POS Protection - If Target didn’t concern you, maybe Home Depot will?
Why Breach Prevention and Host Intrusion Detection Have Never Been More Valuable
A retailer we spoke to this week is treating the recent breaches at Target and Home Depot as their final warning: ‘This is like a scary glimpse of the future for us – we could easily be in the same position as Target because we don’t have any idea what is going on with our POS systems’.
Fortunately they have heeded the warning – they have now implemented measures so that they do have visibility of change activity at the POS, but what about the thousands of other retailers yet to take any action? Will they be a victim of a breach before they take action?
For those retailers that would like to prevent a Target-style breach, what are the risks to the POS environment?
For this particular article we have decided to give you the conclusion/summary up front. There is a good deal of very valuable content below but if you go no further – we urge you to consider the following:
Protection of the Card Swipe
Card skimming, the theft of card data through modification of the payment terminal or card swipe hardware, is still among the most prevalent and successful attacks. This relatively low-tech approach requires the magstripe reader hardware to be tampered with or replaced with a pre-modified device – it is still often too easy to dupe checkout staff into allowing a ‘maintenance guy’ to ‘upgrade’ their POS card reader. Where there is willing collusion between staff and the fraudsters, things become even easier, not just in retail and restaurant businesses but in call centers, gas stations and anywhere else where card numbers can be siphoned off.
So physical protection of the card swipe or PED (Pin Entry Device where Chip and Pin is used) is vital and POS staff need to be educated in the importance of protecting their POS systems and peripherals. At a corporate level, the card swipe devices can be monitored for integrity in the same way that the POS systems themselves can be tracked for any suspicious activity.
P2PE is gaining credibility as a ‘silver bullet’ for PCI DSS, albeit just for POS systems. The theory is that, by encrypting card details as soon as they hit the card swipe or PED (Pin Entry Device), the POS is then only handling pre-encrypted card data and is therefore de-scoped. This doesn’t mean the POS is secure or immune to malware, just that card data no longer exists in a non-encrypted format. So Visa and Mastercard are happy, but your systems are still left at risk of breach, and the business data-loss and disruption that follows. Of course, the call center and eCommerce infrastructure will not be able to use the P2PE approach so will still need ‘traditional’ security best practices to be applied.
For a certified P2PE solution, the encryption keys are administered by the P2PE service provider and this can be interpreted as de-scoping the merchant environment further. For most, the cost of implementation is still prohibitive when compared to the cost of implementing robust PCI measures for an existing POS solution – a complete swap-out of all card swipe/PEDs is required, POS system changes made, central infrastructure changes to accommodate the new encryption systems etc.
However, the costs of P2PE don’t end with the expense of a hardware upgrade. Providers of P2PE are firmly focused on the real prize, which is to take control of payment transactions and the small-but-valuable transaction fees. This is where the real ‘card skimming’ action is: charging a percentage-based fee on every single card transaction is highly lucrative, and whoever controls the payment transaction infrastructure can call the shots on fees. The result is that the merchant using P2PE risks trading a slightly simplified (but far from eradicated) PCI DSS burden for a severely depleted bargaining position over payment transaction fees. There will always be other transaction providers, and some of these will even be P2PE-based too, but migration to an alternative will be just as prohibitively expensive as the initial move to P2PE.
Little wonder that most merchants are opting out of P2PE.
Protecting the POS
Target and Home Depot reportedly suffered a similar infiltration by the BlackPOS malware. This is a nasty infection that sniffs out card numbers from the POS memory and processes prior to encryption. Card numbers are then stored on the POS terminal for later collection and file transfer out of the network to the waiting fraudsters. While the Home Depot incident has not been fully investigated yet, the Target breach vector was one of their third-party suppliers with access to the network. This access was enough of a foothold to ultimately distribute BlackPOS to POS terminals and also to establish a Command and Control server within the Target estate.
While the hack was a very concerted and effective effort, BlackPOS leaves plenty of clues that should have been detected before damage was done:
- Service lists were modified
- Registry keys and values were changed
- New system files were created within the System32 folder
This particular version of BlackPOS evaded the POS Anti-Virus because it was zero-day malware – a new version not known to AV providers and therefore invisible to signature-based scanning.
File Integrity Monitoring would have detected the new system file (DLL) and should also have detected the registry and services list changes. Better still, a strong hardened build standard would have been implemented to restrict access and privileges on the POS system.
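As an added illustration (not code from the original article or from any FIM product), the following Python snapshot-and-diff shows the comparison a FIM/HIDS agent performs against a POS build to surface exactly the three indicators listed above: a new file in the system folder, an extra entry in the service list, and a changed registry value. All file names, service names and registry values in the scenario are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot_dir(root):
    """Map each file under root (think System32) to its content hash."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in root.rglob("*") if p.is_file()}

def diff_snapshots(baseline, current):
    """Return (added, removed, modified) keys. One routine serves file hashes,
    the service list and registry values, since each is a plain dict."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return added, removed, modified

def demo():
    """Constructed scenario: dropped DLL, new service, changed autorun value."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "legit.dll").write_bytes(b"original build")
        baseline_files = snapshot_dir(d)          # taken at build time
        (Path(d) / "dropped.dll").write_bytes(b"not in the build")
        (Path(d) / "legit.dll").write_bytes(b"patched in place")
        file_changes = diff_snapshots(baseline_files, snapshot_dir(d))
    # Service list: name -> start type (placeholder values)
    baseline_svcs = {"Spooler": "auto", "Dhcp": "auto"}
    current_svcs = dict(baseline_svcs, NewSvc="auto")
    service_changes = diff_snapshots(baseline_svcs, current_svcs)
    # Registry: Run key value repointed at another binary (placeholder paths)
    run_key = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
    baseline_reg = {run_key + r"\POSApp": r"C:\pos\pos.exe"}
    current_reg = {run_key + r"\POSApp": r"C:\pos\dropped.exe"}
    registry_changes = diff_snapshots(baseline_reg, current_reg)
    return {"files": file_changes, "services": service_changes,
            "registry": registry_changes}

if __name__ == "__main__":
    for area, (added, removed, modified) in demo().items():
        print(f"{area}: added={added} removed={removed} modified={modified}")
```

A real agent would take the baseline from the hardened build image and raise an alert on every non-empty diff, with planned changes reconciled against a change ticket.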
FIM and hardening for POS systems have become much more important in recent weeks due to the end of XP support, since the majority of POS systems still run on Windows XP platforms.
Breaches such as those at Target and Home Depot could have been mitigated by taking some fairly simple steps. Start with the implementation of a hardened build standard with precision change detection (the PCI DSS recommends using the CIS Benchmarks as the best hardening standard to adopt), and couple this with breach detection technology (a FIM-based Host Intrusion Detection System, or HIDS). This will ensure that even if a breach is successful, at least you will be alerted to the fact immediately, so that any card data loss can be stopped – remember, Target lost data affecting over 70M individuals in just two and a half weeks, so where a breach can’t be prevented, speed of detection is critical.
POS terminals have been proven to be easy targets for criminals and are simply too sensitive to leave without defensive measures in place. When will you take action?