As the retail world’s center of gravity shifts to the cloud, payment card fraud has followed suit. According to Verizon’s retail vulnerabilities study, attacks against e-commerce applications are by far the leading cause of retail data breaches. This trend mirrors similar outcomes in other industries, like food service. A complementary Verizon study finds remote attacks against food service operators on the rise as well.
In both industries, the swing to card-not-present (CNP) fraud has been sudden and swift. Verizon’s data shows an utter collapse in retail point-of-sale (POS) attacks as a share of total breaches in the past six years — from roughly 80% in 2014 to less than 10% in 2019. Web application attacks have filled the void, rising from less than 10% in 2014 to about 50% in 2019. In food service, point-of-sale attacks declined from a roughly 90% share to a sub-20% share.
Customers’ expectations haven’t kept up. According to a survey by Money Crashers, a personal finance publication, 52% of consumers aren’t concerned with the security of the payment apps they use every day. Just 30% have held off on downloading a payment app over security concerns.
Attackers Are Hitting Their Marks
Consumers’ cavalier attitudes persist despite persuasive evidence that hackers hungry for payment card information and sensitive personal data — names, addresses, ID numbers, security questions and answers — are getting better at hitting their marks. Since the beginning of 2018, remote attacks have affected a major U.S. department store chain, a popular fast-food operator, and a leading online-only clothing retailer.
And those are just the attacks that hit the news.
Why and how are attackers getting better at what they do? In many cases, it’s because victims unwittingly give them a hand. For example, Verizon’s retail vulnerabilities study found retailers (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Anastasios Arampatzis. Read the original post at: https://www.tripwire.com/state-of-security/regulatory-compliance/pci/card-not-present-fraud/