This year, Verizon’s 2014 Data Breach Investigations Report (DBIR) indicates that 2013 was a transition year, moving from geopolitical attacks to large-scale attacks on payment card systems. Verizon was able to classify nearly ten years’ worth of data into 9 incident patterns representing 94% of the confirmed data breaches they analyzed from 2013.
Key findings included:
- 99% of breaches targeting POS systems are discovered by external sources
- 87% of breaches are successful within seconds to minutes
- 85% of breaches targeting POS systems take weeks to discover
- POS Intrusions, Web App Attacks and Cyber-espionage account for 71% of all attacks
As the figure from their report shows for the 2013 data examined, Point-of-Sale (POS) intrusions, web app attacks, cyber-espionage and card skimmers were the top concerns for data disclosure. The focus of this article is POS attacks, where 100% of those incidents resulted in data exfiltration.
Verizon defines POS as “remote attacks against the environments where retail transactions are conducted, specifically where card-present purchases are made.” POS intrusions are most common in restaurants, hotels, grocery stores, and brick-and-mortar retailers.
Verizon differentiates “crimes involving tampering with or swapping out devices…covered in the Skimming pattern.” Some percentage of POS breaches, such as those at gas station kiosks, fall into the skimming pattern; Verizon groups those types of POS devices separately because of the ease with which they can be physically tampered with.
Per the chart below, POS is the most commonly seen breach incident pattern for Accommodation and Food Services at 75%, which is the highest concentration of any single incident pattern in any industry. POS is the second-highest pattern for retail at 31% (the only higher pattern for retailers is DoS at 33%).
POS intrusions are most often attributed to criminal organizations operating out of Eastern Europe. They’re fast, professional and efficient. Here’s a simplistic event chain of two major steps seen in POS intrusions where successful exfiltration has occurred, along with explanations and recommendations (some from Verizon, some from me) on how to mitigate the typical POS threat.
Attacker Step #1 – Compromise the POS device
Situation and Methods – Brute Force and Stolen Credentials
- POS has internet access
- The attackers scan the internet for open remote-access ports
- Third party manager’s remote access software is poorly configured for security
- Default, weak or no passwords, or passwords that are simply device names or vendor names
- Third party managers have been known to use the same password for all customers, so a single compromised password gives attackers access to the vendor’s internal systems as well as to every customer using that POS
- Once a host is identified as a point-of-sale device, the attackers run a script that tries likely or stolen credentials until one works (brute force).
Recommendations – Steps You Can Take
- Restrict or limit your third party management vendor’s remote access to your POS device
- Have business discussion with your vendor on how and when they access your device, as well as their guidance on the best security settings for your situation
- Don’t allow your workers to use the internet on that POS device for browsing, email, social media or gaming
- Require 2-factor authentication if possible (this may be a discussion with your third party management vendor)
- At minimum have a strict hardened password policy, no shared passwords, and consistent change
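The brute-force step described above leaves a recognisable trace in the remote-access authentication log: a burst of failed logins from one source, often across several usernames, followed by a success. The following detection logic is an added example for this article, not code from Verizon or from the report; the syslog-style log format, the `remote-access` service name, the hostnames and the RFC 5737 addresses in the sample are all constructed, and the threshold and window are illustrative values a shop would tune to its own vendor’s access pattern.

```python
"""Brute-force detection over remote-access authentication logs.

Added example, not part of the Verizon DBIR or the original article.
The log line format, service name and sample addresses are assumed
(constructed for this demo); thresholds are illustrative.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
2014-05-01T02:13:01 pos-01 remote-access: Failed password for admin from 203.0.113.5
2014-05-01T02:13:02 pos-01 remote-access: Failed password for admin from 203.0.113.5
2014-05-01T02:13:02 pos-01 remote-access: Failed password for manager from 203.0.113.5
2014-05-01T02:13:03 pos-01 remote-access: Failed password for pos from 203.0.113.5
2014-05-01T02:13:04 pos-01 remote-access: Failed password for support from 203.0.113.5
2014-05-01T02:13:05 pos-01 remote-access: Failed password for admin from 203.0.113.5
2014-05-01T02:13:09 pos-01 remote-access: Accepted password for support from 203.0.113.5
2014-05-01T09:40:11 pos-01 remote-access: Failed password for jsmith from 198.51.100.20
2014-05-01T09:40:30 pos-01 remote-access: Accepted password for jsmith from 198.51.100.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) remote-access: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev


def detect_brute_force(log_text, threshold=5, window_seconds=60):
    """Return alerts as tuples.

    ("brute_force", src, host, failure_count) when a source reaches `threshold`
    failures inside a sliding window of `window_seconds`, and
    ("success_after_brute_force", src, user, host) when a source that was
    already flagged later logs in successfully (the signal that matters most).
    """
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    flagged = set()
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        if ev["result"] == "Failed":
            q = failures[src]
            q.append(ts)
            # Drop failures that have aged out of the window.
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("brute_force", src, ev["host"], len(q)))
        elif src in flagged:
            alerts.append(("success_after_brute_force", src, ev["user"], ev["host"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert)
```

Counting failures per source rather than per username is deliberate: the sample shows four different usernames tried from one address, which a per-account lockout rule would never trip. The second alert type is the one to page on, because it marks the moment a brute-force attempt turned into access to the device.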
Attacker Step #2 – Install malware to capture credit card information from the mag stripe while it is being processed (usually unencrypted while held in memory) and exfiltrate it.
Situation and Methods – Malware
- POS device access is most commonly gained through brute force or stolen credentials
- The device is then infected with the most common POS malware, RAM scrapers, which capture unencrypted card data in memory for exfiltration
- Attend to PCI DSS standards which require merchants to encrypt data both at rest and in motion, minimizing an attacker’s ability to capture data in transit
Recommendations – Steps You Can Take
- Strong password hygiene will make access harder
- Larger stores should consider two-factor authentication or multi-factor especially between their organization and the third party vendor
- POS, file servers, databases, desktops, and any system in the processing path should have installed and maintained file integrity monitoring software to catch malware or configuration changes
- Watch for suspicious or anomalous network activity and investigate
- Have your network logging active and don’t write over old backups – some breaches are not discovered for weeks or months
- Larger organizations should avoid flat or hub-and-spoke network architectures, so that a breach at a single location cannot reach corporate resources
- Segment the POS network from corporate, and increase the security for what may have been trusted connections between remote store locations and the corporate office
In Verizon’s 2013 DBIR companies were urged to continue their activities of prevention, but as much as possible, begin to focus on detection and discovery to reduce the breach timeline.
Here is 2014’s breach timeline. In summary, it is painful that successful breaches occur within seconds to minutes and 88% are exfiltrating information within those minutes.
Discovery that a breach has occurred comes long after exfiltration – 85% in weeks (meaning 1-4 weeks), and 13% take months. That’s a lot of stolen credit cards. POS is alive and well – let’s change that for 2015’s DBIR.
- Verizon 2014 DBIR: Hide Your Servers and Call the Cops
- Verizon DBIR: The Hackers are Winning
- Verizon DBIR: 2013 Data Breach Review
- Stopping the Heartbleed
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].