Our good partners at PayPros have issued a bulletin covering the recent large retailer credit card breaches. It is an interesting insight into what happened and how you, as a retailer, can prevent it from happening to your company. Contact us to make sure you are doing everything you can to protect your tasting room and wine club credit card information.
Introduction
The recent media coverage of compromised payment card data within a number of retail networks has prompted a flood of security concerns and media attention. We are providing this bulletin to educate our customers and partners about this increased security breach activity.
PayPros desires to keep our partners and their customers “ahead of the curve” with proactive solutions and security best practices to safeguard them from the adverse events of data compromise. This document outlines some details surrounding the increase in attacks and offers some suggestions on how to protect your organization from the impact of these threats.
Security Threats are Increasing and Getting More Sophisticated
Targeted attacks on vulnerabilities in business application systems and networks are not new; however, there are two very alarming trends that should be noted:
- Many security researchers have noted an increase in the number of compromised-card sellers, which has decreased the value of small batches of harvested payment card data on the criminal black markets.
- These market forces have led attackers to increase their level of activity and to target the large databases and POS terminal networks that hold this credit card information.
- New variants of advanced persistent malware enable cyber criminals to conduct large-scale breaches of cardholder data.
Increased Sophistication of Malware Attack
As in many breaches, the attackers use a virtual toolbox of crimeware to obtain credit card data. In recent cases, security vendor analysis has confirmed that data thieves succeeded in compromising web servers with sophisticated malware. The infected server was then used to command and control other servers and PC workstations on the network, aggregating payment card account and personal data harvested from endpoint devices infected with POS malware.
The attack is believed to have occurred in three stages.
- Stage one: Malware infects the web server from a workstation on the network.
- Stage two: The malware on the infected web server spreads to the point-of-sale (POS) systems at the checkout lanes to extract credit card numbers and sensitive personal details.
- Stage three: Infected systems lie dormant for a few days to avoid detection, then wake up and begin transmitting the stolen data to an external FTP server by way of another infected machine within the retail network.
In summary, cyber criminals attempt to infect any computer on the network and then move to one of the many points where this sensitive data is exposed, with the goal of harvesting track data and other sensitive authentication data from payment cards.
Additional Detail
Malware
There are many credible sources of security research and analysis that provide deep-dive details on the malware, and its variants, involved in the latest uptick of cardholder data breaches at a number of large retail organizations. The most recent trend in this class of malware is scanning RAM for data matching the track 1 and track 2 formats encoded on the magnetic stripe by the card issuer. Alina, BlackPOS, Chewbacca, Dexter and vSkimmer, among other variants, have used similar methods to collect this data as far back as 2010. Malware authors continually update their wares to avoid detection and to behave stealthily on the infected target.
Network Segmentation & Data Sniffing
To collect the matrix of card, transaction and personal data, an attacker may attempt to exploit the attack surface of a wired or wireless network segment using hardware- or software-based "sniffers."
Encrypting this transaction request data using SSL (Secure Sockets Layer) provides a measure of protection for data in transit between endpoints; however, SSL v2 remains vulnerable to a variety of attacks designed to break the weak ciphers used to encrypt data in that version. For this reason, network software-based encryption alone does not guarantee data protection.
Attackers may attempt the following:
- Capture the PIN or other data prior to encryption, via key press activity or memory scraping.
- Steal encryption/decryption keys in addition to card data.
- Conduct an offline brute-force attack against the captured encrypted data using a large array of dedicated computers.
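The bulletin's point that an SSL session is only as strong as the protocol version and cipher suites it negotiates is shown in the following added example (written for this post; it is not PayPros code). Using only Python's standard `ssl` module, it builds a client context that refuses SSL v2/v3 and TLS 1.0/1.1, offers only forward-secret AEAD suites, and verifies the server certificate, then audits any context for the weaknesses a reviewer would flag. Modern OpenSSL no longer ships SSL v2 at all, so the minimum protocol version is the setting that matters; the cipher-name check is a pattern match on suite names and is an assumption of this example, not an exhaustive list.

```python
import re
import ssl

# Cipher-suite names that signal the weak or legacy algorithms the bulletin warns about:
# export grade (EXP-*), anonymous key exchange (ADH/AECDH), NULL encryption, RC4, DES/3DES, MD5.
WEAK_CIPHER_RE = re.compile(r"^(EXP|ADH|AECDH)|NULL|RC4|DES|MD5", re.IGNORECASE)


def weak_cipher_names(names) -> list:
    """Return the cipher names from `names` that match a weak/legacy pattern."""
    return [n for n in names if WEAK_CIPHER_RE.search(n)]


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses SSLv2/v3 and TLS 1.0/1.1 and offers only AEAD suites."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + hostname check by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # the lever that actually retires SSL/early TLS
    # ECDHE gives forward secrecy; AES-GCM / ChaCha20 are AEAD; the "!" terms drop legacy suites.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Findings a reviewer would raise about a context; an empty list means it passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2")
    weak = weak_cipher_names(c["name"] for c in ctx.get_ciphers())
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        findings.append("server certificate not verified (a sniffer could sit in the middle)")
    return findings


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("hardened context findings:", audit_context(ctx) or "none")
    # Constructed legacy cipher list, as an SSLv2-era server might still offer it.
    legacy = ["RC4-SHA", "EXP-RC2-CBC-MD5", "DES-CBC3-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]
    print("weak suites in legacy list:", weak_cipher_names(legacy))
```

Even a passing context only protects the data while it is on the wire; the bullets that follow describe how attackers work around transport encryption entirely, which is why the bulletin treats it as one layer rather than a guarantee.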
Recommendations
Businesses should consider the following to provide the best protection against these types of attacks:
- Lock down Internet access. Make sure that the Internet connection from the street is plugged into a physical firewall and that the firewall is configured to block all traffic that is not otherwise permitted. Check that the firewall is capable of recognizing and stopping advanced software threats. Ask your product vendor whether your firewall supports UTM (Unified Threat Management) and make sure it is turned on for additional protection. If the current firewall does not support UTM, ask the vendor about an upgrade.
- The PCs running your payment application need to be segmented away from the rest of the general-purpose PCs in the office. This creates a security zone inside your local network; all PCs running payment applications should be located in this security zone. The firewall rules for this security zone should be set up to recognize and detect packets containing payment card account data being sent from your local network to outside cyber criminals.
- Additionally, some level of physical control over wired network jacks in the segmented network, and over access points for wireless network segments, should be in place so that rogue devices cannot be introduced without being detected. Use the switch port security features on your existing network equipment; they will alert you when an unauthorized device is plugged in. If your network equipment does not support that feature, use a PC-based wireless network client or another method to detect unauthorized wireless networks.
- Pursue and sustain compliance. This not only makes good business sense, it provides businesses with the tools necessary to make their networks and systems a less attractive target to cyber criminals.
- Conduct regular PCI scans, and verify that critical vendor security patches and updated anti-malware and antivirus signatures are in place.
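The segmentation and port-security recommendations above are modelled in the following added example (written for this post; not PayPros code, and the subnets, the placeholder processor address and the switch-port inventory are assumptions). The payment security zone gets a default-deny policy in which the only permitted outbound flow is TLS to the payment processor and nothing outside the zone may connect into it; every drop is returned with a reason so it can be logged, which is what turns the firewall into an alarm for the stage-three exfiltration described earlier. A second function compares the MAC addresses a switch has learned per port with the inventory, flagging the two cases port security is meant to catch: a different device on a known port, and any device on a port that should be empty.

```python
from ipaddress import ip_address, ip_network

# Constructed zone layout (an assumption for this example, not from the bulletin):
# payment PCs in their own subnet, office PCs in another, processor on a TEST-NET-2 address.
PAYMENT_ZONE = ip_network("10.20.1.0/24")
OFFICE_ZONE = ip_network("10.20.2.0/24")
PROCESSOR_HOSTS = {ip_address("198.51.100.10")}   # placeholder for the payment gateway
PROCESSOR_PORTS = {443}                            # TLS to the gateway only


def evaluate_flow(src: str, dst: str, dport: int, proto: str = "tcp") -> tuple:
    """Default-deny policy for the payment security zone; returns (verdict, reason)."""
    s, d = ip_address(src), ip_address(dst)
    if s in PAYMENT_ZONE:
        if d in PROCESSOR_HOSTS and dport in PROCESSOR_PORTS and proto == "tcp":
            return ("allow", "payment-zone to processor")
        # Anything else leaving the zone (FTP to an unknown host, DNS to the
        # Internet, file shares to the office) is dropped and worth logging.
        return ("drop", "payment-zone default deny")
    if d in PAYMENT_ZONE:
        # Nothing outside the zone may initiate into it, which is what stops a
        # compromised office PC or web server from reaching the checkout lanes.
        return ("drop", "inbound to payment-zone denied")
    return ("allow", "outside payment-zone policy")


# Port security: the switch port each authorised payment device is expected on
# (constructed inventory; locally administered MAC addresses).
PORT_INVENTORY = {
    "Gi1/0/1": "02:11:22:33:44:01",   # lane 1 POS
    "Gi1/0/2": "02:11:22:33:44:02",   # lane 2 POS
    "Gi1/0/3": "02:11:22:33:44:03",   # back-office payment server
}


def rogue_devices(observed: dict) -> list:
    """Compare the MAC table learned on the switch (port -> MAC) with the inventory.

    Returns one (port, mac, reason) entry per anomaly, in the order observed.
    """
    anomalies = []
    for port, mac in observed.items():
        expected = PORT_INVENTORY.get(port)
        if expected is None:
            anomalies.append((port, mac, "device on a port with no authorised device"))
        elif mac.lower() != expected.lower():
            anomalies.append((port, mac, f"expected {expected} on this port"))
    return anomalies


if __name__ == "__main__":
    # Constructed flows: a normal authorisation, an FTP upload to an unknown
    # Internet host, and an office PC probing a lane over SMB.
    for flow in [("10.20.1.15", "198.51.100.10", 443),
                 ("10.20.1.15", "203.0.113.45", 21),
                 ("10.20.2.7", "10.20.1.15", 445)]:
        print(flow, "->", evaluate_flow(*flow))
    # Constructed MAC table: lane 2 replaced by an unknown device, plus a device on a spare port.
    seen = {"Gi1/0/1": "02:11:22:33:44:01",
            "Gi1/0/2": "de:ad:be:ef:00:02",
            "Gi1/0/9": "de:ad:be:ef:00:09"}
    for anomaly in rogue_devices(seen):
        print("port-security alert:", anomaly)
```

The policy is deliberately small: a zone with one permitted destination is easy to audit, and any new flow that appears in the drop log is a question to answer rather than a rule to add.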
PayPros lockdown certified software
Customers using an application that uses PayPros SecurePlus and is PayPros Lockdown certified have the maximum protection against these enhanced malware attacks.
The PayPros SecurePlus product line provides data encryption at the point of entry for swiped and hand-keyed transactions and therefore protects businesses from RAM memory scraping attacks. This means that should a business network become infected with malware or one of its variants, the malware would not be able to harvest, aggregate and extract usable payment card data.
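The following added example (written for this post; it is not PayPros code and does not represent how SecurePlus works internally) ties together three points from the bulletin: the track 1 and track 2 format matching that the Malware section describes, the detection of card data leaving the network that the Recommendations ask the firewall to perform, and the effect of point-of-entry encryption described just above. It scans a byte buffer for the ISO/IEC 7813 track layouts, discards matches that fail the Luhn check digit, and reports masked PANs, which is the shape of a memory-triage or egress DLP rule rather than a harvesting tool. It runs over three constructed samples built from well-known test card numbers (never live cardholder data): a POS process holding cleartext swipe data, an FTP upload of harvested records, and the same process after an encrypting reader, where only an opaque token (constructed here, not real ciphertext) reaches memory and nothing is found.

```python
import re

# ISO/IEC 7813 layouts: track 2 is ";PAN=YYMMSSS...?", track 1 is "%BPAN^NAME^YYMMSSS...?"
# (PAN 13-19 digits, YYMM expiry, SSS service code). These formats are what RAM
# scrapers hunt for; here they serve as the detection signature.
TRACK2_RE = re.compile(rb";(?P<pan>\d{13,19})=(?P<yy>\d{2})(?P<mm>\d{2})(?P<svc>\d{3})")
TRACK1_RE = re.compile(rb"%B(?P<pan>\d{13,19})\^[^^]{2,26}\^(?P<yy>\d{2})(?P<mm>\d{2})(?P<svc>\d{3})")


def luhn_ok(pan: str) -> bool:
    """ISO/IEC 7812 check digit; weeds out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS display rule: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> list:
    """Return masked records for every Luhn-valid track 1/2 string in `buf`, by offset."""
    hits = []
    for kind, rx in (("track2", TRACK2_RE), ("track1", TRACK1_RE)):
        for m in rx.finditer(buf):
            pan = m["pan"].decode("ascii")
            if not luhn_ok(pan):
                continue
            hits.append({
                "kind": kind,
                "offset": m.start(),
                "pan": mask_pan(pan),
                "expiry": f"{m['mm'].decode()}/{m['yy'].decode()}",
                "service_code": m["svc"].decode(),
            })
    hits.sort(key=lambda h: h["offset"])
    return hits


# Constructed samples using the well-known test PANs 4111111111111111 and 5555555555554444.
SAMPLES = {
    # What a RAM scraper hopes to find: a POS process holding cleartext swipe data.
    "pos_memory_cleartext": (
        b"\x00\x00auth_req\x00%B4111111111111111^DOE/JANE^2512101000000000?\x00"
        b"\x00;4111111111111111=25121010000000000?\x00\x00"
    ),
    # Stage three: harvested records pushed to an external FTP server.
    "egress_ftp_payload": (
        b"STOR dump.txt\r\n;5555555555554444=26061010000000000?\r\n"
        b";1234567890123456=26061010000000000?\r\n"      # fails Luhn, so ignored
    ),
    # Same process with point-of-entry encryption: only an opaque token reaches RAM
    # (constructed placeholder bytes standing in for the reader's ciphertext).
    "pos_memory_encrypted_reader": b"\x00auth_req\x00E1:9F3B2C7A8D4E5F6071829A3B4C5D6E7F8091A2B3\x00",
}


def scan_samples(samples: dict = SAMPLES) -> dict:
    """Run the scanner over every sample; returns {name: hits}."""
    return {name: find_track_data(buf) for name, buf in samples.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name}: {len(hits)} cleartext track record(s)")
        for h in hits:
            print("   ", h)
```

The same scanner gives the same answer whether it is pointed at a process memory dump during a PCI assessment or at the payload of a packet leaving the network: with encryption at the swipe, there is no cleartext track data to find, which is why the scraper stage of the attack has nothing to collect.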
We Are Here To Help
PayPros provides our customers with a wide range of security services, including:
- PayPros Customer Care – 24/7/365 phone, email and online support
- PayPros FraudWatch – risk monitoring and business fraud assistance
- PayPros PCI Services
  - PCI Validation
  - Breach Support