Friday, January 28, 2011
POS system integrators – companies that install and maintain POS systems – may be creating vulnerabilities that can be exploited by cyber criminals, according to Trustwave's 2011 Global Security Report. The report is based on 200 case investigations, penetration testing and other security research conducted by Trustwave's advanced security team, SpiderLabs, during 2010.
Seventy-five percent of data thefts researched by SpiderLabs occurred within POS systems, making it the most commonly breached type of system, by far. "In our experience, many POS integrators are often not skilled in security best practices, leaving their clients open for attack," the report stated. "In 87 percent of the POS breach cases, third party integrators used some form of default credentials with either remote access systems or at the operating systems level."
Nicholas Percoco, Senior Vice President and head of SpiderLabs, said POS integrators often receive minimal training focused on "how to get the system up and running as soon as possible" rather than full training on system security.
Responsibility for security often gets shifted to merchants, who assume they are protected, according to Percoco. "You expect them [the integrators] to do a complete job," he said. "Security needs to be part of that complete job when installing and maintaining a point-of-sale system."
In 85 percent of the data thefts investigated by SpiderLabs, payment card data was the target. A section within the report claimed that in the "vast majority of cases" in which payment card data was breached, the investigators found instances in which the breached systems were out of compliance with Payment Card Industry (PCI) Data Security Standard (DSS) requirements. For example, in 84 percent of the cases involving loss of payment card data, the businesses lacked a firewall, despite the fact that PCI DSS Requirement 1 mandates the installation and maintenance of a firewall configuration to protect cardholder data, the report said.
SpiderLabs attributed the lack of compliance to the misconception that purchase of a "PCI compliant system" ensures ongoing compliance.
The 2011 Global Security Report also revealed other intriguing trends, including the fact that a single crime syndicate was responsible for more than 30 percent of all 2010 data breaches Trustwave investigated.
Percoco said the profitability of cyber crime has given rise to sophisticated organizations comprising individuals with separate specialties, from developers who can build customized malware to black market experts who know how to monetize extracted data.
The report also pointed to anti-virus software's failure to keep pace with constantly changing forms of malware. "Generic, widespread malware is slowly becoming more customized, one-off pieces of software – a trend that is challenging the foundation of the anti-virus industry," the report stated.
Increasingly, malware is being used to hijack in-transit data rather than stored data, because "fresh data" is more likely to contain valid card numbers.
In addition, cyber criminals are exploiting new platforms and other points of entry made more accessible due to the Internet. "Privacy, once coveted, is decreasing with the advent of social media tools," the report stated. "Intent on accessing private data, the new attack vectors from 2010 are none other than client-side, mobile and social networking."
In the report, SpiderLabs recommends strategies to help counter some of the trends noted in 2010, including developing a mobile security program, using multifactor authentication, educating employees on the risks of attacks via social media, and creating and monitoring standards for client-side software, such as browsers.
For a full version of the report, go to www.trustwave.com/gsr.