48% of e-tailers hit by financial information loss

Research just published claims that online merchants and financial service providers have become the two biggest sources of stolen banking information.

Card fraud: accusing fingers being pointed

According to the Kaspersky Lab research, 48 percent of e-commerce/online retail businesses and 41 percent of financial services organisations have reported losses of financial information due to cybercriminal activity.

The problem, says the report, is that targeted attacks, application vulnerabilities and other forms of cyberattack are all contributing factors to the loss suffered by almost half of the businesses in these sectors. Coming in the wake of a litany of online retailers hit by card credential data losses - which started with the Target breach of late last year - many might say the report is stating the obvious.

However, delving into the report reveals that the least-common step taken by both financial service providers and e-commerce/online retailers following a data breach was to provide free or discounted versions of premium Internet security software to their customers.

So how bad is the problem?


The analysis notes that one in every five (20 percent) of respondents reported that their company had lost intellectual property - this was two percentage points higher than last year's initial research.

The percentage of those who indicated that a data breach had led to the loss of data about payments from corporate accounts, meanwhile, changed only slightly (11 percent compared to 10 percent in 2013).

In seven percent of cases, says the 2014 report, third parties were able to get their hands on the data required to access those accounts.

It's not all doom and gloom with the analysis, however, as the report notes that organisations are developing a better understanding of what is behind existing data security risks - and how to protect themselves against specific risks, rather than the broader idea of malware in general.

Because of the issues raised in the report, Kaspersky Lab says that installing good antivirus software is now a must when it comes to protecting company workstations.

But equally important, it adds, is the use of good security software for monitoring and promptly patching vulnerabilities - providing protection against DDoS attacks and targeted attacks, as well as protection for corporate mobile devices, among other things.

On top of this, the report concludes that security software does not mean much without effective security policies in the organisation.

"In order to prevent accidental leaks, companies need to boost the level of data security awareness among employees. In particular, this means building a stronger understanding of working with and handling corporate information stored on mobile devices. Security policies setting out an employee's responsibilities and accountability when it comes to the disclosure of confidential information is yet another action that can considerably boost the level of corporate data security," notes the analysis.

Whilst the conclusions from Kaspersky's report are valid enough, given the company's vested interest in promoting use of anti-virus software, a key question is whether the underlying data is also valid. Keith Bird, managing director with fellow security vendor Check Point, confirms the analysis.

"Attacks against big-name retailers and financial firms have stepped up over the past year, because the data they hold is a goldmine for hackers," he said.

"However, our 2014 Security Report found that the incidence of PCI (Payment Card Industry) data loss events from these types of organisation reduced slightly to 33 percent, compared with 36 percent in 2012.

"So as the attacks increase, security awareness is growing too, to try and close the gaps that hackers exploit. Defences are getting stronger," he explained.

According to independent security researcher Brian Krebs - who has been researching retailer card fraud in some depth, as well as monitoring the data for sale on so-called carder forums - the Home Depot card breach of last week is just one of many attacks.

The thieves who are perpetrating card fraud, he says, are capitalising on the wealth of card information stolen from Home Depot customers and being sold in cybercrime shops online.

"Those same crooks also are taking advantage of weak authentication methods in the automated phone systems that many banks use to allow customers to reset the PINs on their cards," he says.

Krebs goes on to quote Avivah Litan, a fraud analyst with Gartner, as saying that some of the world's largest banks have begun moving away from so-called knowledge-based authentication for their voice response systems and over to more robust technologies - such as voice biometrics and phone printing.