News about POS malware breaches affecting two retailers hit the headlines last week, this time featuring a fast-food restaurant chain in the U.S. that operates around 3,500 locations across the country, most of which are franchised, and a popular supermarket.
Both entities, like others before them, were notified of suspicious activity by a third-party service provider who spotted the potential issues. The breaches could have originated either from internal vulnerabilities or through third-party suppliers.
In one of the cases, the card breach was reported publicly on Sept. 26, but the card information had apparently been up for sale in underground online shops for over a week. One illicit shop in particular, known as Joker’s Stash, reportedly had been selling the cards under the batch name FireTigerrr since Sept. 18. Another cybercrime service that checks card validity for fraudsters saw the first batch appear as early as Sept. 15.
This means the breach has been collecting data on an ongoing basis. According to the cards-for-sale lists from the shop, the incident spanned locations in a variety of states. See Figure 1 below (Note: In fraudster lingo, dumps refer to card data stolen from the magnetic stripe of the compromised card and subsequently used for cloning the data onto blank plastic cards).
Figure 1: Screen capture from Joker’s Stash showing cards for sale (Source: Krebs on Security)
Attacks against organizations that operate a large number of point-of-sale (POS) endpoints are fruitful for cybercriminals looking to gain access to credit card information, which is precisely why we’re seeing more of these cases than ever. Yet another breach was being investigated during the writing of this post and, once again, payment card data was the target.
Card Breaches and the POS Malware Angle
To mitigate the risk of payment card breaches, security professionals and the C-suite must focus on two major angles. The more immediate and low-level one is the POS malware angle. Although it sounds like a technical matter, it touches on many aspects of the organization’s information security.
POS malware has been around for over a decade now, operated by actors ranging from lone fraudsters to organized crime groups. Through the years, POS malware has not made significant strides in technical terms, simply because it has not needed to. Most POS malware codes are RAM scrapers that make their way into the target endpoint, focus on reading unencrypted card data in the random access memory (RAM) zone and steal data amassed through the days and weeks of the breach.
Since most POS endpoints are not regularly used for internet browsing, RAM-scraping malware can make it to the endpoint through:
- Physical access to the POS endpoint by a malicious individual;
- Penetration of a malicious actor to the higher-privilege systems of the retailer; or
- A poisoned update of the endpoint software delivered by central IT.
One of the most recent examples of POS malware modus operandi is MajikPOS. Attackers begin by penetrating the target organization’s systems to reach the control zone for different POS endpoints. They connect to the endpoint using remote access, either one that’s already installed or one they activate, such as virtual network connection (VNC) or remote desktop protocol (RDP) access. The connection can be made by stealing or guessing the password. Once in, the attackers install the POS malware on the endpoint. From there, the malware runs in the background and continually sends out the stolen data to the attacker’s designated server.
The POS malware angle is also an overall malware angle. Organizations normally mitigate this threat with appropriate privilege management, encryption, and antimalware controls. That said, the inherently decentralized nature of the security scheme for chain stores and restaurants makes for an added challenge. With so many franchised locations, it is difficult to enforce the same controls throughout all the environments. This calls for applying very defined standards and then monitoring to ensure that those are upheld in all locations. Moreover, when there are so many POS endpoints exposed to the access of an unlimited number of employees working in different locations, securing the POS demands much more control than any other endpoint operated by office-based organizations.
Fortunately, most organizations have Payment Card Industry Data Security Standard (PCI DSS) compliance and security hygiene measures implemented to help mitigate the threat from the more obvious entry points, including:
- Risk-based patch and update management;
- Extra controls governing what can reach the live POS machines to prevent rogue updates;
- Strict password management to ensure that passwords cannot be guessed easily;
- Next-generation endpoint detection and response (EDR) or endpoint protection platforms (EPP) to detect the latest threats from attackers. Unfortunately, only using antivirus will not suffice here because these Trojans morph quickly to delay or bypass detection by antivirus solutions;
- Layered privileged account permissions to limit user privileges as much as possible on the connected systems and prevent access to unauthorized programs;
- A demilitarized zone (DMZ) to segment the POS network from user traffic and act as an extra layer of protection to hinder attackers from compromising the POS environment;
- Blocking the option to run removable media on risky endpoints, especially any system connected with the POS itself. This access should be entrusted to an authorized administrator with proper activity monitoring in place;
- Limiting any internet access from the endpoint that is not directly generated by the POS application;
- Hardening security around remote access to the POS, whether your organization uses installed software or the endpoint’s RDP connection. Use IP filtering, strong passwords and two-factor authentication to prevent unauthorized remote access;
- Separating guest Wi-Fi from the operational connection, and then securing the Wi-Fi and Bluetooth connections to terminals and hand-held card swipe machines to prevent the signal from being intercepted and the data from being siphoned remotely;
- Obfuscation and encryption of the data to prevent its use if ever leaked or stolen; and
- Role-based training to limit the potential for a physical breach, malicious tampering with equipment and employee misuse that could lead to trouble down the line.
Security of a POS Starts and Ends with Penetration Testing
Beyond security hygiene and adhering to a security framework and best practices, many organizations are failing to prioritize testing their POS endpoints, likely because they expect to buy a secure product out of the box. That’s not always the case because POS endpoints can contain security issues in the hardware, hand-held devices, POS software application and all the custom code that goes into such applications.
