BreachExchange mailing list archives

How to Help Merchants Avoid a Cyber Attack


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 25 Mar 2014 19:05:21 -0600

http://vsr.edgl.com/reseller-stories/How-to-Help-Merchants-Avoid-a-Cyber-Attack91554

It happens literally every day: businesses' computer systems are breached
and sensitive data is stolen. The incidents are so frequent that many have
learned to tune them out--if they get reported on at all. Lately,
mega-breaches grab headlines and concern among non-security folks increases
for a few days, but all interest fades as the next scandalous headline
dominates the news.

The latest big-name victims are Target, Neiman Marcus and Michaels. But
this round of incidents does have some important implications for solution
providers and their customers. Here are some common questions solution
providers are asking about what happened, and what they can do.

Breaches happen every day. How is this one different?

The malware used in the Target breach, dubbed BlackPOS, relies on a
technique that has important implications for small and mid-size merchants.
In the past, attackers generally grabbed card data in transit, an avenue
largely closed by encrypting the links to the processor. Another favorite
target has been large retailers' back-end databases, where payment data
was improperly retained. This attack goes to the edge: malware installed
on the point-of-sale system scrapes the register's own memory, where the
card data sits in clear text for a moment between the swipe and
encryption, and collects card numbers transaction by transaction.
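The following is an added example, not code from the article or from the malware it describes. It shows how a memory scraper of the kind outlined above locates card data in a register's memory (a Track 2 pattern plus a Luhn check to discard false positives, which is also what forensic tooling does when scanning a memory dump), and why a reader that encrypts the swipe before the POS software sees it leaves the scraper with nothing. The memory buffers, the reader key and the card numbers are constructed; the PANs are published test numbers, not real accounts.

```python
"""Added example, not code from the article: how a RAM scraper of the kind
described above locates card data, and why encrypting in the reader
defeats it. The memory buffers, key and card numbers are constructed;
the PANs are published test numbers, not real accounts."""
import hashlib
import re

# Track 2 layout (ISO 7813): ';' PAN(13-19 digits) '=' YYMM service-code
# discretionary-data '?'. A scraper looks for exactly this shape.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; scrapers use it to discard digit runs that are
    not card numbers, and forensic tooling does the same."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scrape_track2(mem: bytes) -> list[dict]:
    """Scan a process-memory image for Track 2 records with Luhn-valid PANs."""
    hits = []
    for m in TRACK2_RE.finditer(mem):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue            # looks like a track but is not a real PAN
        hits.append({
            "pan": pan,
            "expiry": m.group(2).decode() + m.group(3).decode(),   # YYMM
            "service_code": m.group(4).decode(),
            "offset": m.start(),
        })
    return hits


def reader_encrypt(track: bytes, key: bytes) -> bytes:
    """Stand-in for an encrypting card reader. Real readers use DUKPT-derived
    TDES/AES keys; a SHA-256 keystream XOR is enough to show the effect."""
    stream = b""
    block = 0
    while len(stream) < len(track):
        stream += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(track, stream))


# Constructed snapshot of a register's memory with a plain swipe in it:
# a Luhn-valid test card plus a decoy that has the right shape but fails Luhn.
PLAIN_TRACK = b";4111111111111111=25121011234567890?"
DECOY_TRACK = b";1234567812345678=2512101000?"
PLAINTEXT_POS_MEMORY = (
    b"\x00pos.exe\x00ITEM 0042 MILK 3.49\x00" + PLAIN_TRACK
    + b"\x00\x00log:" + DECOY_TRACK + b"\x00cust_lookup\x00"
)

# Same register, but the reader encrypted the track before handing it over:
# the POS process only ever holds ciphertext (hex, as readers typically emit).
READER_KEY = b"constructed-reader-key"
ENCRYPTED_POS_MEMORY = (
    b"\x00pos.exe\x00ITEM 0042 MILK 3.49\x00ENC:"
    + reader_encrypt(PLAIN_TRACK, READER_KEY).hex().encode()
    + b"\x00cust_lookup\x00"
)

if __name__ == "__main__":
    print("plaintext register:", scrape_track2(PLAINTEXT_POS_MEMORY))
    print("encrypting reader: ", scrape_track2(ENCRYPTED_POS_MEMORY))
```

Against the plaintext snapshot the scanner returns the Visa test PAN with its expiry and service code and drops the decoy; against the snapshot from an encrypting reader it returns nothing, because the register's memory never contains a clear-text track to find. The same scanner, run over a memory dump taken during incident response, is how card data exposure on a compromised register is confirmed.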

"This was a very elaborate attack that uses a vulnerability to install
something on the POS devices," and perhaps should have been detected by
network security measures, says Markku Willgren, president of U.S.
operations for Blancco (www.blancco.com). The ability of hackers to attain
personal customer data at the store level was also a concern, he says,
particularly since PII (personally identifiable information) should not
even be stored there.

Jim Maloney, CICO of Mercury Payment Systems (www.mercurypay.com), says
anti-virus services continue to evolve as a result of this new type of
attack. The typical approach is to use anti-virus solutions based on the
malware's signature; it takes one to three weeks to develop a proper
anti-virus signature that detects and prevents that malware's pattern of
activity. But now, some hackers are creating malware that they can change
after it's installed to make it more effective, so the signature would be
out of date even when it's new.
Some anti-virus products add behavior-based detection, which recognizes
general classes of malware activity (such as a process reading card data
out of another process's memory) without depending on a specific
signature. Another approach is application whitelisting: only the
executables that make up the legitimate POS software are allowed to run,
and everything else, including malware no signature yet describes, is
blocked.

Jason Oxman, CEO of the processor trade organization Electronic
Transactions Association (ETA, www.electran.org), reminds solution
providers that fraud remains a tiny fraction of transactions--less than six
cents of every $100 in an industry that processes more than $4.4 trillion a
year. He argues that "the level of security has changed to make networks
more secure over time."

Aren't my customers too small to be targets?

No. Small merchants are breached all the time. And the strategy used in
the Target incident, collecting card data transaction by transaction
rather than in one big chunk, means a smaller retailer is just as
vulnerable: the attacker needs no large stored database, only a foothold
on the register.

Since many SMBs are too small to include solid IT security talent, solution
providers need to fill that role. "VARS need to take on the responsibility
to be the trusted advisor for data security as well as a provider of
complete solutions (not Band-Aids) for all of the merchants' retail
technology and service needs," says Joe Finizio, executive director of
industry strategies and relations at the Retail Solution Providers
Association (RSPA, www.gorspa.org).

If Target was PCI certified and got breached, what is the value of
certification?

Security folks are fond of noting that security is a moving target, and
that a PCI assessment measures security at a moment in time. In addition,
PCI requirements are built on what security experts already know and on
the types of attacks that have already happened; they are reactive by
nature. PCI is still a solid set of basic steps that ensures at least a
minimal level of security. Nothing prevents merchants from doing more,
except that doing more tends to be expensive.

"PCI is absolutely a great standard," says ETA's Oxman. "But it does not
apply to retailers' own in-house systems where they store customer data.
It's important for retailers to view this as a wake-up call to make sure
there is not readily accessible unencrypted data."

Many experts are bullish on tokenization and point-to-point encryption as
the ideal additional steps for the current payment processing system: the
card data is encrypted inside the payment device, before the POS software
ever sees it, and the merchant stores a token rather than the card number,
so that, as with EMV data, whatever an attacker intercepts is unusable.
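As an added example (not code from the article or from any vendor named in it), here is a minimal tokenization vault of the kind the paragraph above refers to. The merchant's register and back office keep only a token and the last four digits; the PAN itself lives in the vault, encrypted under a key the merchant never holds, and can be recovered only by the processor's authorization path. The master key, the caller names, the record layout and the card numbers are constructed (the PANs are published test numbers), and the storage cipher is a toy HMAC-keystream stand-in rather than a production scheme.

```python
"""Added example, not code from the article: a minimal tokenization vault
of the kind the paragraph above refers to. Keys, caller names and card
numbers are constructed (published test PANs); the storage cipher is a toy
HMAC-keystream stand-in, not a production scheme."""
import hashlib
import hmac
import os
import secrets


class TokenVault:
    """Runs at the processor, never at the merchant."""

    def __init__(self, master_key: bytes):
        # Separate keys for the lookup index and for storage encryption.
        self._index_key = hmac.new(master_key, b"index", hashlib.sha256).digest()
        self._enc_key = hmac.new(master_key, b"storage", hashlib.sha256).digest()
        self._token_by_index: dict[bytes, str] = {}
        self._record_by_token: dict[str, tuple[bytes, bytes]] = {}

    def tokenize(self, pan: str) -> str:
        """Return the existing token for a PAN, or mint a fresh random one.
        The index is a keyed hash, so the vault recognises a returning card
        without keeping the PAN in clear anywhere."""
        idx = hmac.new(self._index_key, pan.encode(), hashlib.sha256).digest()
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        token = "tok_" + secrets.token_hex(12)      # random: no relation to the PAN
        nonce = os.urandom(16)
        self._record_by_token[token] = (nonce, self._keystream_xor(nonce, pan.encode()))
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        """Only the authorization path may turn a token back into a PAN."""
        if caller != "processor-authorization":
            raise PermissionError(f"{caller} may not detokenize")
        nonce, ciphertext = self._record_by_token[token]
        return self._keystream_xor(nonce, ciphertext).decode()

    def _keystream_xor(self, nonce: bytes, data: bytes) -> bytes:
        """Toy stand-in for the vault's storage encryption."""
        stream = b""
        counter = 0
        while len(stream) < len(data):
            stream += hmac.new(self._enc_key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest()
            counter += 1
        return bytes(a ^ b for a, b in zip(data, stream))


def merchant_sale(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant keeps after a sale: no PAN anywhere in the record."""
    token = vault.tokenize(pan)     # the PAN goes to the vault and nowhere else
    return {"token": token, "last4": pan[-4:], "amount_cents": amount_cents}


def record_exposes_pan(record: dict, pan: str) -> bool:
    """What a dump of the merchant database would reveal: does any field hold the PAN?"""
    return any(pan in str(value) for value in record.values())


if __name__ == "__main__":
    vault = TokenVault(b"constructed-master-key")
    sale = merchant_sale(vault, "4111111111111111", 1999)
    print("merchant record:", sale)
    print("exposes PAN:", record_exposes_pan(sale, "4111111111111111"))
    print("processor recovers:", vault.detokenize(sale["token"], "processor-authorization"))
```

In practice the PAN would travel from the encrypting reader to the vault without the POS application handling it at all; `merchant_sale` takes it as a parameter only to keep the example self-contained. The keyed index is what lets a returning card map to the same token (useful for refunds and recurring billing) without the vault or the merchant keeping a clear-text PAN to compare against.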

Certainly, the PCI Security Standards Council can be expected to develop
additional requirements as the nature of the breach becomes fully
understood. But some observers believe it will take government action to
spur the kind of investment required to fully overhaul the existing system,
rather than creating more rules and layers on the existing one. Others
expect industry, not government, to solve the problem, since the players
fully understand the risks in cost and customer trust that come with a
breach.

Would having EMV measures in place have helped?

Partially. EMV is superior to mag stripe because, instead of transmitting
a static card number that can be copied and reused, each chip transaction
carries a cryptogram computed by the card over that transaction's data,
which cannot be reused to authorize another transaction even if it is
stolen from a merchant's or processor's database. So if a hacker
intercepted the data coming out of an EMV terminal, it would be useless
for one common use of stolen card data: creating a counterfeit card. The
card number and expiry date are, however, still usable online at
e-commerce sites that do not ask for the CVV2, the three-digit number
printed on the back of the card. In countries where EMV is already widely
adopted, fraud has consequently shifted online.
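The following is an added example, not code from the article and not the EMV specification: a simplified model of the EMV online cryptogram (ARQC) that makes concrete why captured chip-transaction data cannot be replayed the way a mag-stripe dump can. HMAC-SHA256 stands in for the card's real TDES/AES MAC, the list of signed data elements is shortened to amount, terminal challenge and counter, and the issuer master key, PAN and terminal values are constructed.

```python
"""Added example, not code from the article: a simplified model of the EMV
online cryptogram (ARQC). HMAC-SHA256 stands in for the card's real
TDES/AES MAC and the signed data list is shortened; keys, PAN and terminal
values are constructed. Illustration only, not the EMV specification."""
import hashlib
import hmac
import os


def _derive(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


class ChipCard:
    """The card side: a card-unique key and a transaction counter."""

    def __init__(self, pan: str, issuer_master_key: bytes):
        self.pan = pan
        self.atc = 0                                   # Application Transaction Counter
        self._card_key = _derive(issuer_master_key, pan.encode())

    def generate_ac(self, amount_cents: int, unpredictable_number: bytes) -> dict:
        """Produce the authorization request with its transaction-unique cryptogram."""
        self.atc += 1
        atc = self.atc.to_bytes(2, "big")
        session_key = _derive(self._card_key, atc)     # fresh key for each transaction
        data = amount_cents.to_bytes(6, "big") + unpredictable_number + atc
        arqc = hmac.new(session_key, data, hashlib.sha256).digest()[:8]
        return {"pan": self.pan, "atc": self.atc, "amount_cents": amount_cents,
                "un": unpredictable_number, "arqc": arqc}


class Issuer:
    """The issuer side: recomputes the cryptogram and tracks each card's counter."""

    def __init__(self, issuer_master_key: bytes):
        self._mk = issuer_master_key
        self._last_atc: dict[str, int] = {}

    def authorize(self, msg: dict) -> bool:
        atc = msg["atc"].to_bytes(2, "big")
        session_key = _derive(_derive(self._mk, msg["pan"].encode()), atc)
        data = msg["amount_cents"].to_bytes(6, "big") + msg["un"] + atc
        expected = hmac.new(session_key, data, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, msg["arqc"]):
            return False                        # amount, challenge or counter changed
        if msg["atc"] <= self._last_atc.get(msg["pan"], 0):
            return False                        # counter did not advance: a replay
        self._last_atc[msg["pan"]] = msg["atc"]
        return True


def terminal_transaction(card: ChipCard, issuer: Issuer, amount_cents: int,
                         unpredictable_number: bytes = b"") -> tuple[dict, bool]:
    """A terminal challenges the card with a fresh random number and forwards
    the card's answer to the issuer."""
    un = unpredictable_number or os.urandom(4)
    msg = card.generate_ac(amount_cents, un)
    return msg, issuer.authorize(msg)


if __name__ == "__main__":
    key = b"constructed-issuer-master-key"
    card, issuer = ChipCard("4111111111111111", key), Issuer(key)
    captured, ok = terminal_transaction(card, issuer, 1999)
    print("genuine sale approved:", ok)
    print("verbatim replay approved:", issuer.authorize(captured))
    print("stolen data at another terminal approved:",
          issuer.authorize(dict(captured, un=os.urandom(4))))
```

A verbatim replay of a captured message fails on the counter; the same data presented with another terminal's challenge, or with a changed amount, fails on the cryptogram, because producing a valid one needs the key inside the chip. The PAN and expiry still travel in the clear in this model, which is why the caveat above about card-not-present fraud stands: the cryptogram protects against counterfeit cards and replay, not against someone typing the number into a web form.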

Of course, a lot has to happen to get to such pervasive adoption in the
U.S., not the least of which is for members of the card associations to
start issuing chip cards. There are also some technical obstacles to
overcome to make EMV work, as well as the need to get to a critical mass of
retailer adopters.

RSPA's Finizio says certification of software for EMV is a lot more
comprehensive than PCI and can be costly as well; as a result many ISVs are
not yet ready. The language of the Durbin Amendment, limiting debit fees,
is also creating complexity, he says, as are questions about applicability
to mobile. He believes the October 2015 deadline for shifting liability to
non-EMV merchants for fraud will be postponed. RSPA has a PCI committee and
is also working with CARDS (Coalition of Associations for Retail Data
Security) to help solve the issues.

Another important note: EMV isn't perfect either. In February, PayPal
President David Marcus announced that his EMV-protected credit card
information was skimmed in the U.K. and was used to make fraudulent
purchases.

What should I be asking my payment partners?

"Questions like 'Are you planning to move the POS Out-of-Scope?' or 'Do you
support encrypted MSRs and/or tokenization?' will soon drive ISVs to move
in a more security-driven direction," says Terry Zeigler, president/CEO of
Datacap Systems (www.datacapsystems.com). "VARs should be talking with card
processing partners to understand what data security vulnerabilities the
processors are currently aware of, and what they see coming down the road
so that everyone can plan for orderly and cost effective upgrades to
evolving card data security and business system compliancy.

"Big steps have been taken to eliminate card data storage and protect any
card data that is stored at retail locations, but additional steps are
needed to protect card data from the point of entry and in transit all the
way through the card processing process, including operating system and
environmental vulnerabilities (such as temporary storage buffers that
aren't actually within the normal control of ISVs or VARs)," Zeigler adds.
"There is still a lot to be done to enable retailers to accept card
payments safely and securely."

Am I liable for my customers' PCI compliance?

The answer is complicated, especially for those not well versed in
legalese. Experts recommend building strong, clear language into fully
executed contracts that makes it plain to retailers that the ultimate
liability lies with them. After all, a portion of PCI compliance addresses
business practices rather than technology, such as maintaining good
password practices and creating checks and balances to prevent fraudulent
activity by staff.

Solution providers must avoid making claims and assurances about the
compliance status of a given solution that could be construed as a
guarantee. They should also be able to demonstrate that they performed due
diligence in designing and implementing strong security measures along with
recommending good processes, so they have a strong defense should the
question of liability come up.

For example, the payment processor and POS provider both tried to shift
blame to Symbits (www.symbits.com), a Coral Gables, Fla., MSP, when the
Continuum partner's customer got breached. But Symbits was able to document
all the steps they had taken to prove their due diligence in securing and
monitoring the network. Ultimately, the connection between the point of
sale and backend PC was found to be the weak point, says Carlos Miyares,
sales director. "Having an MSP partner saved them a ton of work" in
identifying the problems and establishing new best practices, he says.

While we wait for details and anti-malware, what best security practices
should we make sure are in place at my clients' locations?

There are a lot of security 101 type steps to take. According to the U.S.
Secret Service, 90 percent of breaches can be prevented if a site has
secure remote access and practices good, ongoing password administration.
Also:

- Make sure POS hardware isn't used for web browsing, e-mail or other
connected applications
- Keep software and operating systems up to date
- Use firewalls, anti-virus and anti-malware
- Keep the public (guest Wi-Fi) network separate from the operations
network that carries payment traffic
- Install updated switches

"Make sure the POS is configured correctly," says Mercury's Maloney,
including strong passwords, secure networks and encryption on wireless
networks. For those accessing customers' networks remotely, such as MSPs,
"it's important to turn those on only when needed. Do not leave them open
all the time." Symbits implemented a highly secure protocol for their
client's POS provider to re-establish direct access into the network to
reduce that vulnerability.

"More comprehensive third-party security audits, wider deployment of
two-factor authentication, more stringent code reviews, and a sophisticated
security program can all help," says Mark Stanislav, security evangelist at
Duo Security (www.duosecurity.com). "Training employees more adequately
against phishing attacks and similar social-engineering efforts can help
reduce the likelihood of an outsider tricking employees into malicious
activities."

It's important to implement processes to ensure data is kept for no longer
than it's needed, adds Blancco's Willgren.

What vulnerabilities in security most often get overlooked by merchants?

"Making sure the network is secure is a top concern, but often for
businesses it's a bottom concern," says Chris Wiser, founder and CEO of MSP
TechSquad IT (www.techsquadit.com). "They need to have an active technology
budget with a focus on network security and compliance."

Duo's Stanislav says traditional security failures like un-patched
operating systems, vulnerable network services, outdated browser plugins,
and poor external network security are all potential downfalls for
retailers. "While organizations may know what best practices are, it's rare
to see them actually using them all," he says.

"Probably the most overlooked vulnerabilities in retailers' credit card
data security are in areas they don't directly have control over, and may
not even be aware of, such as temporary data storage that is controlled by
operating systems that may allow card data to remain in the clear and
unprotected for some period of time," says Datacap's Zeigler. "This can
occur simply because the operating system or system environment isn't
expecting users to be accessing that data storage before it is cleared or
reused."

How can I make the most of this high profile breach to help my clients?

Security is just one of a lot of developments in payment going on right
now. The prominence of the breach makes it a great door-opener to launch
into a discussion of processing in general, including:

- The October 2015 EMV liability-shift deadline
- Aging infrastructure and hardware in place at many retailers
- Adding tokenization and end-to-end encryption to the payments
infrastructure
- The rapidly approaching end of Microsoft's Windows XP support, which
also means the end of antivirus support for XP machines
- Mobile payment and its opportunities in customer convenience, as well as
loyalty, marketing and other business-building services
- Emerging solutions such as NFC, BLE (Bluetooth Low Energy), wallets and
digital currency such as Bitcoin
- Collaborating with processors and payment software ISVs on the right
solution

"EMV is going to force change anyway," says Mercury's Maloney. "As long as
you're changing hardware, you should be giving serious consideration to
encryption right at the device."

ETA's Oxman recommends solution providers consider attaining certification
credentials through the association's educational programs.

Will this increase interest in all the new emerging payment platforms?

If those companies do their marketing right, yes. The time is right for
those companies to capitalize on the distrust developing in current payment
infrastructure and make the case for why their solutions are more secure.
The question is, who has both the goods and the deep pockets to make the
most of the opportunity? Solution providers need to develop a solid
understanding of what's out there, but avoid investing too many resources
in any one provider until the market shakes out.

Mercury Payment's Maloney, for one, says he's intrigued by approaches that
register credit card data at the back end, so that transactions are
performed as card not present, and therefore card data is not exposed.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
