Cybercriminals increasingly target point of sales systems

Trustwave highlights the difference in data-breach activity between North America and the rest of the world

Attackers infect point-of-sale terminals with malware

Attackers infect point-of-sale terminals with malware

The data breach landscape could look very different in the future with the increased adoption of chip-enabled payment cards in North America -- but for now point-of-sale systems account for the majority of breaches there, compared to a tiny minority in other regions of the world.

Hacked point-of-sale (PoS) terminals were responsible for 65 percent of the data compromises investigated by security firm Trustwave last year in North America, compared to only 10 percent in Europe, Middle East and Africa and 11 percent in the Asia and Pacific region. Worldwide, the company investigated 574 breaches, half of them in the U.S.

The difference between PoS breach numbers in North America and other regions is largely due to a payment card standard called EMV (Europay, MasterCard, and Visa), which mandates the use of electronic chips in cards for antifraud protection. These are also called Chip-and-PIN or Chip-and-Signature cards and they have only recently started to be introduced in the U.S. and Canada.

The chip is used to authenticate the cards to EMV-capable card readers. It also makes it extremely hard for attackers to clone the cards even if they steal the data encoded on their magnetic stripes, which is known as track data.

In regions where EMV has been the de facto payment card standard for a long time -- almost a decade in Europe -- fraud has shifted from transactions where cards are physically used to transactions where cards are not present, like those performed online. As a consequence, attackers there are more likely to target e-commerce websites, from which they can extract card information that can be used to perform fraudulent transactions online.

That's not yet the case in the U.S., where card track data and PoS systems remain the primary target, according to Trustwave's 2015 Global Security Report released Tuesday.

While EMV, however, can control fraud, it does not provide complete security, said John Yeo, vice-president at Trustwave. It shifts fraud to transactions in which physical cards are not used, where cybercriminals have fewer options to extract cash. Companies should not assume that with chip-enabled cards the cardholder data is automatically safe and security should be ignored, he said.

Worldwide, compromised point-of-sale (PoS) systems were involved in 40 percent of the breaches investigated by Trustwave, compared to 33 percent in 2013. The only business assets that were even more frequently targeted by attackers last year were e-commerce applications, which accounted for 42 percent of breaches.

Retail (including e-commerce retailers), food and beverage and hospitality businesses suffered the largest number of data breaches, accounting for 68 percent of the cases investigated by Trustwave -- retail 43 percent, food and beverage 13 percent and hospitality 12 percent.

Significant differences between attackers' preference for PoS and e-commerce breaches were also observed across industry sectors, not just regions.

Sixty-four percent of breaches in the retail sector involved the compromise of e-commerce environments, 27 percent point-of-sale systems and 9 percent corporate networks. In the hospitality sector 65 percent of breaches involved PoS environments and 29 percent e-commerce, while in the food and beverages sector 95 percent were PoS and only 5 percent e-commerce.

Overall, e-commerce transaction data like personal identifiable information and cardholder data was compromised in almost half of all breaches and PoS transaction data, or track data, in a third of them. Cybercriminals also stole financial credentials in 12 percent of breaches and proprietary business data in 8 percent.

The most common methods of intrusion used in the incidents analyzed by Trustwave were insecure remote access software or policies and weak passwords. Together, these accounted for 56 percent of all compromises, the distribution being half and half.

For PoS environments in particular these two security failures were responsible for 94 percent of breaches. That's because many PoS terminals are configured for remote administration, either over the Internet or over a corporate network.

Weak input validation, which can lead to SQL and other code injections, together with unpatched vulnerabilities, were the second leading causes of compromises, accounting for 15 percent each. As expected, these were much more common for e-commerce breaches.

When it comes to corporate network compromises, the leading causes were malicious insiders and misconfigurations, accounting for a third each.

Companies are still not doing a good job at quickly identifying and containing breaches, according to Trustwave.

Affected companies identified breaches themselves in only 19 percent of cases. This is a significant decrease from last year's 29 percent.

Regulatory bodies, card brands and merchant banks were responsible for alerting businesses that they suffered a breach in 58 percent of cases. Law enforcement is also increasingly playing a role in this, notifying affected companies of 12 percent of breaches compared to 3 percent last year.

The median number of days from intrusion to detection across all incidents was 86, while from intrusion to containment it was 111. However, the numbers are very different for self-discovered breaches -- only 14.5 days from intrusion to containment. This suggests that it's considerably better for companies to have processes in place that allow them to identify breaches themselves.

The Trustwave report shows that many companies are still struggling with basic security principles like enforcing access controls, implementing strong authentication, patching known vulnerabilities or avoiding common Web coding errors that have been known since the 1990s.

It's generally accepted among security professionals that there's no such thing as 100 percent security and that if a determined and sophisticated attacker wants to get in, he'll eventually find a way. Therefore, companies should strive to make it as hard as possible for attackers to break in, to the point where compromising systems would no longer justify the investment in time and resources for the vast majority of attackers.

Unfortunately, the organizations that do get breached are still getting some of the security fundamentals quite wrong, Yeo said.

Join the PC World newsletter!

Error: Please check your email address.

Tags intrusiontrustwavesecuritydata breachAccess control and authenticationfraud

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles


PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?