Attacks/Breaches
7/15/2014
03:45 PM
Chris Nutt
Chris Nutt
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Payment Card Data Theft: Tips For Small Business

For small businesses looking to reduce their exposure to data theft the good news is the advantage of being small.

Nothing frightens me more than walking into a local business and watching them swipe my credit card through a card reader connected to a desktop or laptop computer. Unprotected cables lay exposed between the card reader, system, and other network or peripheral devices. So many attack vectors -- all low-hanging fruit for an enterprising criminal targeting payment card data.

Based on my experience investigating payment card data theft, a number of questions immediately come to mind:

  • Is unencrypted card data transmitted through any of those cables?
  • Is the card-processing software configured correctly and up-to-date?
  • Has the computer’s operating system been hardened?
  • Is the computer running antivirus and is it up-to-date?
  • Do the company outsource IT management and is there a remote management port open to the Internet?
  • Do the company browse the Internet or read email on that computer?

I’m not worried about my own card being compromised. I know that as long as I’m using a major brand, and not a debit card connected to my checking account, that I’ll have little to no liability. I am however, concerned for the vendor. In the nine years I’ve performed incident response investigations, I’ve spoken with dozens of compromised small business owners. Time and time again, they have told me they cannot afford to decline payment card transactions, nor can they pay for an investigation that may cost thousands or tens-of-thousands of dollars.

The good news is that small businesses have the advantage of being, well -- small.

With fewer terminals and backend systems, small businesses are not as dependent upon a large and complex POS or back office system. The lack of a complex POS or back office system would allow a small business owner to move to newer and more secure platforms and/or outsource and transfer the risk and costs associated with data theft to the service provider. Moving to a more secure platform and/or reducing the size of the environment through outsourcing would reduce the likelihood that a small business will be the source of card data theft and be required to finance a costly investigation.

Here are some recommendations to follow that will help reduce your small business’s exposure to payment card data theft:

Do not maintain a Payment Card Industry (PCI) environment or maintain the smallest PCI environment possible.

  • Consider the use of a mobile or tablet device to process card data. The operating system for many of these devices is more secure than the desktop operating system running on many traditional POS systems. An ideal example would be a non-jailbroken iPad or iPhone that you solely use for card transactions, and a PCI DSS (Data Security Standard) compliant mobile card reader, such as Square or Stripe.
  • Consider using a cellular network for card transactions instead of your wired or wireless network. This will prevent you from processing card data on the same LAN or WiFi network that is used by your business or customers.

If you must process transactions using a traditional Point of Sale (POS) system:

  • Start by reconsidering this requirement. Unless all of the services provided with a compliant mobile card reader fall far short of your accounting or inventory management requirements, it may not be worth the added risk. Attackers have repeatedly proven that traditional POS systems, even when properly configured and fully patched, are vulnerable.
  • Use a standalone POS PIN Pad that connects via plain old telephone system (POTS). This removes the computer and your network from the equation, but may not be a long-term solution as telecom providers move to decommission POTS.
  • Keep the system fully patched, harden the configuration/eliminate unnecessary services, and run antivirus.
  • Ensure all POS software is up to date and configured as directed by the vendor, since the default settings may not be secure.
  • Do not outsource the maintenance of these devices to a company that will directly access remote management ports over the Internet.

Important best practices for all systems:

  • Protect the physical security of all systems that store, process, or transmit cardholder information. All security is lost if an attacker can alter or replace your equipment. 
  • Do not allow systems in you PCI environment to connect to the Internet, aside from the connections required to process card transactions or patch the system.
  • Do not allow systems in your PCI environment to connect to any systems on your network that are not necessary for processing card transactions or patching.

What about small businesses that conduct business online? In my experience, self-hosted solutions, whether reliant on internally developed or commercial off the shelf (COTS) software, are a significant risk. Attackers are adept at exploiting vulnerabilities in internet-facing applications used to process PCI data.

Small business owners should consider using a PCI DSS compliant provider when handling online transactions. This process can be made transparent to the customer. It transfers the risks and costs associated with data theft to the service provider.

Following these recommendations will not magically solve the problem of cardholder data theft. After all, small businesses aren’t the only targets. We’ve seen plenty of large retailers, banks, and payment processors fall victim to attacks. However, these steps will transfer risk away from small businesses that cannot (and should not) bear the burden of operating a secure PCI environment.

