Why hackers may be stealing your credit card numbers for years

Hackers may have the upper hand for years as the retail industry slowly upgrades its systems, analysts said

While conducting a penetration test of a major Canadian retailer, Rob VandenBrink bought something from the store. He later found his own credit card number buried in its systems, a major worry.

The retailer, which has hundreds of stores across Canada, otherwise had rock-solid security and was compliant with the Payment Card Industry Data Security Standard (PCI-DSS), said VandenBrink, a consultant with the IT services company Metafore.

But a simple configuration error allowed him to gain remote access. From there, he found the retailer was vulnerable to the same problem that burned Target, Neiman Marcus, Michaels, UPS Store and others: clear-text card data sitting in the memory of its point-of-sale systems, where malicious software can harvest it.

The problem is growing worse. The U.S. Department of Homeland Security and Secret Service warned last month that upwards of 1,000 businesses may be infected by malware on their electronic cash registers, known in the industry as point-of-sale devices.

So why are the data thieves winning? Security analysts say point-of-sale malware is neither new nor particularly sophisticated. Programs such as Backoff, BlackPOS and JackPOS search the register's memory for clear-text payment card details, which sit amid a jumble of other data in the window between a card swipe and the moment the application encrypts the transaction for transmission to the processor, a process known as "RAM scraping."

Merchants who handle card data are required to be PCI-DSS compliant or face liability if cardholder data leaks. But the latest security specification, PCI-DSS version 3.0, doesn't mandate that merchants use technologies that encrypt card data from the moment a person's card is swiped, referred to as point-to-point encryption (P2PE).

Using that kind of technology would take the in-memory malware problem away, security experts say: the card data is encrypted inside the tamper-resistant reader before it ever reaches the register, so a RAM scraper running on the register finds only ciphertext. The caveat is that the encryption has to happen in the reader hardware; encrypting in software on the register after the swipe leaves the same clear-text window for malware to read.
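To make the two preceding points concrete, here is an added example, not code from the article or from Metafore's test. It scans a memory image the way Backoff-style RAM scrapers do (track-2 regex, bare-PAN regex, Luhn filter to drop false positives) and runs that scan over two constructed register memory images: one where the reader hands the application clear-text track data, and one where a P2PE reader hands it only ciphertext. The PANs are the public Visa and Mastercard test numbers, the noise and the memory layout are constructed, and the HMAC-based keystream is a stand-in for the reader's real DUKPT/3DES or AES; none of that is from the page.

```python
import hashlib
import hmac
import re

# Track-2 layout (ISO/IEC 7813): ;PAN=YYMM<service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")
# A bare PAN: a run of 13-19 digits with no digit on either side
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check; scrapers apply it so random digit runs are not mistaken for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """First six and last four only, so the checker itself never re-exposes a PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_card_data(buf: bytes) -> list:
    """Scan a memory image for track-2 records and bare PANs, as a RAM scraper does."""
    hits = {}
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits[pan] = {"pan": mask(pan), "expiry": m.group(3).decode() + "/" + m.group(2).decode(),
                         "source": "track2", "offset": m.start()}
    for m in PAN_RE.finditer(buf):
        pan = m.group(1).decode()
        if pan not in hits and luhn_ok(pan):
            hits[pan] = {"pan": mask(pan), "expiry": None, "source": "pan", "offset": m.start()}
    return sorted(hits.values(), key=lambda h: h["offset"])


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode) standing in for the reader's
    real DUKPT/3DES or AES. Illustration only; do not use as a cipher."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def reader_encrypt(track2: bytes, key: bytes, nonce: bytes) -> bytes:
    """What a P2PE reader does inside its tamper-resistant hardware; the register only
    ever receives this blob. A real reader derives a fresh key per swipe (DUKPT)."""
    return nonce + _keystream_xor(key, nonce, track2)


def processor_decrypt(blob: bytes, key: bytes) -> bytes:
    """Decryption lives at the processor (in an HSM), never on the merchant's register."""
    return _keystream_xor(key, blob[:8], blob[8:])


# Constructed sample data: public test PANs, not real cards. The noise carries a
# 16-digit run that fails Luhn, the kind of false positive the scraper must drop.
TRACK_A = b";4111111111111111=25121010001?"
TRACK_B = b";5555555555554444=26031010002?"
NOISE = b"\x00POST /pay HTTP/1.1\r\norder=1234567890123456&\xff\xfe"
KEY = b"reader-injected-key-for-demo"  # assumed key, injected into the reader at the factory


def legacy_pos_memory() -> bytes:
    """Non-P2PE register: the reader hands the application clear-text track data."""
    return NOISE + TRACK_A + b"\x00" * 16 + NOISE + TRACK_B + b"\x00" * 8


def p2pe_pos_memory() -> bytes:
    """P2PE register: the same two transactions, but only ciphertext reaches the register."""
    return (NOISE + reader_encrypt(TRACK_A, KEY, b"\x01" * 8) + b"\x00" * 16
            + NOISE + reader_encrypt(TRACK_B, KEY, b"\x02" * 8) + b"\x00" * 8)


if __name__ == "__main__":
    print("legacy:", find_card_data(legacy_pos_memory()))
    print("p2pe:  ", find_card_data(p2pe_pos_memory()))
```

Run against a real dump (for instance a process memory image taken with the operating system's own tooling during a test like VandenBrink's), the same `find_card_data` is the check a pentester or incident responder uses to answer the question the article raises: is there clear-text card data in this register's memory at all? The masked output is deliberate; a checker that writes full PANs to a report creates a second copy of the data it was meant to find.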

The PCI Security Standards Council, which develops PCI-DSS, did recommend last Wednesday that merchants switch to using that kind of encryption technology.

But retailers often have long technology refresh cycles, so it could be five to seven years before most move to it. Fraud is expected to migrate from big retailers that resolve the weaknesses to smaller ones who have not, said Avivah Litan, a Gartner analyst who consults with banks and card companies.

"In general, I think we are stuck with these point of sale breaches for many years," Litan said.

Retailers are also missing key signs in their network logs that they're under attack. Consequently, most breaches are discovered by third parties, such as when fraud shows up on cards, said Bryan Sartin, managing director for Verizon's Risk Team, which investigates data breaches.

Many merchants are using "1990s technology to react to modern-era cyberattacks," Sartin said.

Merchants can be fined by card companies for breaches and are on the hook to pay for forensic investigations, which for PCI-related breaches can cost upwards of US$100,000, said Nick Economidis, an underwriter with the Beazley Group, which has seen its data breach insurance business boom.

In recent years, merchants have occasionally struck back, suing suppliers and integrators of POS systems. Those lawsuits have generally argued the suppliers are liable for breaches due to setup and maintenance errors.

Interestingly, very few of the lawsuits are ever litigated, as POS suppliers often choose to settle, said Charles Hoff, an Atlanta-based lawyer who has been involved in many such actions.

POS suppliers "may feel that they have a strong defense but they don't like the scrutiny in terms of the media," Hoff said. "It certainly doesn't help them in the marketplace. They want to figure out a way to keep their [customers] and not lose them."

All merchants want to do is "sell what they're selling," said Pam Galligan, vice president of compliance and industry relations for Mercury Payment Systems, whose payment processing technology is built into various POS systems.

"PCI asks these merchants to comply with an increasingly technical set of requirements," she said. "They don't want to spend a lot of time and energy trying to protect their card environments."

There's a broad effort under way to ensure that merchants are up to speed with PCI-DSS 3.0, which comes into force on Jan. 1. But it's complex: there are 12 main requirements and more than 250 sub-requirements.

Galligan said Mercury works to ensure its POS partners are up on PCI. Hoff is co-founder and CEO of PCI University, an organization that tries to explain PCI-DSS to people who aren't data security experts.

Merchants are under heavy pressure to handle card data right every time, all the time. The PCI Council advises that retailers can't just pass an annual audit and forget about it. A main concern is that networks are modified over time, which could inadvertently create weak points for hackers to capitalize on.

That is exactly what happened with the Canadian retailer VandenBrink tested. The company had recently finished a hardware refresh and in the process left two ports, telnet and SSH, open to the Internet, he said.

The ports were password protected, but using various techniques, VandenBrink eventually discovered the right passwords. That allowed him to get access to where the payment card data was held in memory, including his own.

"I was surprised," he said. "There were thousands of cards in memory."
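The exposure that let VandenBrink in, two remote-login ports left open after a hardware refresh, is the kind of drift the PCI Council's warning about networks changing over time is aimed at, and it is cheap to check for continuously. The following is an added example, not code from the article or from Metafore: it parses a scan of the merchant's Internet-facing range in nmap's grepable (`-oG`) output format, diffs the open ports against the services the change record says should be exposed, and ranks what is left, with clear-text logins such as telnet ranked above encrypted ones. The scan text, the addresses (RFC 5737 documentation space) and the baseline are all constructed for the example.

```python
import re

# Constructed sample in nmap -oG format, standing in for a post-refresh scan of the
# merchant's Internet-facing range. Real output comes from: nmap -sS -oG - <range>
SCAN_AFTER_REFRESH = """\
# Nmap scan initiated as: nmap -sS -oG - 203.0.113.0/29
Host: 203.0.113.2 ()\tStatus: Up
Host: 203.0.113.2 ()\tPorts: 443/open/tcp//https///\tIgnored State: filtered (999)
Host: 203.0.113.5 ()\tStatus: Up
Host: 203.0.113.5 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 443/open/tcp//https///\tIgnored State: filtered (997)
# Nmap done
"""

# What the change record says should be reachable from the Internet: TLS only.
BASELINE = {("203.0.113.2", 443, "tcp"), ("203.0.113.5", 443, "tcp")}

HOST_PORTS_RE = re.compile(r"^Host: (\S+) \([^)]*\)\tPorts: (.*)$")
# -oG port entries: port/state/protocol/owner/service/rpc info/version/
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)//([^/]*)/")

CLEARTEXT_LOGIN = {21: "ftp", 23: "telnet"}        # credentials cross the wire in the clear
REMOTE_ADMIN = {21, 22, 23, 3389, 5900, 5985}      # any remote login reachable by password


def parse_grepable(text: str) -> dict:
    """Return {(host, port, proto): service} for every open port in -oG output."""
    open_ports = {}
    for line in text.splitlines():
        m = HOST_PORTS_RE.match(line)
        if not m:
            continue
        host, ports = m.groups()
        for pm in PORT_RE.finditer(ports):
            open_ports[(host, int(pm.group(1)), pm.group(2))] = pm.group(3)
    return open_ports


def exposure_drift(scan_text: str, baseline: set) -> list:
    """Everything open that the baseline does not allow, worst first."""
    observed = parse_grepable(scan_text)
    findings = []
    for key in observed.keys() - baseline:
        host, port, proto = key
        if port in CLEARTEXT_LOGIN:
            severity = "critical"   # remote login with no transport encryption
        elif port in REMOTE_ADMIN:
            severity = "high"       # remote login guarded only by a password
        else:
            severity = "medium"     # unexpected, but not a login surface by itself
        findings.append({"host": host, "port": port, "proto": proto,
                         "service": observed[key], "severity": severity})
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["host"], f["port"]))


if __name__ == "__main__":
    for f in exposure_drift(SCAN_AFTER_REFRESH, BASELINE):
        print(f"{f['severity']:8} {f['host']}:{f['port']}/{f['proto']} ({f['service']})")
```

The baseline is the point of the exercise: a scan on its own only tells you what is open, while the diff against an agreed list tells you what changed since the last audit, which is exactly what a hardware refresh can alter without anyone filing a ticket. Scheduling this after every change window, rather than once a year for the assessor, is the "can't just pass an annual audit and forget about it" advice turned into a control.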

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk
