Transactions
Cybercriminals are migrating away from basic “smash and grab” attacks on static data. Instead, they are increasingly targeting data in transit. Security around stored data is improving, making it harder to access. Data in transit is usually more up to date, meaning the extracted data is always fresh, whereas in “smash and grab” attacks on stored data, attackers have to verify the validity of the information. According to research from Trustwave’s SpiderLabs, in 66% of data breach investigations in 2010, attackers opted to harvest data in transit, whereas stored data was targeted only 26.5% of the time.
PCI
The PCI DSS requirements attempt to enforce very specific rules on all the stakeholders in a transaction process; in a compliant implementation, cardholder data is no longer stored on the systems for longer than necessary. The only way for attackers to obtain data, then, is to look at the transaction flow and sniff the valuable information as it is being processed, since looking for stored data is no longer an option.
Many of the entities that needed to receive incident response services believed they had purchased a “PCI compliant” system and that this purchase ensured ongoing compliance. Unfortunately, those vendors selling the products and services that are responsible for the handling of payment card data often use the term “PCI compliance” incorrectly.
A properly validated application or system can support PCI compliance when configured correctly, but additional (and ongoing) steps will most likely be required on behalf of the vendor to ensure that the system is properly secured and compliance requirements are met. Unfortunately this doesn’t seem to be the case in many investigations.
Human error
With 107 trillion emails being sent in 2010, it was inevitable that some of them were going to end up in the wrong place. Emails that contain sensitive information cause havoc when they fall into the wrong hands. Unfortunately, we see this happening every day, costing local authorities and the taxpayer millions of pounds. It is becoming increasingly important that local authorities have strict policies in place for the handling of sensitive information with which they must comply, but even with such policies there are still risks involved in the exchange of data.
A recent example of data loss due to human error is a fax sent to the wrong address, which prompted the first £100,000 fine by the ICO in 2010.
It is simple for anyone to enter a wrong destination address and click send without double-checking where it is actually going. Most people have made simple errors like this before, usually with no impact because of the nature of the information. Nonetheless, it is still happening, and the mistake is just as easy to make when handling sensitive information.
