BreachExchange mailing list archives
How to Help Merchants Avoid a Cyber Attack
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 25 Mar 2014 19:05:21 -0600
http://vsr.edgl.com/reseller-stories/How-to-Help-Merchants-Avoid-a-Cyber-Attack91554

It happens literally every day: businesses' computer systems are breached and sensitive data is stolen. The incidents are so frequent that many have learned to tune them out--if they get reported on at all. Lately, mega-breaches grab headlines and concern among non-security folks increases for a few days, but all interest fades as the next scandalous headline dominates the news. The latest big-name victims are Target, Neiman Marcus and Michaels. But this round of incidents does have some important implications for solution providers and their customers. Here are some common questions solution providers are asking about what happened, and what they can do.

Breaches happen every day. How is this one different?

The malware used in the Target breach, dubbed BlackPOS, uses a new technique that has important implications for small and mid-size merchants. In the past, hackers generally grabbed data in transit, a technique that has largely been addressed via encryption. Another popular target has been large stores whose payment data was improperly stored for too long in backend databases. This attack goes to the edge: malware installed on the payment device scrapes memory to collect card numbers in clear text, transaction by transaction.

"This was a very elaborate attack that uses vulnerability to install something on the POS devices," and perhaps should have been detected by network security measures, says Markku Willgren, president of U.S. operations for Blancco (www.blancco.com). The ability of hackers to attain personal customer data at the store level was also a concern, he says, particularly since PII (personally identifiable information) should not even be stored there.

Jim Maloney, CICO of Mercury Payment Systems (www.mercurypay.com), says anti-virus services continue to evolve as a result of this new type of attack.
The typical approach is to use anti-virus solutions based on the malware's signature; it takes one to three weeks to develop a proper anti-virus signature that detects and prevents that malware's pattern of activity. But now, some hackers are creating malware that they can change after it's installed to make it more effective, so the signature would be out of date even when it's new. Some anti-virus solutions include behavioral-based approaches that recognize general classes of malware behavior and are not dependent on specific signatures. Another approach is application whitelisting--allowing only those activities that follow the expected pattern of the legitimate software, and blocking everything else.

Jason Oxman, CEO of the processor trade organization Electronic Transactions Association (ETA, www.electran.org), reminds solution providers that fraud remains a tiny fraction of transactions--less than six cents of every $100 in an industry that processes more than $4.4 trillion a year. He argues that "the level of security has changed to make networks more secure over time."

Aren't my customers too small to be targets?

No. Small merchants are already experiencing breaches all the time. And the strategy used in the Target incident, in which card data was collected transaction by transaction rather than in a big chunk, means a smaller retailer is equally vulnerable to an attack. Since many SMBs are too small to employ solid IT security talent, solution providers need to fill that role. "VARs need to take on the responsibility to be the trusted advisor for data security as well as a provider of complete solutions (not Band-Aids) for all of the merchants' retail technology and service needs," says Joe Finizio, executive director of industry strategies and relations at the Retail Solution Providers Association (RSPA, www.gorspa.org).

If Target was PCI certified and got breached, what is the value of certification?
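The point about signatures going stale while an allowlist keeps holding can be shown with a small simulation. This is an added example, not code from the article or from any vendor quoted in it; the binaries, hashes and process-start events are constructed placeholders, and the two verdict functions stand in for a signature-based scanner and an application-whitelisting agent.

```python
import hashlib

def fingerprint(content: bytes) -> str:
    """Hash of an executable's bytes, standing in for an AV signature."""
    return hashlib.sha256(content).hexdigest()

# Constructed sample binaries (placeholder bytes, not real malware or real POS code).
POS_BUILD    = b"acme-pos v4.2"
SCRAPER_V1   = b"scraper build 1"
SCRAPER_V2   = b"scraper build 1 + self-patch"   # same malware after it changed itself
TAMPERED_POS = b"acme-pos v4.2 + injected hook"  # legitimate image modified on the host

# Signature database: only knows the malware as it looked when first analysed.
KNOWN_BAD = {fingerprint(SCRAPER_V1)}

# Allowlist: the exact images the POS host is expected to run, nothing else.
APPROVED = {"pos.exe": fingerprint(POS_BUILD)}

# Constructed process-start events, as a host monitoring agent might record them.
EVENTS = [
    {"image": "pos.exe",     "bytes": POS_BUILD},
    {"image": "scraper.exe", "bytes": SCRAPER_V1},
    {"image": "scraper.exe", "bytes": SCRAPER_V2},
    {"image": "pos.exe",     "bytes": TAMPERED_POS},
]

def signature_verdict(event: dict) -> str:
    """Block only what matches a known-bad signature; everything else runs."""
    return "block" if fingerprint(event["bytes"]) in KNOWN_BAD else "allow"

def allowlist_verdict(event: dict) -> str:
    """Run only an approved image with its approved hash; block everything else."""
    expected = APPROVED.get(event["image"])
    return "allow" if expected == fingerprint(event["bytes"]) else "block"

def evaluate(events=EVENTS) -> list:
    """Return (image, signature verdict, allowlist verdict) for each event."""
    return [(e["image"], signature_verdict(e), allowlist_verdict(e)) for e in events]

if __name__ == "__main__":
    for image, sig, allow in evaluate():
        print(f"{image:12} signature={sig:5} allowlist={allow}")
```

The self-patched scraper and the tampered POS binary both slip past the signature check but are stopped by the allowlist, because neither matches an approved image and hash.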
Security folks are fond of noting that security is a moving target, and that PCI measures security at a moment in time. In addition, PCI regulations are built on what security experts know and the type of attacks that have already happened--they're responsive. PCI is still a solid set of basic steps to ensure at least a minimal level of security. There's nothing preventing merchants from doing more, except it tends to be expensive.

"PCI is absolutely a great standard," says ETA's Oxman. "But it does not apply to retailers' own in-house systems where they store customer data. It's important for retailers to view this as a wake-up call to make sure there is not readily accessible unencrypted data."

Many experts are bullish on tokenization and encryption as ideal additional steps toward securing the current payment processing system, so that card data is encrypted in the firmware of the payment device and, like EMV, becomes unusable if intercepted. Certainly, the PCI Security Standards Council can be expected to develop additional requirements as the nature of the breach becomes fully understood. But some observers believe it will take government action to spur the kind of investment required to fully overhaul the existing system, rather than creating more rules and layers on the existing one. Others expect industry, not government, to solve the problem, since the players fully understand the risks in cost and customer trust that come with a breach.

Would having EMV measures in place have helped?

Partially. EMV is superior to mag stripe because, instead of communicating a static card number, each transaction carries a unique data stamp which prevents the transaction data from being fraudulently reused, even if it is stolen from a merchant's or processor's database. So if a hacker intercepted the data coming out of an EMV terminal, it would be useless for one common use of stolen card data--creating a duplicate card.
It is, however, still usable online at e-commerce sites that do not ask for the CVV, the three-digit number on the back of the card. So in countries where EMV is already widely adopted, it has driven a lot of fraudulent activity online.

Of course, a lot has to happen to get to such pervasive adoption in the U.S., not the least of which is for members of the card associations to start issuing chip cards. There are also some technical obstacles to overcome to make EMV work, as well as the need to get to a critical mass of retailer adopters. RSPA's Finizio says certification of software for EMV is a lot more comprehensive than PCI and can be costly as well; as a result many ISVs are not yet ready. The language of the Durbin Amendment, limiting debit fees, is also creating complexity, he says, as are questions about applicability to mobile. He believes the October 2015 deadline for shifting liability to non-EMV merchants for fraud will be postponed. RSPA has a PCI committee and is also working with CARDS (Coalition of Associations for Retail Data Security) to help solve the issues.

Another important note: EMV isn't perfect either. In February, PayPal President David Marcus announced that his EMV-protected credit card information was skimmed in the U.K. and was used to make fraudulent purchases.

What should I be asking my payment partners?

"Questions like 'Are you planning to move the POS Out-of-Scope?' or 'Do you support encrypted MSRs and/or tokenization?' will soon drive ISVs to move in a more security-driven direction," says Terry Zeigler, president/CEO of Datacap Systems (www.datacapsystems.com). "VARs should be talking with card processing partners to understand what data security vulnerabilities the processors are currently aware of, and what they see coming down the road so that everyone can plan for orderly and cost effective upgrades to evolving card data security and business system compliancy.
"Big steps have been taken to eliminate card data storage and protect any card data that is stored at retail locations, but additional steps are needed to protect card data from the point of entry and in transit all the way through the card processing process, including operating system and environmental vulnerabilities (such as temporary storage buffers that aren't actually within the normal control of ISVs or VARs)," Zeigler adds. "There is still a lot to be done to enable retailers to accept card payments safely and securely."

Am I liable for my customers' PCI compliance?

The answer is complicated, especially for those not well versed in legalese. Experts recommend building strong, clear language into fully executed contracts that makes it clear to retailers that the ultimate liability lies with them. After all, a portion of PCI compliance addresses business practices rather than technology, such as maintaining good password practices and creating checks and balances to avoid fraudulent activities by staff. Solution providers must avoid making claims and assurances about the compliance status of a given solution that could be construed as a guarantee. They should also be able to demonstrate that they performed due diligence in designing and implementing strong security measures along with recommending good processes, so they have a strong defense should the question of liability come up.

For example, the payment processor and POS provider both tried to shift blame to Symbits (www.symbits.com), a Coral Gables, Fla., MSP, when the Continuum partner's customer got breached. But Symbits was able to document all the steps they had taken to prove their due diligence in securing and monitoring the network. Ultimately, the connection between the point of sale and the backend PC was found to be the weak point, says Carlos Miyares, sales director. "Having an MSP partner saved them a ton of work" in identifying the problems and establishing new best practices, he says.
While we wait for details and anti-malware, what best security practices should we make sure are in place at my clients' locations?

There are a lot of security 101 type steps to take. According to the U.S. Secret Service, 90 percent of breaches can be prevented if a site has secure remote access and practices good, ongoing password administration. Also:

- Make sure POS hardware isn't used for web browsing, e-mail and other connected applications
- Keep software and operating systems up to date
- Use firewalls, anti-virus and anti-malware
- Maintain separate public and operations networks
- Install updated switches

"Make sure the POS is configured correctly," says Mercury's Maloney, including strong passwords, secure networks and encryption on wireless networks. For those accessing customers' networks remotely, such as MSPs, "it's important to turn those on only when needed. Do not leave them open all the time." Symbits implemented a highly secure protocol for their client's POS provider to re-establish direct access into the network to reduce that vulnerability.

"More comprehensive third-party security audits, wider deployment of two-factor authentication, more stringent code reviews, and a sophisticated security program can all help," says Mark Stanislav, security evangelist at Duo Security (www.duosecurity.com). "Training employees more adequately against phishing attacks and similar social-engineering efforts can help reduce the likelihood of an outsider tricking employees into malicious activities." It's important to implement processes to ensure data is kept for no longer than it's needed, adds Blancco's Willgren.

What vulnerabilities in security most often get overlooked by merchants?

"Making sure the network is secure is a top concern, but often for businesses it's a bottom concern," says Chris Wiser, founder and CEO of MSP TechSquad IT (www.techsquadit.com). "They need to have an active technology budget with a focus on network security and compliance."
Duo's Stanislav says traditional security failures like unpatched operating systems, vulnerable network services, outdated browser plugins, and poor external network security are all potential downfalls for retailers. "While organizations may know what best practices are, it's rare to see them actually using them all," he says.

"Probably the most overlooked vulnerabilities in retailers' credit card data security are in areas they don't directly have control over, and may not even be aware of, such as temporary data storage that is controlled by operating systems that may allow card data to remain in the clear and unprotected for some period of time," says Datacap's Zeigler. "This can occur simply because the operating system or system environment isn't expecting users to be accessing that data storage before it is cleared or reused."

How can I make the most of this high profile breach to help my clients?

Security is just one of a lot of developments in payment going on right now. The prominence of the breach makes it a great door-opener to launch into a discussion of processing in general, including:

- The October 2015 EMV deadline
- Aging infrastructure and hardware in place at many retailers
- Adding tokenization and end-to-end encryption to payments infrastructure
- The rapidly approaching sunset of Microsoft's XP support, which also means the end of antivirus support for XP machines
- Mobile payment, and its opportunities in customer convenience, as well as loyalty, marketing and other business-building services
- Emerging solutions such as NFC, BLE (Bluetooth Low Energy), wallets and digital currency such as Bitcoin
- Collaborating with processors and payment software ISVs for the right solution

"EMV is going to force change anyway," says Mercury's Maloney. "As long as you're changing hardware, you should be giving serious consideration to encryption right at the device."
ETA's Oxman recommends solution providers consider attaining certification credentials through the association's educational programs.

Will this increase interest in all the new emerging payment platforms?

If those companies do their marketing right, yes. The time is right for those companies to capitalize on the distrust developing in current payment infrastructure and make the case for why their solutions are more secure. The question is, who has both the goods and the deep pockets to make the most of the opportunity? Solution providers need to develop a solid understanding of what's out there, but avoid investing too many resources in any one provider until the market shakes out. Mercury Payment's Maloney, for one, says he's intrigued by approaches that register credit card data at the back end, so that transactions are performed as card not present, and therefore card data is not exposed.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/