Payment data breaches: from Point of Sales system attacks to website attacks
Aanand Krishnan
Technology executive, entrepreneur, product management leader and startup advisor
Quick Read
A number of technology shifts are pushing hackers to steal credit card data from websites instead of point-of-sale systems. According to industry studies, over 60% of retail data breaches in 2018 were due to website hacks. Enterprises, especially retailers, should be building self-defending websites that can protect themselves against credit card and credential theft.
Use of Chip Technology
Until recently, hackers were focused on stealing credit card data stored in the magnetic stripes of our cards (this data is called a "dump" in fraudster lingo). Hackers typically did this by getting malware to execute on point-of-sale systems. This malware would read the credit card data stored in the magnetic stripe and send it to the hacker's server. Hackers would then sell these dumps on the dark web to fraudsters, who would in turn clone physical copies of credit cards in order to perpetrate fraud in physical stores. The key point to remember is that clones made from dumps did not have your CVV2 data, and could only be used in physical stores, not online.
The advent of chip-based technology in cards forced fraudsters to change their methods. Today, over 60% of point-of-sale systems in the US support chip-based cards, and chip technology has also made it much harder to clone cards. In other words, "dumps" are no longer as useful.
Instead, fraudsters started demanding credit card data that can be used to make online purchases. This data, in contrast to a dump, is called "CVV" in fraudster lingo. CVV includes cardholder name, address, credit card number, expiration and the CVV2 (3 digits on the back of the card). The increasing demand for CVVs from fraudsters led to a corresponding increase in the price for CVVs on the dark web.
As a result of all this, hackers have shifted their attention to stealing CVVs.
Hackers have adjusted their tactics
2018 was the first year in which we saw the impact of this shift. In 2018, we saw a significant push by hacker groups like Magecart to skim online credit card data from websites, and there are signs that the threat from groups like Magecart is only growing. Hackers attacked websites from multiple angles - sometimes hacking into a website directly, sometimes via "supply chain attacks" (e.g., Shopper Approved).
The 2019 Verizon Breach Report illustrates how this shift has accelerated in the last 2 years. Almost 50% of payment data breaches are now happening due to website hacks. In fact, according to the report, 63% of breaches in the retail sector (88 out of a total 139 reported) happened due to attacks on web applications. Worryingly, out of 92 incidents, 88 led to breaches.
What is the solution?
As Tala has blogged earlier, website architectures have changed significantly in the last few years - traditional approaches to protecting them simply don't work.
Retailers must build self-protecting controls into their websites, including Content Security Policy (CSP), Subresource Integrity (SRI) and others that are widely supported by browsers. These security controls allow e-Commerce vendors to protect their sensitive customer data from Magecart and other supply chain attacks and also have a real-time alerting mechanism that lets them know when customer data is being skimmed from their websites.
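The two controls named above, shown in Node.js as an added example (not code from the article or from Tala): SRI pins a third-party script to the bytes that were reviewed, and CSP restricts where page scripts may send data and reports violations. The hostnames, the /csp-report endpoint and the script bodies are constructed, and the connect-src matcher is a simplified stand-in for the browser's own.

```javascript
// Added example, not from the original article. Hostnames, /csp-report and script bodies are constructed.
const { createHash } = require('node:crypto');

// SRI value: "<alg>-<base64 digest>" of the exact bytes the site owner reviewed.
function sriHash(body, alg = 'sha384') {
  return `${alg}-${createHash(alg).update(body, 'utf8').digest('base64')}`;
}

// Browser-side check: hash the fetched bytes, refuse to execute on mismatch.
function sriAllows(integrity, fetchedBody) {
  return sriHash(fetchedBody, integrity.split('-', 1)[0]) === integrity;
}

// CSP that allow-lists script sources and outbound connections and asks the
// browser to POST a violation report (the alerting channel) to reportUri.
function buildCsp({ scriptHosts, connectHosts, reportUri }) {
  return [
    "default-src 'self'",
    `script-src 'self' ${scriptHosts.join(' ')}`,
    `connect-src 'self' ${connectHosts.join(' ')}`,
    "form-action 'self'",
    `report-uri ${reportUri}`,
  ].join('; ');
}

// Simplified connect-src matching (exact origins only, no wildcards or paths).
function cspAllowsConnect(csp, pageOrigin, url) {
  const directive = csp.split('; ').find((d) => d.startsWith('connect-src '));
  const origin = new URL(url).origin;
  const sources = directive.split(' ').slice(1);
  return sources.some((s) => (s === "'self'" ? origin === pageOrigin : origin === s));
}

function demo() {
  const reviewed = 'window.reviewsWidget = { render() {} };';
  const tampered = reviewed + '\n/* code appended upstream after review */';
  const integrity = sriHash(reviewed);
  const csp = buildCsp({ scriptHosts: ['https://widgets.example'],
    connectHosts: ['https://payments.example'], reportUri: '/csp-report' });
  return {
    tag: `<script src="https://widgets.example/reviews.js" integrity="${integrity}" crossorigin="anonymous"></script>`,
    csp,
    reviewedRuns: sriAllows(integrity, reviewed),
    tamperedRuns: sriAllows(integrity, tampered),
    paymentCall: cspAllowsConnect(csp, 'https://shop.example', 'https://payments.example/charge'),
    unknownCall: cspAllowsConnect(csp, 'https://shop.example', 'https://collector.invalid/c'),
  };
}
console.log(demo());
```

The `csp` string is sent as the `Content-Security-Policy` response header on checkout pages; the `tag` string replaces the plain script include for the third-party widget.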
Message me if you want to learn about how Tala can help you convert your existing website into a self-protecting one, in minutes.