Shopping used to seem so simple. All you needed to buy something was enough cash in your pocket. Today however, the number of alternate payment methods is rather dizzying; from Bitcoins, ApplePay, credit cards and debit cards, to online payment services. In the 2013 report Digital Laundry: An analysis of online currencies, and their uses in cybercrime, Raj Samani, Special Advisor for Cybercrime, European Cybercrime Centre, discussed the main electronic and virtual money platforms available at the time.
A significant focus is placed on vulnerabilities associated with credit card and debit card transactions. That makes sense because most digital transactions use these forms of payment. However, with the growth in alternate payment methods, the number of attack surfaces have multiplied, giving cyber thieves many, many targets from which to choose.
Little innovation is seen in attack methods associated with debit and credit cards. Most attacks approach payment card theft in the same way they have for the past 10 years, by attacking payment mechanisms or the databases containing card data. Once they have obtained the card data, they sell it as quickly as possible and packet the profit.
Now however, the game is changing. Given the plethora of payment methods, most of which still require usernames and passwords, credentials have become very valuable. To steal credentials, the cybercriminals are targeting the consumers directly because they are both the source of the credentials and the weakest link in the payment process.
Payment systems cybercriminals will increasingly focus on attacks that lead to the theft and sale of credentials. We think that they will leverage traditional, time-proven mechanisms, including phishing attacks and keystroke loggers, but new methods will emerge too. The number of payment system thefts will continue its relentless growth.