Cybercriminals increasingly target point of sales systems

Trustwave highlights the difference in data-breach activity between North America and the rest of the world

Attackers infect point-of-sale terminals with malware

Attackers infect point-of-sale terminals with malware

The data breach landscape could look very different in the future with the increased adoption of chip-enabled payment cards in North America -- but for now point-of-sale systems account for the majority of breaches there, compared to a tiny minority in other regions of the world.

Hacked point-of-sale (PoS) terminals were responsible for 65 percent of the data compromises investigated by security firm Trustwave last year in North America, compared to only 10 percent in Europe, Middle East and Africa and 11 percent in the Asia and Pacific region. Worldwide, the company investigated 574 breaches, half of them in the U.S.

The difference between PoS breach numbers in North America and other regions is largely due to a payment card standard called EMV (Europay, MasterCard, and Visa), which mandates the use of electronic chips in cards for antifraud protection. These are also called Chip-and-PIN or Chip-and-Signature cards and they have only recently started to be introduced in the U.S. and Canada.

The chip is used to authenticate the cards to EMV-capable card readers. It also makes it extremely hard for attackers to clone the cards even if they steal the data encoded on their magnetic stripes, which is known as track data.

In regions where EMV has been the de facto payment card standard for a long time -- almost a decade in Europe -- fraud has shifted from transactions where cards are physically used to transactions where cards are not present, like those performed online. As a consequence, attackers there are more likely to target e-commerce websites, from which they can extract card information that can be used to perform fraudulent transactions online.

That's not yet the case in the U.S., where card track data and PoS systems remain the primary target, according to Trustwave's 2015 Global Security Report released Tuesday.

While EMV, however, can control fraud, it does not provide complete security, said John Yeo, vice-president at Trustwave. It shifts fraud to transactions in which physical cards are not used, where cybercriminals have fewer options to extract cash. Companies should not assume that with chip-enabled cards the cardholder data is automatically safe and security should be ignored, he said.

Worldwide, compromised point-of-sale (PoS) systems were involved in 40 percent of the breaches investigated by Trustwave, compared to 33 percent in 2013. The only business assets that were even more frequently targeted by attackers last year were e-commerce applications, which accounted for 42 percent of breaches.

Retail (including e-commerce retailers), food and beverage and hospitality businesses suffered the largest number of data breaches, accounting for 68 percent of the cases investigated by Trustwave -- retail 43 percent, food and beverage 13 percent and hospitality 12 percent.

Significant differences between attackers' preference for PoS and e-commerce breaches were also observed across industry sectors, not just regions.

Sixty-four percent of breaches in the retail sector involved the compromise of e-commerce environments, 27 percent point-of-sale systems and 9 percent corporate networks. In the hospitality sector 65 percent of breaches involved PoS environments and 29 percent e-commerce, while in the food and beverages sector 95 percent were PoS and only 5 percent e-commerce.

Overall, e-commerce transaction data like personal identifiable information and cardholder data was compromised in almost half of all breaches and PoS transaction data, or track data, in a third of them. Cybercriminals also stole financial credentials in 12 percent of breaches and proprietary business data in 8 percent.

The most common methods of intrusion used in the incidents analyzed by Trustwave were insecure remote access software or policies and weak passwords. Together, these accounted for 56 percent of all compromises, the distribution being half and half.

For PoS environments in particular these two security failures were responsible for 94 percent of breaches. That's because many PoS terminals are configured for remote administration, either over the Internet or over a corporate network.

Weak input validation, which can lead to SQL and other code injections, together with unpatched vulnerabilities, were the second leading causes of compromises, accounting for 15 percent each. As expected, these were much more common for e-commerce breaches.

When it comes to corporate network compromises, the leading causes were malicious insiders and misconfigurations, accounting for a third each.

Companies are still not doing a good job at quickly identifying and containing breaches, according to Trustwave.

Affected companies identified breaches themselves in only 19 percent of cases. This is a significant decrease from last year's 29 percent.

Regulatory bodies, card brands and merchant banks were responsible for alerting businesses that they suffered a breach in 58 percent of cases. Law enforcement is also increasingly playing a role in this, notifying affected companies of 12 percent of breaches compared to 3 percent last year.

The median number of days from intrusion to detection across all incidents was 86, while from intrusion to containment it was 111. However, the numbers are very different for self-discovered breaches -- only 14.5 days from intrusion to containment. This suggests that it's considerably better for companies to have processes in place that allow them to identify breaches themselves.

The Trustwave report shows that many companies are still struggling with basic security principles like enforcing access controls, implementing strong authentication, patching known vulnerabilities or avoiding common Web coding errors that have been known since the 1990s.

It's generally accepted among security professionals that there's no such thing as 100 percent security and that if a determined and sophisticated attacker wants to get in, he'll eventually find a way. Therefore, companies should strive to make it as hard as possible for attackers to break in, to the point where compromising systems would no longer justify the investment in time and resources for the vast majority of attackers.

Unfortunately, the organizations that do get breached are still getting some of the security fundamentals quite wrong, Yeo said.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securityfrauddata breachintrusiontrustwaveAccess control and authentication

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments



Victorinox Werks Professional Executive 17 Laptop Case

Learn more >

Sansai 6-Outlet Power Board + 4-Port USB Charging Station

Learn more >



Back To Business Guide

Click for more ›

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?