23 March 2017

European Payments Council: 2016 payment threats trends report

The present document aims to provide an insight in the latest developments during the last years on threats affecting payments, including cybercrime. It attempts to create awareness on these matters in order to allow stakeholders involved with payments to decide on possible actions.

During the last year cybercrime has proven to have a greater degree of professionalism regarding organisation and sophistication of the attacks. The number of D (DoS) attacks is still growing and they are still frequently targeting the financial sector. 

Also social engineering attacks and phishing attempts are still increasing and remain instrumental in combination with malware. Whereas before customers, retailers and SMEs have been the main focus, the last year more and more company executives, employees (through CEO fraud), financial institutions and payment infrastructures appear to become preferred targets. 

Malware remains a major threat against cyber security for everybody in the society. More in particular ransomware has been on the rise during the past year. This type of attacks appears to be more profitable to the attackers than the traditional banking Trojans. It is not possible to achieve full protection to not be hit by a malware attack. However, by following a few simple advices the risk of such attacks can be reduced.

There is a continuation of botnets and because of the high volume of infected consumer devices (e.g. PCs, mobile devices, etc.) severe threats remain. Besides a still increasing level of professionalism among the attackers whereby addresses of infected computers or bots are sold or rented, the usage of IoT devices (such as CCTVs and home routers) for launching DDoS attacks was to be noted during the past year. It is expected that the usage of these devices to launch attacks will further increase over the years to come.

Also multi-vector attacks are on the rise and have been targeting a number of financial institutions over the past year. Advanced Persistent Threats and 0-day attacks cannot be detected and encountered with the traditional defense mechanisms.

Along with the “classic” threats mentioned above, new risks are arising from the use of innovative technologies. Mobility is part of both consumers' and enterprises' daily life and operation. Smart mobile devices have become a commodity in Europe enabling a wide variety of mobile apps, incuding payment apps. As a result they are becoming more and more an attractive target for cyber criminals, along with the IoT devices. The number and types of IoT devices is continuously increasing, posing the risk of new types of attack.

The need for reducing operational costs and the huge and rapidly growing size of data lead to new business decisions for adopting cloud and big data analytics technologies. Data everywhere, 'data in flight', data produced and stored in billions of interconnected devices, and data in the cloud. Innovation, like IoT devices and mobile apps/wallets, and new technologies are bringing new opportunities to businesses but new risks too. 

There is also a competitive market drive for user-friendliness and simplicity which leads to increased pressure on security resources and difficult trade-offs to be made by PSPs. The challenge will be to find the right balance between the user-friendliness and the security measures needed. As security becomes more regulated (NIS Directive, GDPR, PSD2), payments also face a new regulatory landscape in Europe, which increases on one hand the security barrier with respect to fraud (e.g. customer authentication) but at the same time also “opens up” the payment value chain which introduces new security challenges for all stakeholders involved.

Another important aspect to mitigate the risks related to payments is the sharing of fraud intelligence and information on incidents amongst PSPs. However often this is being limited by existing regulations related to data protection, even more so in the case of cross-border sharing.

Finally, PSPs must understand the emerging threats, the possible impacts and should keep investing in appropriate security technologies.

Full report

© EPC