Though fraud losses in the UK
in the first half of 2009 experienced their biggest fall in years,
security experts warn against complacency. This warning is backed
up by the findings of security firm 7Safe, which show levels of
compliance with the Payment Card Industry Data Security Standard
are exceptionally low.
British payments industry body the
Payments Administration (PA) had good news recently when it
announced that payments fraud losses had recorded their biggest
decline in many years, falling by 23.5 percent to £232.8 million
($370 million) compared with the same period in 2008.
While cloning and skimming of cards saw the
biggest proportional decline in fraud losses (48 percent), the main
driver of the improvement was the largest single source of losses,
card-not-present (CNP) fraud, which fell 18.2 percent to £134
Welcome as the improvement may be, Katy
Worobec, the PA's head of fraud control, pointed out that the fall
in CNP losses may result from fraudsters realising they could do
better by targeting foreign-issued cards. She said the general
weakening of sterling against major currencies could have played a
role in this, as indicated by a 36 percent increase in fraud
committed in the UK on
Whatever the reasons, Worobec warned there is
no room for complacency.
Emphasising this, security forensics
specialist 7Safe noted in its 2010 UK Security Breach
Investigations Report: "It would appear criminals are developing
their skills and techniques more rapidly than security engineers
and enforcement officers."
Based on analysis of 62 data breach incidents
it investigated over the preceding 18 months, 7Safe found that
payment card data had been compromised in 85 percent of cases. Of
the cases investigated, 85 percent were in the retail sector, 7
percent in the financial sector and the remainder spread over 10
other sectors. Where payment cards were at risk, the most common
number of cards exposed was between 20,000 and 50,000 (34 percent
of cases), while 100,000 or more cards were at risk in 14 percent
of cases.
Source of attacks
Identifying the primary source of a
breach is an important aspect of its investigations, noted
While it is not surprising that the vast
majority of data breaches (85 percent) were traced to external
attacks, it is notable that only 2 percent were the result of
The second biggest source of data
breaches, at 18 percent, was business partners, said 7Safe.
The firm emphasised in its study: "This
highlights a concern that is often left out of consideration but is
of importance. It is critical that companies recognise the lack of
control they have over business partners."
7Safe noted that companies need to be aware
that some of the arrangements their partners have with other
external organisations may allow those organisations full access to
all information held by the partner, and therefore, by extension,
access to the information of the original company. This has been
seen in more than one case investigated by 7Safe.
Delving into external attacks, 7Safe found
that the vulnerabilities most often exploited were in poorly
written web applications, attacked in particular by way of SQL
injection and malware.
SQL, or Structured Query Language, is the
language used to query and manage data in relational databases.
SQL injection, as Microsoft's guidance describes it, targets web
applications that build SQL statements from user-supplied input
without separating code from data: the attacker supplies input that
changes the meaning of the statement, and can use the database's
responses and error messages to discover its structure where it is
not already known. It was this type of attack that was responsible
for the massive data breach experienced by US payments service
provider Heartland.
Of the attacks investigated, 7Safe found
that SQL injection alone was the source of the compromise in 40
percent, with a further 20 percent using SQL injection combined
with another vector such as malware.
7Safe noted: “The SQL injection vulnerability
is a common weakness in many systems as can be seen with 60 percent
of the cases suffering from it leading to the compromise.
“However, it is surprising given the amount of
information known about the attack and ways to prevent it that so
many systems are still susceptible to it.”
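The pattern 7Safe describes, a web application concatenating untrusted input into a query, is easy to show side by side with the fix. The following is an added example written for this page, not code from 7Safe's report or from any breached merchant; it uses an in-memory SQLite database with constructed sample rows (the usernames, passwords and card numbers are test values, and the table layout is an assumption). It shows both the authentication bypass and the schema discovery the text refers to, and how a parameterised query defeats both.

```python
import sqlite3

# Constructed sample data standing in for a small merchant database.
# Plain-text passwords and PANs are deliberately crude: they are the kind
# of data the report found compromised, not a recommended schema.
SAMPLE_USERS = [
    ("alice", "s3cret", "4111111111111111"),
    ("bob", "hunter2", "5500000000000004"),
]


def setup_db():
    """Create an in-memory database with a hypothetical users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password TEXT, card_pan TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL statement by string formatting: injectable."""
    query = (
        "SELECT username, card_pan FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    """Same lookup with a parameterised statement: input is sent as data,
    so quotes and comment markers in it never become SQL syntax."""
    query = (
        "SELECT username, card_pan FROM users "
        "WHERE username = ? AND password = ?"
    )
    return conn.execute(query, (username, password)).fetchall()


# Two classic payloads. The trailing "--" comments out the rest of the
# statement, including the password check.
BYPASS_PAYLOAD = "' OR 1=1 --"
# Appends a second SELECT that reads SQLite's own catalogue table, so the
# attacker learns the table and column names without knowing them first.
SCHEMA_PAYLOAD = "' UNION SELECT name, sql FROM sqlite_master --"


def demo():
    """Run both logins against both payloads and return the outcomes."""
    conn = setup_db()
    return {
        "vuln_bypass": login_vulnerable(conn, BYPASS_PAYLOAD, "x"),
        "vuln_schema": login_vulnerable(conn, SCHEMA_PAYLOAD, "x"),
        "safe_bypass": login_safe(conn, BYPASS_PAYLOAD, "x"),
        "safe_schema": login_safe(conn, SCHEMA_PAYLOAD, "x"),
        "safe_valid": login_safe(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Against the vulnerable function the bypass payload returns every user's card number and the schema payload returns the `CREATE TABLE` statement; against the parameterised function both return no rows, while a genuine credential still works. Parameterisation is the fix the report's "ways to prevent it" refers to; input filtering on its own is not, because the quote and comment characters are legitimate in many fields.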
7Safe added that an increasing source of
compromise is exploitation through shared web space or web hosting.
The danger of a shared hosting environment, the firm noted, is as
simple as this: an attacker who compromises one website on the
server, whether through malware or SQL injection, can then
compromise every other website hosted on that same server.
PCI DSS compliance
The 12 requirements of the Payment
Card Industry Data Security Standard (PCI DSS) are intended to
ensure an extremely high level of card data security. They no doubt
will, if adhered to strictly. Regrettably, 7Safe’s findings
indicate that this is far from the case.
In its investigations 7Safe found that none of
the organisations met all 12 requirements of the PCI DSS. Indeed,
in just over one quarter of the cases, none of the 12 requirements
was met. The most any single organisation met was six, and only
about 4 percent of organisations reached even that.
In addition, none of the organisations that
had passed PCI DSS Approved Scanning Vendor (ASV) vulnerability
scans was sufficiently protected against a combination of the very
attacks such scanning claims to detect. ASV scanning is an automated
task that involves no human interpretation of the results.
Overall, 7Safe concluded that its analysis
shows that many organisations who declare themselves compliant
with the PCI DSS "are not even close". Quite simply, stressed
7Safe, the PCI DSS requires very specialist knowledge in a field
that changes on a daily basis.
7Safe warned: “To expect every e-commerce
merchant to understand all points that information security
requires of them without any [expert] assistance is going to result
in further data security breaches.”