Rob Ratcliff was the Content and Community Manager of IFSEC Global.com. He is a self-confessed everyman in the world of security and fire, keen to learn from the global community of experts who have been a part of IFSEC for 40 years now.
February 22, 2013


Retail Businesses: Biggest Victims of Cybercrime

Retail businesses are most at risk for cyber attacks, according to John Yeo of online security company Trustwave.

Click here to view Figure 1.

Data from Trustwave’s annual Global Security Report, published on Wednesday, reveals that 45 percent of the company’s investigations have been into data loss and intrusions in retail firms.

This is the first time in the three years since Trustwave began publishing the Global Security Report that retail has topped the list — compiled using data from 450 investigations in the past year carried out by Trustwave’s ethical hacking unit, Spiderlabs.

Retail was closely followed by the food and beverage industry, such as coffee and pizza shops, and the third most common was the hospitality industry, including hotels.

In an exclusive interview with IFSEC Global last week, John Yeo, Head of Spiderlabs in Europe, spoke about the key findings of this year’s report, ahead of the RSA Conference in San Francisco next week.

One of the commonalities across those three is that many of them are franchised or distributed business models.

That’s really interesting from an attacker’s perspective because if they can figure out a way of compromising, let’s say, one hotel property, then they can effectively rinse and repeat to compromise other properties within the same hotel group.

Organised, financially-motivated crime
A massive 80 percent of the attacks were against businesses in the US and Australia, where what John calls a “bricks and mortar compromise” is far more common. This is due to the immaturity of the chip and PIN layer of security on payment cards there.

In Europe, where chip and PIN is more mature, cyber attacks tend to focus on e-commerce retailers with algorithms that are seeking one thing: payment card data.

And the criminals seeking this data are, says Yeo, “well organised, well funded, and well resourced.”

Of the 450 investigations, there were just 40 different variants of malware developed by just six groups.

Ninety-six percent of all of the investigations carried out were of the theft of personal data, specifically card data, which can easily be monetised, unlike the theft of intellectual property, which makes up the remaining 4 percent.

A criminal group in country A can perpetrate a cyber attack against an e-commerce site in country B, and then that data can be sold on, and fraud perpetrated in country C, which gives us a whole bunch of problems from a law enforcement perspective.

As a business, we are focused on responding to financially-motivated cybercrime, rather than state, corporate, or hacktivist-type activity. So that is a bias in our data set.

In the last two years of the Global Security Report, two years ago, about 89 percent was focused on personal data, last year 90 percent, this year, 96 percent, so it has been a pretty consistent trend. Payment card data has been for a long time, and remains, very attractive from a hacker’s perspective because of that ease of monetisation.

Who manages your systems?
The Global Security Report also found that there was an increased risk of intrusion in organisations where third party companies were responsible for system administration, with 63 percent of cases involving outsourcing.

We’re not saying outsourcing is bad, or that outsourcing in and of itself introduces security risks, but what we are saying is that many organisations who make bad outsourcing choices end up getting hacked.

There’s a lack of appreciation, and a lack of due diligence, in that outsourcing process, and probably organisations are too focused on the cost-saving implications, and not focusing on what the risk is of a lower level of security.

How do you know if you’ve been hacked?
Yeo continued:

Organisations are really, really bad at self-detecting compromises.

Only about 24 percent of victim organisations that suffered a data breach identified that themselves. The remaining three quarters are reliant on either a regulatory body, law enforcement, a third party, or the public notifying the victim organisation to tell them they’ve suffered a data breach.

Of the organisations that had to be notified, there is, according to John, a large window of time between the original intrusion and containment, with the average length of time that hackers have free rein in a system coming in at 210 days.

“That’s just the average. If we look at the last 5 percent, it was over two years,” Yeo says.

Common point of purchase analysis
Card vendors, such as Mastercard, use a technique called common point of purchase analysis to link incidents of fraud. For instance, John and I both bought a meal at a specific hotel one year ago, and were both victims of card fraud. This common location would be seen in the analysis, and by process of elimination, that hotel identified as the location of the data breach.

It could be only at this point that the organisation with the data breach becomes aware.
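The linking step described above can be sketched as follows. This is an added example, not code from the article, Trustwave or any card scheme; the card histories, merchant names and the scoring rule (share of fraud-hit cards minus share of unaffected cards) are constructed assumptions that generalise the two-victim hotel case to a ranked list.

```python
from collections import defaultdict

# Constructed sample data: card id -> merchants used in the look-back window.
HISTORY = {
    "card-A": {"Hotel X", "Grocer 1", "Fuel 7"},
    "card-B": {"Hotel X", "Grocer 1", "Cafe 3"},
    "card-C": {"Hotel X", "Bookshop 2"},
    "card-D": {"Grocer 1", "Cafe 3"},
    "card-E": {"Grocer 1", "Fuel 7", "Bookshop 2"},
    "card-F": {"Grocer 1", "Cafe 3", "Fuel 7"},
}
FRAUD_CARDS = {"card-A", "card-B", "card-C"}  # cards with reported fraud (constructed)


def common_points_of_purchase(history, fraud_cards, min_fraud_cards=2):
    """Rank merchants by how concentrated fraud-hit cards are among their customers."""
    seen = defaultdict(lambda: [0, 0])  # merchant -> [fraud cards, unaffected cards]
    for card, merchants in history.items():
        idx = 0 if card in fraud_cards else 1
        for merchant in merchants:
            seen[merchant][idx] += 1

    n_fraud = sum(1 for card in history if card in fraud_cards)
    n_clean = len(history) - n_fraud
    ranked = []
    for merchant, (fraud, clean) in seen.items():
        if fraud < min_fraud_cards:
            continue  # a single victim does not make a "common" point
        fraud_share = fraud / n_fraud if n_fraud else 0.0
        clean_share = clean / n_clean if n_clean else 0.0
        # Process of elimination: a merchant that unaffected cards also use
        # (the supermarket everyone visits) scores low or negative.
        ranked.append((merchant, fraud, round(fraud_share - clean_share, 2)))
    # Highest score first; merchant name breaks ties deterministically.
    return sorted(ranked, key=lambda row: (-row[2], row[0]))


if __name__ == "__main__":
    for merchant, fraud, score in common_points_of_purchase(HISTORY, FRAUD_CARDS):
        print(f"{merchant}: {fraud} fraud-hit cards, score {score}")
```

Comparing against unaffected cards is what keeps a merchant that nearly everyone uses from being flagged simply because the victims shopped there too.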

The 2013 Global Security Report is available now.

February 25, 2013 7:29 am

Good to see that the Chip and Pin (and the rigmarole/moaning we all associated with the initial deployment) have actually yielded good results compared to those who haven’t taken the same steps.
Really though, I wonder how much retail are made targets just by their own exposure and profile. The bigger the brand, the bigger the target.

Rob Ratcliff
February 25, 2013 11:31 am
Reply to  saulsherry

Thanks Saul — I read that as chip pan for some reason — clearly been reading too much of the fire section on this site.
I think the really interesting thing is the fragmented business models were among the most targeted, so hotel chains like Best Western, franchised coffee chains etc. Some of these, as you say, are seriously big brands and the fragmentation may make the intrusion harder to detect overall.

February 26, 2013 12:57 pm
Reply to  Rob Ratcliff

In my view, chip and pin is still considered much secure in most of the cases. Retail businesses are exposed to cybercrime because of huge capital involved and fascination for making easy money. In most parts of the world, people are still not confident using their Visa or Mastercard for internet transactions. They fear that their credit cards and pin numbers may be hacked by some shrewd hacker thus making them broke in a matter of seconds. “Brick and Mortar compromise” is becoming infectious and spreading all across the world at a rapid pace. In fact most retailers are not pedantic about…

alison diana
February 27, 2013 9:34 am

A local credit card crime wave was discovered here in Florida about a year or so ago, after many diners at a Mexican restaurant found themselves victims of identity theft. Local police figured out that they’d all eaten at this particular restaurant, drilling down through patient detection that they’d all used the same server, and finally charging this waiter and an accomplice with identity theft, credit card fraud, and several other crimes. Apparently when he took customers’ credit cards to the register to charge their meals, he made copies (with the assistance of his partner in crime), then sold this…

Rob Ratcliff
February 27, 2013 9:42 am
Reply to  alison diana

Amazing story Alison. I’ve heard of law enforcement drilling down all the way back to one particular point of sale, but for it to also be one particular waiter is a new one on me. There’s not much you can do to prevent people doing that is there? (Though you’d have hoped his employers would have noticed)

alison diana
February 27, 2013 9:48 am
Reply to  Rob Ratcliff

No, I don’t think there is! I was pretty impressed by the local police department’s work; either that, or it was an amazingly sloppy criminal! Either way (or a combination of both), it was pretty incredible to see the newly created cybercrimes unit work so well, so fast.
