6 new threats to payment card data

Published April 13, 2018, 11:08am EDT

As the headlines once again flood with the names of new data breach targets — Panera, Saks Fifth Avenue, Delta, etc. — banks and retailers may wonder how fraudsters are overcoming their defenses.

Not all of these threats are a new strain of malware or software vulnerability. Some are older tactics adapted to new targets, such as a partner or a new digital channel. In other cases, the brands overlooked an obvious threat due to overconfidence or excessive skepticism.

Whether the threat stems from technology or human nature, fraudsters are exploiting any opening they can.

This listicle is compiled from reporting by PaymentsSource writers including John Adams, Kate Fitzgerald and David Heun. Click the links in each item to read more.

Going after partners to get at card data

The breach at Expedia's Orbitz not only jeopardized nearly 880,000 payment cards — it cast a spotlight on the weaknesses all companies expose themselves to when they partner with another brand.

Expedia was quick to issue a mea culpa, but that's likely little comfort to brands like Amextravel.com, the company's consumer travel portal, which partnered with Orbitz on the back end to serve business-travel customers. Amex may have had no hand in the breach, but it definitely took a reputational hit from the customers that it had to notify.

"[This is] more an example of the brand risk associated with relying on third-party providers," said Julie Conroy, a research director at Aite Group.

Expedia said the current Orbitz.com website was not involved — rather, the attack affected an older database that may have been accessed between October and December 2017. Orbitz partner data booked through external sites such as Amex Travel between Jan. 1, 2016, and Dec. 22, 2017, may also have been affected.

The incident demonstrates that merchants face a greater burden to protect data that may be tainted from a prior breach at a third party. Retailers already lose about 8% of their annual revenue to costs associated with fraud, according to Javelin, and more layers of security could cost more.

"While this reinforces the need for all businesses to have a thorough vetting of their partners’ data security controls, the reality is that the cyber-threat landscape is moving so fast that it’s hard for even the large and sophisticated firms to keep pace," Conroy said. "The only data beyond attackers' reach is the data that has been devalued through tokenization and encryption technologies."


Skepticism blinds retailers to credible threats

It's not enough for researchers to find and report a vulnerability on a retailer website — they must also convince the retailer to take action.

Security researcher Dylan Houlihan received an unexpected response from Panera's director of information security, Mike Gustavison, when he reported a vulnerability on August 2, 2017.

"My team received your emails however it was very suspicious and appeared scam in nature and was therefore ignored," Gustavison wrote in an email Houlihan later posted online.

"The response I received is not appropriate whatsoever," Houlihan wrote in a blog post explaining the interaction. "There is never a reason to begin a conversation like that by being so defensive. I know people send lots of superfluous security reports, because I’ve had to receive them. But I’ve never started the conversation by being antagonistic — this is not an excuse for reacting like that."

Of course, Houlihan was telling the truth, and Panera was forced to confront the issue after security writer Brian Krebs published an article about the incident. Panera at first stated the exposure affected just 10,000 customer records, but Krebs said the figure could be as much as 37 million.

Any retailer or app is fair game

When a retailer is breached, it's common to assume that hackers went after their point of sale systems or some kind of data related to payments, loyalty or sales. But the recent Under Armour breach proves anything is fair game.

Attackers went after MyFitnessPal, a calorie-counting app that Under Armour provides (though the app is not named after Under Armour, the retailer's branding is prominent in the app's interface).

Consumers may not think of MyFitnessPal as something that hackers would even want to target — let alone something that houses sensitive payments data — but Under Armour collects email addresses, passwords, Social Security numbers and driver's license numbers. Fortunately for users, only email addresses, usernames and hashed passwords were accessed in the breach, which affected 150 million accounts.

No comfort in the cloud

Organizations handling payments or personal data are increasingly moving to cloud-based technology, and cyber criminals are taking advantage of that transition in finding new attack vectors.

Many organizations are advancing their technological capabilities, but not changing security strategies to reflect the risk, according to new research from cyber security firm Thales.

As many as 94% of organizations say they are using sensitive data through new digital channels in cloud, big data, blockchain or mobile, according to the 2018 Thales Data Threat Report. Up to 91% are working on or using mobile payments. However, 67% of respondents said they have been breached, with 36% saying it occurred in the past year. This was an increase over the 26% that reported a breach for the 2017 report.

Thales conducted online and phone interviews with 1,200 senior executives covering various industries, including retail and financial services, in Germany, Japan, India, the Netherlands, Sweden, South Korea, the U.K. and U.S. The executives had a major influence, or were the sole decision maker, for IT projects within their companies.


Why hack Saks? The need for new card data

These days, many consumers have already experienced account and identity theft and are familiar with the resources available to them. As a result, their details are less valuable to fraudsters, who are not as interested in paying for credentials they can no longer exploit.

The masterminds of the Saks/Lloyds data breach took a new approach that could rekindle the market for stolen credentials. The incident was attributed to the notorious cybercriminal syndicate Joker’s Stash, whose operating model differs from many other card-data fencing operations in that it claims to offer only “fresh” data stolen by syndicate members, rather than simply reselling tranches of data harvested from other criminal gangs.

The Joker’s Stash gang, also known as Fin7, has made a name for itself selling large quantities of stolen card data on the dark web. It has been linked to card data breaches at Hilton Hotels, Jason’s Deli and Sonic Drive-In.

The gang also takes a rather complex approach to keeping its network of underground sales sites hidden from prying eyes while maintaining ease of use for its “customers”: users are given multiple unique URLs to reach the service, each of which redirects communications to the real website hidden in the Tor network.

When the data is protected, go after the website

Even though a denial-of-service attack on an e-commerce site is not classified as a breach because data is usually not compromised, the 2018 Verizon Data Breach Investigations Report claims it is a growing menace to merchants who rely solely on their websites.

Of 317 incidents reported in the retail sector last year, 85 were denial-of-service attacks designed to halt business on a site by overloading it with requests or dismantling connections to host servers.

"Those who live by the sword are destined to die by the sword, we're told," the report said. "The retail sector equivalent is that those whose livelihood relies on their website shall die by the website when a DoS attack hits."

In the physical retail world, payment card skimmers remain a concern at POS terminals, with 81 incidents reported. Web application attacks (73 incidents) and crimeware malware (26 incidents) were also prevalent problems in retail.

For all of the incidents, 93% were performed by external threats, the report said, while 7% were perpetrated internally.

Web servers were under attack 156 times and gas pump terminals 66 times, according to the research.