Avoidable POS breaches reflect security apathy, changing risks: AFP

Retailers have put customers’ sensitive details at risk by failing to upgrade point of sale (POS) terminals that have subsequently been compromised by hackers, a senior Australian Federal Police (AFP) investigator has warned.

Neil Gaughan, assistant commissioner with the AFP’s High Tech Crime Operations unit, told attendees at the Symantec Symposium in Melbourne that a failure to take basic security precautions had compromised customer data in the past and was continuing to do so.

“The biggest threat we see at the moment is compromises of POS terminals,” Gaughan said. “We anticipate that about one percent of [attacks] we see are actually using new exploits. The majority of exploits used to extract information from companies are not new exploits.”

He cited two recent cases – a medium-sized national retailer whose POS system was hacked and “potential fraud in the tens of millions of dollars” instigated, and a Sri Lankan gang that sold compromised systems to retailers on both coasts before quietly revisiting the locations and skimming off credit-card details – in which a disciplined patching regime would have prevented the intrusions.

Gaughan compared information-security theories to those used in physical security, where layers of protection can dissuade would-be attackers that will look elsewhere for softer targets. “If you’ve updated those systems sufficiently you’ve actually mitigated the attack,” he said. “We’ve almost reached saturation in the level of education we can give the customer, and some people still don’t get the message. We probably need a tsunami cyber-event for some people to take this more seriously.”

Although he cited the increasing difficulty of forensic examinations due to broader use of strong encryption, and the challenges of inter-jurisdictional investigations, Gaughan said an even bigger problem was that many Australian companies were still sweeping criminal incidents under the carpet.

The AFP had recently worked with several financial-services companies that had been extorted by criminals who had threatened to launch denial of service (DoS) attacks against the companies unless they paid a ransom. Many had succumbed – making them targets for repeated extortion and contributing to a climate where online extortion against businesses is not only rife and profitable but rarely reported.

“This is what I see as the new black,” Gaughan explained, “because it’s fundamentally very quick, and it’s a good way for people to make money in a criminal sense. A lot of people aren’t reporting these issues to police because they just hope the DoS attacks will go away. But once you pay, you’re in a cycle of continuing payment.”

Gaughan slammed the lack of a mandatory reporting regime for data breaches, arguing that the culture of suppression was preventing law-enforcement authorities from getting a true picture of the activities of online criminals.

He was also supportive of data retention proposals – a controversial point that is currently under discussion within the parliaments of Australia and elsewhere – and said it was surprising consumers had united against the proposals when they were proving more than happy to allow their personal shopping habits to be collected in minute detail by retail giants.

“We’ve got to get this argument right, because at the moment the left side holds sway,” he said. Yet financial crimes aren’t the only area where Gaughan sees problems: he also cited the growing dangers posed by mobile devices, noting that it is entirely possible for malware to load itself onto a smartphone, then surreptitiously record conversations and ambient sounds, and collect personal data.

“The implications are broader than just criminal activity, particularly in relation to espionage,” he said. “What we can do with a mobile phone now, compared with what we can do in the majority of the real world, is actually quite frightening.”

Stories by David Braue