11/25/2015 12:15 PM

Hilton Data Breach Focuses Attention On Growing POS Malware Threat

Analysts expect an increase in POS attacks against retailers and others during this holiday shopping season.

News this week about a data breach at Hilton Worldwide has focused attention on what many security researchers say is an uptick in the use of point-of-sale (POS) system malware to steal payment card data from retailers and other organizations.

Hilton on Tuesday confirmed that unknown attackers had broken into some of its POS systems and stolen names, card numbers, expiration dates and security codes belonging to an unspecified number of credit and debit cardholders. Personal identification numbers (PINs) and addresses were not compromised, the company said.


Hilton’s statement suggests that hackers had access to its POS systems for a total of at least 17 weeks spanning two separate time periods: the first between Nov. 18 and Dec. 5, 2014, and the second between April 21 and July 27, 2015.

Hilton did not say whether this meant it suffered two separate incursions or whether the same hackers who had accessed its POS systems in 2014 accessed them again this year. As has become standard in such situations, the company has offered one year of free credit monitoring services to customers impacted by the breach.

Hilton is the second hotel chain to announce a breach in the past several days. Just last week, Starwood Hotels -- the owner of brands like Sheraton, Westin, and W Hotels -- disclosed that hackers had breached POS systems at over two dozen of its properties.

Like Hilton, Starwood did not disclose the number of people affected by the breach but confirmed that sensitive cardholder data had been compromised. In Starwood’s case, the relevant POS systems appear to have been attacked separately over a time span starting November 2014 and continuing through the end of June 2015.

The POS malware responsible for the attacks on Hilton and Starwood has not been named. No indications have been given yet that the stealthy ModPOS, detailed by iSIGHT Partners this week, was to blame.

The breaches are just the beginning of what security analysts predict will be a spate of attacks on vulnerable POS systems this holiday season. “Point of sale (POS) systems – what consumers often call the checkout system – are often the weak link in the chain” for retailers and businesses in the hospitality industry, said Mark Bower, global director of product management for HPE Security, following the recent attack on Starwood.

“A checkout terminal in constant use is usually less frequently patched and updated, and is thus vulnerable to all manner of malware compromising the system to gain access to cardholder data,” said Bower.

The holiday shopping rush creates the perfect opportunity for attackers to target POS systems, compliance services provider Trustwave said in a recent report. According to the company, some 40 percent of breaches in 2014 were POS-related, with almost all of them resulting from remote access vulnerabilities and weak passwords. Attackers targeted POS systems using at least 70 individual POS malware tools. Input validation errors stemming from SQL injection flaws and unpatched vulnerabilities caused 75 percent of the breaches that Trustwave reviewed.

Such issues could pose even bigger concerns this year, say some security vendors. For one thing, retailers are still only working to meet PCI 3.0 compliance requirements, says Chris Strand, senior director of compliance at Bit9+Carbon Black.

This is also the first holiday shopping season after the EMV liability shift went into effect, which means that in the event of payment card fraud, whichever party -- merchant or card issuer -- has failed to implement EMV Chip-and-PIN technology is the one stuck with liability for the fraud. Thus, EMV will now be in greater use, and many consumers will have an entirely new purchasing experience this season.

The approaching end of life for Windows XP Embedded in January adds to the problem, says Strand, noting that many POS systems still run that operating system.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

Comments
Joe Stanganelli, User Rank: Ninja
12/1/2015 | 8:16:17 AM
Re: POS Exploitation
Indeed. I recently gave a talk on cyber insurance and cyber liability issues at MIT, and one of the primary problems we're seeing is that whereas enterprise is getting on board, SMEs feel priced out of the cyber insurance market or otherwise feel that it is inaccessible -- simply because of its complexity. Alas, SMEs are the ones most deeply impacted by a data loss or data breach.
Joe Stanganelli, User Rank: Ninja
11/29/2015 | 8:05:55 PM
Re: POS
A simple little one-sheet instruction manual, or email, or pop-up when paying a bill online, or whatnot, could go a long way in educating customers.
Joe Stanganelli, User Rank: Ninja
11/29/2015 | 8:04:25 PM
Re: Dumb POS
@Dr. T: Indeed, going back to the old cash registers would certainly make things more secure -- but it would then be an obstacle to data collection.

The real problem, typically, is infrastructure. The Target hack, for instance, was made possible by the fact that the vendor's HVAC was connected to the same infrastructure as the POS systems.
Joe Stanganelli, User Rank: Ninja
11/29/2015 | 8:02:20 PM
Re: POS
Apple Pay and Google Pay are not inherently more secure; they just have different security vulnerabilities than EMV (or, for that matter, black-stripe cards). Lose your device and you're potentially screwed (especially what with easily hackable fingerprint biometrics). And there may still be viable MitM attacks.
RyanSepe, User Rank: Ninja
11/29/2015 | 5:01:10 PM
Re: POS
I've heard some companies that have Apple Pay capabilities ready are not necessarily always active.

I.e., stores can use Apple Pay but have yet to set it up. Can anyone add to this?
RyanSepe, User Rank: Ninja
11/29/2015 | 4:59:27 PM
Re: POS Exploitation
@Joe: That's a little brazen on the CIO's part.

And yes, it could be part of design... hopefully companies that go down this road have good cyber security insurance and their breach falls under the terms of their policy.
RyanSepe, User Rank: Ninja
11/29/2015 | 4:56:34 PM
Re: POS
@Joe: Agreed. I'm not even sure what that might look like in terms of approach. I envision something similar to when Apple is teaching people how to use iCloud or BestBuy holds a tech learning session (etc.), but instead with EMV?
Dr.T, User Rank: Ninja
11/29/2015 | 12:03:20 PM
Re: POS
I hear you. I would say everybody should be equally responsible: credit card company, bank, and retail delivery company all have to be equally responsible. That would take us to Apple Pay, and we will have fewer troubles.
Dr.T, User Rank: Ninja
11/29/2015 | 12:01:13 PM
Re: POS Exploitation
Obviously PCI compliance is not optional anymore if you are doing business with government or other big companies; they now ask their sub-contractors to be PCI compliant.
Dr.T, User Rank: Ninja
11/29/2015 | 11:56:11 AM
Re: POS Exploitation
Agree, most POS is old technology, so changing it is costly, but as Target and Hilton realize, not changing is apparently more costly.