Posted on Apr 24, 2019
Security and compliance often appear to go hand-in-hand these days. Problematically, many companies start with compliance then reverse-engineer security in a nearly futile attempt to protect data. In the payment card industry, the Payment Card Industry Security Standards Council (PCI SSC) established PCI Data Security Standard (PCI DSS) which sets the “gold standard” for compliance. Meanwhile, despite meeting the compliance standard, cardholder data (CD) remains a primary target for cybercriminals. By understanding the seedy underbelly known as the Dark Web and the way Cybercrime-as-a-Service (CaaS) works, merchants and payment card processors can better secure CD.
Statistics indicate that while overall fraud decreased in 2018, evolving threat methodologies continue to undermine the data security efforts of merchants and vendors.
Thus, while merchants, vendors, and payment card processors attempt to protect cardholder data, they continue to find themselves at the mercy of cybercriminals.
Cardholder data is defined as the primary account number (PAN) in conjunction with either the cardholder name, expiration date, and/or service code. Considered personally identifiable information (PII), the data that cybercriminals extract from breaches can allow them to create fraudulent accounts, engage in fraudulent purchases, or steal identities.
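Because the PAN is the element that turns a name or expiry date into cardholder data, a defender's first practical check is whether PANs are leaking into places they should never be, such as application logs or backup dumps. The following Python script is an added example (not code from the original post or from SecurityScorecard): it scans a few constructed log lines for digit runs that pass the Luhn mod-10 check that real PANs satisfy and masks any hit to first six and last four digits, which is the most PCI DSS permits when a PAN is displayed. The regex, the sample log lines and the function names are assumptions made for the example; a Luhn-valid number that is not a PAN would still be flagged, so treat hits as candidates for review rather than proof of exposure.

```python
import re
from typing import List, Tuple

# Heuristic candidate pattern (assumption, not an exhaustive PAN grammar):
# 13-19 digits, optionally separated by single spaces or dashes, not glued to other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines. The first two contain standard test PANs
# (Luhn-valid); the third contains a 16-digit id that is not Luhn-valid.
SAMPLE_LOG = [
    "2019-04-24T10:00:01Z checkout ok order=88213 pan=4111111111111111 exp=12/22",
    "2019-04-24T10:00:02Z backup dump row: 5555 5555 5555 4444,John Doe,0921",
    "2019-04-24T10:00:03Z request id=1234567890123456 status=200",
]


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card PANs: double every second digit
    from the right, subtract 9 from doubled values above 9, and require the
    total to be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask to first six and last four digits, the maximum PCI DSS allows
    when a PAN is displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _strip_separators(raw: str) -> str:
    return re.sub(r"[ -]", "", raw)


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid candidate in the text as a plain digit string."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _strip_separators(m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact_line(line: str) -> Tuple[str, int]:
    """Return the line with Luhn-valid candidates masked, plus the hit count.
    Candidates that fail Luhn are left untouched so ordinary ids survive."""
    count = 0

    def repl(m: re.Match) -> str:
        nonlocal count
        raw = m.group(0)
        digits = _strip_separators(raw)
        if luhn_valid(digits):
            count += 1
            return mask_pan(digits)
        return raw

    return PAN_CANDIDATE.sub(repl, line), count


def scan_log(lines: List[str]) -> List[Tuple[str, int]]:
    """Redact a whole log; each entry is (redacted line, number of PANs found)."""
    return [redact_line(line) for line in lines]


if __name__ == "__main__":
    for redacted, hits in scan_log(SAMPLE_LOG):
        flag = "PAN-LEAK" if hits else "ok      "
        print(f"[{flag}] {redacted}")
```

In practice this logic belongs in the log pipeline or DLP layer rather than in a one-off script, and a non-zero hit count should raise an alert: a PAN written to a log file or an unencrypted backup is exactly the "unprotected backup" exposure that puts the data within reach of the markets described later in this post.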
To obtain PII and CD, cybercriminals can use in-person or digital strategies.
Hardware skimming requires an individual to have physical access to a device. Whether the target is an ATM or a point-of-sale (POS) terminal, the person needs to be able to insert a Bluetooth-enabled skimming device.
Digital strategies include SQL injection, malware infections, unprotected backups, and vulnerable third parties.
Browsers like Chrome, Firefox, and Safari reach only the layer of internet data that traditional search engines such as Google, Bing, and Yahoo cover. These browsers and search engines rely on indexes to find information.
To access the dark web, users need specialized browsers that overcome the limitations of traditional browsers and search engines. These browsers route traffic through encryption and multiple server locations to maintain anonymity, which is what lets users search for illicit content such as stolen medical records or forums trading in illegal information.
PII and CD remain valuable underground commodities because they are low cost and high impact. According to Privacy Australia, different information levels have different values:
The different types of information bought and sold on the Dark Web enable different levels of fraud. The CVV, the three-digit code on the back of a credit card, allows a cybercriminal to access funds or buy items for later resale. Online payment login information, meanwhile, often links to bank accounts or social media accounts, which enables cybercriminals not only to make fraudulent purchases but also to commit identity theft and harvest further login/password information.
As CaaS becomes more popular, cybercriminals no longer need to be highly technical. On the Dark Web, cybercriminals can purchase tools that simplify data breach attacks.
For example, account checkers are software, purchasable on the Dark Web, that validate whether a username is active. Phishing kits are downloadable tools containing prebuilt code so that cybercriminals can deploy an attack more easily. Additional tools include merchant checkers, automated attack scripts, and leaked shop scripts.
Dark web forums and social websites act as brokerages for sales of credentials. Cybercriminals know which forums to seek out, build their reputations, and share their wares. Although downloading dark web browsers may be easier in 2019, the 2018 article “Plug and Prey? Measuring the Commoditization of Cybercrime via Online Anonymous Markets” explains that “Commoditization allows these entrepreneurs to substitute specialized technical knowledge with ‘knowing what to buy’ - that is, outsourcing parts of the criminal value chain.” The dark web provides criminals with the connectivity of the surface web and the anonymity of the back room.
SecurityScorecard not only monitors for financial crime malware but also tracks dark web forums and websites for leaked credentials belonging to both customers and employees. One of the thirteen factors used in our security ratings is “hacker chatter.” A lower score for that factor sheds light on dark web conversations about an organization.
For financial institutions, merchants, and retailers, visibility into the supply chain can protect customer information. A single weak link in the supply chain can compromise data across the ecosystem. Thus, the insights from SecurityScorecard’s platform not only protect data security among business partners but provide assurance to customers as well.