Verizon 2011 Data Breach Investigations Report: Breaches Increased Dramatically While Data Loss Was at All-Time Low

Cyber Criminals Shifting to Smaller, More Opportunistic Attacks; External Attacks, Especially Hacking, on Rise

April 19, 2011

NEW YORK – Data loss through cyber attacks decreased sharply in 2010, but the total number of breaches was higher than ever, according to the “Verizon 2011 Data Breach Investigations Report.” These findings continue to demonstrate that businesses and consumers must remain vigilant in implementing and maintaining security practices.

The number of compromised records involved in data breaches investigated by Verizon and the U.S. Secret Service dropped from 144 million in 2009 to only 4 million in 2010, representing the lowest volume of data loss since the report’s launch in 2008. Yet this year’s report covers approximately 760 data breaches, the largest caseload to date.

According to the report, the seeming contradiction between the low data loss and the high number of breaches likely stems from a significant decline in large-scale breaches, caused by a change in tactics by cybercriminals. They are engaging in small, opportunistic attacks rather than large-scale, difficult attacks and are using relatively unsophisticated methods to successfully penetrate organizations. For example, only 3 percent of breaches were considered unavoidable without extremely difficult or expensive corrective action.

The report also found that outsiders are responsible for 92 percent of breaches, a significant increase from the 2010 findings. Although the percentage of insider attacks decreased significantly over the previous year (16 percent versus 49 percent), this is largely due to the huge increase in smaller external attacks. As a result, the total number of insider attacks actually remained relatively constant.

Hacking (50 percent) and malware (49 percent) were the most prominent types of attack, with many of those attacks involving weak or stolen credentials and passwords. For the first time, physical attacks — such as compromising ATMs –appeared as one of the three most common ways to steal information, and constituted 29 percent of all cases investigated.

For the second year in a row, the U.S. Secret Service collaborated with Verizon in preparing the report. In addition, the National High Tech Crime Unit of the Netherlands Policy Agency (KLPD) joined the team this year, allowing Verizon to provide more insight into cases originating in Europe. Approximately one-third of Verizon’s cases originated in either Europe or the Asia-Pacific region, reflecting the global nature of data breaches.

“Through our Data Breach Investigations Report series, Verizon continues to provide the industry with a first-hand look at cybercrime around the globe,” said Peter Tippett, Verizon’s vice president of security and industry solutions. “This year, we witnessed highly automated and prolific external attacks, low and slow attacks, intricate internal fraud rings, countrywide device-tampering schemes, cunning social engineering plots and more. And yet, at the end of day, we found once again that the vast majority of breaches can be avoided without extremely difficult, expensive security measures.”

Tippett added: “It is important to remember that data breaches can happen to any business — regardless of size or industry — or consumer, at any place in the world. A good offense remains the best defense. It is imperative to implement essential security measures broadly throughout your security infrastructure, whether that is a small home setup or an expansive enterprise infrastructure.”

U.S. Secret Service Assistant Director A.T. Smith said, “Americans over the past several years have seen the significant impacts data breaches are having on our nation’s financial infrastructure. Today cyber criminals are operating in nearly every civilized nation in the world, exposing Americans’ personal information, either stored or transmitted, to substantial risk.”

Smith added, “By participating in the Verizon 2011 Data Breach Investigations Report, the Secret Service is working closely with our private-sector partners to educate Americans about the threats of cyber criminals. With the help of our Electronic Crimes Task Force partners, such as Verizon, we are studying technologies and trends to prevent and mitigate attacks against critical financial infrastructure.”

The Data Breach Investigation Report (DBIR) series now spans seven years and more than 1,700 breaches involving more than 900 million compromised records, making it the most comprehensive study of its kind.

(NOTE: Additional resources supporting the 2011 Data Breach Investigations Report are available, including high-resolution charts and an audio podcast. B-roll available upon request.)

Key Findings of the 2011 Report

Data from the 2011 report shows that:

  • Large-scale breaches dropped dramatically while small attacks increased. The report notes there are several possible reasons for this trend, including the fact that small to medium-sized businesses represent prime attack targets for many hackers, who favor highly automated, repeatable attacks against these more vulnerable targets, possibly because criminals are opting to play it safe in light of recent arrests and prosecutions of high-profile hackers.
  • Outsiders are responsible for most data breaches. Ninety-two percent of data breaches were caused by external sources. Contrary to the malicious-employee stereotype, insiders were responsible for only 16 percent of attacks. Partner-related attacks continued to decline, and business partners accounted for less than 1 percent of breaches.
  • Physical attacks are on the rise. After doubling as a percentage of all breaches in 2009, attacks involving physical actions doubled again in 2010, and included manipulating common credit-card devices such as ATMs, gas pumps and point-of-sale terminals. The data indicates that organized crime groups are responsible for most of these card-skimming schemes.
  • Hacking and malware is the most popular attack method. Malware was a factor in about half of the 2010 caseload and was responsible for almost 80 percent of lost data. The most common kinds of malware found in the caseload were those involving sending data to an external entity, opening backdoors, and keylogger functionalities.
  • Stolen passwords and credentials are out of control. Ineffective, weak or stolen credentials continue to wreak havoc on enterprise security. Failure to change default credentials remains an issue, particularly in the financial services, retail and hospitality industries.

