Data thieves are generating various revenue streams based on the type of consumer credentials they can compromise, a new security study says.

"Card data remains the gold standard right now, but we are seeing more breaches that involve data other than cardholder data," says Chris Pogue, director at Chicago-based security vendor Trustwave.

Through various channels, hackers can create a fake persona and become "friends" on various networks with people who are connected to the person or company they really want to attack, Pogue says. Such methods may open doors to sensitive information that the victim thinks is still private.

Social networks are also a target because people are creatures of habit when it comes to passwords, he adds. "There is a pretty good possibility that the password you use on social media will be very similar, if not the same, as the username and password you use in the business world, and on banking and financial sites."

Because hackers know this, it is not surprising that nearly half of all data thefts in 2013 involved non-payment-card data, a 33% increase in theft of sensitive and confidential information compared to the previous year, according to Trustwave's 2014 Global Security Report. Nearly 60% of fraud victims came from the U.S., which has more than four times as many victims as the next closest country of the U.K. at 14%.

Trustwave analyzed data from 691 breach investigations it conducted across 24 countries in compiling the report. Eighty-five percent of fraudulent exploits detected came through third-party plug-ins such as Java, Adobe Flash, Acrobat and Reader.

E-commerce made up 54% of assets that criminals targeted, while point of sale breaches accounted for 33% of Trustwave's investigations in 2013, the report states.

The U.S. topped the list of "malware hosting" countries with 42% of all malwares residing there, while Russia had 13% and Germany 9%.

A hosting country is an origination point for a malware attack, not necessarily where the criminals actually reside, Pogue says.

"An attacker has a way of 'spoofing' or hiding where the IP (Internet protocol) address is coming from," he says. "I can be sitting in Russia, but I can hit a soft target such as a toy manufacturer in the U.S. and launch my attacks from their system."

The U.S. also remains fertile ground for attacks because it represents "the dominant consumer market and it is still using 43-year-old technology in payment cards with magnetic stripes," Pogue says. "Obviously, cardholder data remains a top target, and that will remain the case as long as there is meat on the bone, and there is plenty of mag-stripe data [to steal]."

The U.S. is in the process of migrating to EMV chip-based smart cards over the next few years, with the major card brands setting an October 2015 date for a fraud liability shift affecting those not prepared to handle EMV payments.

Even though the delivery of malicious spam through e-mail dropped slightly in 2013, spam still accounted for 70% of inbound mail, making it difficult for consumers and businesses to avoid.

The top three spam malware subject lines were "Some Important Information Missing," or "Bank Statement: Please Read" or "Important – Payment Overdue," the report says.

People still don't exercise restraint when opening emails, and many still use weak passwords, the report says. Twenty-five percent of usernames had the same passwords for multiple sites. The simple password "123456" remains the most used, according to Trustwave's study.

Ten years ago, security professionals warned consumers about writing down their passwords on a sticky note and insisted they not tape them to a computer, Pogue says. "Now, we are begging you to put those passwords on a piece of paper and make them complex enough so you can't remember them," he says. "They can't read that piece of paper in Russia, Romania, China or North Korea, or wherever a hacker may be."

Two-factor authentication is becoming more critical as an extra layer of defense, Pogue says.

"A token, a text message or something else for extra security is needed," Pogue says. "It has to be something you know, something you have and something you are" to make secure authorizations and keep criminals out of your records, he adds.

Subscribe Now

Authoritative analysis and perspective for every segment of the payments industry

14-Day Free Trial

Authoritative analysis and perspective for every segment of the industry