Subway Sandwich’s $3M Security Lesson

Weak Link

Instead of coming in with guns and robbing the till, criminals can target small businesses and steal from them digitally, from across the planet.  The tools used in the crime are widely available to anyone willing to take the risks, and small businesses’ generally poor security practices and reliance on inexpensive software packages make them easy pickings.

In a scheme dating back at least to 2008, ArsTechnica reports a band of Romanian hackers has been stealing payment card data from the point-of-sale (POS) systems of hundreds of small retail businesses, including over 150 Subway restaurant franchises, ringing up over $3 million in fraudulent charges.  In an indictment unsealed in a New Hampshire court, the hackers are alleged to have gathered the credit and debit card data from over 80,000 victims. 

The methods used by the attackers were not sophisticated.  The compromised systems were located by scanning IP address ranges for any systems running a specific type of remote desktop access software (a port scan).  The software was either unprotected or protected only by poor passwords, and provided back door access to the POS systems.

PCI Awareness Training

The PCI Security Standards Council has announced the availability of online official PCI Awareness training.  The cost of the course is currently $495.  This is a four hour introductory level course, designed for anyone interested in PCI, providing an overview of PCI security basics.  The training offers the opportunity for anyone to learn about PCI DSS, its impact and benefits, and the importance of PCI compliance, in a self-paced course.

This program is intended to help stakeholders better understand and implement the standards, covering the following topics:

  • What is PCI and what does it mean to meet compliance with the PCI Data Security Standard.
  • Key roles and responsibilities in the compliance process.
  • How credit card brands differ in their requirements for PCI reporting and validation.
  • Overview of the transaction process, including infrastructure used to accept payment cards, and communicate with the verification and payment facilities.
  • Real world examples of PCI challenges and successes.

The new online format allows access to the knowledge base of official PCI trainers from the comfort of your home or office.  Organizations looking to educate their employees across business functions about their roles in maintaining PCI compliance should definitely take advantage of this course.  The course also offers up to 4 continuing professional education credits for security staff development.

The PCI Data Security Standard requires organizations to provide security awareness training annually to staff.  This official PCI Awareness course is an opportunity to begin meeting that commitment.

To register for PCI Awareness online, visit the PCI DSS web site.

Personally, I think that this sort of training should be delivered free of charge to encourage adoption and improve compliance, or at least at a significantly lower price point to gain deep organizational penetration, but I don’t run the world…  Maybe it’s time to start putting out the “UnOfficial PCI Awareness” training.  There is a PCI course offered by IT-Governance for $75, and Clearent claims to offer a free awareness program.

New PCI Supplement – Protecting Telephone-Based Card Data

Today, customers can swipe credit cards in POS readers, they can use e-commerce sites online, or quite commonly use the telephone to complete payment transactions.  New guidance has just been issued by the PCI Security Standards Council aimed at securing stored payment card data collected via call centers and over-the-phone payments.  This directive is highly necessary and very timely.  Card data collected over the telephone or by voice-based payment systems is often overlooked as a vulnerable payments channel and has become a target for criminals.

The PCI Council’s Protecting Telephone-Based Payment Card Data information supplement provides actionable recommendations for merchants and service providers to process payment card data over the phone in a secure manner.  What makes phone-based payments unique and more vulnerable than other payment processing methods is the regulatory requirement to record the calls, and the “card-not-present” capture and storage of sensitive CVV or CVC authentication data.  It is a violation of PCI DSS Requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorization even if encrypted.  These authentication codes should not be stored in any manner.  Full primary account numbers (PANs) cannot be kept without additional protective controls in place.  PAN data should be encrypted if it must be stored.  Most payments made to call centers or over the phone with service reps are recorded.  Here’s a little PCI compliance secret for you: ‘If you don’t need it, don’t store it.’
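As an added illustration of the storage rules just described (this is example code, not from the PCI supplement or the original post), the following Python sanitizes a captured phone-order record before it is written anywhere: it drops the sensitive authentication fields outright, validates the PAN with a Luhn check, and masks everything but the first six and last four digits.  The record layout, field names and sample values are constructed for the example; the card numbers are the widely published industry test numbers, not real accounts.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample records, shaped like what a call-center order form might
# capture.  Two PANs are well-known test numbers; the third fails the Luhn check.
SAMPLE_RECORDS = [
    {"order_id": "A-1001", "pan": "4111 1111 1111 1111", "expiry": "12/14", "cvv": "123"},
    {"order_id": "A-1002", "pan": "5500-0000-0000-0004", "expiry": "01/15", "cvv": "456"},
    {"order_id": "A-1003", "pan": "1234 5678 9012 3456", "expiry": "06/13", "cvv": "789"},
]

# Sensitive authentication data: never stored after authorization (Requirement 3.2).
SENSITIVE_AUTH_FIELDS = ("cvv", "cvc", "cvv2", "pin", "track1", "track2")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> Optional[str]:
    """Strip spaces/dashes; return the PAN only if it looks like a real card number."""
    digits = re.sub(r"[\s-]", "", raw)
    if not digits.isdigit() or not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        return None
    return digits


def mask_pan(pan: str) -> str:
    """Keep at most first six and last four digits, mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def sanitize_for_storage(record: Dict[str, str]) -> Dict[str, str]:
    """Return a copy safe to persist: no CVV/PIN/track data, PAN masked."""
    out = {k: v for k, v in record.items() if k.lower() not in SENSITIVE_AUTH_FIELDS}
    pan = normalize_pan(record.get("pan", ""))
    if pan is None:
        raise ValueError(f"{record.get('order_id')}: PAN failed validation")
    out["pan"] = mask_pan(pan)
    return out


def process_batch(records: List[Dict[str, str]]) -> Tuple[List[Dict[str, str]], List[str]]:
    """Sanitize every record; return (records to store, ids rejected)."""
    stored, rejected = [], []
    for rec in records:
        try:
            stored.append(sanitize_for_storage(rec))
        except ValueError:
            rejected.append(rec["order_id"])
    return stored, rejected


if __name__ == "__main__":
    kept, bad = process_batch(SAMPLE_RECORDS)
    for r in kept:
        print(r)
    print("rejected:", bad)
```

Masking is the minimum; if the full PAN genuinely has to be retained, it must be encrypted (or tokenized) under the additional controls the supplement describes, and the authentication fields are gone regardless.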

In face-to-face and e-commerce environments, risk-mitigating technologies have helped significantly reduce fraud rates, resulting in a shift of card fraud towards the Mail Order / Telephone Order (MOTO) space.  Until now, these phone-based transaction records have fallen outside the scope of the PCI standards.  Merchants concerned enough with compliance to have asked have heard the PCI Council’s response: if there is no way to extract the card data from the audio, PCI rules do not apply.  With the emergence and general acceptance of digitally recorded files for call recording, these records can now easily be searched and the card data extracted.  More merchants are using audio recordings, but are not encrypting or destroying the data.

Key points:

  • Explains how the PCI-DSS applies to cardholder data stored in call recording systems.
  • Recommendations for assessing risk and applicable controls of call center operations.
  • Specific guidance around storage of sensitive authentication data, which includes suggested methods to meet PCI-DSS requirement 3.2.
  • Guidance on some of the key considerations faced by call centers when implementing PCI-DSS requirements.

Do More Than The PCI Minimum

No matter what type of business you run, from brick and mortar to virtual online, if you accept credit cards, you MUST keep the information that you gather secure.  This is more than just something that you have to do to remain compliant with The Payment Card Industry Data Security Standard (PCI DSS). 

  This is something that you OWE to your customers, regardless of regulatory and industry requirements. 

It is your responsibility, it is good business practice, and it also makes good sense. 


Credit card fraud and misuse costs businesses billions of dollars annually.  The cost per incident may vary, but can typically include:

  • Loss of income from fraudulent transactions
  • Costs of incident investigation and litigation
  • Costs associated with correcting the cause of the breach
  • Costs associated with auditing for further compromise and hardening against recurrence
  • Costs of reissuing cards to customers
  • Loss of reputation, customer confidence and future business
  • Fines imposed by credit card companies
  • Loss of ability to accept credit cards for payment

How much would your business need to pay out under each of these categories if there is a single breach?  Wouldn’t the costs of doing compliance right the first time balance out with the avoidance of that single breach?  Attackers continue to target banks and larger businesses, but are expanding their efforts to include smaller businesses while maintaining their focus on credit and debit card fraud.  You will spend the money to get it right after that first breach, and may never be able to fully recover your reputation, or to regain the assurance that your network has been returned to a clean and secure state.  Once roaches infest a building, it is very difficult to remove them all.  Once a network is compromised, it is never again completely your own.  The defenders of the network and data need to find every potential weakness, every point of entry, in order to properly defend it.  The attackers need only find one.


Cisco Releases PCI Survey Findings

Cisco has unveiled the results of a survey of 500 IT decision-makers regarding the PCI Data Security Standard (PCI DSS) 5 years after its introduction.   Surprisingly positive, to me it demonstrates the value that increased awareness and applying the foundational basics of information security can have.

 The survey included IT decision-makers involved in PCI-compliance programs from several industries, aiming to gauge adoption, uncover the costs and challenges associated with compliance, and measure adoption of certain technologies to better understand the approaches that organizations are taking to meet the requirements.


Key survey findings

  • 70% of respondents feel their organization is more secure than if PCI compliance were not required.
  • 87% believe PCI requirements are necessary for protecting cardholder data.
  • Retail and financial services respondents both felt comfortable in their likelihood to pass an assessment of their PCI compliance.
  • 67% of respondents anticipate spending on PCI compliance will increase in the next year, indicating positive executive and board buy-in.
  • 60% of respondents suggested that PCI-compliance projects can drive other IT or network security projects.

Top challenges

  • When asked to define specific challenges for implementing the PCI DSS requirements, educating employees on the proper handling of cardholder data was the single most highly recognized problem identified, at 43%.
  • Updating antiquated systems was named by 32% of respondents.
  • Of the 12 PCI requirements, the top 3 issues for achieving or maintaining compliance were:
    • Tracking and monitoring access to network resources and cardholder data (37%),
    • Developing and maintaining secure systems and applications (32%),
    • Protecting stored cardholder data (30%)

Adherence to PCI

Government fared better than other sectors on PCI assessments, but the vast majority of respondents are making strides in protecting their sensitive cardholder data.

  • 78% passed their previous initial assessment.
  • 85% believe they would currently pass an assessment.
  • 85% of governmental organizations passed their initial assessment.
  • 72% of health care organizations passed.
  • More than 85% of respondents were aware of the clarifications and recommendations in the newly announced PCI DSS 2.0 standards.

http://newsroom.cisco.com/dlls/2011/prod_011211.html

WikiLeaks – Could It Happen To You?

For enterprise IT managers and security professionals, the on-going WikiLeaks disclosures underscore the information security gaps that exist even when common security controls are in use by large organizations.  It is not necessarily the controls themselves that are flawed, but more often the supporting processes and procedures that were quickly pulled together under pressure, and seldom if ever revisited or audited at a granular level for optimal performance and completeness.

This entire ordeal also serves to highlight the importance of adopting a “trust, but verify” approach to hiring practices and access control.  This means that you need to be just a little bit more paranoid regarding your practices, without distrusting your employees.  Remember that everyone that you hire is human, and that people will make mistakes if mistakes are possible.  They are (hopefully) hired due to their capabilities and experience, but what really separates them from the other candidates that showed up for an interview?  Were you able to validate their claims of reliability and trustworthiness?  Trust that they will exercise good judgement, work towards corporate betterment, but verify that each access to sensitive data or corporate intellectual property is properly justified.   Remove the temptation to go astray, and by all means, let them know that you verify.  Your intentions are to DISCOURAGE criminal or damaging behavior, not ENTRAP those who may err or fall prey to social engineering.

What controls should be in place?  That depends on the type and classification of the information that is at risk.  When it comes to client financial and personal information, it is clear that monitoring, notification and escalation controls are a requirement.  Take a lesson from PCI, even if you don’t adopt it formally.  The PCI DSS is simply basic computer security.  A quick review of the 12 main PCI requirements shows nothing revolutionary, and they offer a solid starting point for virtually any security compliance engagement. 


Visa Revokes PCI Approval From PIN Pads After Breach

In a move that seems to reflect a very different PCI approach coming from the world’s largest card brand, Visa has ripped the PCI approval from two Ingenico PIN entry devices (PEDs) after a data breach.  What makes this move especially interesting is how it undercuts two strongly held Visa positions, in terms of publishing the names of vendors whose products are engaged in PCI issues and in its position that no PCI-compliant retailer has ever been breached.

Behind all of this commotion are an increasing number of physical attacks against PEDs.

StoreFrontBackTalk

RAM Scrapers

A new flavor of malware is aiming at grabbing valuable data from memory in point-of-sale systems.  The Verizon Business Data Breach Investigation Report has included RAM scrapers in a recent list of the top data breach attack vectors and has prompted discussion about how much of a threat it poses.

A RAM scraper is identified in the report as a piece of customized malware created to grab credit card, PIN, and other confidential information out of a system’s volatile random access memory. The RAM-scraping breaches in Verizon’s report occurred in point-of-sale (POS) servers. RAM scraping is not really new, but Verizon flagged the emergent threat trend in POS devices as a tactical change.

The data in RAM is often easier to grab than at the reader or off of the computer’s hard disk.  Current PCI compliance standards require the end-to-end encryption of sensitive payment card data when being transmitted, received, or stored.  Unencrypted credit card data may be exposed during processing, remaining resident in the POS device’s RAM for a period of time.  That’s where the malware can capture the strings related to card identifiers rather than performing bulk data grabs, reducing the likelihood of detection.

One of the incidents Verizon Business’s RISK Team investigated was discovered as a result of a spike in credit card fraud reports coming from a casino: The RAM scraper itself wasn’t detected on the server.  The scraper dumped the card data to a file named dumper.dll in a Windows system subdirectory, where it waited for backdoor access and retrieval.

POS RAM scrapers enter systems that are either insufficiently protected, such as those that use default credentials, or that get compromised by trusted partners, according to the Verizon report.  RAM scrapers are typically a secondary infection agent, most often installed after a system has been compromised using some other primary attack method.  Backdoor access and command/control agents are common features of RAM scraper attacks.  Because this malware is typically customized for each attack, its signatures are less likely to be recognized by antivirus software.

The best way to detect a RAM scraper is via regular traffic and critical file monitoring and log analysis.  Here are 10 tips for protecting against malware in general and RAM scraping in particular, gleaned from the report:

  1. Make use of hardware AND software firewalls.
  2. Install and maintain antivirus software.
  3. Perform regular system maintenance, patching, logging, and complete reviews of POS systems.
  4. Regularly confirm the integrity of your intrusion detection systems.
  5. Monitor file integrity.  These files will often try to attach to real processes or system files.
  6. Monitor disk activity and watch out for file-creation in system and temporary subfolders.
  7. There is absolutely no excuse for default credentials on ANY computer, much less systems that process financial transactions.
  8. Bear in mind that end-to-end encryption doesn’t always include the clear-data processes happening at the end-points.
  9. Deny, if possible, admin-level credentials to POS and POS support vendors and reset vendor credentials and settings.
  10. Minimize and test data persistence in memory. Just because the specs say data persists for a millisecond doesn’t make it true.
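Tips 5 and 6 (file integrity and watching for file creation in system and temporary folders) are the detection controls that would have caught the dumper.dll drop described above.  The following Python is an added example, not code from the Verizon report or the original post: it hashes every file under a root into a baseline, then compares a later snapshot and flags new files that appeared inside system or temp subfolders.  The directory tree, file contents and the list of watched subfolders are all constructed for the example; a real deployment would store the baseline off-host and run the comparison on a schedule.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Subfolders where an unexpected new file is worth an alert (constructed list).
WATCHED_SUBFOLDERS = ("system32", "temp", "tmp")


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    baseline: Dict[str, str] = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = str(path.relative_to(root)).replace(os.sep, "/")
            baseline[rel] = hash_file(path)
    return baseline


def compare_to_baseline(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Report added, removed and modified files, plus new files in watched folders."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    suspicious = [
        p for p in added
        if any(part.lower() in WATCHED_SUBFOLDERS for part in Path(p).parts[:-1])
    ]
    return {"added": added, "removed": removed,
            "modified": modified, "suspicious_new": suspicious}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a fake POS install, then simulate a
    post-compromise state (a dump file in a system subfolder, a changed binary)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "windows" / "system32").mkdir(parents=True)
        (root / "pos").mkdir()
        (root / "pos" / "pos.exe").write_bytes(b"original pos binary")
        (root / "windows" / "system32" / "kernel32.dll").write_bytes(b"system library")
        baseline = build_baseline(root)

        # Simulated changes an attacker might leave behind (placeholder content only).
        (root / "windows" / "system32" / "dumper.dll").write_bytes(b"placeholder dump file")
        (root / "pos" / "pos.exe").write_bytes(b"patched pos binary")
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Because a customized scraper has no antivirus signature, this kind of change-based detection, paired with log review and outbound traffic monitoring, is what actually surfaces it; the comparison deliberately reports on what changed rather than trying to recognize the malware itself.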

While Verizon found POS systems to be at risk of RAM scraping in their report, the technique also lends itself to use against other systems’ volatile memory.  You may be surprised at how much data is sitting in the RAM of your network printers, for instance…