Merchants are still using pedestrian passwords that crooks can easily break, security company Trustwave has found.

Of the nearly 630,000 stored passwords that Trustwave obtained during penetration tests in the past two years, its technicians were able to crack more than half in just a few minutes and 92% within 31 days.

Even though adding new information about weak passwords or ongoing malware investigations "gets frustrating" because the same problems facing the financial and payments industries persist, it does not surprise Trustwave researchers, said Karl Sigler, threat intelligence manager for Trustwave.

"For a lot of software or hardware developers, their main concern is availability of the service," Sigler said. "They want to make sure their POS is available and running to accept credit cards, often at the cost of a lot of security controls. It is difficult to implement security and to do it correctly."

As in past research, Trustwave found the most popular password to be "password1" for entry onto a business network site, followed by "Hello123" or simply "password."

Trustwave recommends longer passwords with more characters, rather than shorter ones with letters and numbers. "A longer password that is a phrase not easily figured out is better than a shorter, complex password," Sigler said.

These findings have been added to an online version of the 2014 Trustwave Global Security Report. To accommodate the fast changing nature of security threats, Trustwave is regularly updating its research and making the information available to consumers and payments industry stakeholders on the company's site.

"The criminals stealing data are a constantly moving target," Sigler said. "It no longer made sense for those interested in our research to have to wait a year to see new statistics."

Having access to updated security reporting should be helpful to merchants, said Al Pascual, senior analyst and fraud expert for Javelin Strategy & Research.

"They can see how trends are tracking over time, instead of constantly having to go online to see what is relevant to them, or rely on the trade groups to keep them informed," Pascual said. "This provides one switch to keep them in the know, so there is some value there and it's a smart move on Trustwave's part."

Since the new Payment Card Industry security requirements call for security measures to be embedded in software development lifecycles, there is "some utility" in Trustwave's new approach to sharing research information, said Julie Conroy, senior analyst and fraud expert with Boston-based Aite Group.

"The question will be: Is it going to just be more of the same folks who always read that report going online and using it as a resource?" Conroy asked. "Or will Trustwave be able to actually bring in some of those who still don't realize that data security is a problem for all of us?"

In addition, Trustwave researchers have identified a new family of point-of-sale malware that has infected nearly 600 businesses nationwide. In other data in the report, Trustwave said the trend of businesses detecting breaches continues to rise, with 29% of businesses doing so in 2013 compared to only 9% in 2009. Trustwave compiled that data from 691 post-breach forensics investigations conducted in 2013.

The report also indicated e-commerce breaches are increasing, with 54% of all breaches targeting e-commerce sites in 2013, compared to only 9% in 2010. More regions, including the U.S., being in various stages of converting to EMV chip-based cards for card-present transactions fuels the criminals' shift to e-commerce fraud, Trustwave said.

Trustwave is also working on four investigations related to the 600 attacks on businesses in which criminals broke into point of sale systems by using stolen credentials with remote-access software, the company revealed in the new report.

Called Backoff, the malware sits on a POS system, gathers the credit card numbers, encrypts the information and sends it to servers owned by the fraudsters, the report stated.

Additionally, the company is working with law enforcement officials after discovering a control center of eight servers behind what is being called "Magnitude," an exploit kit of Russian origin that has led to thousands of attacks and millions of attempted malware attacks globally.


Subscribe Now

Authoritative analysis and perspective for every segment of the payments industry

14-Day Free Trial

Authoritative analysis and perspective for every segment of the industry