Verizon: Retail Data Breaches Typically Discovered By Accident
Written by Evan SchumanIn its annual report of retail data breach statistics, the forensic analysis group at Verizon Business details a series of stats that essentially verify what most retail IT execs already knew. This year is no exception, with evidence of breaches that are discovered by accident when they’re discovered at all, successful attacks that used remarkably little sophistication and PCI holes galore.
But there’s something about seeing these conventional wisdoms substantiated with statistics that is comforting, along the lines of “Hey! We were right. But we’re also royally screwed.” With that in mind, some of the more delicious details from this new report, which was published Wednesday (April 15).
This shouldn’t surprise anyone, but how closely the non-compliance aligns with difficulty level is intriguing. PCI requirements 3 (protect stored data), 6 (develop and maintain secure systems and applications) and 10 (track and monitor all access to network resources and cardholder data) were the least complied with, coming in respectively at 11 percent, 5 percent and 5 percent.
“When one considers the prevalence of unnecessary and/or unknown data stores, frequency of SQL injection attacks, and lengthy compromise-to-discovery periods discussed extensively in this (and our last) report, this finding is hardly surprising,” the report said. “This trio of deficiencies factored heavily into many of the largest breaches investigated by our team over the past five years. Unfortunately, these statistics—and those discussed earlier regarding the low utilization of discovery and detective controls—suggest that attacks exploiting these areas will continue to be a challenge for the foreseeable future.”
Even more frightening are some of the requirements that fared better. For example, “Do not use vendor-supplied defaults for system passwords and other security parameters” fared the second-highest—which is great—but it was observed by only 49 percent of breached merchants. Yes, that means that most of the chains (51 percent) were still using vendor defaults. *sigh*
The most compliant requirement—”Encrypt transmission of cardholder data and sensitive information across public networks”—was mastered by 68 percent. That means that roughly one-third (32 percent in this case) of the breached merchants had been sending cardholder data in the clear over the Internet. Five percent or ten percent would be bad enough, but a full third? Something’s very wrong out there.
More than 75 percent “of organizations suffering payment card breaches within our caseload were found not compliant with PCI DSS or had never been audited. This status was not determined by our Investigative Response team but rather by the victim’s attestation or Qualified Security Assessor (QSA).”
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
