Dec 28, 2012

Business Networks at Risk from Cybercriminals

While 2011 was seen as a success for cybercriminals worldwide, it seems 2012 may be no different as nearly 71 percent of merchants store unencrypted payment card data on their business network, according to SecurityMetrics’ second annual Payment Card Threat Report. Unfortunately, only one quarter of a percent (.24 percent) of card data storage on corporate systems declined between 2011 and 2012. Industries that accounted for over half (55 percent) of the total unencrypted payment data storage among businesses included the financial, hospitality and retail industry. “Hackers proactively search for unencrypted card data because it takes less effort to steal,” said Director of Security Assessment, Gary Glover in a company release. “Whether a business stores unencrypted card data because of an improperly configured payment application, or because employees handle data improperly, storing card data without encryption is against industry regulation.” Of the 2,754 businesses surveyed by SecurityMetrics’ Payment Card Industry Forensic Investigators, the majority said they had no idea they were storing credit cards on their business network. According to the report, many businesses do not realize payment card data may be stored behind the scenes of their computer systems – leaving data unprotected, and easily accessible for cyber criminals to steal. In fact, 10.53 percent of merchants unknowingly store magnetic strip track data on their network, essential for the illegal reproduction of credit and debit cards, as stated in the report. Additional findings uncovered from the first-time payment card data discovery scans include:

Total Gigs scanned: 143,579
Total files scanned: 457,048,456
Total cards found: 315,639,164
Max cards found in single scan: 91,657,934

Primary account numbers from all major card brands (Visa, MasterCard, American Express, Discovery and JCB) are among the most common type of data found on business networks. Depending on the card type, card origination and the laws of supply and demand, harvested payment card details can be purchased for an average of $2 per card. According to SecurityMetrics, crimeware toolkits, pre-crafted hacking software, are readily available to criminals and can be found online on illegal “carding” forums where buyers must undergo a series of screenings to participate. As a result, worldwide credit card fraud amounts to $5.5 billion. “Countless lives are thrown into financial turmoil because of these websites, with a few simple clicks, thousands of stolen credit card numbers can be bought or sold to fraudsters anywhere in the world,” said U.S. Attorney Neil H. MacBride. Nevertheless, as more data is stolen from business networks, the more fines and penalties they (companies) risk. Unless changes are made to delete and prevent unencrypted data, cyber criminals will continue to hack and confiscate payment card data. According to the report, ways in which businesses can prevent unencrypted payment card data storage is by creating map pathways of payment card data on their network, employ a card data discovery tool, create effective policies and securely delete sensitive files.