If you’re in information security, you can’t help thinking about your job every time you go shopping. Whenever I swipe or insert my card, I think about how that transaction occurs, how it’s being protected, and how it might be compromised. It’s enough to make one a little paranoid.
The budding paranoia is well-founded, based on what we’ve seen with credit card breaches recently. If you want a solid history of point-of-sale breaches, OpenDNS maintains a good interactive timeline.
It’s not just that these are credit card breaches, though. It’s that we’ve seen a marked increase in the use of targeted malware to compromise card data at the point-of-sale device. Our friends at Trend Micro noted a 66 percent increase in the POS malware detection volume.
While the traditional retail establishments have been popular targets, the threat extends to any company that runs point-of-sale. Most recently, we’ve seen a spate of identified compromises at hotels, like Hyatt, Starwood and Hilton.
We’re also seeing the malware itself evolve to be more effective and less detected. These samples are, of course, just those that *were* detected, so it’s a safe assumption that they represent the tip of the iceberg in terms of POS malware.
Before you jump to the conclusion that EMV, aka ‘chip and pin,’ aka ‘chip and signature,’ will save the day, there’s clear evidence that it won’t. EMV systems definitely help prevent card present fraud, which is what they’re designed to do, but they don’t prevent human error in deployment or point-of-sale code. The fact is, credit card data is stolen all over the world, EMV or not.
While we talk about attacks, most of this data should properly be called ‘identified compromises’ or ‘detected malware.’ It’s clear from the fact that the malware was already present that the successful attacks weren’t detected in the first place.
Just Say No to Doom and Gloom
I’m personally not in favor of threat discussions that don’t offer any actions to take. We all know there’s no silver bullet solution out there, and for every threat I’ve ever explored, there’s some action that can be taken.
With point-of-sale malware, we need to focus on a two-pronged strategy of prevention and detection. While traditional anti-malware products can identify known instances of malicious code, they can’t detect what they don’t know about. The result is a kind of arms race between anti-malware vendors and malware authors.
By shifting the detection strategy away from examining code to detecting suspicious changes that indicate malicious behavior on the POS system, we can expand the scope of detection and catch more advanced threats.
For example, there’s no reason that the network configuration of a point-of-sale system should change outside of a designated change window. Detecting these changes, potentially in real-time, can identify malware attempting to exfiltrate data. The logic applies to changes to the users on the system and other criteria.
By cataloging these behaviors – instead of malware samples – and monitoring for changes that match, we can detect the malicious activity instead of the malicious code.
While there’s plenty of attention paid to the technical details of new and interesting malware, the infection vector is almost always something well understood and preventable.
We’re talking about the exploitation of known and published vulnerabilities, phishing scams and theft of third-party access. The controls and processes that help address these weaknesses are well outlined in the SANS/CIS Critical Security Controls. Implementing the first four consistently in a point-of-sale environment would prevent many malware infections.
The missing link in the CSCs is really phishing though there’s benefit in that regard, as well. While some phishing may actually get a user to directly install malicious code, there’s often a vulnerability and exploit in that path somewhere.
Of course, securing configurations can include identifying where other anti-malware controls should be deployed in the infrastructure.
Changing the Game at Tripwire
As I said I don’t like ‘doom and gloom’ without action, and those actions aren’t always directed at others. That wouldn’t be fair.
Looking at the situation with point-of-sale malware, and considering the large number of customers we already have in the retail space, Tripwire decided to put together a Point-of-Sale Threat Protection pack for Tripwire Enterprise.
The released, downloadable content includes rules and policies for identifying suspicious behaviors related to point-of-sale compromises. You can dig into the details here and see a demo here. We’ve also published a whitepaper on best practices for protecting POS devices to go along with the new capabilities.
We shared our plans and content with the analysts at the 451 Group to get their thoughts, which are published in this report.
Let Me Sum Up
When you start with baselining and detecting change, there are a lot of capabilities that can be easily developed. The Tripwire Enterprise platform provides a ton of options for extending capabilities to new and innovative security use cases. Helping to reduce the effectiveness of point-of-sale malware is just one of them.
If you’re a customer and you’re doing something cool with Tripwire products, let us know.
Title image courtesy of ShutterStock