New Worry for Credit Unions: Aftershock Password Attacks
November 29, 2016 Marketing GrafWebCUSO

Cybercriminals are broadening their targets in the nefarious search for personal information from data breaches. Fraud trends that could involve credit unions in 2017 include payment-based attacks and so-called aftershock password attacks.

The Experian 2017 Data Breach Industry Forecast, from the Ireland-headquartered information group, outlined what it sees as the top five upcoming data breach trends and issues. While some archetypal hacker attacks continue to serve as go-to methods, there are evolving tools and focal points that are likely to become front-page news, based on Experian’s experience.

Their top data breach predictions from the fourth annual report:

  1. Aftershock password breaches will expedite the death of the password.
  2. Nation-state cyberattacks will move from espionage to war.
  3. Healthcare organizations will be the most targeted sector with new, sophisticated attacks emerging.
  4. Criminals will focus on payment-based attacks despite the EMV shift starting over a year ago.
  5. International data breaches will cause big headaches for multinational companies.

For credit unions and other financial institutions, one issue rises to the top, according to Experian Data Breach Resolution Vice President Michael Bruemmer. Payment data will always be one of the most valuable types of information to criminals.

Payment attacks will continue to target companies not despite, but because of, the recent EMV liability shift, Bruemmer explained. The transition from magnetic stripes to chip and PIN has led to uneven adoption of the new technology, with companies failing to fully adopt the chip and PIN technology, taking significant time to adopt new systems, and/or failing to implement EMV successfully, which has left them vulnerable to payment breaches.

“As attackers continue targeting big retailers, as well as turn their attention to smaller franchised stores, more pressure and scrutiny will be placed on financial institutions that issue cards to monitor all accounts for fraudulent activity, and swiftly and sensitively notify affected individuals,” Bruemmer added.

Additionally, cybercriminals will focus further up the chain, targeting payment processors that could provide access to several payment systems if compromised. “We’ve already seen reports of one major processor getting hit and likely being the source for many of the restaurant breaches that happened this last year. Getting the potential keys to the castle for various and distributed systems is likely too tempting to pass up.”

The biggest threat next year to smaller financial institutions, such as credit unions, is the possibility of aftershock password breaches. “We’re starting to see more and more previous data breaches come back to haunt companies as attackers continue to sell personal credentials on the dark web, often years after the information was originally stolen,” Bruemmer said.

Experian compares this to an earthquake aftershock reverberating after the initial occurrence. Criminals use this information to access individuals’ personal accounts, and companies have to inform those affected of unauthorized logins. Bruemmer added, “Any smaller financial institutions that have yet to implement two-factor authentication for online services are likely to be at higher risk of experiencing an aftershock breach and subsequent increases in account takeover and fraud.”

Another trend that might go unnoticed is the growth of social engineering to defraud companies. “This is an easy and quick way for hackers to cash in and has a pretty low barrier to entry,” Bruemmer explained.

While credit unions are typically not liable for this type of loss, they could find themselves dealing with agitated members who are trying to recover money sent to criminals. This could have an impact on those members' relationship with the credit union. “It will be important for credit unions and other institutions to help educate their business customers about these types of scams to prevent them from occurring,” Bruemmer suggested.