Tis’ a bad season for retailers! It seems like any organization that accepts card data for its merchandize seems to be getting hacked. The number of cards breached seem to never count below the 10s of millions. First it was Target, Neimann Marcus and P.F.Chang’s. The Target Card Breach was the big one. It is speculated that over 110 million cards were breached. The most recent one was Home Depot, which suffered a major card breach. Details are yet to emerge, but Brian Krebs from krebsonsecurity.com suggests that nearly all of Home Depot’s stores were hit with this breach. The year 2014 is clearly emerging as the ‘annushorribilis’ for retailers. There has been a spate of breaches at retail organizations after the massive breaches of TJ-Maxx and the like in 2007. Things have changed ever so subtly for the retail industry. We have been working extensively over the last few months with major retailers all over the APAC and MENA regions and we notice some dangerous trends. Trends, that if not set right, could lead to more front page news (not of the good kind) from retailers. Let’s look at 3 major lessons that retailers need to learn *RIGHT NOW* to avoid such catastrophes for their own companies:
The POS Has Evolved
The POS Device (Point of Sale Device) has gone from being a glorified calculator to becoming a technology super gizmo over the last 10 years. From having simple POS calculation machines that “do billing”, we now have integrated POS terminals that manage payments, inventory updates, discounts, self-checkout, NFC, etc. In addition, Mobile POS devices and cashier-less self checkout devices have become the norm in the modern retail establishment. As a retail organization or chain scales in revenue, their appetite for integrated systems has increased. However, there has not been a consequent shift in the security mindset for these devices. Retail Security teams still see the POS device as a ‘cute little terminal’ that does everything from billing to payments ‘in a jiffy’. However, the POS device is a full-fledged computer that is subject to all the risks that a typical workstation has, and more. I would equate the POS to an ATM. In fact its more difficult to secure. If you are a high-volume merchant, chances are that there could be several threats to POS devices across several locations that could be completely eluding you and your security team.
A Modern POS Device
Additionally, there are several new considerations. How is the POS loaded? Is it secure? What is the possibility of malware entering the device? How are repairs handled? How are the updates configured? BlackPOS is the malware that affected Target. Its also rumoured to be awfully similar to the malicious code that affected Home Depot. The code has been around since 2013 or so and has been extremely effective.
Basically BlackPOS attaches itself to the POS process using an Inter-Process Hook that scans the process memory, its memory chunks and fetches the Track 1 and Track 2 data (Sensitive Data of the Customer’s payment card). This is shipped off to an attacker at a remote location or a bunch of remote locations. The malware has been designed for the POS world and has specific information on memory injection. Specialists speculate that the malware could enter the system using an update process where it receives updates from centralized servers.
There is a high probability that your standard Anti-Virus software won’t catch it, and even if it does catch some variants, these pieces of malware are constantly re-engineered to appear completely different. Tough luck catching that!
In our experience, we find that retailers do not devote the time and attention required to secure their POS infrastructure, both servers and devices. These servers are (mostly) internal. IT and Security teams largely perceive the risk to be purely ‘internal’ and consequently, in the ‘low’ category. On more than one occasion we found that compromising these central servers to intercept communications and load malware is a relatively trivial task to an insider and a determined outsider.
The Point of Sale malware being sold online. Source:krebsonsecurity.com
Your Network Is Back Focus
I still worry that this problem is a silent, but massive issue that everyone seems to be wantonly ignoring. I have two words for you. “Egress”, “Filtering”. Now the threat of someone/malware stealing card numbers from your network is only realized when data is taken *out* of your network. This is a fundamental requirement of any kind of cardholder data theft. However, I have not seen too many retailers take this issue seriously. Networks are still designed to keep bad stuff out (from the outside) rather than stop the assets (in this case, Cardholder Data) from going outside the network from the inside.
The solution to this problem is well known. But in all this talk of Advanced attacks, simple firewall management and network security seems to have been forgotten. Attackers can look at pulling out data using FTP, using encrypted file transfers, use SSH tunnels, HTTP tunnels and so on to get the information out. Your defense on the network depends on the following:
- Understand the traffic that absolutely has to leave or enter the network. Firewall rules and IPS has to be designed in absolutely adherance and coherence to both these ingress and egress principles. Remember, with network ports and firewall rules, “specific is terrific!”
- Segment this section of the network (POS) to ensure that limited number of protocols are required to operate within and outside the segmented network. Segmentation must clear and precisely delineated from the rest of the network.
- Have a solid detection and incident management system. If you are able to detects potential attacks or attacks in progress. Quick corrective measures can be taken to curb a widespread breach.
PCI (Alone) Is Not The Answer!
The PCI-DSS has become a bane and a crutch for the retail industry. Several people mistakenly perceive it to be “the only security standard ever needed”. They believe that if they are compliant and certified, against the PCI-DSS, their work in security is done and they are good to go. At the outset, the PCI-DSS as a compliance standard is very important for retailers and the entire payment card industry. It has introduced some very powerful and in several cases, extremely necessary controls to address security risks to cardholder data. For instance, security for POS devices, network security requirements addressed above are actually covered in great depth by the PCI-DSS.
However, the trouble lies in the way the standard is interpreted. For instance, lets say that I am a retailer who has a large infrastructure with integrated POS systems. The PCI-QSA (Qualified Security Assessor) assesses my environment and scope against the PCI standards, including my OS Security, Network Security controls and certifies me as compliant. Now, as a result of this certification, my perception of security and risk has changed. The compliance (PCI-DSS) has lulled the organization into thinking that its secure against myriad threats including BlackPOS and others. The organization starts looking at PCI as a goal, rather than an attestation of its security practices. No standard, and I repeat, No Standard can keep up to the most modern and updated threats.
PCI-DSS has been remarkably up-to-date given its complexity and operating industry, but can be no match for a constantly evolving threat landscape. If you equate compliance to security, then I am afraid that you are sitting in the wrong bus. You need to get off at the next station and look at a risk and security based approach. Do not confuse PCI-DSS for something it is not. Its a compliance standard. Its an attestation of your compliance to a given baseline at a given point in time. Nothing more, Nothing less.
So In Conclusion
I think we have established without a doubt that retail attacks and retail malware is a serious issue in the industry. However, solutions to these problems are well within reach and in the realm of practicality. In a nutshell: