Restaurants a hotbed of credit-card data theft


Saturday, April 7th, 2007

Credit card details are more likely to be stolen from eateries or small merchants than online, report says

Gillian Shaw
Sun

Credit-card information is the treasure of choice for today’s hackers and in the past year they have stepped up attacks that are draining hundreds of millions of dollars from corporations and individuals, according to BT Counterpane’s 2006 Attack Trends Report and 2007-2008 Crystal Ball forecast.

And while consumers worry about using their credit cards online, the reality is they face a greater risk when they use their cards at a restaurant or other brick-and-mortar merchant, says another report by AmbironTrustWave, a Chicago-based security company that conducts security audits for merchants.

Restaurants were found to offer a particularly lucrative trolling ground for credit-card fraudsters. An AmbironTrustWave review of security breaches over the past 18 months found that 62 per cent came from the food service industry.

“It was always assumed the greatest risk was ecommerce websites, whereas nowadays we are seeing more risk with merchants that don’t necessarily have an ecommerce website, but they may be connected to the Web,” said Mike Petitti, senior vice-president with AmbironTrustWave. “Largely, when we see a lot of breach cases at very small merchants, it has typically to do with the tools they are using or the third parties they are working with — the tools such as the point-of-sale application or the point-of-sale terminal.

“A merchant may say, ‘I have a very unsophisticated environment, I don’t have a website,’ and they may feel immune to the hacker out there surfing the Net, but the reality is they are just as vulnerable, if not more vulnerable, than a major ecommerce website.”

Restaurants’ credit-card customers aren’t the only ones at risk. Debit-card users can also be targeted by data thieves, as evidenced by last month’s incident at a Delta McDonald’s.

A debit-card machine was reported stolen from the McDonald’s Express in Scottsdale Centre’s food court. Delta Police spokeswoman Const. Sharlene Brooks said that its investigators believed there were “in excess of 100 victims” after a number of people reported money had been withdrawn from their accounts.

McDonald’s Canada said at the time there was “no confirmation of the source of this potential breach” and “until all the facts are determined, we would caution anyone from jumping to conclusions.”

McDonald’s Canada later issued a new statement saying: “We regret the inconvenience caused by this situation and encourage anyone who has concerns to contact their financial institution.”

BT Counterpane is reporting an upsurge in attacks.

“Over the past two years — and especially in the last 12 months — we estimate, based on real-world experience, that financially motivated criminal attacks have risen fivefold and have resulted in the loss of millions of data records worldwide relating to individuals, hundreds of millions of dollars in direct financial losses, and many billions more in indirect losses in areas such as reputation and remediation,” Doug Howard, chief operating officer, and Bruce Schneier, chief technology officer of BT Counterpane, said in their Attack Trends report.

The thieves may be motivated by other goals, but primarily they are seeking credit-card information and other data that’s key to the identity-theft business.

“While corporate trade secrets are an occasional target, the primary target of choice is credit-card information and personal data that can be used to commit identity theft,” Howard and Schneier said, adding that the ease of gaining access to the information can determine the targets.

The proliferation of fraud shows the perpetrators are ready to steal the information wherever they can find it.

“In a typical security breach at a restaurant, an attacker will steal cardholder information for approximately 40,000 cards — a far greater number than just a typical skimming incident,” AmbironTrustWave said in its restaurant report. “And the individuals involved in these types of thefts are more than just rogue waiters.

“In many instances these attackers work for a larger international organization that uses the stolen information to create counterfeit credit cards.”

Doug Howard at Counterpane said there is no doubt the smaller operations are putting fewer resources into the protection of their assets.

“I would argue that big companies should be able to apply more security because they have more money to apply to it. The worst position to be in is a single restaurant that keeps all the credit card information locally.”

Skimming, or the practice of using a skimming device to record the information on the magnetic strip on a credit card, is still going on even though more sophisticated criminals opt for the larger volume returns that come with hacking into databases.

Michael D’Sa, senior manager, data security and investigations at Visa Canada, said criminals will pay restaurant employees to skim the cards or even go as far as taking restaurant jobs themselves to gain access to the information.

“Some of these skimming incidents are more domestic criminal groups,” said D’Sa. “It is still worth their while because they can pull in 200 accounts in a day.”

Howard points out the impact can go beyond the immediate financial loss, affecting the targeted company’s relationship with both the credit-card companies and consumers.

“One of the things we’ve seen overall is an increased attitude towards the retailers that they are not doing a good job,” said Howard. He said while the merchants could be hit with fines, the more effective consequence is the potential loss of the credit-card business.

“That is definitely the bat they (credit-card companies) hit them over the head with — ‘I won’t let you do transactions any more,’” said Howard.

D’Sa said that while Visa prefers to educate and inform merchants to help them safeguard against credit-card fraud, the company will act if a merchant or restaurant is failing to protect cardholder information.

“If there are incidents where we find merchants, restaurants, even processors — anybody who is in gross violation of our security requirements — we have the right to terminate their ability to accept or process Visa transactions,” he said. “In the past we have invoked that right.

“That is the ultimate penalty.”

Consumers can also be unforgiving. Howard cited a study that found 40 per cent of consumers surveyed said they might discontinue a relationship with a vendor if their credit card was compromised by that company. Another 20 per cent said they had already stopped doing business with a company over that.

The credit-card industry has introduced a new chip technology in an effort to thwart credit card fraud. Trials of the chip cards are under way in Canada with full roll-out expected to be complete by 2010. Instead of swiping a card with a magnetic strip, card holders will have a card with a computer chip embedded in it and they will have to enter a personal identification number at the point of sale.

While the chip cards won’t prevent criminals using stolen identity information from obtaining new credit cards, D’Sa said the technology does address the largest category of credit-card fraud, which is counterfeiting.

“The data is encrypted on the chip so it is virtually impossible to copy,” he said.

The new technology also addresses the lost and stolen card category, which accounts for 14 per cent of the losses. Card users will have to know a PIN, just as with a debit card, so someone using a stolen card won’t simply be able to try faking a signature to get a card accepted.

© The Vancouver Sun 2007

 


