In a period of less than one month, three different companies recently announced that they’ve suffered the same type of malware attack that stole the personal data of millions of Target and Home Depot customers a few years ago. Worse yet, many companies are still at risk of a similar breach.
Although details are still emerging on the full scope and scale of these data breaches, the overall message is that these so-called “Point-of-Sale” (PoS) malware attacks could have—and should have—been prevented. The fact of the matter is, credit card data often is not encrypted at the point-of-sale, allowing hackers to easily carry out a payment card attack.
“PoS systems are often the weak link in the chain,” says George Rice, senior director of payments for HPE Security at Hewlett Packard Enterprise.
In a recent example, Landry’s, a multibrand dining, hospitality, entertainment, and gaming company, said on Jan. 29 that it received a report one month earlier of “suspicious activity” regarding its payment card systems. “Findings from the investigation show that criminal attackers were able to install a program on payment card processing devices at certain of our restaurants, food and beverage outlets, spas, entertainment destinations, and managed properties,” Landry’s said in a statement.
These attacks took place as early as May 2014 and as late as December 2015. For its part, Landry’s said “enhanced security measures, including end-to-end encryption, have been implemented to prevent a similar issue from occurring in the future.”
In a second payment card attack, hospitality company Hyatt Hotels said on Jan. 14 that it completed its investigation into unauthorized access to payment card data from cards used onsite at certain Hyatt-managed locations, primarily at restaurants, between August 2015 and December 2015.
In a third malware attack to come to light in January, fast-food chain Wendy’s admitted that it, too, was investigating claims of a possible credit card breach at some of its nationwide locations.
In each of these attacks, the malware was designed to collect payment card data—cardholder name, card number, expiration date, and internal verification code—from cards used onsite as the data was being routed through affected payment processing systems.
To combat this problem, in 2006 American Express, Discover, JCB International, MasterCard, and Visa banded together and created the PCI Security Standards Council, which describes itself as “a global open body formed to develop, enhance, disseminate and assist with the understanding of security standards for payment account security.” It does this by providing best practices and training for upholding the PCI Data Security Standard (PCI DSS), a substantial collection of security measures (520 requirements in all) for credit card transactions.
Although compliance with the PCI DSS helps drive payment card security, it’s not the only solution. “Of all the data breaches our forensics team has investigated over the last 10 years, not a single organization was PCI DSS-compliant at the time of the breach,” according to Verizon’s 2015 PCI Compliance Report. “There’s a clear correlation between non-compliance and an organization’s chances of suffering a data breach.”
Lessons Learned from Payment Breaches
Below is an excerpt from Verizon’s 2015 PCI Compliance Report describing lessons learned from payment breaches as they relate to compliance with the Payment Card Industry Data Security Standard (PCI DSS).
Logging, Monitoring, Patching and Maintaining
Although we’re still seeing breaches even with good system hardening [Requirement 2], none of the companies that had suffered a breach complied with the requirements for maintaining systems and software security [Requirement 6] or logging and monitoring [Requirement 10]. Patching, maintaining, and monitoring key systems is critical for achieving sustainable security. And companies that exhibit poor logging and monitoring are likely to take longer to spot breaches, giving criminals more time to do more damage. As reported in the DBIR (Data Breach Investigations Report) each year, many breaches go undetected for months or even years.
Most security professionals are very familiar with the concept of least-privilege access, but as business demands and complexity grow, so too do the administrative challenges of adhering to it in practice. Apparently, breach victims struggle with this much more than other organizations. Breached companies were equally bad at authenticating access [Requirement 8].
Every day, attackers are vigorously and repeatedly probing your defenses and trying to penetrate your perimeter, and the firewall is your first line of defense. Firewalls only work effectively if architected, tuned, and maintained properly. Seventy-one percent of our QSA (Qualified Security Assessor) clients met all the controls associated with maintaining firewalls [Requirement 1] at the time of their interim assessment. In comparison, just 27 percent of breached organizations did. This suggests that ineffective perimeter security is a key contributor to the likelihood of suffering a breach.
Malware is another major threat. And again, we see a large gap between the groups on maintaining anti-virus [Requirement 5]. Eighty percent of our QSA clients maintained all the controls in this area, compared to just 36 percent in the group of breached companies. CHD (cardholder data) breaches typically involve a number of techniques, but many culminate in dropping a piece of malware on a high-value system. Having anti-virus software on all in-scope systems isn’t just a PCI DSS requirement, it should be a fundamental part of any security program.
PCI DSS compliance “should not be seen in isolation, but as part of a comprehensive information security and risk-management strategy,” the Verizon report stated. “PCI DSS compliance is a baseline, an industry-wide minimum acceptable standard, not the pinnacle of payment card security.”
To best mitigate a payment card attack, it may help to imitate remedial measures taken by those who have suffered a breach. Target, for example, said it has significantly strengthened security across its network by taking the following steps:
Enhancing monitoring and logging, including implementation of additional rules, alerts, centralizing log feeds, and enabling additional logging capabilities;
Implementing enhanced segmentation, including the development of point-of-sale management tools, reviewing and streamlining of network firewall rules, and developing a comprehensive firewall governance process;
Reviewing and limiting vendor access, including decommissioning vendor access to the server impacted in the breach and disabling select vendor access points; and
Enhancing security of accounts, including the coordinated reset of 445,000 Target team member and contractor passwords, broadening the use of two-factor authentication, expanding password vaults, disabling multiple vendor accounts, reducing privileges for certain accounts, and developing additional training related to password rotation.
Data security experts recommend a variety of other ways in which companies can better defend their networks. That starts with intimately knowing your data: What data do you have that is most valuable to the company? Where is that data located?
“Data is what the attackers want to get,” says Travis Smith, senior security research engineer at Tripwire. “Data is the currency of the 21st Century.”
And if data is the currency of the new century, then mobile payments are the new wallet for containing it. Mobile payments and mobile wallets, which a few years ago were unheard of but have now become commonplace, are meant to enhance the customer experience, but they too introduce new security vulnerabilities, particularly in the retail industry. “It’s a bad business decision to ignore security over ease-of-use,” says Smith.
To help mitigate a payment card attack, further, some large retailers—Target, Home Depot, Walmart, Sam’s Club, and more—have started to roll out chip-enabled technology. Such checkout terminals support Chip-and-PIN cards (also called EMV cards for Europay, MasterCard, and Visa), which include an embedded microchip that stores customer data, the idea being that the card must be present for a transaction to take place.
To complement chip-enabled technology, data security experts recommend that industries using PoS systems protect cardholder data before the point-of-sale through such means as encryption and tokenization. “This allows for sensitive data to be protected at the moment of acceptance and remain protected throughout its lifecycle in the organization,” says Rice.
“Encrypting the data in the card reading terminal ahead of the point-of-sale eliminates the exposure of live information in vulnerable PoS systems,” Rice adds. “The attackers get only useless encrypted data.”
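The tokenization half of Rice’s point is easy to show in code. The example below is added here and is not code from the article, from HPE, or from any named vendor: a token vault that sits outside the PoS (in practice at the processor or in a hardened service), a “card reader” that swaps the PAN for a token before the PoS application ever sees it, and a scanner of the kind used in PCI assessments to check that no cleartext PAN survives in PoS-side records. The vault key, the test PAN 4111111111111111 and the record layouts are constructed for the example; the vault here keeps PANs in a dictionary, where a real one would encrypt them at rest under an HSM-protected key.

```python
"""Added example: tokenizing cardholder data ahead of the PoS, plus a cleartext-PAN check.

Design (assumptions, not the article's own description):
  * The vault derives a lookup index from the PAN with an HMAC, so the same card
    always maps to the same token (needed for refunds and loyalty) without the
    PoS ever holding a reversible index.
  * Tokens keep the 16-digit shape and the last four digits so legacy PoS code
    and receipts keep working, but are built to fail the Luhn check so they can
    never be mistaken for a real card number.
"""
import hmac
import hashlib
import json
import re
import secrets
from typing import Dict, List

TEST_PAN = "4111111111111111"  # well-known test card number, constructed input


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """The only component allowed to hold PANs; lives outside the PoS environment."""

    def __init__(self, index_key: bytes) -> None:
        self._index_key = index_key          # keyed-hash key for the PAN index (constructed)
        self._by_index: Dict[str, str] = {}  # HMAC(PAN) -> token
        self._by_token: Dict[str, str] = {}  # token -> PAN (encrypt at rest in production)

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Replace a PAN with a format-preserving, non-Luhn-valid surrogate."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a plausible PAN")
        idx = self._index(pan)
        if idx in self._by_index:
            return self._by_index[idx]
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(12)) + pan[-4:]
            if not luhn_ok(token) and token not in self._by_token:
                break
        self._by_index[idx] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Recover the PAN; only the vault (never the PoS) can do this."""
        return self._by_token[token]


def checkout(pan: str, amount_cents: int, vault: TokenVault) -> dict:
    """Simulates the card reader: the PAN is tokenized at capture, and the dict
    returned here is everything the PoS application (and any malware on it) sees."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:], "amount_cents": amount_cents}


PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")


def find_cleartext_pans(text: str) -> List[str]:
    """Assessment-style check: list Luhn-valid 13-19 digit runs found in PoS-side data."""
    return [m.group(0) for m in PAN_CANDIDATE.finditer(text) if luhn_ok(m.group(0))]


if __name__ == "__main__":
    vault = TokenVault(b"constructed-vault-index-key")
    record = checkout(TEST_PAN, 1999, vault)
    print("PoS-side record:", json.dumps(record))
    print("cleartext PANs in tokenized record:", find_cleartext_pans(json.dumps(record)))
    print("cleartext PANs in legacy record:",
          find_cleartext_pans(f"sale pan={TEST_PAN} amount=1999"))
```

The scanner is the practical check behind “attackers get only useless encrypted data”: run it over sales records, logs and memory dumps from the PoS environment, and a tokenized deployment should return nothing, while a legacy one lights up on every transaction.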
Beyond security measures, several companies in the retail industry have banded together to strengthen their defenses against hackers and data breaches. The industry initiative, known as the Retail Cyber Intelligence Sharing Center (R-CISC), is an independent organization through which more than 50 of the nation's largest retailers, federal law enforcement, and government agencies can share cyber-threat information to enhance the security of the retail industry’s networks and protect consumer data.
The centerpiece of R-CISC is the Retail Information Sharing & Analysis Center (R-ISAC), which functions as the information-sharing forum for retailers. Examples of threat information to be shared include:
A description of threat or attack activity observed
Specific attributes defining known or suspected threat activity
Incident details, describing the “who, what, where” of a particular threat, including the targeted sector and the nature of data exfiltrated
Tactics, techniques, or procedures of a particular threat
Particular weaknesses that attackers may seek to leverage or exploit
Data describing the motive of hackers, or type of attack, in order to aid in better detection and prevention of future threat activity
“If you can adopt this type of threat intelligence, you can get one up on your attackers,” says Smith.
Just as the first step to recovery is acknowledging you have a problem, the first step to an effective incident response plan is “knowing that you’ve been attacked,” says Smith. “That’s a huge problem for a lot of companies.”
According to Verizon’s 2015 Data Breach Investigations Report, attackers in 60 percent of cases were able to compromise a company’s system within minutes. “Unfortunately, the proportion of breaches discovered within days still falls well below that of time to compromise,” the report said. “Even worse, the two lines are diverging over the last decade, indicating a growing ‘detection deficit’ between attackers and defenders. We think it highlights one of the primary challenges to the security industry.”
Once you know a breach has occurred, “you really need to kick off your incident response plan,” says Smith. That means figuring out which machines have been affected and infected, he says.
“When it comes to incident response, the IT team is generally going to be the one leading the charge,” Smith adds. They do need to be empowered to take the appropriate steps, however, to get the business up and running, he says. “It’s not an IT problem anymore, it’s a business problem.”
From a technology standpoint, all the resources exist in the marketplace, says Erik Knight, founder and CEO of SimpleWan, a cloud-based router and service provider. “The biggest struggle we see is getting business owners and C-levels on board with the plan,” he says. “They still believe it’s not going to happen to them.”
That’s their first big mistake. “Doing nothing,” Knight says, “is an almost guaranteed ticket to having a problem.”