The move to chip-and-PIN technology in the United States last year was supposed to be a security win, making in-store transactions more reliable and resistant to fraud. But the adoption rate for the technology hasn’t been as high as expected, and experts and analysts say that criminals are simply shifting their focus to other tactics such as online fraud and credential theft.
Chip-and-PIN is designed to be a more secure alternative to simply swiping a card at a terminal and maybe signing a receipt. Cards that have chips are inserted into the payment terminal and perform a cryptographic operation that validates the card, and then the consumer enters a PIN for authentication. In traditional card transactions, the payment terminal simply reads the card information from the magnetic stripe, so having the card is almost always enough to conduct fraudulent transactions.
But not all retailers have rolled out chip-capable terminals and even those that have don’t always have them set up to accept chip cards. And some terminals give consumers the choice of swiping or inserting their cards, which negates the extra security of chip-and-PIN. While retailers deal with the transition to chip-and-PIN, attackers are continuing to steal and sell a huge volume of traditional card data. A recent report from FireEye found that attackers tied to one financial-crime ring they call FIN6 are selling tens of millions of stolen cards online.
“For instance, in one FIN6-linked breach the vendor was advertising nearly 20 million cards. These cards were predominantly from the United States and selling for an average of $21. So the total return for the shop — if all the data was sold at full price — could have been about $400 million,” the report said.
Once the rollout of chip-and-PIN reaches a critical mass, the techniques that attackers use to steal traditional card data won’t be as useful. The memory-scraping point-of-sale malware that many of these groups use to gather card data will be neutralized in most cases, and so attackers are moving more and more to online fraud. Research analysts at Juniper Research in the U.K. say that they expect online retail fraud to hit $25.6 billion annually in the next four years, as criminals look for ways to cash out on stolen card data without having to worry about chip-and-PIN.
Another key avenue for cyber criminals is the theft of credentials, be they for email, banking, or corporate networks. This technique has been used by attackers for decades, and has never really fallen out of favor, but it becomes even more important as security defenses improve. Getting access to valid credentials for a target service or network is always a better option than exploiting a vulnerability, as it doesn’t raise alarms and is more reliable.
Authentication is one of the older problems in security, and it’s never totally been solved. Attackers know how to bypass most authentication systems, and defending against the theft of valid credentials makes the problem even more difficult for security teams.
“Our notions of defense need to adapt to this change. First, organizations need to beef up their authentication systems. There are lots of tricks that help here: two-factor authentication, one-time passwords, physical tokens, smartphone-based authentication, and so on. None of these is foolproof, but they all make credential stealing harder,” security expert Bruce Schneier said in an essay on credential theft.
“Second, organizations need to invest in breach detection and — most importantly — incident response. Credential-stealing attacks tend to bypass traditional IT security software. But attacks are complex and multi-step. Being able to detect them in process, and to respond quickly and effectively enough to kick attackers out and restore security, is essential to resilient network security today.”