Stay in Touch
Sign up to our newsletter to stay informed about PCI compliance news, and updates regarding new PCI Booking features.
by PCI Booking – October 23rd, 2019
Year on year we continue to see cybercrime incidents increase. In 2019, there was a 54% increase in the number of data breaches. The cost of a data breach are massive: The average in the last year being around $3.92 million per incident.
We have to stop and ask ourselves, why is cyber-crime still so successful? Why has the security industry not been able to stop cyber-criminals in their tracks?
One of the key reasons for the continuing war of one-upmanship we play with cybercriminals is because they use a technique known as ‘social engineering’.
Social engineering is all about manipulating natural human instincts and behavior. When you receive an email that has an urgent offer like, “click now to win!” the email content is attempting to elicit a knee-jerk, instinctive, reaction. Marketing campaigns use this type of technique, and so do cybercriminals.
Social engineering is often behind many of the data breaches and other cyber-attacks, like Distributed Denial of Service (DDoS), we are experiencing. The International Association of Privacy Professionals (IAPP) outlined the situation in a recent blog post which discussed how unintentional human actions are behind most data breaches.
To explain what social engineering is, we can look at two examples. These show the type of tactics used to steal data or install malicious software. Tactics which ultimately lead to financial and personal data theft and subsequent fraud. Data loss can be direct, such as a consumer entering information into a malicious website. Alternatively, a compromised privileged account, such as that of an admin user, can result in database access to large amounts of customer data.
This is perhaps the most well-known way that social engineering is expressed. A phishing email’s ultimate purpose is to either steal data and/or infect a computer with malware; which in turn, can be used to steal data. Typically, phishing emails use tactics such as trust, urgency, ‘Fear of Missing Out’ (FOMO), rewards and offers, and so on. Any trick that gets a recipient to click a link or download an attachment will be used.
For example, a cybercriminal may mockup an email using a popular and trusted brand, such as PayPal. The email will attempt to get the user to click a link or download an attachment using tricks like concern and urgency. For example, “Paypal has closed your account as it has been hacked; click here to re-activate it”. If the recipient clicks on the link in the email, they will be taken to a website that is also branded as PayPal. This website will either be a carrier for malware or will attempt to collect personal information.
Spear phishing is a particularly insidious and difficult to detect version of phishing. Spear phishing emails target specific users and tailor emails to look highly legitimate. The Yahoo breach which exposed over 1 billion accounts, is believed to have started with a spear phishing email.
In 2018, 83% of companies experienced a phishing campaign according to a Proofpoint survey, State of the Phish Report 2019.
Even Google Calendar is being used to steal data. Kaspersky recently detected a scam where data, including financial details, were the target. The scam involved the use of a Google Calendar option used to add event invites to another person’s calendar. On the day of the event, the calendar alert opens. The event contains an ‘exciting’ offer, such as taking a survey to claim a cash reward. The survey has a link which takes the user to a website where they are asked to enter personal details. These details are then sent to the fraudster to be used to perpetrate fraud and/or sell onto other fraudsters.
A survey by KnowB4 found that 97% of malware infections are targeted using social engineering. The popularity of this tactic comes from the fact that social engineering is very successful when it comes to data theft. Social engineering that targets both individuals and corporate accounts, is on the increase. A single focused phishing email can potentially open the door to a billion accounts and all of the data therein. If payment details are contained in an account, this can result in major financial losses. Finance is a common target for phishing scams and retail and eCommerce are amongst the top three industries at risk from phishing.
Fighting back means having the right measures in place. Phishing and other social engineering scams will continue to challenge our organizations. Whilst we can take certain actions, such as training individuals about tell-tale signs of phishing, cybercriminals continue to create ever-more sophisticated social engineering tricks. We always have to keep at least one step ahead of these tactics to protect customer data.
One of the most powerful ways to prevent data breaches that originate from social engineering is to remove the carrot, aka the data. If the data is not stored, there is nothing to steal.
With PCI Booking no payment details are stored on the merchants system. Instead, we tokenize payment card information. It is never stored in cleartext. So, if the worst happens and your organization is breached, hackers won’t get access to any customer payment information.
Social engineering may well be the greatest challenge in the history of cybersecurity. The use of our own behavior as a way to initiate data theft is cunning, to say the least. It may seem an almost impossible task to stop social engineering attacks altogether. This is why we need to use layers of protection to manage cyber-attacks that emanate with our staff and our customers. The use of systems like PCI Booking to remove the need to store data, helps us in the quest to be more secure. Removing the opportunity for cybercrime, by playing cybercriminals at their own game and removing the object of their focus, is a forward step in the fight against fraud and other cybercrimes. We may not be able to change our natural instincts, but we can make sure our data cannot be stolen because it is not there in the first place.