Page 12 - GS140601
News
Trustwave finds fraud diversifying

Organized fraud apparently mirrors the financial services industry closer than anyone cares to imagine, with an increasing emphasis on diversification. Data security firm Trustwave released its global security report that reveals fraudsters have diversified attacks and increasingly target troves of nonpayment card data.

In the 2014 Trustwave Global Security Report released May 21, the Chicago-based firm reported a rise in the number of data breaches in 2013, compared with 2012, and a branching out of attacks to target sensitive and confidential information, such as financial account credentials, internal communications, personally identifiable information and various types of customer records.

Chris Pogue, Director at Trustwave, explained that in the previous five years, fraudsters were focused on stealing payment card data because it held the highest value on the black market. But times have changed. "I think now we're seeing not so much a decline in payment card data being targeted, but there's an expansion into other data elements," he said. "And what I think that shows is the diversification by attackers, going into different data types."

Pogue believes this shift in data being targeted will result in new avenues on the black market. "What emerging shadow economy are we going to see that will pop up that buys and sells electronic personal health care information, personally identifiable information, industry trade secrets, financial credentials?" he said. "There's going to be a market for all of that, or they wouldn't waste their time on it."

Diverse and growing

Trustwave's report was based on 691 breaches it investigated in 2013, up by 53.6 percent from 2012. Of those breaches (across 24 countries), 45 percent involved nonpayment card data, representing an overall 33 percent increase in that segment and a 22 percent increase specifically in the theft of financial credentials.

Meanwhile, 54 percent of assets targeted in 2013 were in the e-commerce realm, and 33 percent targeted physical, in-store POS systems, Trustwave reported. But those figures are not to suggest that fraudsters are shifting their focus away from hacking into physical terminals, according to Pogue. "I'm definitely not saying a reduction," he said. "They've got their hands firmly fixed in the point of sale world. They know how to do it. They are very good at it. The malware is very advanced, very effective."

Rather, Trustwave's findings suggest that fraudsters are responding to market shifts and even taking into account the eventual transition of the U.S. payments infrastructure to the reportedly more fraud resistant Europay/MasterCard/Visa (EMV) chip card standard. "They are looking to diversify their revenue stream," Pogue said. "So it's a good business decision and a market shift and we have to prepare for it."

Self-detection pays off

Perhaps Trustwave's most alarming pair of statistics is that 71 percent of compromise victims do not detect breaches themselves and that the median number of days from the time of a breach to its detection was 87 days. That means fraudsters typically have almost three months after they breach systems to harvest data undetected – "a tremendous amount of time," Pogue said.

Hackers routinely "go native" with the data they steal, Pogue added, which means they don't exploit the information immediately, but instead blend in using that data as cover. For example, a fraudster could use a user name and password stolen from an individual's personal social media account to probe that person's corporate network.

It is an unfortunate fact that the same credentials are often used for both personal and professional accounts, Pogue said. Trustwave investigations have shown that corporate systems are compromised through the exploitation of user credentials harvested from unrelated accounts.

But Trustwave's report is not all doom and gloom; its analysis showed that companies that self-detected breaches significantly reduced the length of compromises. The median number of days it took a self-detecting organization to contain a breach was one day, Trustwave said, while it took 14 days to contain a breach when it was detected by a third-party vendor.

Pogue said e-commerce businesses are more likely to self-detect because they employ programmers and web and content developers who monitor systems carefully and are quicker to detect anomalies that might signify fraudulent activities. But Pogue stressed that, even for large organizations with information technology staffs, the expertise of third-party security firms can help in keeping businesses safe from fraud.

"There's a whole lot of moving parts that only a subject matter expert can bring to the table," he said.