say that fraud will rise significantly in the next 12 months, with an additional 58 percent saying they expect a moderate rise in fraud.

“While the convenience of real-time payments is great news for customers, increasingly, banks have zero time to clear a transaction or payment. AI can’t slow down the clock, but it can help create systems that are radically quicker to recognize a transaction that smells likely to be fraudulent,” said Dan McConaghy, president of FICO in Asia Pacific.

“Banks will need to move beyond passwords and OTPs and add biometrics, device telemetry and customer behavior analytics to keep up with the changing payments landscape.”

Authentication and identity tech

When asked which identity and authentication strategies they used, the majority of APAC banks (84 percent) reported having a multi-factor authentication strategy. They increasingly use a wide range of authentication methods, including biometrics (64 percent), normal passwords (62 percent) and, in last place, behavioral authentication (38 percent).

Interestingly, nearly half of the respondents (46 percent) are currently using only one or two of these strategies, potentially leaving them more exposed to attack vectors such as identity theft, account takeovers and cyberattacks.

“Why try to crack a safe when you can walk in the front door?” explained McConaghy.

“Criminals are trying to fool banks into thinking they are new customers or stealing account access by tricking people into making security mistakes or giving away sensitive information. When they are successful, criminals are making use of real-time payments to move funds quickly through a maze of global accounts.”

The survey bore this out with 40 percent of banks naming social engineering as the number one fraud concern when it comes to real-time payments. Account takeovers were ranked second, with false accounts and money mules also rated as problems.

New forms of biometric, multi-factor and behavioral technologies allow banks to stop payments from being made even when an account appears to be using the correct (but stolen) password or entering the right (but intercepted) one-time password.

“Beyond this type of account take over, we also have authorized push payment fraud, such as when a customer is tricked into paying what they think is a legitimate invoice like a fake school bill or payment to a tradesperson,” said McConaghy.

“This type of social engineering is harder to stop but better KYC, link analysis to find money mule accounts and behavioral analytics to flag new accounts for a regular payee, are all examples of how to tackle it.”

Mitigating criminal behavior

Beyond stopping fraud on real-time payment platforms, criminals engaged in drug trafficking, human smuggling, tax evasion and terrorism finance are also attracted to the irrevocable nature of instant payments.

The lack of visibility between jurisdictions has seen regulators encouraging banks to move quickly in this cross-border payments space to ensure payments are compliant and secure.

In terms of mitigating this criminal behavior, more than 90 percent of APAC banks surveyed thought that convergence between their fraud and compliance functions would be helpful in defending transactions on real-time payments platforms.

“We estimate that there is about an 80 percent overlap in software functionality between legacy fraud and anti-money laundering systems,” added McConaghy.

“To tackle fraud and money laundering schemes that exploit real-time money movement you need to leverage all the available technologies, automate as much as you can and introduce models that can identify outlier transactions and customer behavior so your teams can spend their time investigating the riskiest of the red flags.”

As the online shopping season begins, consumers worry about cybercrime

A majority of U.S. consumers plan to do most of their holiday shopping online for the first time ever, yet a survey from F-Secure finds that most internet users remain concerned about their exposure to cybercrime. Major consumer trends The survey of shoppers highlighted 3 major trends among American consumers: Bank account hacking and data breaches are the biggest worries on the web. 62% are either worried or extremely worried about a hacker taking over … More

Merchants must find ways to balance security with a seamless customer experience

69% of U.S. merchants reported that a significant amount of company time and expense is dedicated to dealing with payment fraud, in a survey by American Express. Balance security with a streamlined customer experience Nearly eight-in-ten U.S. merchant respondents (77%) reported that their companies experienced some type of fraud over the course of being in business, and their efforts to manage security are impacting their businesses’ bottom lines. At the same time, the survey found that … More

Cybercriminals targeting e-commerce website vulnerabilities this holiday season

Expect unprecedented levels of online data theft this holiday season due to a lack of deployed client-side security measures.

Disturbing lack of security measures

Tala Security highlights the widespread vulnerability resulting from integrations that enable and enhance website functionality. These integrations, which exist on nearly every modern website operating today, allow attackers to target PII and payment information.

98% of the Alexa 1000 websites were found to be lacking security measures capable of preventing attacks. In related warnings, both the FBI and the PCI Council cautioned that hackers are targeting online credit card information.

“Online merchants and website owners must recognize the critical need for client-side security. The fundamental driver of online commerce — consumer trust — is at stake as attackers target widespread client-side vulnerabilities to steal credentials, credit card numbers, financial data and other PII,” said Aanand Krishnan, CEO and co-founder of Tala Security.

Key findings from the survey

  • Only 2% of Alexa 1000 sites have implemented effective controls to prevent personal, financial and credential theft.
  • Form data submitted by users, captured on forms present on 98% of websites, is exposed to 10 times more domains than the website owner intended. This creates a massive opportunity for attackers to steal data.
  • The average website relies on 31 third-party integrations, which provide nearly two-thirds of the content customers view on their browsers. This content is delivered via client-side connections that lack effective security controls.
  • Most consumers will be surprised to learn that only one-third of the content rendering on their browser is owned, created and served by the owner of the website. The remaining two-thirds is served via client-side connections that lack effective security.
  • Although 27% of website owners attempt to deploy security measures, only 2% succeed in deploying effective policies capable of preventing client-side attacks.
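The findings above come down to two questions a site owner can actually answer: which origins do my pages load scripts from and submit forms to, and does my client-side policy permit each of them? The Node.js script below is an added example, not code from the article or from Tala Security. It inventories the `<script src>` and `<form action>` destinations in a page and checks each one against a Content-Security-Policy header, so that a form posting to an origin the owner never intended shows up as BLOCK rather than going unnoticed. The page HTML, the policy and every host name in it are constructed samples, and the audit assumes the page is served from `https://shop.example`.

```javascript
// Added example, not code from the article or from Tala Security.
// Inventory where a page's <script> and <form> elements send the browser,
// then check each destination against a Content-Security-Policy so the
// origins that would be blocked (and the ones silently allowed) are visible.
// The HTML, the policy and every host name below are constructed samples.

const PAGE_ORIGIN = 'https://shop.example';

const SAMPLE_HTML = `
<html><body>
  <script src="/static/app.js"></script>
  <script src="https://static.shop.example/checkout.js"></script>
  <script src="https://cdn.analytics-vendor.test/tag.js"></script>
  <form action="https://payments.example/charge"><input name="card"></form>
  <form action="https://collector.unexpected.test/submit"><input name="card"></form>
</body></html>`;

const SAMPLE_CSP =
  "default-src 'self'; " +
  "script-src 'self' https://static.shop.example; " +
  "form-action 'self' https://payments.example";

// Collect the origins that scripts load from and forms submit to.
function extractDestinations(html, pageOrigin) {
  const found = [];
  const patterns = [
    ['script', /<script\b[^>]*\bsrc=["']([^"']+)["']/gi],
    ['form', /<form\b[^>]*\baction=["']([^"']+)["']/gi],
  ];
  for (const [kind, re] of patterns) {
    let m;
    while ((m = re.exec(html)) !== null) {
      // Relative URLs resolve against the page's own origin.
      found.push({ kind, origin: new URL(m[1], pageOrigin).origin });
    }
  }
  return found;
}

// Parse a CSP header into a map of directive name -> list of source expressions.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Does one CSP source expression match an origin? Covers 'self', 'none', '*',
// scheme sources (https:), and host sources with optional scheme, *. wildcard and port.
function sourceMatches(source, origin, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'self'") return origin === pageOrigin;
  if (s === "'none'") return false;
  if (s === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return origin.startsWith(s + '//');
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const u = new URL(origin);
  if (scheme && scheme + ':' !== u.protocol) return false;
  if (wildcard ? !u.hostname.endsWith('.' + host) : u.hostname !== host) return false;
  if (port && port !== '*') {
    const effective = u.port || (u.protocol === 'https:' ? '443' : '80');
    if (effective !== port) return false;
  }
  return true;
}

// The governing directive: script-src falls back to default-src, but
// form-action has no fallback, so a policy without it allows any form target.
function governingSources(directives, kind) {
  if (kind === 'script') return directives.get('script-src') || directives.get('default-src') || ['*'];
  if (kind === 'form') return directives.get('form-action') || ['*'];
  return ['*'];
}

// One row per destination: would this policy let the browser contact it?
function auditPage(html, cspHeader, pageOrigin) {
  const directives = parseCsp(cspHeader);
  return extractDestinations(html, pageOrigin).map(({ kind, origin }) => {
    const sources = governingSources(directives, kind);
    const allowed = sources.some((src) => sourceMatches(src, origin, pageOrigin));
    return { kind, origin, allowed };
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of auditPage(SAMPLE_HTML, SAMPLE_CSP, PAGE_ORIGIN)) {
    console.log(`${r.allowed ? 'ALLOW' : 'BLOCK'}  ${r.kind.padEnd(6)} ${r.origin}`);
  }
}
```

Run with `node audit.js` against the embedded sample and the two unexpected destinations (the analytics script and the second form's collector origin) come back as BLOCK while the owner's own origins are allowed. The form-action handling is the point worth noticing: unlike `script-src`, it does not inherit from `default-src`, so a policy that only sets `default-src 'self'` still lets a form post anywhere, which is exactly the kind of gap that leaves a "deployed" policy ineffective.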

Risky behavior exposes consumers to seasonal security scares

In advance of the peak shopping season, a study from PCI Pal shows that millions of Americans continue to over-indulge in risky behaviors – both online and on the phone, leaving themselves open to seasonal security scares. While 49% of Americans have reportedly been the victims of cybercrime, the study concludes that fears of fraud have not done enough to significantly change consumer behaviors. The data identified the seven seasonal security ‘sins’ more likely to … More

Trusted certificates make phishing websites appear valid

There has been a rampant growth of look-alike domains, which are often used to steal sensitive data from online shoppers. Venafi analyzed suspicious domains targeting 20 major retailers in the U.S., U.K., France, Germany and Australia and found over 100,000 look-alike domains that use valid TLS certificates to appear safe and trusted. According to the research, growth in the number of look-alike domains has more than doubled since 2018, outpacing legitimate domains by nearly four … More

Do your infosec habits make you vulnerable to fraud?

A third of Americans have been a victim of information fraud or identity theft. Despite notable data breaches in 2019, when asked if they update or change passwords/PINs after a company they do business with suffers a data breach, more than a quarter (28%) say only sometimes and nearly one in 10 (9%) say they don’t update their passwords at all, according to a Shred-it survey. Safeguarding sensitive data Four in ten (41%) Americans who … More

Evaluating cyber risk during the holiday season

Fears of data loss, identity theft and fraud are leaving American consumers on edge this holiday season, and they’re prepared to hold their financial institution responsible for the damages. This is according to a new study released by Terbium Labs, which found that 68 percent of shoppers would hold their bank at least partly responsible for fraudulent activity, regardless of how the compromise occurred. The blame game Americans are on high alert heading into the … More
