Just when payment card data seemed somewhat protected by EMV technology, hackers have found yet another way to steal information and gain access to PINs. In this week’s Hacker Tracker, PYMNTS was joined by Alex Cagnoni, CEO of Datablink, who shared some interesting insights on some of the latest news across the cybersecurity landscape.
Old Tools, New Tricks
Despite the growing usage of EMV chip card technology to help safeguard payment card data at the point of sale (POS), cybercriminals are turning to devices called “shimmers” to read card numbers and possibly access a card’s chip and obtain the PIN.
As Datablink CEO Alex Cagnoni pointed out, card cloning devices are not something new; however, with the use of a chip, the attack has become more complex but still quite effective.
Because shimmers are so thin and can easily be hidden inside of an ATM or card reader, they the potential to capture the data when a card’s chip is activated. While they can’t be used to create a chip-based card, they allow enough data to be passed to create dummy magnetic cards that can then be used to perpetrate fraud.
But Cagnoni noted that while a shimmer attack can be successful, it requires a lot of manual work, making its effectiveness limited by the number of actual users of the compromised POS or ATM.
Instead, the new and more significant trend will be an ever-increasing number of online purchase attacks, he noted.
“With today’s ability to hit thousands or even millions of users in a few hours through a phishing attack that infects laptops and smartphones, fraudsters could potentially grab a very large amount of credit card information typed in by users during their next online purchase,” Cagnoni explained.
The bigger and more widespread cyber threat, as opposed to shimmers, may actually be the ability for cybercriminals to use or sell stolen data for fraudulent online purchases that are typically made in groups of small purchases as to go undetected by fraud detection systems.
“Phishing opens up a gigantic world of opportunity for cybercriminals, whereas shimmers may be sly and clever but in a much more localized, smaller manner,” he added.
Identity Fraud On The Rise
According to Javelin Strategy & Research’s 2017 Identity Fraud Study, the number of identity fraud victims rose 16 percent in 2016, marking the highest level since the research firm began tracking the trend in 2003.
Despite efforts by the industry, fraudsters successfully adapted to net 2 million more victims in 2016. What’s more, the amount the bad guys stole rose by close to $1 billion to $16 billion.
The research showed that during 2016 there was a resurgence in existing card fraud, which saw an increase of 40 percent in card-not-present fraud. Cagnoni said this latter growth can be easily explained by the continued adoption of chip cards in the U.S., which has caused attacks to migrate to the weakest link of the chain: the electronic purchases.
It’s expected that the number of account takeover attacks will also continue to grow.
After reaching a low point in 2014, both account takeover incidence and losses rose notably in 2016, with total account takeover losses reaching $2.3 billion, a 61 percent increase from 2015, and incidence reaching 31 percent, the study confirmed.
While other countries are utilizing powerful transaction signing technologies to mitigate those attacks, Cagnoni noted that the U.S. has fallen significantly behind the curve.
One of the Federal Financial Institutions Examination Council’s (FFIEC) recommendations to help prevent account takeover is to use out-of-band verification for transactions. That simply means it is best to use a different channel to verify and confirm transactions, Cagnoni explained.
“But this type of recommendation has not been implemented in the U.S. to the same degree as other countries,” he noted. “A large chunk of U.S. banks opted to more heavily invest in fraud detection technologies, but those technologies either allow fraud to take place undetected or block a legitimate transaction attempt, thus frustrating customers.”
Are Hotels Are A Hacker’s Paradise?
In one of the latest payment card data breaches reported affecting the hotel industry, InterContinental Hotels Group confirmed 12 of its U.S. properties were compromised by a malware attack.
Reuters reported that malware hidden in servers managed to uncover and capture what is known as “track” data — which includes names, card numbers and codes — over a timeframe ranging from August to December 2016. Those cards had been used at food establishments, including restaurants and bars, and did not include cards used at front desks.
Cagnoni pointed out that the attack on the InterContinental Hotels Group may have been more targeted than other credit card breaches, since the attackers might have continued to conduct the attack unnoticed for a large period of time.
“In these types of attacks, fraudsters oftentimes don’t use the collected information right away. They might wait days or even longer — so the fraud is not directly related to the immediate days before, thus making the attack even more durable,” he explained.
Since cards from different users and issuers can be compromised for a longer period of time, it can make it more difficult for a correlation to be made.