Another deep dive into Verizon’s 2016 Data Breach Investigations Report shows that, despite best efforts, point-of-sale devices themselves remain a reliable source of stolen data for fraudsters. This is particularly true of devices that directly “consume” information from magnetic stripes, and of point-of-sale controllers, which typically aggregate transactional data from terminals in a server-to-client relationship.
More importantly, this holds for SMB and large retailers alike: attackers exploit static, single-factor authentication to steal the credentials needed to breach systems. In general, attackers use those stolen credentials from a foothold already on the network rather than directly from the Internet.
Malware Makes Its Mark
Malware, according to the report, is also making its mark and has become the “workhorse” of point-of-sale breaches experienced by merchants of all sizes and types. Even worse, there has been an evolution from “off-the-shelf” key-logging malware, to memory-scraping malware (RAM scrapers), to point-of-sale-specific RAM scrapers such as BlackPOS and PoSeidon. Look at the numbers: of the 525 retail and hotel data breaches with confirmed data disclosure cited in the report, 512 involved memory-scraping malware.
Additionally, in attacks on point-of-sale systems, C2 malware (which, along with backdoors, is more prevalent now than in the past) is being used to ship captured data out from its source. The reality, according to Verizon, is that popular point-of-sale malware families “are typically multifunctional, and some of the most notorious (Dexter, vSkimmer, Aline, Backoff, and JackPOS) have command and control/backdoor capabilities.”
Because so many of these families are multi-functional, in many cases the use of one capability (e.g., “the one that stole the data,” according to the report) is easier to prove than the use of another (e.g., C2 beaconing). The spike in C2 and backdoor activity, Verizon said, could be a product of “better windows into the entire behavior of the malware.”
What does this all mean for MSPs? For starters, it’s important to talk retailers out of using static single-factor authentication, given how attractive it is to attackers. Verizon recommends shoring up authentication with a second factor, such as a hardware token or a mobile app. Signing clients up for monitoring services that keep a sharp focus on login activity, watching for unusual system login patterns, is a good idea. So, too, is ensuring that clients have the tools or services to track remote logins (e.g., by their vendors) and verify any that depart from the norm.
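The login-monitoring advice above is easy to state and harder to operationalize, so here is an added example (not from Verizon or from this article) of the simplest useful version of it: build a per-account baseline of source addresses and login hours from a learning period, then flag later logins that come from a new address, fall outside the usual hours, or belong to an account with no baseline at all (a rarely used vendor or service account). The log format, account names and addresses are constructed for the example.

```python
"""Flag remote logins that deviate from a per-account baseline.

Added example, not from Verizon's report or the article. The log format
("timestamp user src_ip result") and all names/addresses are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed learning-period log: what "normal" looks like for each account.
BASELINE_LOG = """\
2016-05-02T09:15:00 pos-vendor 203.0.113.10 success
2016-05-03T10:40:00 pos-vendor 203.0.113.10 success
2016-05-04T14:05:00 pos-vendor 203.0.113.11 success
2016-05-02T08:00:00 store-admin 192.0.2.20 success
2016-05-03T17:30:00 store-admin 192.0.2.20 success
"""

# Constructed new activity to review against that baseline.
NEW_LOG = """\
2016-05-10T11:00:00 pos-vendor 203.0.113.10 success
2016-05-10T02:45:00 pos-vendor 198.51.100.7 success
2016-05-10T03:10:00 pos-vendor 198.51.100.7 failure
2016-05-11T09:00:00 backup-svc 198.51.100.9 success
2016-05-11T12:00:00 store-admin 192.0.2.20 success
"""


def parse(log):
    """Turn the constructed log text into (datetime, user, ip, result) tuples."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events


def build_baseline(events):
    """Per account: the source IPs and hours-of-day seen on successful logins."""
    base = defaultdict(lambda: {"ips": set(), "hours": set()})
    for ts, user, ip, result in events:
        if result == "success":
            base[user]["ips"].add(ip)
            base[user]["hours"].add(ts.hour)
    return base


def hours_apart(a, b):
    """Distance between two hours-of-day, wrapping around midnight."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def find_anomalies(baseline, events, hour_slack=1):
    """Return every login that needs a human look, with the reasons why."""
    findings = []
    for ts, user, ip, result in events:
        reasons = []
        if user not in baseline:
            reasons.append("no baseline for account")
        else:
            if ip not in baseline[user]["ips"]:
                reasons.append("new source ip")
            usual = baseline[user]["hours"]
            if not any(hours_apart(ts.hour, h) <= hour_slack for h in usual):
                reasons.append("outside usual hours")
        if reasons:
            findings.append({"time": ts.isoformat(), "user": user, "ip": ip,
                             "result": result, "reasons": reasons})
    return findings


def run():
    """Build the baseline from BASELINE_LOG and review NEW_LOG against it."""
    baseline = build_baseline(parse(BASELINE_LOG))
    return find_anomalies(baseline, parse(NEW_LOG))


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Failed logins are reviewed too, not just successful ones, because a vendor account trying a new address at 3 a.m. is worth a look whether or not the attempt worked. In production the baseline would be rebuilt on a rolling window and the "new source ip" test would normally compare networks or ASNs rather than exact addresses.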
Segmentation is a must. Let retail clients know the importance of separating the point-of-sale environment from the corporate LAN, and ensure that the point-of-sale environment isn’t visible to the entire Internet. Finally, bring on the anti-malware ammunition, because as the report shows, it’s becoming more and more critical to quashing hackers’ attempts at breaking into the point-of-sale system.
You may not be able to sell merchants (especially SMB merchants) on all of these steps at the same time. But give it a try and do as much as you can, as soon as you can, because for the retail market, PCI compliance isn’t the be-all and end-all of point-of-sale data security.
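To make the two segmentation requirements concrete (the POS segment is not reachable from the whole Internet, and the corporate LAN cannot talk to it directly), here is an added example of a small policy audit, not code from Verizon or this article. It reads an allow-list style rule set in a constructed "action src dst port" format, checks each allow rule against the two requirements plus an egress rule (POS hosts may only talk to the payment processor and to each other), and reports violations. The subnets, jump host and processor range are all assumptions for the example.

```python
"""Audit a simple firewall policy for a point-of-sale segment.

Added example, not from any vendor or from the article. Rule lines are
"action src_cidr dst_cidr port" (constructed format); all addresses below
are constructed assumptions.
"""
import ipaddress

POS_NET = ipaddress.ip_network("10.20.0.0/24")      # assumed POS segment
CORP_NET = ipaddress.ip_network("10.10.0.0/16")     # assumed corporate LAN
JUMP_HOST = ipaddress.ip_network("10.10.5.5/32")    # assumed admin jump host
PROCESSOR = ipaddress.ip_network("203.0.113.0/24")  # assumed payment processor

# Constructed "before" policy: flat network with remote access open to the world.
WEAK_POLICY = """\
# action src dst port
allow 0.0.0.0/0     10.20.0.0/24 3389
allow 10.10.0.0/16  10.20.0.0/24 445
allow 10.20.0.0/24  0.0.0.0/0    any
"""

# Constructed "after" policy: admin access only via the jump host, egress only
# to the processor, POS-to-POS traffic allowed, everything else denied.
HARDENED_POLICY = """\
# action src dst port
allow 10.10.5.5/32  10.20.0.0/24 3389
allow 10.20.0.0/24  203.0.113.0/24 443
allow 10.20.0.0/24  10.20.0.0/24 any
deny  0.0.0.0/0     0.0.0.0/0    any
"""


def parse_rules(text):
    """Parse rule lines into (action, src_network, dst_network, port) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, src, dst, port = line.split()
        rules.append((action, ipaddress.ip_network(src),
                      ipaddress.ip_network(dst), port))
    return rules


def audit(rules):
    """Return a list of human-readable findings for allow rules that break the policy."""
    findings = []
    for action, src, dst, port in rules:
        if action != "allow":
            continue
        reaches_pos = dst.overlaps(POS_NET)   # any rule whose destination covers POS
        from_pos = src.overlaps(POS_NET)      # any rule whose source covers POS
        # Requirement 1: POS must not be reachable from "any" address.
        if reaches_pos and src.prefixlen == 0:
            findings.append(f"POS reachable from any address: allow {src} -> {dst}:{port}")
        # Requirement 2: corporate LAN reaches POS only through the jump host.
        elif reaches_pos and src.overlaps(CORP_NET) and not src.subnet_of(JUMP_HOST):
            findings.append(f"corporate LAN can reach POS directly: allow {src} -> {dst}:{port}")
        # Requirement 3: POS egress limited to the processor and the POS segment itself.
        if from_pos and not (dst.subnet_of(PROCESSOR) or dst.subnet_of(POS_NET)):
            findings.append(f"POS egress outside processor/POS: allow {src} -> {dst}:{port}")
    return findings


if __name__ == "__main__":
    print("weak policy:")
    for f in audit(parse_rules(WEAK_POLICY)):
        print("  " + f)
    print("hardened policy findings:", audit(parse_rules(HARDENED_POLICY)))
```

The destination test uses `overlaps` on purpose: a rule whose destination is `0.0.0.0/0` still reaches the POS segment, and an audit that only matched exact POS prefixes would miss it. The egress test uses `subnet_of` for the opposite reason: a POS rule may only send to ranges that lie entirely inside the processor or POS networks.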