Recommendations for Enterprises

The 2011 report found again that the prescription for data breaches is to use simple, essential security practices such as:

  • Focus on essential controls. Many enterprises make the mistake of pursuing exceptionally high security in certain areas while almost completely neglecting others. Businesses are much better protected if they implement essential controls across the entire organization without exception.
  • Eliminate unnecessary data. If you do not need it, do not keep it. For data that must be kept, identify, monitor and securely store it.
  • Secure remote access services. Restrict these services to specific IP addresses and networks, minimizing public access to them. Also, ensure that your enterprise is limiting access to sensitive information within the network.
  • Audit user accounts and monitor users with privileged identity. The best approach is to trust users but monitor them through pre-employment screening, limiting user privileges and using separation of duties. Managers should provide direction, as well as supervise employees to ensure they are following security policies and procedures.
  • Monitor and mine event logs. Focus on the obvious issues that logs pick up, not the minutia. Reducing the compromise-to-discovery timeframe from weeks and months to days can pay huge dividends.
  • Be aware of physical security assets. Pay close attention to payment card input devices, such as ATMs and gas pumps, for tampering and manipulation.

A complete copy of the “Data Breach Investigations Report” is available for download.

About Verizon
Verizon Communications Inc. (NYSE, NASDAQ:VZ), headquartered in New York, is a global leader in delivering broadband and other wireless and wireline communications services to mass market, business, government and wholesale customers. Verizon Wireless operates America’s most reliable wireless network, serving 94.1 million customers nationwide. Verizon also provides converged communications, information and entertainment services over America’s most advanced fiber-optic network, and delivers innovative, seamless business solutions to customers around the world. A Dow 30 company, Verizon employs a diverse workforce of more than 194,000 and last year generated consolidated revenues of $106.6 billion. For more information, visit www.verizon.com.

Former Holy Cross employee convicted of identity theft

A Holy Cross Hospital emergency room clerk was convicted for her crimes as part of an identity theft ring. The employee copied patient records which were subsequently used to open credit card accounts. The US Postal inspection Service was alerted after employees noticed debit card mailings with different names being sent to the same address.  Over 525 pieces of mail addressed to a variety of names were found.  See prior article Identity theft at Holy Cross Hospital and securing payments.
Identity theft crime is rampant in South Florida, and this Fort Lauderdale hospital is not alone with data breach risk exposure. A local county hospital completes the intake process for outpatient procedures with semi-private barriers. I.D. is validated and everything done at the desk …except processing the credit card. The employee walks away out of view to swipe the card. Nearby I later learned is a copier. Does this make sense to you?

I contacted the District CFO to inform of the risk and offer a solution. No reply yet. Whether I hear back or not, I sure hope they fix this problem before they have a data breach too.

 

 

Are you complying with the Red Flags Rule?

The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs — or “red flags” — of identity theft in their day-to-day operations. Below are excerpts that pertain to businesses that probably are not aware they fall under the Red Flags Rule.

What types of businesses and organizations are covered by the Red Flags Rule?

    The Rule applies to both  “financial institutions” and “creditors.” It’s important to look closely at how the Rule defines those terms because they apply to groups that might not typically use those words to describe themselves. Whether your business or organization is a financial institution or creditor isn’t based on the line of work you’re in, but rather on whether your activities fall within the definitions in the law. The Red Flags Rule gives examples of businesses and organizations that probably are covered, but the list isn’t exhaustive. 

    Under the Rule, the definition of “creditor” is broad, and includes businesses or organizations that regularly provide goods or services first and allow customers to pay later. Examples of groups that may fall within this definition are utilities, health care providers, lawyers, accountants, and other professionals, and telecommunications companies. The definition also covers businesses or organizations that regularly grant loans, arrange for loans or the extension of credit, or make credit decisions. Examples include finance companies, mortgage brokers, and automobile dealers or retailers that offer financing or collect or process credit applications for third party lenders. In addition, the definition includes anyone who regularly participates in the decision to extend, renew, or continue credit, including setting the terms of credit. For example, a third-party debt collector who regularly renegotiates the terms of a debt would be a creditor under the Rule.

RED FLAG RULE FAQ

Do all creditors and financial institutions need to have a written Identity Theft Prevention Program?

    If you have covered accounts, you must develop and implement a written Program to detect and respond to the red flags of identity theft — taking into consideration the nature of your business and the risks you face — and update your Program periodically. If you don’t have any covered accounts, you don’t need a written Program, but you still need to conduct periodic risk assessments to determine if you’ve acquired any covered accounts through changes to your business.

