Report Reveals Financial Cybercrime Ecosystem and Outlines Payment Card Fraud Areas of Compromise
New York, NY - April 24, 2019 – SecurityScorecard, the leader in security ratings, today released a new report titled Payment Card Fraud & the Financial Crime Ecosystem. SecurityScorecard’s threat intelligence team analyzed Dark Web marketplaces, forums and other vehicles for acquiring payment card data and identified a variety of methods cybercriminals employ to steal cardholder data from financial services institutions, merchants and others.
Despite the increase in compliance requirements, fraud and security incidents continue to occur with growing frequency. In fact, Dark Web marketplaces continue to keep pace with the mitigations that the financial industry attempts to put in place. Just as merchants and payment processors use third-party vendors to enable business operations, the underground marketplace relies on its own network of third-party vendors to do the same. As a result, the entire financial services ecosystem is fraught with countless forms of payment card fraud risk.
“The underground ecosystem works similarly to legitimate businesses, even though it services semi-organized criminal groups,” said Alex Heid, Chief Research Officer, SecurityScorecard. “In addition to stealing cardholder data, cybercriminals are tasked with monetizing the data within this criminal ecosystem. Much like legitimate business, the success of these endeavors is based on reputation and previous experiences. Financial services organizations need to have a solid understanding of this underground ecosystem to create a comprehensive strategy for protecting cardholder data and minimizing institutional losses that originate from fraud.”
Sample of Sources of Compromised Data:
- Hardware Skimming: Hardware skimming occurs when criminals install Bluetooth-based “skimmers” on point of sale (POS) devices or ATMs.
- Hacked & Leaked Databases: Cybercriminals target enterprise databases that store payment data through a variety of techniques. In addition to finding unprotected database servers on the public internet, hackers also leverage SQL injection attacks against vulnerable web applications to siphon sensitive data.
- POS Malware: For brick-and-mortar merchants, post-exploitation network sniffing malware is often leveraged to extract data being swiped by customers on point-of-sale workstations.
- WebApp Malware: For e-commerce merchants that do not handle payment data, attackers have been observed injecting arbitrary code into checkout forms that will store/transmit the submitted data back to the attacker. This means even if an e-commerce shop is not storing card data, if their website is hacked, an attacker can log all data being input by the customer into checkout forms.
Headquartered in the heart of New York City, SecurityScorecard's vision is to create a new language for measuring and communicating security risk. The company was founded in late 2013 by Dr. Aleksandr Yampolskiy and Sam Kassoumeh, two former cybersecurity practitioners who had served, respectively, as Chief Information Security Officer and Head of Security and Compliance. With cloud solutions becoming an increasingly integral part of the security technology stack, Yampolskiy and Kassoumeh recognized the need to address third- and fourth-party risk as well as better understand the security capabilities of their business partners. Since its founding, the company has grown dramatically and now counts hundreds of leading brands as customers. SecurityScorecard is backed by leading venture capital investors including Sequoia Capital, GV, NGP Capital, Evolution Equity Partners, Boldstart Ventures, and AXA Venture Partners, among others. For more information, visit securityscorecard.com.