The Green Sheet Online Edition
August 24, 2015 • Issue 15:08:02
Public, private effort to secure systems, reduce cyber crime
Alina, ChewBacca and Punkey are just a few names on a long list of POS malware infiltrating the payment processing community. A report published July 7, 2015, by the Financial Services Information Sharing and Analysis Center, the Retail Cyber Intelligence Sharing Center and the United States Secret Service, with the support of Visa Inc., highlights malware as an immediate danger to POS systems.
The advisory, titled Alert and Recommendations: Securing Merchant Card Payment Systems from the Risks of Remote Access, identifies common cyber exploitation threats and proposes tactics, techniques and procedures that retailers and payment service providers can use to help mitigate attacks. These methods, called TTPs, are straight out of the FS-ISAC, R-CISC and Secret Service playbooks.
The report's TTPs and security controls focus on four key vulnerabilities in POS systems:
- Unauthorized access via remote access
- Exploiting commercial application vulnerabilities
- Email phishing
- Unsafe web browsing from computer systems used to collect, process, store or transmit customer information
Remote access controls
A front-page disclaimer positions the advisory as a general overview and point of reference. Its recommendations are meant to enhance, but not replace, the Payment Card Industry Data Security Standard. Nor are they intended to undermine the efforts of third-party vendors that help small merchants implement security controls and protect their processing environments.
The report noted that cyber crime has evolved over the years into a highly sophisticated, multibillion-dollar industry. Attackers tend to be knowledgeable about their targets and use their knowledge and expertise to create elegant hacking tools that can be seamlessly integrated into payment processing environments. The growing popularity of customized POS systems has spawned equally popular customized malware designed to exploit databases and payment processing systems by using remote access tools.
One of the most popular methods that hackers use to get into proprietary systems is to target employees who have remote access to a company's virtual private network. Once the criminals have access to employee login information, they can wreak havoc and steal sensitive data. "Implementing multifactor authentication on remote access devices reduces the risk of attackers gaining access to the network," the report stated, noting that remote access platforms are frequently overlooked and vulnerable to attack.
Authentication, encryption, tokenization
The race is on in the United States for merchants to upgrade and implement Europay, MasterCard and Visa (EMV)-compliant POS systems before the Oct. 1 liability shift. The report proposes that service providers bundle other security services with updated chip card readers to further reduce risks. These services may include end-to-end encryption, tokenization and physically attaching a handheld credit card processing unit to a secure platform.
"Criminals have been known to replace existing handheld units with compromised units which capture card and PIN information," the report stated.
The report authors also found there are no shortcuts to maintaining a secure environment and recommended continual monitoring of the entire POS environment, including internal firewalls, Internet access, physical access and use of multifactor authentication. "Implement multifactor authentication for the employees involved in managing the transactions of customer data and updating the applications protecting those transactions," the report stated.
White listing, anti-virus not enough
Criminals are adept at reviewing software documentation and exploiting its defaults. Merchants and their service providers must take special care to change default settings in hardware and software, most especially default passwords.
Criminals also stress test their malware against an array of anti-virus software programs. The report warns against relying solely on such programs to detect newer forms of malware. While anti-virus programs can identify older versions of malware, the report recommends a multilayered approach that also includes key-logger detection programs and host-based intrusion systems.
The report's extended list of malware variations is tempered by the presence of law enforcement and dedicated task forces working with payments industry stakeholders to protect and secure processing systems. The FS-ISAC and R-CISC encourage their members and businesses unaffiliated with either organization to report suspicious activities. The U.S. Secret Service, a component of the U.S. Department of Homeland Security, is actively investigating "emerging financial, electronic and cyber-crimes."
Visa's recently formed partnerships with security firms FireEye Inc. and Fast IDentity Online Alliance indicate its commitment to fighting cyber crime. "Although we are leading efforts to render stolen data useless through smart technologies, data security remains foundational for merchants," said Visa Chief Executive Officer Charlie Scharf.