If developers fail to regularly test those endpoints, criminals are likely to do just that: test for gaps, and attempt to compromise that merchant to access the plethora of vulnerable POS machines it operates. Threat actors use a number of techniques, from bribing insiders to obtaining POS machines to run their own testing, to identify security gaps and plan their attacks accordingly. For cybercriminals, POS endpoints are the low-hanging fruit because these potential vulnerabilities are not as thoroughly documented as those of other operating systems. When testing POS systems that were never checked before, testers often find issues very early on in the process.
On the merchant’s side, organizations that buy and operate POS machines often rely on the basics of Payment Application Data Security Standard (PA-DSS) requirements, which are derived from the PCI-DSS standard but do not always offer the level of testing that the endpoints require.
To minimize the window of opportunity for attackers, the security team should contract a reputable penetration testing provider to perform manual testing on the POS itself, in addition to the network security that’s applied to the connecting systems. When testers identify vulnerabilities, the merchant’s security team can turn to its vendor with a requirement to fix the gap. In cases where the gap cannot be remedied, the security team can give an accurate assessment of the risk and subsequently apply the necessary mitigation strategies and compensating controls to ensure that the risk aligns with the organization’s risk appetite. This is an easy win for a chief information security officer (CISO), especially since card breaches have been prevalent and well-documented, to illustrate the business case for mandating more security.
Of course, card breaches would mean a lot less to criminals if they could not use the data to clone new cards. That can happen if more banks adopt chip-and-PIN cards across the board. This is no silver bullet to prevent all misuse of payment card data, but it will greatly limit fraudsters’ ability to clone cards due to complication and cost.
Better card security can drive more criminals to the online channel for card-not-present (CNP) fraud, but that channel has already taken steps toward becoming more secure. Overcoming these hurdles can help weed out the less skilled bunch over time, which may result in an overall drop in fraud rates.
Card Breaches and the Third-Party Insecurity Angle
The second major angle of the card breach epidemic is the break-in through third-party vendors. Every organization holds numerous relationships with third parties that have access to its infrastructure. These relationships can sometimes be abused when an attacker conducts reconnaissance and looks for the path of least resistance.
Breaching secure organizations through third parties is a notoriously problematic concept and can happen to just about any company. Security measures should be revisited and enhanced to help limit exposure to a bare minimum, determine liability and set up an effective response strategy.
When contracting third-party providers, their infrastructure and access to the organization’s own resources become extensions of the overall security and risk management plan. During the contract negotiation phase, information security management must come into the process to conduct a risk assessment, share and establish requirements and procedures, identify potential gaps and ways to address them, and build the necessary blocks directly into the contract with the provider. Relevant network access and adherence to security requirements should be monitored and periodically audited to limit the potential for error or oversight.
This is where the vendor relationship comes into play once again for addressing security issues in the hardware and software contract. The contract has to contain a detailed security section to define what types of security issues will be addressed, how rapidly, and who holds the liability in the interim.
Criticality of Incident Response and Crisis Communications
Even with all security controls in place, a breach by a persistent, advanced and motivated threat actor can befall any organization of any size in any sector. With the impact of breach costs quantified, the business case of a response plan is very straightforward.
The criticality of incident management and response cannot be stressed enough. The ability to manage incidents according to a tested plan can define the results, affecting both the hard costs of a breach and the softer costs or collateral damage, including reputational damage, drop in stock value and customer/revenue loss.
Whether a DIY program based on a defined framework, a designated solution or managed incident response (IR) services, an incident response team, along with plans adapted to the organization’s risk profile, business continuity goals and contingency resources, can dramatically reduce the time to detect issues before they become problems. IR can further contribute to lowering the cost of a data breach.
It is important to gather an IR team, establish skill-based roles and then drill the response plans regularly to train the team and achieve better results over time. But aside from the technical side of the response plan, the literal response — the one made of words and numbers — can be the first and most impactful part of recovering from a breach.
Crisis Communication at the Break of Breach News
Crisis communication and media relations have become critical parts of responding to a breach at the earliest stages of having to disclose it. Since you don’t want the bad news to reach the media prematurely, this sensitive stage of the discovery process can potentially affect the response from regulatory, insurance, legal, customers, public stakeholders, and the organization’s own management and employees.
It is vital to consider the media response in the overall incident response plan and assign the proper stakeholders to the task. Defining who should speak for the organization in the event of a breach can help employees and lower management avoid having to respond to unvetted questions from reporters without authority.
More importantly, preparation helps designated executives speak about incidents with clarity and precision, assuring all stakeholders that proper containment, investigation, eradication and reporting processes are underway. Neglecting to manage the communication plan in times of crisis can result in loss of goodwill and heavy reputational damage, potentially including the resignation of top executives.
Affected Customers in the Wake of a POS Breach
Very large payment card data breaches have been rising in numbers over the past five years due to the entry of organized cybercrime gangs into that playing field.
In the wake of a breach, affected consumers should follow these tips:
- Look out for a notification from your card issuer, and opt to immediately cancel your card and have a new card issued.
- Review card statements for odd transactions and report them to your issuer. Don’t just focus on high-price purchases since, in some cases, criminals first attempt very low purchase amounts to test the card’s validity and their ability to successfully use it.
- Consider adding SMS or email alerts about card transactions that surpass a certain threshold.
- Beware of potential social engineering attacks and spam emails that will come after the breach.
- If you return to the same compromised merchant before the issue is contained, stay vigilant of your card usage and keep monitoring your statement.
- Sign up for credit monitoring services.