Digital Transformation » Cyber Security » How payment card fraud is feeding the cybercriminal economy

The criminal underworld is notorious for its ability to adapt to new developments in technology at a level most businesses can only dream of, seizing new opportunities and overcoming challenges with constantly evolving tactics.

One of the most visible examples of this struggle is the difficulty in fighting financial cybercrime and fraud. Despite the continued efforts of governments, regulatory bodies and individual businesses to shut down criminal strategies and cut off revenue streams, fraudsters have continued to adapt and flourish.

For example, when EMV chips were added to cards in the United States, there was a small decline in fraud cases involving stolen credit card data in-store – but a huge rise in card not present (CNP) instances where stolen credit card accounts are used online.

The Payment Card Industry Security Standards Council (PCI DSS) was established in 2006 as a direct response to the rising volume of credit card fraud, but both the number and severity of instances has continued to climb.

Overall fraud levels did fall in 2018, but evolving cybercriminal tactics saw certain types of fraud dramatically increase. Recent research found new account fraud in the US grew from $3bn in 2017 to $3.4bn in 2018.

While standards such as PCI DSS have struggled to stem the tide of fraud, following their guidelines is nevertheless one of the best options for any participant of the financial industry supply chain to secure their data and mitigate credit card theft and fraud.

Organisations also need to be armed with a strong understanding of the most prevalent tactics used by cybercriminals, and the cyber risks facing their own operations.

The most popular sources of compromised data

With credit card information being one of the most popular commodities of the cybercriminal economy, attackers have developed a wide range of tactics for accessing and stealing data.

Phishing – Criminals commonly impersonate legitimate and trusted contacts via email, and more rarely over the phone, to trick targets into sharing information including credit card details. The Phishing Activity Trends Report found 33 percent of all phishing attacks targeted the payment industry.

Hardware Skimming – An example of fraud in the physical world, criminals can install Bluetooth-based skimmer devices on to point of sale (POS) devices or ATMs to covertly harvest information. Most customer-facing payment devices are vulnerable, with restaurants and hotels being popular targets.

Data Breaches – While harder to execute individual phishing and hardware skimming attacks, compromising a company’s systems can enable a criminal to steal the details of thousands or even millions of customers at once.

SQL Injection – Many websites are vulnerable to SQL injections, enabling criminals to download large amounts of financial data with relative ease. Exposed application elements including from fields and URLs can be exploited using a variety of commonly available tools such Havij SQLi and sqlmap.py.

Malware Infection – Malware is commonly delivered through phishing emails and via compromised websites. Two of the most prominent threats to payment data are POS malware and network sniffing or keylogging malware. POS malware will scan a device’s active processes and scrape payment data before it is encrypted.

Malware will often be implanted as part of a security breach and can remain undetected for months or even years after the breach is closed. Network sniffing malware analyses network traffic and copies sensitive data including payment details, while keylogging malware records a user’s keystrokes, harvesting information such as names, passwords and financial data.

Unprotected Backups – Backing up data is a primary element of any disaster recovery or business continuity plan, but the ease of backing up through the cloud means workers often create backups without administrator knowledge – potentially leaving them vulnerable to cybercriminals.

Vulnerable Third Parties – Criminals will often attack through suppliers, partners and other third parties. A compromised API, OAuth token, or database key for example can give cybercriminals access to credit card data.

The cybercriminal economy

All data has some value, and cybercriminal groups have developed a vast and sophisticated economy for buying, selling and trading datasets. For example, in January 2019 data breach expert Troy Hunt discovered a database containing over 770 million unique email addresses and 21 million unique passwords.

Because people tend to use the same login email addresses and passwords across multiple sites and services, it’s very easy for criminals to use an algorithm to pair emails with likely password combinations to widen the scope of their attack beyond the company that was originally breached.

Bank logins, credit card data, PayPal credentials, and e-commerce retail credentials are some of the most popular items for sale on the dark web. Selling the information of a cache of stolen cards can easily lead to earnings of hundreds of thousands of pounds.

Protecting financial data from becoming a commodity

The dark web makes it easy for even an inexperienced, relatively non-technical criminal to acquire advanced malware tools and instructions on how to use them. Stealing financial information and committing fraud has never been easier. Unfortunately, most organisations lack the ability to track illicit activity on the dark web and discover if the financial data in their care is being bought and sold by criminals.

Alongside following best practice for managing and securing payment data and other sensitive and important information, investing in the ability to monitor dark web forums and track stolen data can help reduce the threat to companies and their employees and customers. While breaches cannot always be prevented, quickly identifying that data has been stolen will help to mitigate financial and reputation harm and give customers an early warning before their data is abused.

This insight can also be used to help organisations ensure they are only working with suppliers and partners who are able to keep valuable data safe. A single weak link in the supply chain can compromise data across the ecosystem, so visibility into the supply chain can help financial institutions, merchants, and retailers, protect customer information. By understanding how cybercriminals attack and the risks facing their operations and supply chain, organisations can reduce the chances of their data ending up in the cybercriminal economy.