The 12 Biggest Security Threats to Payments
Consumers ask a lot of you in terms of convenience, speed and, above all, security. This puts the pressure on you to offer a pain-free consumer experience that is also highly secure. And when you accept payments, you need to secure all parts of your organization. Here’s an actual example: one major breach occurred when an air conditioning vendor was hacked, allowing hackers to access the corporate network and finally the point of sale network. This highlights the importance of understanding the threat landscape we face today.
For the past 20 years, I’ve been creating an annual list of the top 12 cybersecurity threats, which I call “Gene’s Dirty Dozen.” The overarching concepts may be the same for everyone, but the details will vary. Remember, this is my personal professional opinion, not legal advice.
Without further ado, let’s get to the top 12 cybersecurity threats to processing payments today.
12. The Next Employee You Lay Off
According to the FBI, 90 percent of crimes are committed by internal employees. These employees often have excess access and privileges they may not necessarily need. In fact, 55 percent of these internal incidents involved privilege abuse.¹
A disgruntled ex-employee may exploit their access for nefarious means, while an unaware ex-employee may simply act in a careless manner and expose sensitive data.
It’s vital for organizations to have security policies in place regarding employee terminations. You should also work to limit access to an as-needed basis, and implement multiple redundancies to prevent one bad apple from spoiling the bunch.
11. Media Saturation Causing Desensitization
When the first big breach occurred, I spoke with the company to learn from them. It was an unusual event, which made it incredibly newsworthy. Fast-forward to the present and breaches seem to happen every other day. Employees and executive leaders may become desensitized to the seriousness of a breach.
It's important to make security a priority in the minds of your team. Remember, there’s no such thing as a small breach. There’s a reason they make so many headlines.
10. Internet of Things (IoT) Attacks
As a society, we certainly don’t seem to have trust issues when it comes to IoT devices. But the fact is, if something is internet-enabled, it can be hacked. Cars, refrigerators and even children’s toys can be accessed by bad actors.
With Gartner estimating that 50 trillion gigabytes of data will be sent by IoT devices by 2020, hackers are sensing a massive opportunity. Always change the default passwords and factory security settings when deploying these devices.
9. Over-trusting Encryption
Encryption is a great thing, but it’s not everything. Encryption of data is only as safe as the encryption type you use and how the keys are managed. Payment Card Industry (PCI) compliance does not allow encryption to take data out of PCI scope.
Simply put, encryption should be employed as part of a total solution, not as the only solution.
8. Cloud Unpreparedness
Everybody is rushing to put their data into the cloud, and it makes sense. The cloud offers many benefits and is undeniably the way forward, but migrating to the cloud should be done with care.
It all starts with asking the right questions. Who will own the data? What data should be in the cloud? What data should be omitted from the cloud? How is data handled once it is no longer needed? Finally, take the time to understand what data protection controls YOU are responsible to provide.
7. Smarter Phishing and Spear Phishing
Phishing used to be easy to identify. Poor spelling and grammar were dead giveaways, as was the impersonal nature of the email. Well, the “Dear sir/madam” intro has been replaced by very targeted messaging. “CEO Wire Fraud” attacks accounted for $2.3 billion in losses, according to the FBI. This “spear phishing” uses language that is very specific to the recipient, and it often targets high-level folks with top access and the ability to authorize payments.
Never authorize access or payments to people you don’t recognize. Follow up with people in your organization responsible for such things.
6. Mobile and BYOD
Mobile devices are prevalent in our enterprises, and not all of them are company issued (bring your own device). Unmanaged mobile devices present many threats. Non-compliant and jail-broken devices are often easy to exploit, and employees frustrated by repeated authorization requests may simply work around your controls.
Anticipate this by developing a comprehensive mobile device management (MDM) strategy and stick to it. Work to understand how your employees are using these devices and implement policies to address said usage. Also, make it a priority to know all the devices using your network.
5. Failed Understanding of InfoSec and Cyber Risk
We’re sometimes our own worst enemies and what we don’t know can hurt our organizations. Risk is always seen through the eyes of the risk-taker, and if you’re unable to articulate the risks, people won’t see them.
Make education a priority. Don’t assume that everyone will value security as highly as you do. Put yourself in the shoes of the risk-taker and formulate a plan to address their risks.
4. Service Providers
Third parties have become a large part of many infrastructures owing to their cost-savings, expertise and capabilities. Many are trusted with sensitive info, making them a very tight extension of your organization. Sadly, the Ponemon Institute states that third-party organizations accounted for (or were involved in) 42 percent of all data breaches.
Be strict in your third-party service provider evaluations. Ensure they have a solid track record of security.
3. Application/Middleware Vulnerabilities
Breaching the perimeter is no longer the preferred attack vector. Attackers are now taking advantage of the proliferation of applications across the typical enterprise. Most vendors will do the right thing with vulnerabilities and patches, but you must remain vigilant.
Establish an application security program to address this need. Scan internal apps and do frequent code reviews. Keep your security program up to date by always installing the latest versions of all security solutions.
2. Poor Patching
Patching is a critical activity for any progressive, security-conscious organization. Unfortunately, patching demands must be addressed on operating systems, applications and network infrastructure, making it a bit of a hindrance in some minds.
It’s important to patch often and completely. Back in 2014, about half of all exploited vulnerabilities were attacked within a month of the vulnerability being published. Last year, 99.99 percent of the vulnerabilities that were compromised had been identified more than one year earlier. You must patch frequently and patch completely.
1. Sophisticated (and Zero-Day) Malware
Malware has gotten very sophisticated, tracking everything from keystrokes to learning passwords, to infiltrating laptop cameras and microphones. URL scraping can see where you’ve been online, and bots can be installed in your system without you ever knowing it. This all adds up to bad actors knowing who you are, what you do, your passwords, etc. This is all bad news.
With malware and ransomware (encrypting your files until you pay a ransom to a hacker) on the rise, you must have the latest and greatest security software installed and running. You also must be vigilant in the links you click, the pages you visit and the people you interact with online.
The Landscape is Forever Changed
Twenty years ago, uncontrolled modems were a massive opportunity for hackers. Today, it’s malware, poor patching and middleware. Where lazy passwords were once a gateway, spear phishing campaigns now provide an easy way in for bad guys. Much has changed, and if we’re to win the war against cybercrime, it’s important that we change our technology, processes and mindset.
Bad guys only need to get it right once to ruin all you have built. Ensure that doesn’t happen with a deep understanding of the threat landscape and solutions to defeat it.
One in five organizations experienced the theft of payments data in the past 12 months. See what 80 percent of executives are doing in response in 2018 Global Payments Insight Survey: Bill Pay Services from ACI Worldwide and Ovum.
¹ Verizon Data Breach Investigations Report