As we start the new year, we like to look back at the year that was and do our best to prepare for the year ahead. Yes, it’s time to join my colleagues in the security industry, peer into my magical crystal ball and provide a glimpse of what is to come. Over the next few weeks, I will break down ten security predictions for this year. Grab a nice hot beverage, curl up next to the fire and enjoy!
Prediction 1: PII is The New Hotness
2015 continued the trend of major retail data breaches resulting in bulk debit and credit card theft, but it also marked a shift that will accelerate in 2016. In the coming year, expect attackers to move away from targeting financial information and instead target personally identifiable information (PII). In 2015, we continued to see credit/debit card theft at the likes of America’s Thrift Stores, The Trump Hotel Collection, Hilton Hotel properties, Service Systems Associates, Hershey Park, Harbortouch and White Lodging, but we also learned of major breaches in the healthcare (Anthem and CareFirst BlueCross BlueShield) and government (Office of Personnel Management) sectors that targeted PII.
The quest for PII is being driven by two separate groups of attackers. While nation states desire PII for espionage, criminals are also shifting to PII as it is generally more valuable than credit and debit cards, which are getting more challenging to harvest in bulk due to greater awareness of the problem and new technology. Why would a social security number be of greater value than a credit card number, which can be used directly to procure goods and services? PII is highly sought after in the underground as it can be leveraged to commit financial fraud such as applying for credit, submitting false medical/insurance claims or filing for fraudulent tax refunds. Whereas credit cards can be easily cancelled, changing one’s name, address and social security number generally isn’t an option, so the stolen data remains valuable for a longer period of time.
The shift will be motivated in part by the push to move to Chip and PIN (aka EMV) debit and credit cards, which combat RAM-scraping malware with tokenization. Don’t, however, expect credit and debit card fraud to disappear entirely: EMV technology has seen slow adoption in the US despite an October 2015 deadline, and the technology does nothing to combat card-not-present (online) theft.
In 2016, attackers will increasingly target sectors known to store PII in bulk, including finance, healthcare and government entities.