While conducting a penetration test of a major Canadian retailer, Rob VandenBrink bought something from the store. He later found his own credit card number buried in its systems, a major worry.
The retailer, which has hundreds of stores across Canada, otherwise had rock-solid security and was compliant with the security guidelines known as the Payment Card Industry’s Data Security Standards (PCI-DSS), said VandenBrink, a consultant with the IT services company Metafore.
But a simple configuration error allowed him to gain remote access. From there, he found the retailer was vulnerable to the same problem that burned Target, Neiman Marcus, Michaels, UPS Store and others: card data stored in memory that is vulnerable to harvesting by malicious software.
The problem is growing worse. The U.S. Department of Homeland Security and Secret Service warned last month that upwards of 1,000 businesses may be infected by malware on their electronic cash registers, known in the industry as point-of-sale devices.
So why are the data thieves winning? Security analysts say point-of-sale malware is neither new nor particularly sophisticated. Programs such as Backoff, BlackPOS and JackPOS hunt down clear-text payment card details jammed in a jumble of data in a computer’s memory, a process known as “RAM scraping.”
Merchants who handle card data are required to be PCI-DSS compliant or face liability if cardholder data leaks. But the latest security specification, PCI-DSS version 3.0, doesn’t mandate that merchants use technologies that encrypt card data from the moment a person’s card is swiped, referred to as point-to-point encryption.
Using that kind of technology would eliminate the in-memory malware problem, security experts say.
The PCI Security Standards Council, which develops PCI-DSS, did recommend last Wednesday that merchants switch to using that kind of encryption technology.
But retailers often have long technology refresh cycles, so it could be five to seven years before most move to it. Fraud is expected to migrate from big retailers that resolve the weaknesses to smaller ones who have not, said Avivah Litan, a Gartner analyst who consults with banks and card companies.
“In general, I think we are stuck with these point of sale breaches for many years,” Litan said.
Retailers are also missing key signs in their network logs that they’re under attack. Subsequently, most breaches are discovered by third parties, such as when fraud shows up on cards, said Bryan Sartin, managing director for Verizon’s Risk Team, which investigates data breaches.
Many merchants are using “1990s technology to react to modern-era cyberattacks,” Sartin said.
Merchants can be fined by card companies for breaches and are on the hook to pay for forensic investigations, which for PCI-related breaches can cost upwards of US$100,000, said Nick Economidis, an underwriter with the Beazley Group, which has seen its data breach insurance business boom.
In recent years, merchants have occasionally struck back, suing suppliers and integrators of POS systems. Those lawsuits have generally argued the suppliers are liable for breaches due to setup and maintenance errors.
Interestingly, very few of the lawsuits are ever litigated, as POS suppliers often choose to settle, said Charles Hoff, an Atlanta-based lawyer who has been involved in many such actions.
POS suppliers “may feel that they have a strong defense but they don’t like the scrutiny in terms of the media,” Hoff said. “It certainly doesn’t help them in the marketplace. They want to figure out a way to keep their [customers] and not lose them.”
All merchants want to do is “sell what they’re selling,” said Pam Galligan, chief compliance officer for Mercury Payment Systems, whose payment processing technology is built into various POS systems.
“PCI asks these merchants to comply with an increasingly technical set of requirements,” she said. “They don’t want to spend a lot of time and energy trying to protect their card environments.”
There’s a broad effort under way to ensure that merchants are up to speed with PCI-DSS 3.0, which comes into force on Jan. 1. But it’s complex: there are 12 main requirements and more than 250 sub-requirements.
Galligan said Mercury works to ensure its POS partners are up on PCI. Hoff is co-founder and CEO of PCI University, an organization that tries to explain PCI-DSS to people who aren’t data security experts.
Merchants are under heavy pressure to handle card data right every time, all the time. The PCI Council advises that retailers can’t just pass an annual audit and forget about it. A main concern is that networks are modified over time, which could inadvertently create weak points for hackers to capitalize on.
That is exactly what happened with the Canadian retailer VandenBrink tested. The company had recently finished a hardware refresh and in the process left two open Internet-facing telnet and SSH ports, he said.
The ports were password protected, but using various techniques, VandenBrink eventually discovered the right passwords. That allowed him to get access to where the payment card data was held in memory, including his own.
“I was surprised,” he said. “There were thousands of cards in memory.”
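The failure described above, Internet-facing telnet and SSH ports left open after a hardware refresh, is the kind of drift a recurring external scan compared against an approved baseline will catch. The following is an added example, not part of the original article: it assumes the scans are saved in nmap's grepable (`-oG`) format, and the two snapshots, the host names and the `ADMIN_PORTS` list are constructed for illustration.

```python
import re

# Constructed nmap grepable (-oG) output: an approved snapshot taken before a
# hardware refresh and a second one taken after it. Addresses are RFC 5737.
BASELINE = """\
Host: 203.0.113.10 (shop.example)\tPorts: 443/open/tcp//https///
Host: 203.0.113.11 (mail.example)\tPorts: 25/open/tcp//smtp///, 443/open/tcp//https///
"""
CURRENT = """\
Host: 203.0.113.10 (shop.example)\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 443/open/tcp//https///
Host: 203.0.113.11 (mail.example)\tPorts: 25/open/tcp//smtp///, 443/open/tcp//https///, 8080/closed/tcp//http-proxy///
"""

# Assumed policy: remote-administration services that must not face the Internet.
ADMIN_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc"}
HOST_RE = re.compile(r"^Host:\s+(\S+).*?\bPorts:\s+(.*?)(?:\t|$)")

def open_ports(grepable):
    """Return {(host, port, proto)} for every port nmap reported as open."""
    found = set()
    for line in grepable.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and "Status:" lines carry no ports
        host, ports = m.groups()
        for entry in ports.split(","):
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open":
                found.add((host, int(fields[0]), fields[2]))
    return found

def exposure_drift(baseline, current):
    """List services open now that the approved baseline did not contain."""
    new = sorted(open_ports(current) - open_ports(baseline))
    return [
        {"host": h, "port": p, "proto": proto,
         "severity": "critical" if p in ADMIN_PORTS else "review"}
        for h, p, proto in new
    ]

if __name__ == "__main__":
    for finding in exposure_drift(BASELINE, CURRENT):
        print("{severity:8} {host}:{port}/{proto}".format(**finding))
```

Run after every network change rather than once a year, a comparison like this surfaces the two new administrative ports on the first post-refresh scan.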