Risk
12/22/2013 12:03 PM
Target Breach Should Spur POS Security, PCI 3.0 Awareness

An advanced skimming attack that swept card data from Target's whole network of point-of-sale devices will likely keep the momentum going for improving payment application security

The breach of cardholder data for 40 million Target customers, speculated to have been carried out through attacks against Target's point-of-sale (POS) systems, has become a prime example of why security professionals have pushed for improved POS and payment application security over the last few years. With the payment card brands expected to scrutinize POS and payment application security more closely as a result of the more stringent requirements written into PCI DSS 3.0 and PA-DSS 3.0, experts say Target's breach is a further reminder that POS systems need to be on retailers' immediate radar.

"There are some sophisticated attackers that understand payment processing and possess the high level of hacking skills needed to break into larger, more secure victims," says Lucas Zaichkowsky, enterprise defense architect at AccessData.

According to Chris Strand, director of compliance for Bit9, what separates the Target attack from traditional skimming attacks against individual POS devices is the sweeping collection of data across a whole network of devices. Rather than physically tampering with devices, attackers look for the path of least resistance.

"This is a common type of attack that we're going to see become more and more prevalent, because the attackers will take the path of least resistance, and, in this case, they're realizing that these POS systems are not protected from a vulnerability perspective," Strand says. "The fact is that the current security mechanisms they're using to guard the internals of these POS systems are vastly inadequate to protect the inner systems and software running on these things."

In addition to the scale of the attack and the volume of cardholder data taken, the depth of that data was also troubling: it included magnetic-stripe track data, not just card numbers.

"Loss of the track information from the credit cards is particularly nasty as it can allow for card cloning," says James Lyne, global head of security research at Sophos. "That said, just the cardholder's name, card, and security code has the potential for widespread online ordering fraud, which can be particularly nasty considering we're in the midst of the holiday season."

Lyne says he believes the Target breach points to poor architectural and business practices.

"It is critical that organizations handling such data take steps to protect it -- such large volumes of data should never be accessible by one user or process -- and should be encrypted to segment the data and should be detected if an export of such size occurs," Lyne says.
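
One concrete form of the detection Lyne describes is an egress check on the POS segment: terminals have a very short list of legitimate peers, and the volume they send to any one peer is bounded by authorization traffic. The script below is an added example for this article, not code from Target, Sophos or any other party quoted. The network layout (a 10.10.0.0/16 terminal segment, a store controller at 10.20.0.5, a gateway stand-in at 203.0.113.10), the 5 MB per-peer threshold and the flow records are all constructed assumptions.

```python
"""Egress check for a point-of-sale (POS) network segment.

Added example for this article; not code from Target or from any vendor quoted.
The network layout, flow records and threshold are constructed assumptions.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed layout: terminals sit in 10.10.0.0/16 and legitimately talk only to
# the in-store controller and the payment gateway (hypothetical addresses;
# 203.0.113.10 is a documentation-range stand-in for the gateway).
POS_SEGMENT = ip_network("10.10.0.0/16")
ALLOWED_DESTINATIONS = {
    ("10.20.0.5", 8443),    # store controller
    ("203.0.113.10", 443),  # payment gateway
}
# Bytes a single terminal should never push to one peer in the window (assumed).
MAX_BYTES_PER_PEER = 5_000_000

# Constructed flow records in a key=value format; no real telemetry.
SAMPLE_FLOW_LINES = [
    "2013-12-15T10:00:01 src=10.10.3.21 dst=203.0.113.10 dport=443 bytes=2100",
    "2013-12-15T10:00:04 src=10.10.3.21 dst=10.20.0.5 dport=8443 bytes=800",
    # Port 443 to an internal file server: a port-based rule passes this.
    "2013-12-15T10:00:09 src=10.10.3.21 dst=10.30.7.40 dport=443 bytes=150000",
    "2013-12-15T10:01:10 src=10.10.3.22 dst=10.30.7.40 dport=443 bytes=6500000",
    # Not a terminal: the controller talking to the gateway is out of scope here.
    "2013-12-15T10:01:30 src=10.20.0.5 dst=203.0.113.10 dport=443 bytes=9000000",
    # Allowed peer, but far more than authorization traffic should produce.
    "2013-12-15T10:02:00 src=10.10.3.23 dst=203.0.113.10 dport=443 bytes=5200000",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_flow(line):
    """Return (src, dst, dport, nbytes) from one constructed flow line."""
    fields = dict(FIELD_RE.findall(line))
    return fields["src"], fields["dst"], int(fields["dport"]), int(fields["bytes"])


def check_flows(lines):
    """Evaluate flow lines against the POS egress policy.

    Returns a dict with:
      unexpected_destination: sorted list of (src, dst, dport) for terminal
        traffic to any peer not on the allowlist, regardless of port;
      bulk_transfer: {(src, dst): total_bytes} for terminal->peer volumes
        above MAX_BYTES_PER_PEER, including allowed peers.
    """
    unexpected = set()
    volume = defaultdict(int)
    for line in lines:
        src, dst, dport, nbytes = parse_flow(line)
        if ip_address(src) not in POS_SEGMENT:
            continue  # only terminal-originated traffic is policed here
        volume[(src, dst)] += nbytes
        if (dst, dport) not in ALLOWED_DESTINATIONS:
            unexpected.add((src, dst, dport))
    bulk = {peer: total for peer, total in volume.items()
            if total > MAX_BYTES_PER_PEER}
    return {"unexpected_destination": sorted(unexpected), "bulk_transfer": bulk}


if __name__ == "__main__":
    for kind, hits in check_flows(SAMPLE_FLOW_LINES).items():
        print(kind, hits)
```

Two of the constructed flows go to an internal host on port 443. A rule that only matches on port lets both through; matching on the (destination, port) pair a terminal is actually allowed to reach catches them, and the per-peer byte total flags the bulk copy even when it goes to an allowed peer. The threshold is the part a practitioner has to tune from their own baseline of authorization traffic.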


Experts at SecureState, a PCI Forensic Investigator (PFI) firm, believe that as further details emerge it will be shown that Target was not compliant with PCI standards. Part of the issue, they say, could be that Target's custom-developed payment application did not meet PA-DSS requirements.

"For a hacker to be able to infiltrate Target's network and access the POS application, several PCI-DSS and PA-DSS controls must not have been implemented effectively. Thus, Target was not compliant during the time of the breach," says Ken Stasiak, CEO of SecureState. "How can I be so sure? We handle these investigations for the payment card brands, and in all of the investigations we performed, the merchant was not compliant to PCI-DSS controls during a breach."

But many security insiders have noted that Target has a particularly strong information security practice -- they point to its fast discovery and disclosure of the breach as testament to that -- and some wonder what other factors may have been at play.

"As Target is known to encrypt wireless transmission between the point-of-sale terminal and the wireless router, intercepting the personally identifiable information must have happened elsewhere in the processing chain," says Girish Bhat, senior product manager at Wave Systems. "To carry out an attack of this magnitude during the busiest holiday season is extremely difficult and may have involved multiple insiders."

Regardless of the precise cause of the Target breach, the ultimate lesson is that organizations need to pay greater attention to the POS-related changes put forward by the PCI Security Standards Council.

"The security controls that merchants are using to meet the requirements on those POS systems are being highly scrutinized by the standard," Strand says. "If you read through the standard, the overarching theme is to take a proactive stance when you implement your security controls to guard these systems. That is going to cause merchants to go out and say we need to readdress this. In the meantime, I think we're going to see more breaches like the recent Target breach."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
Bill Frank, User Rank: Apprentice, 1/22/2014 | 11:25:08 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
According to Brian Krebs (http://krebsonsecurity.com/201..., who seems to have the best information, the cardholder data was scraped from the memory of the POS terminals themselves. Therefore encrypting the data at rest or in motion would not have prevented the attackers from capturing the cardholder data.

Krebs went on to say that the cardholder data was then moved to a compromised server, most likely in the Target data center. So why didn't Target's firewalls' policies deny this communication between the POS terminals and this server? Also, since this communication happened can we deduce that Target was not in PCI DSS compliance requirement #1 - Install and maintain a firewall configuration to protect cardholder data?

The answer is that you can be completely compliant with the PCI DSS firewall requirements and still not block illicit communications. The reason is that PCI DSS does not specify the type of firewall to be used. Therefore you can use a legacy port-based, stateful inspection firewall, which cannot monitor all applications on all ports, all of the time, and be fully compliant. My point is that attackers can easily bypass a stateful inspection firewall. In fact, there are thousands of legitimate applications being used every day that bypass legacy firewalls. If you don't believe me, contact me, and I will prove it to you.

I am not sure if it's OK to provide a link to a more detailed blog post I wrote about this a couple of days ago at www.riskpundit.com. If not, just delete this paragraph.
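
The article's point about track data and the comment's point about memory scraping rest on the same fact: between the swipe and the authorization request, the Track 1 and Track 2 records from the magnetic stripe sit in cleartext in the POS process's memory. The scanner below is an added example, not code from any vendor, investigator or commenter quoted here. It walks a constructed memory buffer for both track formats, Luhn-validates the PAN to discard false positives, and masks what it reports. The buffer, the cardholder name and the card numbers are constructed test data (4111 1111 1111 1111 and 5555 5555 5555 4444 are the usual test PANs).

```python
"""Track-data scanner over a memory buffer.

Added example for this article and the comment above; not code from any vendor,
investigator or commenter quoted. The buffer, card numbers and names are
constructed test data (4111... and 5555... are well-known test PANs).
"""
import re

# Track 2: ;PAN=YYMM SSS discretionary ?   (PAN 13-19 digits, SSS = service code)
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# Track 1: %B PAN ^ NAME ^ YYMM SSS discretionary ?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")

# Constructed memory image: a POS process with two swipes in flight and a
# decoy record whose PAN fails the Luhn check.
SAMPLE_MEMORY = (
    b"\x00\x00POSAPP v2.1\x00auth_req\x00"
    b";4111111111111111=17121011234567890?"
    b"\x00\x00\x00junk\xff\xfe"
    b"%B5555555555554444^DOE/JANE^1805201000000000?"
    b"\x00log: ok\x00"
    b";1234567890123456=1801101999?"
    b"\x00"
)


def luhn_ok(pan):
    """Luhn checksum; true for every issued PAN and for the standard test PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep the first 6 and last 4 digits, the most PCI DSS allows on display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf):
    """Return every track record found in buf, sorted by offset, PAN masked."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append({"offset": m.start(), "track": 2, "pan_masked": mask_pan(pan),
                     "expiry": m.group(2).decode(), "service_code": m.group(3).decode(),
                     "luhn_ok": luhn_ok(pan)})
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append({"offset": m.start(), "track": 1, "pan_masked": mask_pan(pan),
                     "expiry": m.group(3).decode(), "service_code": m.group(4).decode(),
                     "luhn_ok": luhn_ok(pan)})
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    for hit in scan_buffer(SAMPLE_MEMORY):
        print(hit)
```

The same two regular expressions are what a RAM scraper uses to harvest and what a forensic examiner or DLP tool uses over a memory image to confirm what was exposed; the Luhn check is what keeps either from drowning in digit strings that merely look like card numbers. Disk and link encryption never touch this data because it is decrypted by the time the application handles it; only encrypting in the card reader itself, before the bytes reach the POS application (point-to-point encryption), takes the cleartext out of process memory.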
macker490, User Rank: Ninja, 12/28/2013 | 1:20:04 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
thanks
my remarks are not totally original -- I would suggest reading this report
http://arstechnica.com/tech-po...
on Whitfield Diffie's testimony as an expert witness for Newegg in their lawsuit v TQP

Whitfield explains the realization that network commerce would require security and authentication -- and relates that to his participation in the development of public key cryptography

managing key trust should be taught in the 7th grade rather than wasting time factoring polynomials.
macker490, User Rank: Ninja, 12/27/2013 | 2:17:38 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
remember -- it finally came out that the Heartland breach was an inside job -- using USB sticks -- AGAIN

if you are interested in security get motherboards with PS/2 connectors for keyboard & mouse -- and NO USB connectors. ideally the connectors should be inside a locked case.
lancop, User Rank: Apprentice, 12/27/2013 | 1:53:02 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
While the article is a good start on the Target Breach discussion, it is of necessity highly speculative since the investigation is in progress and insider forensic details are not likely to be forthcoming any time soon. But the real meat & potatoes at this point are to be found in the reader comments by folks like Mike Acker, pgregory and inforiskgroup. How transactions are captured, authenticated and settled is at the core of every credit card breach that we find ourselves dissecting, so informed comments by IT security professionals that illuminate the inherent flaws in the current standards or propose new processes that reduce the attack surface of credit card transaction systems are extremely helpful to all of us who play a role in the Information Technology arena. The Internet has become the public & private communications backbone of modern civilization, but financial transaction processing over this global network is rife with potential vulnerabilities that make fraudsters salivate in anticipation of a successful exploit at any point in the overall system. Given the costs & widespread disruption that POS breaches can cause to every party involved, it is critical to educate all IT professionals in security best practices and vulnerability assessment so that we can all be informed evangelists for continuous improvements to IT security standards. Otherwise, we will find civilization increasingly undermined by those dark forces that sneak around in cyberspace hunting for their next prey.
kenchu, User Rank: Apprentice, 12/26/2013 | 11:39:16 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
Most companies don't pay attention to IT departments' suggestions until a tragedy like this happens. IT departments should have a more influential role (CIO) in the day-to-day running of a company!!! The company I work for had a similar situation... they never implemented full disk encryption for more than 45 years until a senior executive's laptop was stolen with patient info.
kenchu, User Rank: Apprentice, 12/26/2013 | 11:36:57 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
Great discussion for an IT student who has always been interested in security and hopes to actually branch out in the future. Scary that Target was targeted like this, but I could be wrong in suggesting that an inside man was involved...
pgregory98001, User Rank: Apprentice, 12/26/2013 | 4:02:24 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
One point I didn't see in this article is that just being PCI compliant is nowhere near enough. One of PCI's greatest shortcomings is that it does not require the encryption of card data on internal networks. I am told that the reason for this is that many companies would have to pay too high a price to implement internal encryption. However, we may yet learn that the Target breach (as others) was a result of card numbers being transmitted in the clear through internal networks.
macker490, User Rank: Ninja, 12/26/2013 | 12:27:28 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
Fixing the Point of Sale Terminal (POST)

THINK: when you use your card: you are NOT authorizing ONE transaction: you are giving the merchant INDEFINITE UNRESTRICTED access to your account.

if the merchant is hacked the card numbers are then sold on the black market. hackers then prepare bogus cards -- with real customer numbers -- and then send "mules" out to purchase high value items -- that can be resold

it's a rough way to scam cash and the "mules" are most likely to get caught -- not the hackers who compromised the merchants' systems.

The POST will need to be re-designed to accept customer "Smart Cards"

The Customer Smart Card will need an on-board processor, -- with PGP

When the customer presents the card it DOES NOT send the customer's card number to the POST. Instead, the POST will submit an INVOICE to the customer's card. On customer approval the customer's card will encrypt the invoice together with authorization for payment to the PCI (Payment Card Industry Card Service Center) for processing and forward the cipher text to the POST

Neither the POST nor the merchant's computer can read the authorizing message because it is PGP encrypted for the PCI service. Therefore the merchant's POST must forward the authorizing message cipher text to the PCI service center.

On approval the PCI Service Center will return an approval note to the POST and an EFT from the customer's account to the merchant's account.

The POST will then print the PAID invoice. The customer picks up the merchandise and the transaction is complete.

The merchant never knows who the customer was: the merchant never has ANY of the customer's PII data.

Cards are NOT updated. They are DISPOSABLE and are replaced at least once a year -- when the PGP signatures are set to expire. Note that PGP signatures can also be REVOKED if the card is lost.
macker490, User Rank: Ninja, 12/26/2013 | 12:26:32 PM
re: Target Breach Should Spur POS Security, PCI 3.0 Awareness
it is important to recognize that electronic fraud generally exploits our failure to authenticate transactions and transmittals. we have attempted to "port" our manual, "pen and ink" procedures into a digital network environment

public key encryption systems were then created to resolve this issue. sadly we have settled for the x.509 SSL certificate and allowed the big vendors to just sweep the issue under the carpet.

we should be teaching the 7th graders how to verify a PGP key trust model instead of wasting time factoring polynomials.

hint: if you are going to trust a key you are expected to verify it yourself -- and sign for it. Yep, you should have your own PGP key if you are going to do any e-commerce, including downloading/installing software, banking -- and -- credit cards.