Payment cards and systems top targets researched in 2011 Trustwave global security report

The recently unveiled Trustwave 2011 Global Security Report revealed that the target of cyber attacks has shifted from traditional infrastructure to mobile users and endpoint devices.

In a trend consistent with pre-2009 levels, the food and beverage and retail industries bore the brunt of data breaches, accounting for 75% of all investigations.

Basing its results on information gathered from over 200 data breach investigations, 2,300 penetration tests and other security-as-a-service (SaaS) activities conducted for its clients, Trustwave also found that 85% of all data at risk of security breaches was payment card related.

Tills ring for cyber criminals

It also found that software point-of-sale (PoS) systems accounted for the majority (75%) of all assets targeted by cyber criminals. These were followed by employee workstations (11%), e-commerce (9%), payment processing (3%) and cash machine systems (2%).

The report said that, while the Payment Application Data Security Standard (PA-DSS) mandates that developers of software PoS systems abide by a strict set of security controls, these controls are rarely implemented properly.

“Most small businesses investigated in 2010 relied exclusively on a third party for the support of their PoS system,” it continued. “In our experience, many PoS integrators are often not skilled in security best practices, leaving their clients open for attack.”

It cited deficiencies in basic security controls discovered through its investigations, such as the use of default passwords and single-factor remote access solutions. Moreover, in 87% of PoS breach cases, third-party integrators used some form of default credentials with either remote access systems or at the operating system layer.

It advised that businesses should work with their third-party vendors to help ensure non-functional security requirements are part of the implementation and maintenance agreements.

It also said that, because in-transit credit card data is usually more recently created than stored data, 66% of investigations found theft of data in transit.

Embedding security systems

Robert J. McCullen, chairman and chief executive of Trustwave, stated: "In 2011 and beyond, organisations that approach their initiatives firmly committed to including security as an integrated requirement, and not just as a checkbox, will be most resilient to attack, reduce their risk to compromise, and be able to best protect both sensitive data and reputation."

Benjamin Boulnois, regional manager for Europe, Middle East and Africa at DigitalPersona, said the report confirmed that passwords on their own are simply not enough to reduce fraud and theft from insecure PoS systems.

“The humble signature lasted as the main authentication factor for hundreds of years before being replaced by chip and PIN, but with fraud and theft costing retailers more than £25 billion a year, it’s clear that this ‘revolution’ in authentication has failed.

“That’s why biometric authentication is becoming increasingly widespread and will soon become ubiquitous among retailers that wish to give themselves the greatest possible protection from fraud, while also reassuring their customers that they too are protected from fraud,” added Boulnois.

Trustwave will present the report's findings in a webinar, entitled “2011 Global Security Stats and Trends – Europe, Middle East and Africa,” this Wednesday, 9 February 2011 at 11am (GMT).