The Green Sheet Online Edition

February 14, 2011  •  Issue 11:02:01


Cyber security concerns

POS system integrators - companies that install and maintain POS systems - may be creating vulnerabilities that can be exploited by cyber criminals, according to Trustwave's 2011 Global Security Report. The report is based on 200 case investigations, penetration testing and other security research conducted by Trustwave's advanced security team, SpiderLabs, during 2010.

Seventy-five percent of the data thefts SpiderLabs investigated occurred within POS systems, making POS by far the most commonly breached type of system.

"In our experience, many POS integrators are often not skilled in security best practices, leaving their clients open for attack," the report stated. "In 87 percent of the POS breach cases, third-party integrators used some form of default credentials with either remote access systems or at the operating systems level."

Nicholas Percoco, Senior Vice President and head of SpiderLabs, said POS integrators often receive minimal training focused on "how to get the system up and running as soon as possible" rather than full training on system security.

Responsibility for security often gets shifted to merchants, who assume they are protected, according to Percoco. "You expect them [the integrators] to do a complete job," he said. "Security needs to be part of that complete job when installing and maintaining a point-of-sale system."

Card data favorite target

In 85 percent of the data thefts investigated by SpiderLabs, payment card data was the target.

A section of the report stated that in the "vast majority of cases" in which payment card data was breached, investigators found the breached systems were out of compliance with Payment Card Industry (PCI) Data Security Standard (DSS) requirements. For example, in 84 percent of the cases involving loss of payment card data, the businesses lacked a firewall, even though PCI DSS Requirement 1 mandates installing and maintaining a firewall configuration to protect cardholder data, the report said.

SpiderLabs attributed the lack of compliance to the misconception that purchase of a "PCI compliant system" ensures ongoing compliance.
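The two findings above, integrator accounts left on vendor default credentials (the 87 percent figure) and cardholder-data systems with no firewall (the 84 percent figure), are both things a merchant or acquirer can check for directly rather than assume a "PCI compliant system" covers. The following is an added example written for this article, not code from The Green Sheet or from Trustwave's report: a small audit script that walks a constructed inventory of POS sites and flags both conditions. The vendor names, usernames, default passwords and site names are placeholders invented for the example, not real products or real defaults.

```python
"""Added example, not code from The Green Sheet or from Trustwave's report:
a small compliance audit over a constructed inventory of POS sites that
flags the two findings the article highlights: accounts still using vendor
default credentials (remote access or OS level) and sites with no firewall
in front of cardholder data. Vendor names and default credentials below are
placeholders, not real products."""

from dataclasses import dataclass, field
import hashlib

# Constructed placeholder list of vendor-default credentials as
# (vendor, username, password). In practice this comes from vendor
# documentation; PCI DSS Requirement 2 requires changing all of them.
DEFAULT_CREDENTIALS = {
    ("ExamplePOS", "admin", "admin"),
    ("ExamplePOS", "support", "support1"),
    ("ExampleRemote", "remote", "remote"),
}


def sha256_hex(secret: str) -> str:
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


# Hash the defaults once so the audit compares digests, never plaintext.
DEFAULT_DIGESTS = {(v, u, sha256_hex(p)) for v, u, p in DEFAULT_CREDENTIALS}


@dataclass
class Account:
    vendor: str
    username: str
    password_digest: str  # sha256 hex of the stored secret
    role: str             # "remote_access" or "os"


@dataclass
class Site:
    name: str
    has_firewall: bool
    accounts: list = field(default_factory=list)


def audit_site(site: Site) -> list:
    """Return one human-readable finding per violation at this site."""
    findings = []
    if not site.has_firewall:
        findings.append(
            f"{site.name}: no firewall protecting cardholder data (PCI DSS Req. 1)")
    for acct in site.accounts:
        if (acct.vendor, acct.username, acct.password_digest) in DEFAULT_DIGESTS:
            findings.append(
                f"{site.name}: {acct.role} account '{acct.username}' on "
                f"{acct.vendor} still uses vendor default credentials (PCI DSS Req. 2)")
    return findings


def audit(sites: list) -> dict:
    """Map each site name to its list of findings."""
    return {site.name: audit_site(site) for site in sites}


def summarize(report: dict) -> dict:
    """Count sites per finding type, the way the report's percentages are framed."""
    return {
        "sites": len(report),
        "sites_with_default_credentials": sum(
            1 for f in report.values() if any("default credentials" in x for x in f)),
        "sites_without_firewall": sum(
            1 for f in report.values() if any("no firewall" in x for x in f)),
    }


def sample_sites() -> list:
    """Constructed inventory: three sites, two still on defaults, one with no firewall."""
    return [
        Site("Store-A", True, [
            Account("ExamplePOS", "admin", sha256_hex("admin"), "remote_access")]),
        Site("Store-B", False, [
            Account("ExamplePOS", "admin", sha256_hex("Tq8!mA-rotated"), "remote_access")]),
        Site("Store-C", True, [
            Account("ExamplePOS", "support", sha256_hex("support1"), "os"),
            Account("ExampleRemote", "remote", sha256_hex("remote"), "remote_access")]),
    ]


if __name__ == "__main__":
    report = audit(sample_sites())
    for site, findings in report.items():
        for line in findings or [f"{site}: no findings"]:
            print(line)
    print(summarize(report))
```

The audit compares SHA-256 digests rather than plaintext so an inventory export never has to carry live passwords; a real deployment would feed it the actual account records and the vendor's published default list, and run it after every integrator visit, since the report's point is that compliance lapses after installation, not only before it.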

Cyber criminals one step ahead

The 2011 Global Security Report also revealed other intriguing trends, including the fact that a single crime syndicate was responsible for more than 30 percent of all 2010 data breaches Trustwave investigated.

Percoco said the profitability of cyber crime has given rise to sophisticated organizations comprising individuals with separate specialties, from developers who can build customized malware to black market experts who know how to monetize extracted data.

The report also pointed to anti-virus software's failure to keep pace with constantly changing forms of malware. "Generic, widespread malware is slowly becoming more customized, one-off pieces of software - a trend that is challenging the foundation of the anti-virus industry," the report stated.

Increasingly, malware is being used to hijack in-transit data rather than stored data, because "fresh data" is more likely to contain valid card numbers.

In addition, cyber criminals are exploiting new platforms and other points of entry made more accessible due to the Internet. "Privacy, once coveted, is decreasing with the advent of social media tools," the report stated. "Intent on accessing private data, the new attack vectors from 2010 are none other than client-side, mobile and social networking."

Security strategies recommended

In the report, SpiderLabs recommends strategies to help counter some of the trends noted in 2010, including developing a mobile security program, using multifactor authentication, educating employees on the risks of attacks via social media, and creating and monitoring standards for client-side software, such as browsers. For a full version of the report, go to www.trustwave.com/gsr.
