While point-of-sale (POS) systems are present in hospitality, health care and other consumer-driven businesses, they are an especially critical part of every retailer’s IT footprint. According to the Verizon 2015 Data Breach Investigations Report, attacks on POS systems continue to be the top security incident category with confirmed data breaches, and a majority of those breaches still take weeks to months simply to detect, much less mitigate. Through resale or direct fraud, an attacker’s objective is to steal valuable customer payment data and profit from it, and the financial impact of a data breach to the retailer can be up to $165 per record (Ponemon 2015).
Additional pressure continues to mount for merchants to secure their point-of-sale environments. On top of the increase in POS attacks, U.S. merchants are being pressured to replace their traditional magnetic stripe readers with EMV (Europay, Mastercard, Visa) chip card systems. EMV will decrease fraud during card-present transactions, but industry experts expect fraud activity to shift to card-not-present transactions. The advent of EMV also shifts the liability for fraud from the issuer to merchants that do not adopt EMV. EMV systems still require additional security controls (such as strong encryption) because criminals can compromise data at the point of sale even when consumers use the chip. They may not be able to use that stolen data to make a counterfeit EMV card, but they can still profit from it at e-commerce merchants, where no physical card is required. Merchants need to offer a POS system that balances customer experience with protection.
The Range of POS Malware Behaviors
Malware developed specifically for POS devices is available today on the black market. Because a POS system breach requires the attacker to wait for transactions to occur and then collect the payment data, the compromise must be stealthy enough to endure. Most POS breaches target the obvious data (card number, card verification value (CVV) number, PIN and name) for use in fraudulent purchases, but criminals are also after data such as email addresses, telephone numbers, transaction history, purchase history and other behavioral data for competitive data mining.
POS attack methods are becoming more varied and adaptable. Evolving evasion techniques make detection by traditional antivirus difficult or impossible. The initial infiltration may be accomplished through social engineering via email phishing, by exploiting a weakness in an external-facing system with SQL injection, or even by using a manufacturer’s default password. Once in, criminals obtain user credentials through a range of techniques and traverse the network to find the cardholder data environment (CDE), or malware propagates on its own with the intent to steal data and transmit it to an external system.
POS systems can be easy targets if payment data travels through internal systems in an unencrypted format. Attackers will often install network-sniffing malware to intercept the payment data in transit. Currently PCI DSS does not require certain internal network paths (such as POS machine to store server, POS payment application to POI device, and payment application to payment gateway) to be encrypted. As a result, many merchants are starting to use network-level encryption to protect against these attacks. Merchants may have implemented SSL (Secure Sockets Layer) in the past, but the revisions in PCI DSS 3.1 specify more robust encryption. SSL isn’t just noted as weak; it has been demonstrated to be vulnerable through Heartbleed and POODLE. For this reason, current software-based network encryption may not guarantee data protection. PCI DSS 3.1 mandates that merchants move to stronger encryption for data in transit by June 2016.
POS threats continue to evolve beyond network-based sniffing as well. Attackers recognize that payment data is not always encrypted: card data is often held in plaintext in memory while a transaction is processed. This provides a brief but effective window of attack. Through memory scraping, payment data is copied from RAM and transmitted back to the attacker. The number of new POS “RAM scraper” variants grew from just two in 2013 to five in 2014 (Trend Micro). Most recent RAM scraping attacks (such as the FYSNA malware family, also known as “Chewbacca”) use the Tor network to communicate with their command and control server, hiding the data exfiltration and making them very difficult to detect.
Out-of-the-Box POS Protection
Knowing your attacker’s specific behavior and continuously monitoring for that behavior can greatly reduce the risk of a successful POS attack. Retail faces large numbers of automated and opportunistic attacks that take weeks or months to discover; by the time security teams catch up, the perpetrators are often long gone and the damage is done. With time being the critical factor, Tripwire recognizes that security is not one size fits all and has developed protection policies specifically for POS devices. Tripwire® Enterprise, an industry-leading security configuration management solution, includes Tripwire POS Threat Protection, an exclusive set of POS threat detection and prevention rules. Detecting POS attacks as they occur reduces both the potential for massive damage and the time needed to recover.
A Comprehensive & Adaptive POS Security Solution
POS devices are purpose-built with predictable configurations, so monitoring for change is critical. Tripwire solutions proactively alert if your POS devices, servers and network infrastructure have changed and are more susceptible to compromise.
Tripwire Enterprise (Security Configuration Management) provides continuous, in-depth monitoring of systems, files and many other network nodes to ensure the highest integrity and to detect changes and threats before they become breaches. Tripwire Enterprise includes Tripwire POS Threat Protection, which delivers new policy content focused on the specific POS threats (such as common weaknesses and exploitable configuration settings) that help attackers reach critical POS devices and customer credit card data.
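The change-monitoring idea behind this section, shown as an added example that is not Tripwire’s code: a SHA-256 baseline of a POS application directory is taken while the device is in its known-good state, and a later scan is compared against it so that any added, removed or modified file (a replaced binary or an unexpected library dropped next to it) surfaces as an alert candidate. The directory, file names and contents are constructed for the demonstration.

```python
"""Minimal file-integrity baseline and change check for a POS host.
Added example, not Tripwire's implementation; all paths and file
contents below are constructed for the demo."""
import hashlib
import os
import tempfile
from typing import Dict, List


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: str) -> Dict[str, str]:
    """Map every file under root (relative, '/'-separated) to its digest."""
    result: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = hash_file(full)
    return result


def diff_baselines(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify changes; on a purpose-built POS device any entry here is suspect."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed POS directory: a config file plus the application binary."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "pos.ini"), "w") as f:
            f.write("gateway=https://payments.example\n")
        with open(os.path.join(root, "bin", "pos.exe"), "wb") as f:
            f.write(b"ORIGINAL-BINARY")
        before = baseline(root)
        # Simulated unauthorized change: binary replaced, unknown DLL dropped.
        with open(os.path.join(root, "bin", "pos.exe"), "wb") as f:
            f.write(b"TAMPERED-BINARY")
        with open(os.path.join(root, "bin", "unknown.dll"), "wb") as f:
            f.write(b"UNEXPECTED")
        return diff_baselines(before, baseline(root))
```

A production policy would additionally record who made each change and when (from audit logs) and whitelist expected updates, which is where a tool like Tripwire FIM adds value beyond the raw hash comparison.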
Tripwire POS Threat Protection:
- Delivers comprehensive POS protection with over 35 policies and 55 tests
- Provides early detection, reducing the time for massive damages
- Reduces recovery time
- Tripwire File Integrity Monitoring (FIM) tracks the who, what and when of changes to assets and judges what is likely a threat.
- Tripwire Configuration Compliance Manager monitors network infrastructure to ensure it is compliant and secure according to your policy, without requiring endpoint agent deployment.
- 85% of breaches could be prevented by remediating known vulnerabilities (ICS-CERT). Tripwire IP360™ assesses and prioritizes vulnerabilities according to a risk prioritization methodology so IT security can quickly and effectively reduce overall network risk. It can be deployed on-premise or in the cloud. This vulnerability risk prioritization can be imported to Tripwire Enterprise for labeling and prioritizing assets for remediation.
- Tripwire Log Center® reliably and securely collects, analyzes and correlates log data from devices, servers, applications and automated security processes to improve security and dramatically simplify compliance. The log data can be shared with IT security or with SIEM systems.
- Tripwire Connect collects security posture data and represents it in business logic on simple dashboards. It offers CISOs and teams such as IT Security, Compliance, and IT Operations a quick status update.
- Tripwire Security Intelligence Hub provides at-a-glance information about the state of your organization’s risk status and compliance initiatives. It automates risk reporting for any audience, and can provide the same data in differing views according to their needs.
- Tripwire solutions also integrate with other network and endpoint security applications to automate workflows, improve accuracy and reduce the time needed to detect and protect against advanced threats.
Tripwire solutions offer real-time information on the configuration and security of your POS systems, providing actionable alerts and reporting to close the door to attackers.