As Europay, MasterCard and Visa (EMV) credit cards roll out across the US this year, it will be more difficult for cyber criminals to steal credit card data from brick-and-mortar retailers. EMV, sometimes called “chip and PIN” or “chip and signature,” has been in use around the world for many years now, and the lack of adoption in the US is one of the reasons credit card fraud here is greater than in the rest of the world combined.
Specifically, the “shift in liability” will happen in October 2015. This means that, come October, financial losses from a data breach will become the responsibility of the weakest link in the payment chain. Any retailer or financial institution that is not EMV-capable will be liable for any losses that result from fraudulent use of those cards.
So what will the cyber threat landscape look like after October? By this time next year, we expect to see:
1) A sharp increase in attacks against online retailers. Every country that has adopted EMV experienced a sharp rise in attacks against online retailers soon after adoption. We can expect the same here in the US. Visa and MasterCard both offer EMV solutions for online shopping using EMV cards, but it has not been made much of a priority yet. Great news for hackers!
2) Continued attacks against healthcare organizations. Over the past several months, the sheer volume of data and number of healthcare-related data breaches have been staggering. Healthcare data is extremely lucrative – state-sponsored hackers pay top dollar for it, and identity thieves can use it for any number of purposes, including tax fraud and prescription drug fraud. Additionally, many healthcare/dental insurance providers are still using SSNs as ID numbers for individuals (including children). Expect to see criminals take advantage of these basic weaknesses.
3) Ransomware attacks. CryptoWall, CryptoLocker, CTB-Locker, PolloCrypt…the list goes on. They keep surfacing in the news with new variants and advanced capabilities because they continue to be lucrative.
4) Reward program attacks. Give us your name, email address, phone number, home address, etc. and save 15%! If you’ve ever experienced identity theft, you probably avoid these programs like the plague.
How do they protect the Personally Identifiable Information (PII) you provide them with?
What security compliance program do they adhere to in order to protect this sensitive information?
Are they selling it? These programs continue to proliferate and the amount of PII they hold is growing every day.