Criminals Increase Targeting Personal Data in Payments, Banking Systems
In 2017, criminals will increasingly target consumers’ personally identifiable information (PII) in the payments ecosystem and at financial institutions, according to security experts at Palo Alto, Calif.-based Hewlett Packard Enterprise (HPE).
“Retailers are gathering a lot of sensitive information about their customers, but all too often this data is not adequately protected,” said George Rice, senior director, payments, HPE Data Security. He added that consumers should understand that businesses capture various metadata on every payment made; some of it explicit (e.g. e-commerce purchases that require name, address and phone number) and some passive (e.g. geo-location such as GPS coordinates, IP address, mobile device ID and behavioral information). “Since much of this metadata is categorized as PII, it is often not protected due to uneven government regulation of PII data protection. The European Union has progressively attempted to address this issue through the passing of the General Data Protection Regulation, which some experts believe is a harbinger for similar regulation around the world in the future.”
Other Rice predictions:
- Malware will continue as the tool of choice for retail data thieves in 2017, because store-level systems are insecure and vulnerable to attack. “Store level systems are designed to be open to allow for legitimate and regular updates of the applications they run. However, this creates vulnerabilities for malware to get into these environments and steal sensitive data covertly.” Once in criminals’ hands, stolen data may be quickly, easily and inexpensively monetized through fraudulent transactions in e-commerce and other non-EMV transaction environments.
- Consumers will have increased privacy concerns around payments as organizations continue to innovate. “While payments innovation often enhances the customer experience and makes payment transactions as easy as clicking a button on your mobile phone, it also leverages passive consumer information, such as geo-location data, IP address, etc., which heightens privacy and security concerns,” Rice pointed out. Modern conveniences such as mobile devices, wearables, and connected cars often capture and emit PII in addition to payment information without the user even knowing. Organizations will need increased focus on protecting PII in addition to payment card industry (PCI) data, and may look to trusted techniques like end-to-end encryption to safeguard the capture and use of sensitive data.
- Retail adoption of tokenization will expand, and businesses will increasingly enable consumers to use tokens to initiate payment transactions to avoid exposing stored payment card values. Rice added, “New standards are being introduced around pre-deploying tokens to be used instead of actual card account numbers, which will provide increased security for stored PCI data. Also, tokenization is a foundational technology for card-not-present payment strategies such as ‘card-on-file,’ which allows consumers to make new purchases automatically without needing to re-enter any payment information.”
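The token-vault pattern Rice describes, as an added illustration that is not code from HPE or from the article: the merchant's card-on-file record holds only a token, the vault is the sole place where token and card number (PAN) meet, and the token is deliberately made to fail the Luhn check so a leaked token can never be mistaken for a real card number. The in-memory dictionaries are an assumed stand-in for an HSM-backed token service.

```python
import secrets

def luhn_valid(number: str) -> bool:
    """Luhn checksum: validates real PANs and lets us reject look-alike tokens."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Stand-in token service provider (assumed; real vaults sit behind an HSM)."""
    def __init__(self) -> None:
        self._by_pan: dict[str, str] = {}    # PAN -> token (card-on-file reuse)
        self._by_token: dict[str, str] = {}  # token -> PAN, never leaves the vault

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a syntactically valid PAN")
        if pan in self._by_pan:              # same card -> same token for card-on-file
            return self._by_pan[pan]
        while True:
            # keep the last four digits for receipts; the rest is random and unguessable
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # reject tokens that pass Luhn so no token can pass as a real card number
            if not luhn_valid(token) and token not in self._by_token:
                break
        self._by_pan[pan] = token
        self._by_token[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        """Authorize on behalf of the merchant; the response exposes only a masked PAN."""
        pan = self._by_token.get(token)
        if pan is None:
            return {"approved": False, "reason": "unknown token"}
        # a real vault would forward `pan` to the card network here (assumed)
        return {"approved": True, "amount_cents": amount_cents,
                "card": "*" * (len(pan) - 4) + pan[-4:]}

def merchant_checkout(vault: TokenVault, pan: str) -> str:
    """Merchant stores and later charges only the token, never the PAN."""
    token = vault.tokenize(pan)              # happens once, at card capture
    customer_record = {"card_on_file": token}  # what the merchant database keeps
    return customer_record["card_on_file"]

if __name__ == "__main__":
    v = TokenVault()
    # "4111111111111111" is a constructed, well-known test PAN, not a real card
    tok = merchant_checkout(v, "4111111111111111")
    print(tok, v.charge(tok, 1999))
```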
Another HPE expert thinks we will see an increase in the number of reported attacks on banking services and financial system breaches in 2017. “Following several reports of major successful attacks on SWIFT electronic transaction systems in 2016, we expect to hear a lot more about similar breaches as banks discover more attacks and realize that sharing details about them is the responsible thing to do,” said Chip Witt, senior product manager, Threat Intelligence, HPE Security Research, whose team focuses on financial institutions.
SWIFT, the provider of a network that moves hundreds of billions of dollars daily worldwide, said hackers used malware to target bank funds in multiple cyberattacks.
During one attack in February 2016, hackers used the SWIFT messaging system of Bangladesh's central bank to submit 35 payment requests to the Federal Reserve Bank of New York, transferring $101 million to bogus accounts at the Philippines’ Rizal Commercial Banking Corporation and a Sri Lanka-based financial institution. The New York Fed became suspicious and denied 30 of the requests, but not before the release of $81 million to a foreign exchange broker.