By Roy Urrico
Finopotamus aims to highlight white papers, surveys, blogs and reports that provide a glimpse as to what is taking place and/or impacting credit unions and other organizations in the financial services industry.
A quarterly data breach report and guidance on identifying brute force card attacks highlight this cybersecurity roundup.
Data Breaches Down, Supply Chain Attacks Up in Third Quarter
Data breaches were down for the third quarter of 2024 from the previous quarter, continuing a downward trend, according to the Q3 2024 Data Breach Report from El Cajon, Calif.-based Identity Theft Resource Center (ITRC), a nationally recognized nonprofit organization established to support victims of identity crime. The ITRC report revealed there were 672 publicly reported data compromises in the third quarter, an 8% decrease compared to the 732 compromises in the second quarter of this year.
The year-to-date number of compromises (2,242) is 70% of the year-end 2023 total, making a new record-high number of compromises unlikely in 2024. The top compromises by industry for the third quarter: financial services, 141; healthcare, 123; professional services, 91; manufacturing, 66; and education, 33.
However, supply chain attacks, counted across all sectors and industries, rose 203% in the third quarter. After dropping in the first two quarters of 2024 (50 in the first quarter, 30 in the second quarter), 91 organizations felt the impact of third-party vendor attacks.
Report highlights also include:
The number of victims decreased 77% in the third quarter of 2024 (241,889,316) from the second quarter (1,043,903,153), primarily because the Ticketmaster and Advance Auto Parts data events in the second quarter alone accounted for 940 million victims.
In the third quarter 2024, MC2 Data, a data broker that primarily sells personal information for background checks, acknowledged a data leak impacting 100 million people. AT&T also revealed a data breach affecting 110 million victims. Adjusting for these two incidents, all other compromises in the quarter impacted approximately 31 million victims.
“While we will likely not set a new record for the number of data compromises in a single year as we did in 2023, there are some interesting trends in the Q3 2024 Data Breach Report,” said Eva Velasquez, president/CEO of the ITRC. “In particular, the number of businesses reporting multiple data breaches in the past 12 months and the return of mega-data breaches that impact more than 100 million people. These trends prove that businesses must continue to prioritize data and identity protection, and consumers must take the steps needed to make their information less valuable to criminals.”
Financial Institutions (FIs) Grappling with Brute Force Attacks on Cards
Trisha Wells, vice president of authorization risk management with St. Petersburg, Fla.-based Velera, formerly PSCU/Co-op Solutions, discussed in a blog post how credit unions can identify the warning signs of brute force attacks and what defenses they can adopt. The Velera blog connects credit union professionals through insights and industry expertise.
“Brute force fraud involves perpetrators using iterative trial and error tests on partial card information to validate credit or debit card data that was obtained illicitly – often through criminal techniques such as phishing or skimming,” explained Wells. “The goal of fraudsters is to profit off the acquired information before the card issuer becomes aware of the fraudulent activity and closes the compromised account.”
Wells described how brute force attacks, a direct threat to credit unions and their members, are surging. “Over the summer, a file with over 9 billion pieces of data was posted to a hacking site, and is an example of the type of information attackers will use to target systems not protected against brute force attacks.”
Brute force fraud, also referred to as “BIN attacks,” involves perpetrators entering the first six to eight digits of a card, known as the bank identification number (BIN), into a scripting program, Wells noted. The program then generates candidate combinations of the full card number, security code and expiration date, and each combination is tested through card-not-present transactions.
The methods vary from one brute force fraud attempt to the next. Fraudsters may channel trial transactions through legitimate, well-known merchants, or through fictitious merchants created specifically for that purpose.
“While credit unions are already engaged in measures to prevent and recover from fraud, cybercrime threats evolve constantly and brute force attacks are on the rise,” explained Wells. “While there is no foolproof defense against brute force card fraud, credit unions can proactively adopt measures to reduce the likelihood of successful attacks.
One effective strategy may be implementing card number randomization, which minimizes vulnerability to attacks that target sequentially ordered cards. Moreover, avoiding batch issuance of expiration dates and opting for randomized dates can provide an additional layer of defense.
Proactively monitoring for brute force fraud attacks and analyzing any suspicious trends are crucial for acting quickly and minimizing damage. These attacks may reveal themselves through distinct patterns, such as a sudden surge in authorization declines, often linked to sequentially ordered cards. Other red flags include a surge in low-dollar transactions within a short timeframe and a rise in errors related to Card Verification Value 2 (CVV2) and expiration dates. Leading-edge technologies, particularly machine learning, can play a pivotal role in analyzing data to detect patterns indicative of brute force card fraud.
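The red flags listed above (a burst of declines on sequentially numbered cards, many low-dollar attempts in a short window, and a rise in CVV2 and expiration-date errors) can be turned into a simple scoring rule over an issuer's authorization log. The following Python is an added illustration, not code from Velera or the blog post; the log record layout, decline reason codes, thresholds and the test PANs are all assumptions constructed for the example.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# One authorization attempt; pan holds synthetic test digits (real PANs should be tokenized before logging)
AuthAttempt = namedtuple("AuthAttempt", "ts pan amount approved decline_reason")
WINDOW = timedelta(minutes=10)   # the "short timeframe" in which a burst is judged
MIN_ATTEMPTS = 20                # below this there is too little traffic to score
LOW_DOLLAR = 5.00
THRESHOLDS = {"decline_rate": 0.8, "low_dollar_rate": 0.8, "cvv_expiry_error_rate": 0.5, "sequential_fraction": 0.5}

def sequential_fraction(pans):
    """Share of adjacent distinct PANs (numerically sorted) that differ by exactly 1."""
    nums = sorted({int(p) for p in pans})
    if len(nums) < 2:
        return 0.0
    return sum(b - a == 1 for a, b in zip(nums, nums[1:])) / (len(nums) - 1)

def window_indicators(rows):
    """Measure the red flags named in the text over the attempts on one BIN in one window."""
    n = len(rows)
    ind = {"attempts": n,
           "decline_rate": sum(not a.approved for a in rows) / n,
           "low_dollar_rate": sum(a.amount <= LOW_DOLLAR for a in rows) / n,
           "cvv_expiry_error_rate": sum(a.decline_reason in ("CVV2_MISMATCH", "EXPIRY_MISMATCH") for a in rows) / n,
           "sequential_fraction": sequential_fraction(a.pan for a in rows)}
    ind["flags"] = [k for k, t in THRESHOLDS.items() if ind[k] >= t]
    return ind

def detect_bin_attacks(attempts):
    """Bucket attempts by (6-digit BIN, WINDOW slot); return the buckets that trip any flag."""
    buckets = defaultdict(list)
    for a in attempts:
        buckets[(a.pan[:6], (a.ts - datetime.min) // WINDOW)].append(a)
    findings = {}
    for key, rows in buckets.items():
        if len(rows) >= MIN_ATTEMPTS:
            ind = window_indicators(rows)
            if ind["flags"]:
                findings[key] = ind
    return findings

def sample_attempts():
    """Constructed log: a 30-attempt burst on test BIN 400000 plus ordinary traffic on BIN 510000."""
    t0 = datetime(2024, 10, 1, 3, 0)
    burst = [AuthAttempt(t0 + timedelta(seconds=8 * i), str(4000000000000000 + i), 1.00, i % 15 == 0,
                         "" if i % 15 == 0 else ("CVV2_MISMATCH", "EXPIRY_MISMATCH")[i % 2]) for i in range(30)]
    normal = [AuthAttempt(t0 + timedelta(minutes=9 * i), str(5100000000000000 + 977 * i), 42.50 + i, True, "")
              for i in range(25)]
    return burst + normal
```

On the constructed sample, only the test BIN 400000 bucket is reported, with all four indicators tripped; the ordinary traffic never reaches MIN_ATTEMPTS in any single window and is ignored.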
When confronting brute force attacks, credit unions have several courses of action, according to Wells:
One strategic response involves establishing global rules for protection after identifying a pattern from a brute force attack. These rules, when uniformly enforced across the network, serve to decline or closely monitor transactions associated with the attack. “This proactive approach minimizes losses and prevents similar vulnerabilities in others,” Wells said.
Another course of action is immediate card reissuance. “This preemptive measure is aimed at thwarting follow-on fraud, which is a subsequent wave of fraudulent transactions that might stem from the initial attack,” Wells added.
Alternatively, financial institutions can rely on robust monitoring systems to bolster the security of compromised cards. Wells suggested that an integral part of this response strategy is a tagging system, which lets analysts closely monitor affected cards, manage losses effectively and build a comprehensive reference for future actions.