In light of the news that Mastercard, WorldPay and Amex were among the payment processors who took part in a ‘cyber war game’, in a bid to test their systems amid rising IT security threats, please see below a comment from David Emm, Principal Security Researcher at Kaspersky Lab.
David Emm, Principal Security Researcher at Kaspersky Lab:
“It’s interesting to see that payment processors are actively testing their systems to see how prepared they are for a cyber-attack. In today’s digital age, online fraud is a very real threat. With almost every area of our daily lives now online, fraudsters are using a host of sophisticated and varied cyber-threats to target victims, and make them drop their guard. There are a variety of different types of credit card fraud; from combining cold-calling with phishing emails to targeted attacks that are being initiated through payment system endpoints and through the exploitation of customers’ credentials and confidential data.
Since the introduction of EMV (chip cards), theft by duplicated credit cards has dramatically reduced with more fraud shifting online. There are still some attempts at card duplication of course, but as more countries have moved to chip cards, this is a high effort attack for lower returns. The volume of cards that can be compromised is likely lower than in a cyber-based attack, plus using a physically copied card attracts more risk of being caught as someone may notice the card looks fake. We are also seeing cybercriminals shifting their focus to account-based attacks. While account takeover fraud is by no means new, fraudsters are increasingly focusing their efforts on this attack type – it can be more profitable as they can trade on the customer’s good reputation, plus the availability of customer data and credentials is higher than ever – thanks to the continued success of data breaches and social engineering attacks.
Cybercriminals are always looking for an ‘angle’, i.e. something that might increase the likelihood that they will get a return on their investment. No sector can consider itself protected and must regularly review its security procedures. Specific measures will always vary depending on the organisation and the role of an employee, however, the core elements should remain the same. Examine the possible risks and evaluate how an individual and the potential to be manipulated can become a risk for business. This process should also review physical security and look at how to protect sensitive corporate data. Fraud prevention efforts are often focused on stopping fraudulent transactions, but more impact could and should be made in reducing fraud – cybersecurity and fraud need to continue to converge with better communication across internal teams to identify attempted attacks sooner e.g. identify and take action as soon as there is an unusual access attempt.”