By Andrew Fulwood, Information Security Technician
As vast numbers of new devices connect to the internet every day, so does a group of nefarious ne’er-do-wells… fraudsters. The underground culture of hackers and thieves grows larger and larger as technology advances, while cyberthreats continue to come from every angle. And as the amount of data that lives online presses upward, cybercriminals are only becoming more accustomed to stealing sensitive data.
Securityweek.com argues that with “a rich ecosystem that provides supporting infrastructure, malware and money services, even less sophisticated actors can turn a profit… We’ve seen an influx of extremely professional online tutorials designed to educate bad actors on the latest fraud tactics and tools; complete with webinars, instructors and reading material.”
You read that right—not only is it possible for cybercriminals to take classes on how to steal credit card information, but it is also becoming more feasible to do so because of an underlying “rich ecosystem” that provides them with everything they need! It’s quite a scary scene to imagine that with so many things working in the favor of fraudsters, it’s almost as if credit card data is being wrapped up in a bow and placed out in the open to be stolen.
To help boost your awareness of the many tactics of these hackers, we’ve put together a list of some of the most common ways hackers steal data and have highlighted the measures that you and your company can take to prevent these types of attacks.
Phishing is a technique that hackers use to obtain your personal information. They do this by posing as a credible source or trusted partner, usually in an email that provides some sort of link or call-to-action to get you to click on it. The term is a play on the word “fishing”, and the theme is the same: tossing out bait in the hope of catching a ‘victim’.
Spear Phishing is the most common and most successful form of phishing and accounts for roughly 90% of all phishing scams. Spear phishing is almost identical to phishing except that it is aimed specifically at one target—hence the ‘spear’. To prevent your own workers from falling victim to a phishing scam, it is crucial that employees are properly educated and trained on how to spot these tricks so that they can avoid clicking on an email that leads to a data breach and results in your company’s name in the news headlines.
Malware (Malicious Software), a popular form of cybercrime for hackers, is an umbrella term used to describe software that acts against the operator of the computer. Other terms that fall under this category include spyware, ransomware and trojan horses.
Ransomware is a rather self-explanatory version of malware: malicious software that warns the victim that his or her information will be either stolen or made public unless a ransom is paid. Usually the payment comes in the form of a difficult-to-trace online cryptocurrency such as Bitcoin or Ukash. This is like phishing in that a masked trojan horse is used to trick the victim into opening or downloading the attachment, leading to their data being held for ransom. Preventative steps, like updating security software regularly, are crucial for patching vulnerabilities. As The Hartford put it in their Small Biz Ahead blog, “To prevent a malware attack, install and use antivirus and anti-spyware software on all company devices and be sure your employees are on the lookout for suspicious links.”
Insider threats account for almost half of all data breaches to small and mid-size businesses according to the Ponemon report. Often, it is because of an innocent mistake which causes a leak rather than malicious behavior. Most employees lack data security awareness and don’t understand how hackers operate. The Hartford Small Biz blog advises, “Employee education is one of the most important things you can do to lower the potential of data theft. Offer mandatory awareness training on the security risks employees face every day. Social Engineering is a growing threat for small businesses whereby hackers pose as a trusted source in need of confidential data. Confirm the legitimacy of the source before giving out confidential information, never open attachments from people they don’t know and avoid suspicious links in emails, websites and online ads.”
An SQL injection attack is a code-based attack on an application. The attack aims to exploit vulnerabilities in the security of that application by feeding it malicious code. If successful, the hacker gains the access needed to tamper with data, change or void financial transactions, falsify identity, destroy the data completely or even take control of the entire database server. To make sure that this form of attack doesn’t affect your business, vulnerability assessments must take place regularly. In an IT Business Edge article, Perimeter CTO Kevin Prince argues for a frequency of once a week.
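As an added illustration (not part of the original article), the Python sketch below shows the kind of flaw a vulnerability assessment looks for: a query built by string concatenation, next to its parameterized form. The table, function names and sample input are constructed for this example.

```python
import sqlite3

# Constructed sample input: a quote character that alters the query's structure.
CRAFTED_INPUT = "nobody' OR '1'='1"


def make_db():
    """Build an in-memory database holding constructed sample transactions."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transactions ("
        "id INTEGER PRIMARY KEY, customer TEXT, amount REAL)"
    )
    conn.executemany(
        "INSERT INTO transactions (customer, amount) VALUES (?, ?)",
        [("alice", 120.00), ("bob", 75.50), ("carol", 310.25)],
    )
    return conn


def lookup_vulnerable(conn, customer):
    """WEAK: user input is pasted into the SQL text, so quotes in the
    input are parsed as SQL syntax instead of being treated as data."""
    query = (
        "SELECT customer, amount FROM transactions "
        "WHERE customer = '" + customer + "'"
    )
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, customer):
    """HARDENED: the value is bound to a placeholder, so the driver
    passes it as data and the query structure cannot change."""
    query = "SELECT customer, amount FROM transactions WHERE customer = ?"
    return conn.execute(query, (customer,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # The concatenated query leaks every customer's rows.
    print("vulnerable:   ", lookup_vulnerable(db, CRAFTED_INPUT))
    # The parameterized query finds no customer with that literal name.
    print("parameterized:", lookup_parameterized(db, CRAFTED_INPUT))
```

A code review or scanner rule that flags SQL strings assembled with `+` or string formatting catches the weak pattern before it reaches production.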
Lastly, there is the online form of eavesdropping: the man-in-the-middle (MITM) attack. An MITM attack involves a hacker intercepting messages between two parties and then altering the communication in some way, while the two parties still believe they are engaged with a trustworthy and legitimate source. There are two main ways to defend against this form of cybercrime: tamper detection and authentication. Authentication requires some form of credentials, which give at least a degree of certainty as to who you are communicating with. Tamper detection will not defend you from an MITM attack, but rather it will simply acknowledge that the message received may have been altered. In addition, password reuse is a habit that must be avoided in order to minimize vulnerabilities, as it will only make things simpler for a fraudster.
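The two defenses named above can be combined with a keyed message authentication code. The following Python sketch is an added example, not from the original article; it assumes both parties already share a secret key, and the function names and sample message are constructed.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # SHA-256 digest size in bytes

# Assumption: this key was agreed between the two parties out of band.
SHARED_KEY = secrets.token_bytes(32)


def seal(key: bytes, message: bytes) -> bytes:
    """Sender side: prepend an HMAC-SHA256 tag computed with the shared key."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return tag + message


def open_sealed(key: bytes, blob: bytes):
    """Receiver side: return the message only if the tag verifies.

    A valid tag shows two things at once: the sender holds the key
    (authentication) and the bytes are unchanged (tamper detection).
    Returns None when verification fails.
    """
    tag, message = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    # compare_digest runs in constant time and returns False on length mismatch.
    if not hmac.compare_digest(tag, expected):
        return None
    return message


if __name__ == "__main__":
    original = b"pay 100 to account 12345"  # constructed sample message
    sealed = seal(SHARED_KEY, original)

    # Untouched message: accepted.
    print(open_sealed(SHARED_KEY, sealed))

    # Message altered in transit while the old tag is kept: rejected.
    altered = sealed[:TAG_LEN] + b"pay 900 to account 12345"
    print(open_sealed(SHARED_KEY, altered))

    # Message sealed by someone who does not hold the shared key: rejected.
    print(open_sealed(SHARED_KEY, seal(secrets.token_bytes(32), original)))
```

As the paragraph notes, the check only reports that a message was altered or came from an unknown sender; it does not stop the interception itself.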
With so many ways to prevent cyberattacks, it’s important to recognize that the underlying value for fraudsters remains the data they steal from their victims. In order to have a data breach at all, there needs to be data for a hacker to steal. One of the most effective ways to prevent a data breach is to reduce the amount of data stored as much as possible, especially sensitive information like payment card and authentication data. As we like to put it, they can’t hack what you don’t hold!
DTMF masking solutions, like Cardprotect by Semafone, help ensure that your customers’ payment data never even makes it into the contact center in the first place. Using Cardprotect, when customers choose to make a payment over the phone, instead of having to read their card number out loud, they’re able to punch it in using their telephone keypad. The software replaces the dial tones with flat tones so they’re indistinguishable, enabling the Customer Service Representative (CSR) to stay on the line with the customer the entire time. Cardprotect then passes the transaction details directly to the payment service provider (PSP), bypassing the contact center entirely, and ensuring that this sensitive data is never stored on premises. Another benefit users of Cardprotect will find is that they can achieve PCI DSS compliance, significantly reducing the scope of applicable controls for the contact center infrastructure, in addition to the costs of compliance.
Taking the proper precautions ahead of time can go a long way in preventing a cyberattack. Armed with the knowledge of the most common types of cyberattacks, you can now formulate a plan to secure your company and avoid having your own organization appear as a negative headline.