Cybercrime: What 2018 May Have in Store for the Payment Industry


Cyber-attacks are now estimated to cost UK businesses £29.1 billion annually and trends over the last few years suggest that attacks will increase in both magnitude and number over the next 12 months. Even the UK’s National Cyber Security Centre boss thinks a major cyber-attack in the UK is a matter of “not if, but when.”

2018 will no doubt see more businesses beefing up their security in response to these threats, and also in response to the EU’s GDPR data protection guidelines coming into force in May.

PCI Pal’s Tony Smith takes a look at the other trends in the cyber security industry during 2018, identifying the key risks businesses taking customer payments need to be aware of.

The risk of hacks even on big business will continue to grow

According to a report commissioned by US telecoms company Verizon, the number of attacks on businesses is increasing 50% year-on-year, and the trend is showing no signs of abating. Hackers aren’t just targeting poorly secured organisations; global brands have been targeted and even branches of government have fallen foul of intruders.

One such example was the highly publicised Shadow Brokers attack on the NSA in 2017, which saw the group release an alleged collection of the spy agency’s super-secret hacking tools and exploits in protest at US foreign policy decisions. And if the United States’ most secure agency can fall victim to hacking attacks, then anyone can.

Most hackers are concerned with their bottom line more than their political principles, however, and personal data represents a huge payday.

The rise of ransomware

2017 saw ransomware intrusions receive lots of media coverage, with attacks like WannaCry hitting headlines all around the world. The attack, while reasonably virulent, didn’t reap huge rewards for hackers when compared with others such as NotPetya, which cost one company alone upwards of $300 million.

The movement of ransomware into the public eye has been facilitated in part by so-called ransomware-as-a-service or RaaS, which sees criminals who are not IT-savvy buy code from creators on the Dark Web to launch attacks of their own.

Attacks deriving from RaaS look likely to increase, owing to their potential profitability and virtually zero risk to the criminals involved.

Regulation changes

Noteworthy changes to the PCI DSS and the European Commission’s GDPR represent great jumping-off points for companies looking to beef up their data security, but much broader changes are imminent, as businesses change the way they view attacks and, tellingly, how quickly they respond.

Rather than attempting to keep attackers out altogether, which is now recognised as a largely fruitless endeavour, companies and their security teams are beginning to view breaches as unavoidable, concentrating instead on descoping their contact centre and ultimately ensuring that attackers have nothing to steal if they are able to infiltrate a company’s security protocols.