The Green Sheet

Monday, August 3, 2015

Public, private effort to secure systems, reduce cyber crime

Alina, Chewbacca and Punkey are just a few names on a long list of POS malware infiltrating the payment processing community. A report published July 7, 2015, by the Financial Services Information Sharing and Analysis Center, the Retail Cyber Intelligence Sharing Center and the United States Secret Service, with the support of Visa Inc., highlights malware as an immediate danger to POS systems.

The advisory, titled Alert and Recommendations: Securing Merchant Card Payment Systems from the Risks of Remote Access, identifies common cyber exploitation threats and proposes tactics, techniques and procedures that retailers and payment service providers can use to help mitigate attacks. These methods, called TTPs, are straight out of the FS-ISAC, R-CISC and Secret Service playbooks.

The report's TTPs and security controls focus on four key vulnerabilities in POS systems:

  1. Unauthorized access via remote access
  2. Exploiting commercial application vulnerabilities
  3. Email phishing
  4. Unsafe web browsing from computer systems used to collect, process, store or transmit customer information

A front page disclaimer positions the advisory as a general overview and point of reference. Its recommendations are meant to enhance but not replace the Payment Card Industry Data Security Standard and third-party vendors that help small merchants implement security controls and protect their processing environments.

Remote access controls

Cyber crime has evolved over the years into a highly sophisticated, multibillion-dollar industry. Attackers tend to be knowledgeable about their targets and use their knowledge and expertise to create elegant hacking tools that can be seamlessly integrated into payment processing environments. The growing popularity of customized POS systems has spawned equally popular customized malware designed to exploit databases and payment processing systems by using remote access tools.

One of the most popular methods that hackers use to get into proprietary systems is to target employees who have remote access to a company's virtual private network. Once the criminals have access to an employee's log-in, they can wreak havoc and steal sensitive data. "Implementing multifactor authentication on remote access devices reduces the risk of attackers gaining access to the network," the report stated, noting that these remote access platforms are frequently overlooked and vulnerable to attack.

Authentication, encryption, tokenization

The race is on in the United States for merchants to upgrade and implement Europay, MasterCard and Visa-compliant POS systems before the Oct. 1 liability shift. The report proposes that service providers bundle other security services with updated chip card readers to further reduce risks. These services may include end-to-end encryption, tokenization and physically attaching a handheld credit card processing unit to a secure platform. "Criminals have been known to replace existing handheld units with compromised units which capture card and PIN information," the report stated.

The report indicated there are no shortcuts to maintaining a secure environment and recommended continual monitoring of the entire POS environment, including internal firewalls, Internet access, physical access and use of multifactor authentication. "Implement multifactor authentication for the employees involved in managing the transactions of customer data and updating the applications protecting those transactions," it stated.

White listing, anti-virus not enough

Criminals are adept at reviewing software documentation and exploiting its defaults. Merchants and service providers must take special care to change default settings in hardware and software, most especially default passwords.

Criminals also stress test their malware against an array of anti-virus software programs. The report warns against relying solely on these programs to detect newer forms of malware. While anti-virus programs can identify older versions of malware, the report recommends a multilayered approach that includes host-based intrusion systems and programs that detect key-loggers.

The report's extended list of malware family members is tempered by the presence of law enforcement and dedicated task forces working with payments industry stakeholders to protect and secure processing systems. The FS-ISAC and R-CISC encourage their members and businesses unaffiliated with either organization to report suspicious activities. The U.S. Secret Service, a component of the U.S. Department of Homeland Security, is actively investigating "emerging financial, electronic and cyber-crimes."

Visa's recently formed partnerships with security firms FireEye and Fast IDentity Online Alliance indicate its commitment to fighting cyber-crime. "Although we are leading efforts to render stolen data useless through smart technologies, data security remains foundational for merchants," said Visa Chief Executive Officer Charlie Scharf.


Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
