POS crime pays, bad guys get 1,425% ROI

For some, crime does pay—at least for now. Point-of-sale hackers reap an estimated 1,425 percent return on investment for their exploit kit and ransomware schemes.

Put another way, for an investment of $5,900 for a one-month ransomware campaign, a criminal can profit about $90,000, according to the 2015 Trustwave Global Security Report. The most prevalent exploit kit, found in 25 percent of Trustwave's investigations, is known as "RIG", and can be rented for $150 a week.

The report is based on data collected from 574 data breach forensic investigations conducted by Trustwave in 15 countries during 2014. It also draws on the company's penetration testing (aka ethical hacking), threat intelligence from Trustwave's five global security operations centers, threat and vulnerability research, and telemetry from security technologies.

Retail was the most compromised industry in 2014, making up 43 percent of Trustwave's investigations, with 64 percent of breaches in e-commerce assets and 27 percent in POS assets. Forty-two percent of investigations were e-commerce breaches, and 40 percent were point-of-sale breaches.

"Some retailers are doing a better job at dedicating resources, time and budget to security, but the industry is still behind," Charles Henderson, VP of managed security testing at Trustwave told FierceRetailIT. "For the past three years, the retail industry has topped our list of most compromised industries. The findings show that many retailers are still not making security a top priority in spite of the string of high profile breaches the industry has witnessed in the past couple years."

As the number of retailers that take proactive security action increases, the retailers who continue with the status quo will face increasingly greater odds of experiencing a compromise. "Attackers are drawn to the path of least resistance and that path will run squarely over retailers who have not made investments in security," Henderson said.

Trustwave encountered more than 15 unique family groups of malware and more than 70 individual variants that targeted POS systems. Twenty-eight percent of the malware encountered was of the memory dumper/memory scraper variety, and another 20 percent consisted of remote administration tools (RATs).

"While many retailers recognize malware as a clear danger, they are not increasing their efforts to combat it. Countermeasures such as deploying managed gateway technologies that detect and block malware in real time can provide substantial gains in the defense against malware attacks. Retailers that implement these strategies will most likely see a dramatic decrease in malware incidents," Henderson said.

The biggest issue in security remains weak passwords, the study found. "Password1" was still the most common password, and 39 percent of passwords were eight characters long. The estimated time it took to crack an eight-character password was one day, while the estimated time to crack a 10-character password was 591 days. Of the passwords cracked by Trustwave experts, 15 percent used variations of basic names and places, with the top 2,000 baby names for 2015 being used the most often.

"Weak passwords can lead to bad things," Henderson said. "Time and time again during penetration tests, our experts make use of simple passwords to propagate and escalate access."

However, despite the inherent weaknesses in passwords, they will remain an authentication control for the foreseeable future, so to make them stronger, users need to be educated about secure passwords. "They should be encouraged to avoid the predictable pitfalls we've highlighted in our analysis, choose passwords of 10-character length or more, and inject complexity and randomness into their password choices," he said. 

The transition to EMV chip cards will help cut down on credit card fraud.

"EMV is an anti-fraud tool rather than a security tool. It specifically targets card-present fraud. With EMV's deployment in the U.S., there will likely be a shift to card-not-present attacks (e-commerce compromises)," Henderson said. "In other words, it is likely that e-commerce businesses will increasingly be a target of attacks by criminals hoping to commit card-not-present fraud, or hoping to sell data to those who hope to commit card-not-present fraud." 

Henderson summed up the impact for retailers: "Security in retail is in a state of transition. With the upcoming EMV adoption in the U.S. and the increasing adoption of security technologies and services, retailers who do not make improvements in their security posture will likely be left behind by the rest of the industry."
