Data thieves are building diversified portfolios, generating varied revenue streams based on the type of consumer credentials they can compromise through their breaches, a new security study says.

“Card data remains the gold standard right now, but we are seeing more breaches that involve data other than cardholder data,” says Chris Pogue, director at Chicago-based security vendor Trustwave.

Hackers can attack a person or company by creatinmg a fake persona on a network and becoming “friends” with people who are friends of the targeted person or company, Pogue says. Such coziness may open doors to sensitive information.

Criminals have other intentions when stealing user data from social network sites or seemingly benign sites on which consumers become members, Pogue says.

People are creatures of habit when it comes to passwords, he notes.

“There is a pretty good possibility that the password you use on social media will be very similar, if not the same, as the user name and password you use in the business world, and on banking and financial sites,” Pogue says.

Because hackers know that, it is not surprising that nearly half of all data thefts in 2013 involved non-payment-card data, a 33% increase in theft of sensitive and confidential information compared with the previous year, according to Trustwave’s 2014 Global Security Report. Nearly 60% of fraud victims came from the U.S., which has more than four times as many victims as the next closest country—the U.K. at 14%.

Trustwave analyzed data from 691 breach investigations it conducted in 24 countries to compile the report. Eighty-five percent of fraudulent exploits detected came through third-party plug-ins such as Java, Adobe Flash, Acrobat and Reader.

E-commerce made up 54% of assets that criminals targeted, while point-of-sale breaches accounted for 33% of Trustwave’s investigations in 2013, the report states.

The U.S. topped the list of “malware hosting” countries with 42% of all malwares residing here, while Russia had 13% and Germany 9%.

A hosting country is an origination point for a malware attack, not necessarily where the criminals actually reside, Pogue says. “An attacker has a way of ‘spoofing’ or hiding where the IP (Internet protocol) address is coming from,” he says. “I can be sitting in Russia, but I can hit a soft target such as a toy manufacturer in the U.S. and launch my attacks from their system.”

The U.S. also remains fertile ground for attacks because it represents “the dominant consumer market and it is still using 43-year-old technology in payment cards with magnetic stripes,” Pogue says.

“Obviously, cardholder data remains a top target, and that will remain the case as long as there is meat on the bone, and there is plenty of mag-stripe data [to steal],” he says.

The U.S. is making the transition to EMV chip-based smart cards over the next few years, with the major card brands setting an October 2015 timeline for a fraud liability shift affecting those not prepared to handle EMV payments.

Even though the delivery of malicious spam through email declineded slightly in 2013, spam still made up 70% of inbound mail, making it difficult for consumers and businesses to avoid.

The top three spam malware subject lines were “Some Important Information Missing,” or “Bank Statement: Please Read” or “Important—Payment Overdue,” the report says.

A person’s lack of discipline in opening email messages combined with using weak passwords remains a major gap in data security, the report says. Twenty-five percent of user names had the same passwords stored for multiple sites.The simple password “123456” remains the most used password, according to Trustwave’s study.

Ten years ago, security experts warned consumers about writing down their passwords on a sticky note and insisted they not tape them to a computer, Pogue says.

“Now, we are begging you to put those passwords on a piece of paper and make them complex enough so you can’t remember them,” he says. “They can’t read that piece of paper in Russia, Romania, China or North Korea, or wherever a hacker may be.”

Two-factor authentication is becoming more critical as an extra layer of defense, he maintains.

“A token, a text message or something else for extra security is needed,” Pogue says. “It has to be something you know, something you have and something you are” to make secure authorizations and keep criminals out of your records, he says.

Subscribe Now

Authoritative analysis and perspective for every segment of the payments industry

14-Day Free Trial

Authoritative analysis and perspective for every segment of the industry