1

NOT FOR UNAUTHORISED DISTRIBUTION

www.Alt3.co.ukCYBER THEFT:

2014 – and beyond. The wholesale organised theft and use of credit card details

www.alt3.co.uk

james@alt3.co.uk

Alt3understanding future risks and opportunities

2

NOT FOR UNAUTHORISED DISTRIBUTION

www.Alt3.co.uk

BACKGROUND

Pre-2012: mostly small scale theft of credit card details

widespread

increasing large scale organised crime involvement

more value than drugs and arms trade

increasing sophistication

“cat and mouse” between security and theft

increasing sophistication of security

some sectors / countries lacking sophistication of security

3

NOT FOR UNAUTHORISED DISTRIBUTION

www.Alt3.co.uk

BACKGROUND

2012 - 2014: small scale, widespread theft continues

notable prevalence of theft by large scale organised crime

overall value of theft increasing

major input into other areas of organised crime

increasing incursions into big business and high profile IP

increasing scrutiny from police and security services

greater sophistication of card / data security

some countries continuing to lag behind - therefore targets

4

NOT FOR UNAUTHORISED DISTRIBUTION

www.Alt3.co.uk

MAIN TARGET

2014: United States

Sector: retail

Volumes: millions of individual card details - data

How: till payment systems

Value: $hundreds of millions

Route: malware

Reason: a lack of sophisticated security and a lack of data standards (PCI DSS) making “whole” data easy to recognise and steal

UPSIDE: US companies have a statutory obligation to “go public” as soon as they discover a data breach

5

NOT FOR UNAUTHORISED DISTRIBUTION

www.Alt3.co.uk

EUROPE 2014 – obscuring data ...

The growth of Near Field Communication (NFC): “contactless” technology that does not leave the CVV or the card holders name

The widespread use of chip and pin

The widespread use of data standards including separating key data fields

Increasing bank and credit card company alerts and exchange of information

FUTURE: increasing smartphone contactless enablement

increasing following the US lead in reporting data breaches

6

NOT FOR UNAUTHORISED DISTRIBUTION

www.Alt3.co.uk

THE FUTURE

New security measures:

do not eliminate fraud

makes it more difficult to obtain “whole” card data and more difficult to obtain “bulk” data – therefore less value and less attractive to organised crime

European Regulators will be able to bestow fines up to 5% of the WORLDWIDE revenue of companies that lose data.

some companies investigating “insurance” to help pay for potential fines.

increasing strict data standards and identification / security around the data pathways

the new targeting of the core data of financial companies and data repositories

new security measures required around core data

7

NOT FOR UNAUTHORISED DISTRIBUTION

www.Alt3.co.uk

WHAT NEEDS TO BE DONE

Retailers need to:

be more aware of the entire payment lifecycle

analyse in detail the data pathways and determine / mitigate the inherent weaknesses including technology weakness, internet transactions AND cross border data movement

determine future weaknesses and assess technology / process to mitigate

share security information / advances with others in the same position – there is no point “re-inventing the wheel”. Shared security means greater security

encourage greater responsibility from customers

greater targeting of organised crime by national / international security services

8

NOT FOR UNAUTHORISED DISTRIBUTION

www.Alt3.co.uk

WHAT NEEDS TO BE UNDERSTOOD

Bad things don’t just happen to someone else.

Security is important.

Don’t be the next victim and lose hard won customer confidence.

9

NOT FOR UNAUTHORISED DISTRIBUTION

www.Alt3.co.uk

Thank you.

If you don't understand the risks, how can you prepare? Can you afford to let the issues be blurred?

james@alt3.co.uk