Only creditors and financial institutions that have “covered accounts” need a Program. Once you’ve determined you’re a creditor or financial institution under the Red Flags Rule, the next step is to figure out if you have any covered accounts. The Rule defines that term as either: 1) consumer accounts designed to permit multiple payments or transactions, or 2) any other account that presents a reasonably foreseeable risk from identity theft.

Am I a creditor under the Rule if I extend credit to other businesses?

    Yes, you’re a creditor whether you have consumer or business customers.
    It depends. If you’re a creditor with only business-to-business accounts, you have to assess whether those accounts pose a reasonably foreseeable risk from identity theft. If they do, they’re “covered accounts” under the Rule.

Do I have covered accounts if I’m a business creditor?

Are you covered by the Red Flags Rule? Download the PDF Fighting Fraud with the Red Flags Rule: A How-To Guide for Business to:

By identifying red flags in advance, you’ll be better equipped to spot suspicious patterns when they arise and take steps to prevent a red flag from escalating into a costly episode of identity theft. Take advantage of other resources on this site to educate your employees and colleagues about complying with the Red Flags Rule.

Fighting Fraud with the Red Flags Rule: A How-To Guide for Businesses PDF All About Red Flags Video Do-It-Yourself Template for Businesses at Low Risk PDF

Verifone speaks out about Square mobile payment security

Verifone’s CEO email blasted notices about the Square mobile payment lack of security this week, even creating a web site to futher describe the issue. Basically Square users can turn phones into card skimmers.

“The issue is that Square’s hardware is poorly constructed and lacks all ability to encrypt consumers’ data, creating a window for criminals to turn the device into a skimming machine in a matter of minutes,” states CEO Douglas G. Bergeron. Further, “A criminal signs up with Square, obtains the dongle for free and creates a fake Square app on his smartphone. Insert the dongle into the audio jack of a smartphone or iPad, and you’ve got a mobile skimming device that fits in your pocket and that can be used to illegally collect personal and financial data from the magnetic stripe of a payment card. It’s shockingly simple.”

Consumers need to beware who they are doing business with as mobile payments grow. If you don’t know the person or the company, avoid giving your card information out. Just like at the store, consumers don’t know who a merchant is processing with so it boils down to trust.

Acceptable alternate solutions we offer are PAYware Mobile, RoamData, and our own CenPOS mobile solution.  CenPOS mobile eliminates fraud by both users and devices:

  1. Admin can shut down any user remotely, immediately disabling the employees’ ability to process any transactions.
  2. The swipe device encrypts at the point of magnetic reader.
  3. Coming soon: swipe device encryption key to  CenPOS platform. Lost or stolen card readers will be useless outside CenPOS.

3D Merchant offers mobile payment services to CenPOS clients and also merchants processing at least $1,000,000 annually.

 

How can a merchant block cloned credit cards?

What can a merchant do to prevent losses resulting from the booming black market of identity theft rings buying and selling personal credit card information? The retail card present and ecommerce or MOTO transactions require different preventative measures to block cloned cards.

In the retail environment, the top method is for the cashier to re-enter the last 4 digits. This is a check to make sure the magnetic strip data matches the imprint on the front of the card. Scammers don’t make thousands of unique cards each with matching customer data. They typically are programming the magnetic strip data only.

A skilled con artist may try to get a cashier to key enter the transaction with some story about a problem with the mag strip, before the cashier even swipes the card. Don’t be fooled. Cashiers should never take the customers word for it. They should always swipe first. If the strip is bad, the machine will prompt to re-swipe. This is a critical decision point! If the strip really is bad, what preventative measures do you have in place to protect your company?

  • This is a key entered face to face transaction. The signed receipt must be presented to prevent a future chargeback. Can you find them when you need them?
  • Do you allow all cashiers to key enter any transactions? How would you know if someone key entered a $5000 transaction? Are you comfortable with that?

In the card not present environment, the top method is to verify CVV also known as the security code. Cloned cards do not have matching security codes because that is not data they can obtain. Address verification may be required to prevent chargeback’s. MOTO and ecommerce requirements do have some variances.

Do you want an alert if a transaction over a certain dollar amount, say $500, is key entered? Do you want to check for address, but only require it for transactions over a certain amount? With our universal hosted payment processing solution, there are hundreds of ways for merchants to manage risk parameters, including setting automated alerts.

A critical difference in our system for retailers is LOGICAL INTELLIGENCE. If the cashier has been given privileges to key enter transactions, then the system will automatically switch from prompting for the last 4 digits to prompting for the zip code. The merchant can control the maximum amount the cashier is allowed to key enter, and whether they want email alerts sent to management. If signature capture terminals are in place, the customer is prompted for the signature, which can be readily retrieved in the event of a chargeback dispute. (Note- all these parameters are controlled by the merchant. For example, if you don’t want to prompt for the last 4 digits, you don’t have to.)

Want to find out more? Read the CenPOS overview and request information.