Sadly, using bank cards at places such as shops, restaurants and bars (you know, actually spending the money you earned) puts you at serious risk of having your information stolen in data breaches.
This could then lead to your money being stolen via carding and mules.
At least, that’s the case if you’re in the US, or any other region which has been slow to adopt ‘Chip and PIN’ or similar variants of EMV payment card security.
The retail and ‘food and beverage’ sectors are prime targets for hackers, with lots of fresh card data passing through and generally poor security measures in place.
Outsourcing IT security to under-skilled and under-engaged third parties, sloppy password policies and vulnerable outward-facing interfaces make this enticing data easy pickings for the bad guys.
I’ve been ploughing through Trustwave’s annual security report. I’m a bit of a glutton for annual reports, usually pigging out around Christmas time with the feast of year-end summaries.
This epic offering is a little different from my standard diet, and not just thanks to its mid-year arrival. Trustwave is big player in PCI compliance, penetration testing and post-data breach forensic investigation.
So, in and amongst the usual stats on prevalent malware families and spam rates are some juicy morsels from their research into companies which have actually been breached and robbed of their data.
Their figures show that the bulk of companies they have been called in by are in the retail (45%) and food and drink (24%) industries, with ‘hospitality’ a distant third (9%).
Here’s the breakdown from the report:
Of course, there’s room for some sampling error here, as there may be bias in the types of companies which call them in, but those numbers look pretty significant.
Almost all breaches go after customer data, with a pretty equal split between attacks targeting ecommerce and web installations and those which go after point-of-sale or payment processing systems.
Some 63% of issues were put down to third-party support or IT service providers, with 47% of breaches facilitated by inadequately protected remote access systems. Many of these were thanks to default or too-obvious passwords.
In Europe, where EMV has long been the standard for bank cards, point-of-sale (POS) is barely targeted at all.
The chip system makes it too hard to clone usable cards with data harvested at the POS. So the main targets are often small (and thus under-secured) web traders and ‘card not present’ transactions.
The US continues to put off the transition though.
Shifting liability from the banks and card companies to merchants and ATM operators – i.e., putting the pressure on them to switch to more secure systems – is not planned to start there until 2015.
That’s a full decade after Europe and much of the rest of the world – while Canada, Australia and New Zealand are just going through the process now.
It’s bad enough being nervous about handing your card details to unknown websites. We really should be able to feel safe physically swiping our cards in stores and cafes.
EMV may not be perfect, but it’s clearly helped a lot where it’s been implemented.
For now, I think I’ll carry on using cash wherever possible in the US – although of course, that’s not going to help me if the ATM system gets hacked…