It’s a tough time to be a retailer. Massive point-of-sale (POS) breaches continue to make headlines on a regular basis, and they can have a significant impact on consumers’ trust in a company and its brand. Just recently, the Hudson’s Bay Company (HBC), owner of retailers Saks Fifth Avenue, Saks OFF 5th and Lord & Taylor, acknowledged that an undisclosed number of customers’ payment card data had been stolen, and HBC shares fell more than 6 percent in response to the news.
According to security firm Gemini Advisory, the Fin7 hacker group stole data on more than five million credit and debit cards that had been used at HBC credit card terminals beginning in May 2017. “Based on the analysis of the available data, the entire network of Lord & Taylor and 83 Saks Fifth Avenue locations have been compromised,” the firm wrote in a blog post examining the breach.
Evolving threats
Don Duncan, security engineer at NuData Security, told eSecurity Planet by email that POS systems are often dangerously easy to penetrate with malware, including the following (among many others):
- Dexter was discovered by Seculert (now Radware) researchers in 2012. The malware uploads data from the infected device to a command and control server, then uses an online parsing tool to separate out credit card data.
- vSkimmer malware, a successor to Dexter, dates back to 2013. If the infected device isn’t connected to the Internet, the malware waits for a USB device with a specific volume name to be connected, then copies stolen data to that device.
- Backoff malware, which also dates back to 2013, scrapes memory for track data, logs keystrokes, and connects to a command and control server to upload stolen data and download additional malware.
- PoSeidon malware, discovered by Cisco researchers in 2015, installs a keylogger and searches the POS device’s memory for number sequences that match credit card data — then uploads that data to an exfiltration server.
- UDPoS malware, only recently discovered by Forcepoint researchers, poses as a LogMeIn service pack and uses DNS requests to transfer stolen data to a command and control server.
Errors to avoid
To protect yourself against most POS malware, watch out for these three key (and all too common) mistakes:
- Not patching systems: While some advanced threats target zero day vulnerabilities, far more simply take advantage of known vulnerabilities that have had patches available for months, Thycotic chief security scientist Joseph Carson said by email.
- Using POS devices for other tasks: Carson said retailers too often allow users to leverage POS systems for common tasks like checking email or surfing the Web. “This type of poor security practice should be avoided at all costs, as it exposes the company to easily become a victim of cybercrime.”
- Focusing only on the perimeter: A multi-layered approach is key. “It is imperative that companies implement a multi-layered approach to security, incorporating artificial intelligence, machine learning and device intelligence to protect customer data from being compromised in the event an initial breach occurs,” Simility co-founder and CTO Kedar Samant said.
The starting point: PCI DSS compliance
The Payment Card Industry Data Security Standard (PCI DSS), one of many compliance regulations affecting companies in just about every industry, covers basic requirements for point-of-sale endpoint security, including the use of a firewall, changing passwords from vendor-supplied defaults, protection of stored data, encrypted transmission of sensitive data, use of antivirus software, restriction of physical access to payment card data, and more.
Multi-factor authentication is also required for remote access. “Having multiple factors to help ensure only authorized personnel are able to access appropriate resources goes a long way toward securing environments, but only if taken as one of many security layers in depth,” Aaron Reynolds, vice president for payments advisory and assessments at Coalfire, said by email.
That speaks to a larger point regarding PCI compliance: It’s just a starting point, not a guarantee of security. “The PCI SSC standards have continually improved and strive to keep up with the changing threat landscape, but it is always incumbent on the merchant to understand the risks relevant to their environment and implement appropriate security measures,” Reynolds said.
Still, PCI can be a very good start – Reynolds said he hasn’t seen a single major data breach where post-breach analysis didn’t show a lack of sufficient security controls that were specifically addressed by PCI DSS.
Three steps to an ideal POS security solution
The three most important factors in protecting cardholder data, Reynolds said, are tokenization, encryption, and fraud prevention – which means an ideal security solution, particularly for SMBs, would include tokenization, point-to-point encryption (P2PE) and EMV.
“The three together are still not a security ‘silver bullet,’ but they go a very long way toward the ability for a merchant to maintain a secure and maintainable environment,” he said.
- EMV: Ruston Miles, founder and chief strategy officer at Bluefin Payment Systems, said smaller retailers in particular have to understand that EMV alone is not enough – it can reduce the successful use of fraudulent cards at the point of sale, but it won’t prevent the POS device from leaking data as a result of malware or other cyber threats. “Unfortunately, this has been the case in many recent high-profile breaches where EMV/chip card terminals were in use,” he said.
- Tokenization: Add tokenization to the mix, Miles said, and you’re in much better shape. “Tokenization replaces the card data with a token or reference number so that if a hacker gains entry to the POS system, all they get is useless token numbers that they cannot use to commit fraud or sell on the dark Web,” he said.
- Point-to-point encryption: P2PE and tokenization, Miles said, are the one-two punch of an approach to card data security called data devaluation. “The idea is that, if a card is encrypted while it’s moving through the POS and tokenized if it is stored on the POS, then it’s useless to hackers and protects the retailers from the potentially devastating effects of a breach,” he said.
…and a fourth step: employee training
There’s one more factor to keep in mind through all of this: the human element. It’s critical that your cyber security teams are sufficiently funded, with adequate staffing and training, Imperva CTO Terry Ray said by email. Cyber security is often underfunded until a company is breached, at which point some additional funding will be allocated – but security teams remain generally small and stretched thin. Higher budgets, better staffing and ongoing training are key.
And that’s not just true for your security team. It’s critical to engage your employees in improving security, Coalfire’s Reynolds said. “Employees have to maintain secure access, passwords, and several other security best practices to prevent breaches into their systems,” he said. “Annual or regularly occurring training is key to keeping employees knowledgeable and up to date in a dynamically changing cyber environment.”
For more, see Designing Employee Security Awareness Training That Works.
