Digital Transactions examines the five most worrying cyberthreats facing payments companies and asks experts what can be done to guard against them.
Hackers are more sophisticated, better funded, better equipped, and more skilled at finding cracks in cybersecurity systems than ever. By adopting advanced technologies such as artificial intelligence, encryption, and botnets to spearhead massive attacks, cybercriminals have leveled the playing field against many of their targets, and tipped it against those that lag behind in the cybersecurity race.
The cost of not being prepared to defend against a cyberattack can be staggering. In 2017, reported cybercrime totaled about $600 billion globally, up from $445 billion in 2014, according to a study conducted by the Washington, D.C.-based Center for Strategic and International Studies and sponsored by Santa Clara, Calif.-based security software provider McAfee Inc.
Even more costly is the loss of public trust in a company’s brand after it has been hacked, which can diminish a company’s earnings for years afterward.
“People may forget the details of a cyberattack over time, but not the affected brand,” says Rich Bolstridge, chief strategist for financial services at Akamai Technologies Inc., a Cambridge, Mass.-based content-delivery network and cloud-service provider. “Security is a trust issue with consumers and how good your cybersecurity is affects consumers’ brand perception.”
To help payments companies get their arms around the threats emanating from cyberspace, Digital Transactions asked several cybersecurity experts to rank their five most dire threats and what payment companies can do to strengthen their defenses against them. Based on their comments, here are the five scariest threats facing payment companies today.
- Data Breaches
2017 was a banner year for data breaches, with more than 2.5 billion records stolen or compromised, up 88% from 2016, according to Amsterdam-based Gemalto, a provider of digital security. Among the largest and highest-profile intrusions was the Equifax breach, which the credit-reporting agency said exposed the personal information—including Social Security numbers and driver’s licenses—of more than 146 million consumers.
With so many payments companies handling sensitive consumer and transaction data, a data breach is not a matter of if, but when, says Julie Conroy, research director for Boston-based Aite Group.
Part of what makes breaches so scary is that stolen data remains in the hands of criminals forever, which creates an omnipresent threat that it can be used any time, anywhere, years after a breach, security experts say.
In addition, data can be used to create synthetic, or false, identities by piecing together information from multiple consumers. Unlike the theft of someone’s identity, which consumers can usually spot by monitoring their credit reports, the creation of synthetic identities makes it harder to detect fraud because the files are crafted from multiple sources.
For example, a criminal may match the Social Security number of one consumer with the name of another and the address of another and so on until they create an entirely new “person” using legitimate pieces of information. Criminals will then use the identity to request a credit line, often from a subprime lender willing to extend credit to someone with no credit history.
“Once a synthetic identity is validated by a third party such as a lender, it can be tough to detect the identity as false until it’s too late,” says David Britton, global vice president, industry solutions for fraud and identity, at credit-reporting agency Experian.
Unfortunately, there’s no easy answer when it comes to preventing a data breach. The best course of action, cybersecurity experts say, is to take a layered security approach that includes firewalls, intrusion detection, and prevention systems. Other measures include systems that protect against malware in email links and attachments, secure connections to third-party vendors, and audits of vendors to ensure their security systems are up-to-date.
Security experts also recommend encrypting or tokenizing stored data so that if hackers do break in, sensitive data is rendered useless.
Encryption transforms data into a cipher using an algorithm and key. The cipher cannot be unlocked without the key. Tokenization randomly generates an alphanumeric code that replaces a credit card or account number, which can only be read by the party with the key to reverse-engineer the code.
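The tokenization side of that comparison, as an added example that is not from the article or any vendor: a merchant record stores only a random token, and the card number can be recovered only by whoever holds the mapping. The `TokenVault` class, the `tok_` format, and the vault-lookup design are assumptions made for illustration, and the card number is a constructed test value.

```python
import hashlib
import hmac
import secrets


def luhn_ok(pan):
    """Card-number checksum, so malformed input is never vaulted."""
    digits = [int(c) for c in reversed(pan)]
    doubled = sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return (sum(digits[0::2]) + doubled) % 10 == 0


class TokenVault:
    """Hypothetical in-memory vault (assumption: vault-lookup tokenization)."""

    def __init__(self):
        self._index_key = secrets.token_bytes(32)  # keys the duplicate index
        self._by_token = {}   # token -> card number, held only by the vault
        self._by_index = {}   # HMAC(card number) -> token

    def tokenize(self, pan):
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        index = hmac.new(self._index_key, pan.encode(), hashlib.sha256).digest()
        if index in self._by_index:          # same card always gets same token
            return self._by_index[index]
        while True:
            # Random body, not derived from the card number; the last four
            # digits are kept so receipts and support lookups still work.
            token = "tok_%s_%s" % (secrets.token_hex(8).upper(), pan[-4:])
            if token not in self._by_token:  # retry on the rare collision
                break
        self._by_token[token] = pan
        self._by_index[index] = token
        return token

    def detokenize(self, token):
        # Reversal is a lookup inside the vault; raises KeyError if unknown.
        return self._by_token[token]


def merchant_record(vault, pan, amount_cents):
    """What the merchant database stores: the token, never the card number."""
    return {"card": vault.tokenize(pan), "amount_cents": amount_cents}


if __name__ == "__main__":
    vault = TokenVault()
    row = merchant_record(vault, "4111111111111111", 2599)  # constructed test card
    print(row, "->", vault.detokenize(row["card"]))
```

A copy of the merchant table taken in a breach yields tokens and last-four digits only; the same token presented to a different vault resolves to nothing.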
“There needs to be a layered approach to cybersecurity, not just within the network, but for all connections in and out of the network to keep criminals at bay,” says Experian’s Britton. “The aim is to make criminals have to jump through so many layers of security, they move on to a target that is not as well defended.”
- Application Updates
Arguably one of the biggest blind spots in cybersecurity is the failure to promptly update applications and test for the unforeseen holes an update can create, security experts say.
When it comes to patching and updating, some companies don’t always take prompt action, preferring instead to implement the fix when there is a drop-off in performance or reliability or a new security threat requires them to do so.
Companies put off patches or updates out of concern over the cost, time, and complexity of implementation, and because the updates are seemingly never-ending.
Payments companies, however, need to remember that an outdated application, middleware, or operating system immediately becomes weakened from a security standpoint, making it a target for hackers.
“It can be tough to identify every application or piece of middleware that needs updating because there can be so many,” says Joe Nocera, principal, financial-services industry practices for London-based PricewaterhouseCoopers. “Updates, patching, and security go hand-in-hand.”
Recommended tips for staying on top of patches and updates include inventorying all applications and middleware and tracking when they were last modified. Reducing the number of platforms can also streamline maintenance by reducing the number of different applications used, Nocera says.
While patching and updating is primarily the responsibility of the end user, some vendors will implement upgrades for their customers. But this practice has opened a door for criminals to pose as technicians from a vendor sent to install a patch, says Robert Siciliano, a Boston-based data-security expert. Merchants are a frequent target of this scam, which includes installing software in a point-of-sale device that is programmed to capture transaction data.
“The criminals know the vendors, who their customers are, and go to great lengths to impersonate the vendor,” says Siciliano. “The way to combat this is to make managers and staff aware of the threat and stay on top of maintenance schedules.”
Finally, when making a patch or upgrade, security experts recommend that systemwide security testing be performed to identify any vulnerabilities that may have inadvertently occurred throughout the platform as a result.
“Patches can cause unexpected breaks in the defenses, so security testing post installation is necessary,” says Akamai’s Bolstridge.
- Distributed Denial of Service Attacks (DDoS)
DDoS attacks, which attempt to overwhelm a Web site with traffic from multiple sources, are nothing new, but they remain scary nonetheless. What keeps DDoS attacks near the top of the list of threats is that the size of the attacks, i.e. the amount of data being pushed by criminals to a target site, is increasing, making them much harder to fend off. Volume pushed in an attack can be as much as one terabyte per second, security experts say.
Even scarier is that attacks can be initiated through a growing array of Internet-enabled devices.
The culprit enabling higher rates of attack and more types of devices to launch an attack is botnets, networks of private devices controlled by criminals without the owners’ knowledge. Criminals have remotely commandeered such Internet-enabled devices as cameras and video recorders to launch DDoS attacks, security experts say.
Key to withstanding a DDoS attack is having the scale to handle huge spikes in traffic and applications in place that deflect junk traffic away from the network.
“A layered security approach with a cloud-based server that can quickly scale are the keys to avoid being overwhelmed by a DDoS attack,” says Bolstridge. “The size of attacks will only continue to increase, which is why payment companies always need to be ready to fend them off.”
- Phishing Attacks
Consumers aren’t the only targets of phishing attacks. Criminals will use them to infiltrate companies by sending employees emails containing malware that, when opened, launches sniffer programs that track employee user names and passwords. Armed with those credentials, criminals can then begin snooping for back doors into areas containing sensitive data.
What makes phishing attacks a deep cause for concern is that they have often been the first step to data breaches in recent years (a phishing attack spearheaded the 2013 Target data breach, for example), and that they can so easily dupe employees and consumers, security experts say.
Phishing emails look like correspondence from a trusted source, such as the human-resources department or even a consumer’s bank. The message is crafted to encourage the recipient to click on a malicious link embedded in the body of the email or to launch malware once the message is opened.
While companies can implement such tools as spam filters and device-authentication applications to spot phishing emails pushed by botnets, the most effective protection against phishing boils down to ongoing employee education about how to tell legitimate emails from suspect ones, and to report questionable emails to the appropriate manager, security experts say.
- Insider Threats
Disgruntled employees remain a serious threat to any company’s cybersecurity because they may either launch an attack of their own accord or be vulnerable to the lure of financial gain dangled by criminals looking for an insider accomplice.
“This is a tough threat for IT managers to get their arms around because it is not easy to spot a rogue employee when it comes to the handling of data,” says Aite’s Conroy.
Analytics that track employee behavior are an effective solution that can tip IT managers off to employees attempting to access data not pertinent to their job, but can cost hundreds of thousands of dollars or more to implement. “That’s not always an easy expense to justify until the problem can be quantified,” Conroy says.
Less costly safeguards include: limiting employee access to sensitive data; prohibiting access to sensitive data by devices not issued at work; and charting employee behavioral changes at work, such as whether an employee starts regularly working late into the night or is the first to enter the building.
“The feeling of being alone creates a psychological comfort for inside attackers because they think no one else is around to observe their devious behavior,” says Nocera of PricewaterhouseCoopers.
With so many security threats lurking, it’s no wonder that many IT managers have trouble sleeping at night. The best antidote, regardless of the threat, is constant due diligence. By staying current with the best practices to thwart an attack, payment companies can narrow the gap between protection and vulnerability.
“The more unpredictability in changing and adding deterrents, the stronger your defenses,” says Gideon Samid, the “Security Notes” columnist for Digital Transactions and chief technology officer for Bitmint, a Washington D.C.-based cryptocurrency provider. “Hackers base their attacks on the size of the security-predictability gap.”
Cybercrime: Estimated Daily Activity
80 billion Malicious scans
300,000 New malware
33,000 Phishing attacks
4,000 Ransomware attacks
780,000 Records lost to hacking
The Five Cyberthreats That Keep IT Managers up at Night
Application Patching/Updates
Distributed Denial of Service Attacks