The dark web, currently hosting tens of thousands of listings for a variety of illicit goods and services has finally come to the attention of the South African market. As a place where users can anonymously purchase credentials to stolen credit card data, the dark web has put a target on every South African citizen owning a credit card, moreover every business in possession databases and Point-of-Sale (PoS) systems carrying this information. In addition, whether due to lack of interest or just plain ignorance, some organisations have been ‘slow on the uptake’ when incorporating and implementing the appropriate prevention technology and processes. Consequently, businesses need to become ever more conscious of the dark web, and consider it as a viable threat to their customer’s wallet, and to the company’s reputation. In today’s cyber-climate organisations should be preparing themselves, instead of acting like the dark web is just another episode of Mr. Robot.
Is there a target on my back?
Many people believe that hackers choose specific people when looking to steal credit card information, and while it is true that hackers do their homework, they do not necessarily look for specific people to rip-off. In fact, hackers prefer stealing from databases that carry tens of thousands of people’s credit card information. In this way, once a hacker has access to these card numbers, the hacker can maximise his or her return on investment by selling this information on the dark web and minimise the risk.
It is safe to say that hackers (usually) don’t mean it personally when they steal credit card information. The reality is, many if not most payment card breaches hit retail and hospitality businesses. In recent years, these breaches were the result of attackers infecting PoS systems with memory-scraping malware.
Dark web, the Internet’s equivalent to a black hole in space
Bestowed its name for the fact that what goes in, never comes back out, the dark web is virtually untraceable. Most systems individuals work on today have some sort or authentication process in place. For example, an ADSL provider supplies the consumer with a username and password, and once the user is connected to the Internet, a verification process takes place. When it comes to the dark web, nobody logs or has the tools to track individuals and hold them accountable for the goods/ information they steal and then upload. Although some aspects of the dark web can be like Google, where one can go and search for a site and buy goods. The dark web uses unknown sites that are available to the public as a host for a portal.
In saying this, yes, there are business that are able to monitor the dark web. However, even though accessing the dark web may not be as hard as it once sounded, nothing can be done once the information has already been loaded – other than cancelling the credit card.
Ignorance is not bliss
Organisations need to stay up to date with the latest fraud scams including the theft of customer credit card details that are sold on the dark web. Lack of encryption between card readers and the PoS payment systems makes the stealing of credit card information easier for the attacker. It may be easier to claim that the companies PoS system will not be attacked nevertheless, ignorance is not the answer. Attacks on businesses are becoming an increasing problem in South Africa, and no one can claim to know the future.
Prevention – case and point
The proper systems and procedures need to be in place, to protect an organisation and its customers’ information. Encryption, Payment Card Industry Data Security Standard (PCI DSS) compliance and standardisation is therefore key to the survival of the business. Whether the hacker tries to steal from a PoS system or sends a mass mail to the company triggering malware, the organisation needs to be prepared rather that retaliate.
The smartest strategy is creating a secure environment and to stay ahead of PoS threats. Organisations need to become compliant with PCI DSS. This set of rules and best practices measures the level of compliance required for various merchants. Business’ can also protect payment data with credit card encryption. Encrypting a credit card number in the card reader hardware means that there’s now nothing of interest for hacker and therefore adds an extra level of security.
Thus, organisations need to stay one step ahead of the hacker, by keeping the company’s technology up-to-date, and steering clear of storing credit card data. Employees also need to be informed about scams and have top of mind awareness regarding credit card fraud. Credit card information is readily available and even though South Africa still operates mostly in cash – the world is changing. By preparing for looming attacks, business’ can protect their customer’s data and their reputations. Putting the measures in place to keep company data as well as their customers’ credit card information off the dark web is a priority, enabling these organisations to prevent negligence claims, and the cost of reimbursing the customer if a loss occurs.
by Simeon Tassev, Managing Director and QSA at Galix Networking