The Green Sheet Online Edition

August 24, 2015  •  Issue 15:08:02

Public, private effort to secure systems, reduce cyber crime

Alina, ChewBacca and Punkey are just a few names on a long list of POS malware infiltrating the payment processing community. A report published July 7, 2015, by the Financial Services Information Sharing and Analysis Center, the Retail Cyber Intelligence Sharing Center and the United States Secret Service, with the support of Visa Inc., highlights malware as an immediate danger to POS systems.

The advisory, titled Alert and Recommendations: Securing Merchant Card Payment Systems from the Risks of Remote Access, identifies common cyber exploitation threats and proposes tactics, techniques and procedures (TTPs) that retailers and payment service providers can use to help mitigate attacks. These TTPs are drawn straight from the FS-ISAC, R-CISC and Secret Service playbooks.

The report's TTPs and security controls focus on four key vulnerabilities in POS systems:

  1. Unauthorized access via remote access
  2. Exploiting commercial application vulnerabilities
  3. Email phishing
  4. Unsafe web browsing from computer systems used to collect, process, store or transmit customer information

Remote access controls

A front-page disclaimer positions the advisory as a general overview and point of reference. Its recommendations are meant to enhance, but not replace, the Payment Card Industry Data Security Standard. Nor are they intended to undermine the efforts of third-party vendors that help small merchants implement security controls and protect their processing environments.

The report noted that cyber crime has evolved over the years into a highly sophisticated, multibillion dollar industry. Attackers tend to be knowledgeable about their targets and use their knowledge and expertise to create elegant hacking tools that can be seamlessly integrated into payment processing environments. The growing popularity of customized POS systems has spawned equally popular customized malware designed to exploit databases and payment processing systems by using remote access tools.

One of the most popular methods hackers use to get into proprietary systems is to target employees who have remote access to a company's virtual private network. Once the criminals obtain an employee's login credentials, they can wreak havoc and steal sensitive data. "Implementing multifactor authentication on remote access devices reduces the risk of attackers gaining access to the network," the report stated, noting that remote access platforms are frequently overlooked and vulnerable to attack.

Authentication, encryption, tokenization

The race is on in the United States for merchants to upgrade and implement Europay, MasterCard and Visa (EMV)-compliant POS systems before the Oct. 1 liability shift. The report proposes that service providers bundle other security services with updated chip card readers to further reduce risks. These services may include end-to-end encryption, tokenization and physically attaching a handheld credit card processing unit to a secure platform.

"Criminals have been known to replace existing handheld units with compromised units which capture card and PIN information," the report stated.

The report authors also found there are no shortcuts to maintaining a secure environment and recommended continual monitoring of the entire POS environment, including internal firewalls, Internet access, physical access and use of multifactor authentication. "Implement multifactor authentication for the employees involved in managing the transactions of customer data and updating the applications protecting those transactions," the report stated.

Whitelisting, anti-virus not enough

Criminals are adept at reviewing software documentation and exploiting its defaults. Merchants and their service providers must take special care to change default settings in hardware and software, most especially default passwords.

Criminals also stress test their malware against an array of anti-virus software programs. The report warns against relying solely on such programs to detect newer forms of malware. While anti-virus programs can identify older versions of malware, the report recommends a multilayered approach that also includes keylogger detection and host-based intrusion detection systems.

The report's extended list of malware variations is tempered by the presence of law enforcement and dedicated task forces working with payments industry stakeholders to protect and secure processing systems. The FS-ISAC and R-CISC encourage their members and businesses unaffiliated with either organization to report suspicious activities. The U.S. Secret Service, a component of the U.S. Department of Homeland Security, is actively investigating "emerging financial, electronic and cyber-crimes."

Visa's recently formed partnerships with security firms FireEye Inc. and Fast IDentity Online Alliance indicate its commitment to fighting cyber crime. "Although we are leading efforts to render stolen data useless through smart technologies, data security remains foundational for merchants," said Visa Chief Executive Officer Charlie Scharf.
