Cybercriminals are gaining on retailers: attackers are using RAM-scraping malware to compromise point-of-sale (POS) systems at an alarming rate.
RAM scraping was thought to be on the decline, but recent high-profile retail data breaches show the technique is still very much in favor, according to Verizon's "2014 Data Breach Investigations Report." The seventh annual DBIR analyzed 1,367 confirmed data breaches and more than 63,000 security incidents and boiled them down to nine identifiable patterns.
Nine out of 10 incidents can be described by nine basic patterns: POS intrusions, Web app attacks, insider misuse, physical theft/loss, miscellaneous errors, crimeware, card skimmers, DoS attacks and cyber espionage, with an "everything else" bucket for the remainder. Over the past three years, POS intrusions have grown to account for 31 percent of incidents at retailers, up from virtually zero in 2010; denial of service accounts for another 33 percent of retail incidents and Web app attacks for 10 percent.
"(2013) may be tagged as the 'year of the retailer breach,' but a more comprehensive assessment of the InfoSec risk environment shows it was a year of transition from geopolitical attacks to large-scale attacks on payment card systems," according to the report.
And when it comes to POS attacks, RAM scrapers are to blame, marking a resurgence of an old method of stealing POS data. The technique works because card data has to sit in cleartext in the POS application's memory at the moment it is processed, even when it is encrypted on disk and in transit: the malware reads the running process's memory and searches it for magnetic-stripe track data.
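As an added example (not from the Verizon report or from this article), the Python below performs the pattern search that a RAM scraper runs over POS process memory, turned into a detection check: it scans a memory image for ISO 7813 Track 1 and Track 2 layouts and Luhn-validates the PAN so that random digit runs are not reported. The sample memory bytes, the cardholder name and the offsets are constructed for illustration; the card number is the standard Visa test PAN.

```python
import re
from dataclasses import dataclass
from typing import List

# Track 1 (%B<PAN>^<NAME>^<YYMM><service code><discretionary>?) and
# Track 2 (;<PAN>=<YYMM><service code><discretionary>?) as they appear in
# process memory. RAM scrapers search for exactly these layouts; a memory
# forensics or DLP scan can use the same patterns to find exposed card data.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^\^?]{2,26})\^(\d{4})(\d{3})([^?]{0,40})\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d{0,40})\?")


def luhn_ok(pan: bytes) -> bool:
    """Mod-10 check: rejects digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):  # iterating bytes yields ints
        d = ch - 48
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: bytes) -> str:
    """Keep BIN and last four only, so findings can be logged safely."""
    s = pan.decode()
    return s[:6] + "*" * (len(s) - 10) + s[-4:]


@dataclass
class Finding:
    offset: int        # byte offset of the track data in the image
    track: int         # 1 or 2
    masked_pan: str
    expiry: str        # YYMM
    service_code: str


def scan_memory(buf: bytes) -> List[Finding]:
    """Return Luhn-valid track data found in a memory image, sorted by offset."""
    found = []
    for m in TRACK1_RE.finditer(buf):
        pan, exp, svc = m.group(1), m.group(3), m.group(4)
        if luhn_ok(pan):
            found.append(Finding(m.start(), 1, mask(pan), exp.decode(), svc.decode()))
    for m in TRACK2_RE.finditer(buf):
        pan, exp, svc = m.group(1), m.group(2), m.group(3)
        if luhn_ok(pan):
            found.append(Finding(m.start(), 2, mask(pan), exp.decode(), svc.decode()))
    found.sort(key=lambda f: f.offset)
    return found


# Constructed memory image (hypothetical): one Track 1 record, one Track 2
# record, and a Track 2 lookalike whose PAN fails the Luhn check (noise).
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"%B4111111111111111^DOE/JOHN^2512101123456789?"
    + b"\x00" * 8
    + b";4111111111111111=2512101123456789?"
    + b"\x00" * 8
    + b";4111111111111112=2512101123456789?"
    + b"txn_id=000012345678 amount=1999\x00"
)

if __name__ == "__main__":
    for f in scan_memory(SAMPLE_DUMP):
        print(f"offset={f.offset:6d} track={f.track} pan={f.masked_pan} "
              f"exp={f.expiry} svc={f.service_code}")
```

Running this over the constructed image reports the Track 1 and Track 2 records and ignores the lookalike whose PAN fails the Luhn check. The same two regular expressions, applied to a real process dump or to memory snapshots of the POS application, are a quick way to confirm whether track data is exposed in cleartext and therefore reachable by a scraper.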
Verizon's top three threats to shopper data start with Internet intrusion: attackers scan for Internet-exposed remote access services that lead to point-of-sale systems, and weak or nonexistent passwords let them log in and plant malware. Stolen vendor credentials come second, again thanks to weak, bad or nonexistent passwords. Third is a compromise at a corporate location that is then used to reach the POS environment.
One of the more startling revelations is the speed with which hackers can get in, get the information and get out before a retailer even notices. "The bad guys seldom need days to get their job done, while the good guys rarely manage to get theirs done in a month of Sundays," noted the report. "Attackers are getting better (and) faster at what they do at a higher rate than defenders are improving their trade. This doesn't scale well, people."
On a positive note, internal discovery of breaches now outnumbers external discovery for the first time in the report's 10-year history. Law enforcement and unrelated third parties such as CSIRTs and threat researchers are rising fast as important early detectors.
All this comes as liability shifts from banks to retailers: retailers that do not comply with the new data security mandate will be held liable for customer losses.
See the Verizon "2014 Data Breach Investigations Report."