While some of these solutions may increase transaction costs, it’s likely that some or all of the cost will be offset by the reduced cost of managing systems, networks, and by the reduced risk of having to conduct a costly investigation.

 

Chris Nutt is the Director of Incident Response and Malware of Mandiant. He has nine years of experience in enterprise incident response, working with the federal government, defense industrial base, and Fortune 100 companies. He has extensive experience in incident ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
catvalencia
50%
50%
catvalencia,
User Rank: Apprentice
8/12/2014 | 5:14:32 AM
Re: Square & iphones
Very informative! Information regarding one's card, such as card numbers and so forth, should be kept hidden, such as shredding statements or blacking out sensitive information before throwing them away. Another good tip is to constantly monitor the account. Check statements thoroughly and promptly and report any suspicious purchases immediately. Source: Credit Card Fraud

 
KateN232
50%
50%
KateN232,
User Rank: Apprentice
7/21/2014 | 10:52:20 AM
Re: Square & iphones
The Cloud And Big Data as an important part of small business

Using of big data and the cloud have great influence on practically each business industry. It allows companies of all sizes to serve customers more effectively, analyze and improve business processes. Read more https://www.snappii.com/resource-center/cloud-big-data-important-part-small-business/
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
7/18/2014 | 11:10:37 AM
Re: Square & iphones
I have to agree, I hope they read this.  Many of the small businesses that utilize square appear to use their personal devices.
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
7/16/2014 | 12:21:17 PM
Re: Square & iphones
It would be beneficial to small merchants if card processing vendors suggest this practice to their clients, who do not normally hear or read about these little issues regarding their choice of payment systems. Since vendors already supply information to accompany their products, additional information like this would be valuable. Although the argument could be made that it would detract from the attractiveness of their product as a convenient addition to something merchants already use on a daily basis, it would serve to force the buyers to weigh the risk themselves, and at the very least, keep them informed.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/16/2014 | 11:47:27 AM
Re: Square & iphones
I don't think the word has gotten out to the small  merchants that I've seen working with Square. Hopefully a few of them are reading this blog!
ChrisNuttMandiant
50%
50%
ChrisNuttMandiant,
User Rank: Author
7/16/2014 | 11:26:30 AM
Re: Square & iphones
Hey Marilyn,

I would definitely recommend that vendors use a dedicated device for carrying out card transactions.  Having a dedicated device would mean that only the application(s) required for the card transactions would be installed; reducing the likelihood that unnecessary third-party applications would reduce the security of the device.
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
7/16/2014 | 10:13:14 AM
Re: Square & iphones
I would definitely suggest a cellular mobile device used exclusively for that purpose, and not for games, mail, etc. Additionally, if the card transaction is transmitted via the same network used by other computing devices, or if the mobile device connects to that network at all, then the PCI scope expands to include every device on that network.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/16/2014 | 8:34:53 AM
Square & iphones
good information here, Chris. I found your suggestion about using a non-jailbroken iPad or iPhone with mobile card reader like Square or Stripe particularly noteworthy. I've seen a number of small merchants use Square with their personal iphone. So are you sayng they should have a dedicated phone solely for those transactions? 
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-2595
Published: 2014-08-31
The device-initialization functionality in the MSM camera driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, enables MSM_CAM_IOCTL_SET_MEM_MAP_INFO ioctl calls for an unrestricted mmap interface, which all...

CVE-2013-2597
Published: 2014-08-31
Stack-based buffer overflow in the acdb_ioctl function in audio_acdb.c in the acdb audio driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via an application that lever...

CVE-2013-2598
Published: 2014-08-31
app/aboot/aboot.c in the Little Kernel (LK) bootloader, as distributed with Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to overwrite signature-verification code via crafted boot-image load-destination header values that specify memory ...

CVE-2013-2599
Published: 2014-08-31
A certain Qualcomm Innovation Center (QuIC) patch to the NativeDaemonConnector class in services/java/com/android/server/NativeDaemonConnector.java in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.3.x enables debug logging, which allows attackers to obtain sensitive disk-encryption pas...

CVE-2013-6124
Published: 2014-08-31
The Qualcomm Innovation Center (QuIC) init scripts in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.4.x allow local users to modify file metadata via a symlink attack on a file accessed by a (1) chown or (2) chmod command, as demonstrated by changing the permissions of an arbitrary fil...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.