In the wake of high-profile retailer breaches, how is the payment industry responding?
The year 2013 looks likely to be defined as the year of the data breach, as fraudsters evolve their methods into wide-scale attacks on payment systems using several techniques, writes Victoria Conroy.
In the last issue of PCM (March/April 2014), we looked at the ramifications spreading from the high-profile data breaches at US retailers such as Target and Neiman Marcus. In Target's case, around 40 million credit and debit card records were stolen between 27 November and 15 December 2013, along with around 70 million customer records containing the name, address, email address and phone number of Target customers.
The breach has resulted in an estimated cost of around $200 million for banks and credit unions to reissue nearly 22 million cards. Target has now announced that it will be spending around $100 million to upgrade its POS terminals to support EMV cards. However, industry sources claim that even if Target had deployed EMV-enabled terminals before the breach, it would not have stopped fraudsters from stealing the information, given that there was no end-to-end encryption in place, meaning that card numbers and data could still be stolen and used fraudulently.
In the latest bad news for Target, three US banks have now filed a class-action lawsuit against the retailer and security firm Trustwave, claiming the two companies should be held liable for expenses associated with Target’s 2013 payments breach that exposed around 40 million credit and debit cards.
The banks allege that Trustwave, as Target’s security vendor, neglected to ensure and maintain Target’s overall network security by failing to maintain Target’s ongoing compliance with PCI data security standards, which ultimately resulted in the breach. In response, Trustwave CEO Robert McCullen said that the company had not been hired by Target to manage data security or IT obligations. “Trustwave did not monitor Target’s network, nor did Trustwave process cardholder data for Target,” he said.
In April 2014, Target outlined planned security enhancements and announced the appointment of Bob DeRodes as its new chief information officer. In his role, DeRodes will assume oversight of the Target technology team and operations, with responsibility for the ongoing data security enhancement efforts as well as the development of Target’s long-term information technology and digital roadmap.
Target has announced that it is implementing enhanced monitoring and logging, including additional rules and alerts, centralised log feeds and additional logging capabilities; application whitelisting on POS systems; enhanced segmentation, including POS management tools; and streamlined network firewall rules with a comprehensive firewall governance process. The retailer is also decommissioning vendor access to the server impacted in the breach and disabling select vendor access points, including the FTP and telnet protocols.
It is also accelerating its transition to EMV cards. Beginning in early 2015, the entire REDcard portfolio, including all Target-branded credit and debit cards, will be enabled with MasterCard’s chip and PIN solution. Existing co-branded cards will be reissued as MasterCard co-branded chip and PIN cards.
More recent breaches include US liquor store chain Spec’s, which has revealed that around 500,000 customers may have had their card data stolen in a breach going back around 18 months to October 2012 and which may have continued until March this year. Meanwhile, also in March this year, the California Department of Motor Vehicles (DMV) announced it was investigating a potential security breach within its credit card processing services. The DMV, which collects card fees via its website, said there was “no evidence” of a direct breach of its computer systems, but that it was made aware of the problem by law enforcement officials after MasterCard alerted banks to compromised cards.
The emergence of Heartbleed
As if these breaches weren’t bad enough, the disclosure of the Heartbleed vulnerability earlier this year only served to highlight how the payment industry is fighting a fraud war on several fronts. A flaw in OpenSSL, the cryptographic library used worldwide to secure network connections, could allow fraudsters to read sensitive information held in the memory of an affected system with just a basic network request.
Trustwave security research manager John Mille told PCM: “Although the bug was only announced recently, it has been present in OpenSSL versions released since March 14, 2012, giving attackers ample opportunity to steal certificates or other sensitive information. Web servers are not the only possible target for an attack; any programme that uses an affected version of OpenSSL and is exposed to the internet is vulnerable.
“Since SSL is what allows internet users to securely send sensitive information such as passwords and credit cards, it is a cornerstone of modern e-commerce. It is estimated that OpenSSL is used on 60% of internet-facing, SSL-enabled services. While not all of these services will be vulnerable, the effects of this bug are widespread. Users should check with their go-to websites that contain sensitive information such as their banking and email providers and ask them if they were affected, and if so, how they have patched the vulnerability. Once the provider has confirmed their service is fixed, users should also change their passwords. Businesses that host their own affected SSL services should strongly consider revoking their current certificates, as compromise could lead to abuse of their users and damage to their reputation. SSL certificate owners will need to work with their Certificate Authority (CA) to reissue their certificates.”
Mark Kedgley, chief technology officer at New Net Technologies (NNT), told PCM that early change detection is vital in identifying potential security breaches and, based on reports published so far, it certainly would have helped in the case of the Target breach.
“The Target story will be played out for months to come. The only positive is that such a high-profile security breach shows that it can happen to any organisation at any time. Hopefully it will force other organisations to review their own security practices and procedures to assess where they can improve. Not just retailers either – any organisation with sensitive data to protect should take heed. NNT specialises in change and configuration management with file integrity monitoring (FIM). Operated correctly, within an active security framework where unusual and suspicious activity is investigated, we have shown how FIM could have been used to head off this type of attack before damage was done.”
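As an added illustration of the change-detection point Kedgley makes (not NNT's software or any code from the article), here is a minimal file integrity monitor in Python: baseline a directory tree with SHA-256 digests, re-snapshot later, and report what changed. The directory layout, file contents and addresses are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example (not NNT's product or Target's tooling): a minimal file
# integrity monitor. A SHA-256 baseline is taken over a directory tree while
# the system is in a known-good state; later snapshots are compared against
# it and every added, modified or removed file is reported for investigation.

def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are handled."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its digest."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline: dict, current: dict) -> dict:
    """Classify the differences between two snapshots."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }

def demo() -> dict:
    """Constructed scenario: a known-good POS directory, then a dropped
    executable and a tampered config, as a FIM deployment would see them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "pos.exe").write_bytes(b"legitimate POS binary")
        (root / "pos.cfg").write_text("upload=https://acquirer.example/\n")
        baseline = snapshot(root)
        # Simulated unauthorised change: new binary and altered upload target
        # (198.51.100.7 is a documentation address, constructed for the example)
        (root / "bin" / "svchost.exe").write_bytes(b"unexpected new file")
        (root / "pos.cfg").write_text("upload=http://198.51.100.7/\n")
        return compare(baseline, snapshot(root))
```

In a real deployment the baseline is stored off-host and signed, and each reported difference is reconciled against an approved change ticket before being dismissed.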
A resurgence in RAM scrapers
Global security solutions specialist Verizon recently published its seventh annual data breach report, analysing more than 1,300 confirmed data breaches as well as more than 63,000 reported security incidents. The 2014 report also analysed 856 security incidents within the finance sector, including 465 where a data breach was confirmed. With all the news around POS attacks at major retailers, the report found that industries commonly hit by POS intrusions are restaurants, hotels, grocery stores and other brick-and-mortar retailers, where intruders attempt to capture payment card data. Verizon states that such attacks, while high-profile, are not really indicative of the actual picture of cyber-crime.
Breaches of POS systems are centred on network vulnerability, according to Verizon. Perpetrators scan the internet for open remote-access ports and, if the script identifies a device as a POS, it tries likely credentials (brute force) to gain access to the device. They then install malware (a RAM scraper) to collect and exfiltrate payment card information.
One intriguing finding of the report is the renaissance of RAM scraping malware as the primary tool used to capture data. RAM scrapers allow payment card data to be grabbed while processed in memory (where it is unencrypted) rather than when stored on disk or in transit across the network (where it is ostensibly encrypted). Essentially, RAM scrapers are injected into running processes to steal payment card data before it’s encrypted by a POS system and the back-end servers that manage them.
It’s interesting, but not necessarily surprising, that RAM scraping has usurped keyloggers as the most common malware functionality associated with POS compromises. One viable theory is that keyloggers are more easily spotted than the memory-scraping code witnessed in this data set. Target has already admitted that malware was found on its POS systems during a forensic investigation.
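The brute-force intrusion path described above is also the pattern a POS operator can spot in its own logs before a bank or law enforcement calls. As an added example (not from Verizon or any vendor quoted here), the following Python scans remote-access authentication logs for a burst of failures from one source and a subsequent successful login from that same source; the log format, host names and addresses are assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example (not Verizon's or Target's tooling): flag the remote-access
# brute-force pattern described above in POS authentication logs, and raise
# the severity when a flagged source then logs in successfully. The log
# format, host names and addresses are constructed for this example.
LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<svc>\S+) "
                  r"auth=(?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$")
THRESHOLD = 5                  # failures from one source within WINDOW
WINDOW = timedelta(minutes=2)

def parse(line: str) -> dict:
    m = LINE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def detect(lines) -> list:
    """Return alerts as (severity, src, host, message) tuples."""
    failures = defaultdict(deque)  # src -> timestamps of failures inside WINDOW
    flagged = set()                # sources already reported for brute forcing
    alerts = []
    for ev in map(parse, lines):
        src, q = ev["src"], failures[ev["src"]]
        while q and ev["ts"] - q[0] > WINDOW:   # expire old failures
            q.popleft()
        if ev["result"] == "failure":
            q.append(ev["ts"])
            if len(q) >= THRESHOLD and src not in flagged:
                flagged.add(src)
                alerts.append(("medium", src, ev["host"],
                               f"{len(q)} failed {ev['svc']} logins within {WINDOW}"))
        elif src in flagged:       # success after a brute-force burst
            alerts.append(("high", src, ev["host"],
                           f"successful {ev['svc']} login as {ev['user']} after brute force"))
    return alerts

SAMPLE_LOG = [  # constructed sample: a failure burst from one address, then a success
    "2013-11-27T02:14:03Z pos-lane-04 rdp auth=failure user=admin src=203.0.113.9",
    "2013-11-27T02:14:05Z pos-lane-04 rdp auth=failure user=admin src=203.0.113.9",
    "2013-11-27T02:14:07Z pos-lane-04 rdp auth=failure user=pos src=203.0.113.9",
    "2013-11-27T02:14:09Z pos-lane-04 rdp auth=failure user=pos src=203.0.113.9",
    "2013-11-27T02:14:11Z pos-lane-04 rdp auth=failure user=pos src=203.0.113.9",
    "2013-11-27T02:14:14Z pos-lane-04 rdp auth=success user=pos src=203.0.113.9",
    "2013-11-27T02:20:00Z pos-lane-02 rdp auth=failure user=clerk src=10.1.5.20",
]
```

The "high" alert is the one worth paging on: a login that follows a failure burst from the same source is exactly the foothold the Verizon report describes, and it precedes any malware drop.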
Catching up with cyber-crime
Regardless of how large the victim organisation was or which methods were used to steal payment card information, there is another commonality shared in 99% of the cases covered by the Verizon report: someone else told the victim they had suffered a breach. According to Verizon, this is no different from years past, and notification by law enforcement and fraud detection are the most common discovery methods. In many cases, investigations into breaches uncover other victims, which explains why law enforcement is both the top discovery method and the top contributor of POS intrusion cases. In short, payment card breaches are typically discovered only after the criminals begin using their ill-gotten gains for fraud and other illicit purposes.
“After analysing ten years of data, we realise most organisations cannot keep up with cyber-crime – and the bad guys are winning,” said Wade Baker, principal author of the data breach investigations report series at Verizon. “But by applying big data analytics to security risk management, we can begin to bend the curve and combat cyber-crime more effectively and strategically. Organisations need to realise no one is immune from a data breach. Compounding this issue is the fact that it is taking longer to identify compromises within an organisation – often weeks or months, while penetrating an organisation can take minutes or hours,” Baker added.
According to Raja Ray, director of products and solutions at POS terminal manufacturer VeriFone, encryption of card data will now be at the forefront in the fight against fraud: “As criminals become more sophisticated, it is vital to lock down every part of the payment process, not just card acceptance. The mandated PCI Standard has gone a long way to addressing this by ensuring best practice in terms of handling, transmitting and storing cardholder data – and making sure this is maintained through regular auditing by QSAs.
“While this reduces the opportunity for theft, unencrypted data travelling along the payment pipe is still vulnerable. Many parties now insist on point-to-point encryption (P2PE), which encrypts data throughout the transaction path. Even if the data is accessed by an unauthorised person, it is useless to them without the relevant decryption keys. Used in conjunction with tokenisation, this keeps the chain safe while still allowing retailers to access CRM-related customer data. It is vital, in our increasingly online and mobile world, that retailers, banks, card issuers and payment providers make sure consumers are protected against any threat. That means constantly upgrading systems, standards and processes to keep one step ahead of criminals.”