News

Firms failing on PCI DSS

10 December 2009

Some 81% of organizations subject to the Payment Card Industry Data Security Standard (PCI DSS) were found to have been non-compliant before they suffered a data breach, according to a new study.

But according to the Risk team at telco Verizon Business, which published the findings, a “fairly new” threat in the shape of RAM scrapers is increasingly being used by online thieves to sidestep the PCI DSS rules that require card data to be encrypted: the scrapers read the data from memory, where it is handled in cleartext, so encryption on disk and on the wire does not protect it.

The company’s 2009 Data Breach Investigations Report found that 74% of security incidents were the result of external attacks. Those incidents accounted for 285 million compromised records over the year, mainly taken from online systems.

Only 20% of data breaches were caused by insiders, 32% by business partners and 39% involved multiple parties; the categories overlap because one breach can involve more than one actor. Some 67% of the incidents occurred because the attacker exploited errors made by the victim, 64% involved hacking and 38% involved malware; again the categories overlap, since most breaches combine several methods.

But in its 2009 Supplemental Report called Anatomy of a Data Breach, Verizon Business also pointed to the rising threat of RAM scrapers.

RAM scrapers work by scouring the volatile random access memory of point-of-sale systems, which process, store or transmit PINs and other credit card data and must hold that data in cleartext in memory while a transaction is being processed, whatever encryption is applied to it on disk or in transit. When the program finds such data, it captures it and uploads it to servers that are usually controlled by malicious outsiders but sometimes belong to trusted partners.

While the technology has been around for a few years, its use has now increased to the extent that it came in at number 14 in Verizon’s list of the 15 most common types of attack. Keyloggers and spyware ranked first, followed by backdoors and SQL injection.

RAM scrapers are often used in conjunction with other malware such as backdoors and command-and-control programs and have to date mainly been discovered in systems belonging to the retail and hospitality sectors.
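The scanning behaviour described above, as an added example that is not part of the original article or of Verizon’s report: a Python memory scanner that searches a buffer for magnetic-stripe track 1 and track 2 data and for bare card numbers, then uses the Luhn check digit to discard digit runs that are not card numbers. The logic is the same whether malware runs it against a live POS process or a defender runs it against a memory dump to check whether a POS application exposes cleartext card data. The `SAMPLE_MEMORY` buffer is constructed for the example and holds only the public Visa and Mastercard test numbers; the `luhn_ok`, `mask_pan`, `scan` and `Hit` names are the example’s own, not from any real scraper or forensic tool.

```python
"""Find cleartext payment card data in a memory buffer (added example).

A RAM scraper and a defender's memory-forensics sweep do the same thing:
look for magnetic-stripe track data or bare PANs in process memory and
keep only candidates that pass the Luhn check, so that random digit runs
such as batch ids or timestamps are discarded.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Track 1 as encoded on the stripe: %B<PAN>^<NAME>^<YYMM><service code>...?
TRACK1 = re.compile(rb'%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})')
# Track 2: ;<PAN>=<YYMM><service code>...?
TRACK2 = re.compile(rb';(?P<pan>\d{13,19})=(?P<exp>\d{4})')
# A bare 13-19 digit run with no stripe framing: lower confidence, so it is
# only reported when Luhn passes and it is not already part of a track hit.
BARE_PAN = re.compile(rb'(?<!\d)(?P<pan>\d{13,19})(?!\d)')


def luhn_ok(digits: bytes) -> bool:
    """True when the ASCII digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 0x30                      # ASCII digit to int
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: bytes) -> str:
    """Keep the first six and last four digits, as PCI DSS permits for display."""
    return (pan[:6] + b'*' * (len(pan) - 10) + pan[-4:]).decode()


@dataclass(frozen=True)
class Hit:
    offset: int             # byte offset of the PAN in the buffer
    kind: str               # "track1", "track2" or "pan"
    pan_masked: str
    exp: Optional[str]      # YYMM expiry when track framing supplied it


def scan(buf: bytes) -> List[Hit]:
    """Return every Luhn-valid card number found in buf, ordered by offset."""
    hits: List[Hit] = []
    covered: List[Tuple[int, int]] = []
    for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
        for m in rx.finditer(buf):
            pan = m.group("pan")
            if luhn_ok(pan):
                hits.append(Hit(m.start("pan"), kind, mask_pan(pan), m.group("exp").decode()))
                covered.append(m.span("pan"))
    for m in BARE_PAN.finditer(buf):
        start, end = m.span("pan")
        if any(a <= start and end <= b for a, b in covered):
            continue                       # already reported as part of a track
        if luhn_ok(m.group("pan")):
            hits.append(Hit(start, "pan", mask_pan(m.group("pan")), None))
    return sorted(hits, key=lambda h: h.offset)


# Constructed sample of what a POS process's heap can look like while a
# swipe is being authorised. PANs are the public Visa/Mastercard test
# numbers; the batch id is 16 digits but fails Luhn; the "enc:" blob stands
# for data encrypted at rest, which has no pattern to find.
SAMPLE_MEMORY = (
    b'\x00' * 16
    + b'POS_AUTH_REQ v2.1\x00'
    + b'%B4111111111111111^DOE/JANE^2512101123?'      # track 1, cleartext
    + b'\x00' * 8
    + b';5500000000000004=25121011234?'                # track 2, cleartext
    + b'\x00' * 8
    + b'batch_id=1234567890123456\x00'                # 16 digits, not a PAN
    + b'last_pan=4012888888881881\x00'                # bare PAN, no framing
    + b'enc:' + bytes(range(0x80, 0x90))               # ciphertext: nothing to match
    + b'\x00' * 16
)


if __name__ == "__main__":
    for h in scan(SAMPLE_MEMORY):
        print(f"{h.offset:#06x} {h.kind:<6} {h.pan_masked} exp={h.exp}")
```

Run against a real process dump instead of `SAMPLE_MEMORY` and any hits are exactly what a scraper on that host would collect, which is the check a PCI assessment of a POS application should include. The example only handles ASCII; real scrapers also look for UTF-16 and EBCDIC encodings, and they do so because encrypting the data on disk changes nothing here. The control that does remove the exposure is encrypting track data inside the card reader, so that the POS host never holds it in cleartext.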
