Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

11/23/2015
07:30 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Black Friday Security: Brick-and-Mortar Retailers Have Cyber Threats, Too

PoS malware, ways to trick new payment technology, and zero tolerance for down-time or slow-time make for a stressful combination.

UPDATED: Cyber Monday sports a techie handle, but good ol' Black Friday is fraught with plenty of cybersecurity challenges as well. When shoppers hit the mall worrying about long lines and hot deals, security pros need to worry about point-of-sale (PoS) malware, fraud, new mobile payment technology, and the recent EMV liability shift.

 

PoS Threats On the Rise

Although PoS malware got the most attention in the summer of 2014, Trend Micro found that, in the third quarter of 2015, PoS malware increased by 66% in the third quarter of 2015 and that attackers were quite indiscriminate about their targets. Forty-five percent of it was hitting small- to medium-sized businesses.

Larger franchises are not out of the woods though. Just last week, a hospitality brand, Starwood Hotels was breached by PoS malware, exposing payment card data of customers at 54 of its hotel properties. The precise culprit has not been revealed, but the FIN5 gang has been using RawPOS to hit hotels all year.

Plus, there's new PoS malware on the scene:

  • Cherry Picker, discovered by Trustwave this month, has been around since 2011, but has remained nearly undetected in all that time because of its sophisticated encryption and obfuscation techniques.
  • AbaddonPOS: discovered by ProofPoint, also has elite obfuscation techniques, including tricks to wipe evidence of itself away. It also includes anti-analysis capabilities to frustrate researchers. Abaddon has spread through the Vawtrak malware.
  • ModPOS: described this week by iSIGHT Partners as "the most sophisticated PoS malware ever," it's more than just a card scraper. It's modular malware with a keylogger, uploader/downloader, and an assortment of plugins -- and every module operates in kernel mode where it's hard to find and hard to eject.

The immediate concern with PoS threats are that they scrape payment data stored upon them. However, researchers are also finding that attackers are also using PoSes as an entry point into the rest of the network.

"One of the reasons that PoS devices have been such an effective attack surface is that many are left unprotected without any resident anti-malware security," says Mark Parker, senior product manager at iSheriff. "These devices were long considered 'dumb terminals' and that reputation has been slow to change while the devices themselves have become more capable and in fact are often scaled down Windows machines."

[Once the systems at your brick-and-mortar shop are locked down, make sure your online shop is ready for the rush. Read "Cyber Monday: What Retailers & Shoppers Should Watch For."]

"The key to protecting cardholder data is to practice security beyond compliance by not leaving anything behind for hackers to steal," says J.D. Oder, CTO and senior vice president of research and development, Shift4 Corp. "When EMV, point-to-point encryption, and tokenization are properly implemented in a merchant environment, sensitive payment card data doesn’t enter their systems and a 'cardholder data environment' ceases to exist outside of a secured payment device."

Oders says payment card data is safest when it's hosted offsite, rather than at the retail location. "This leaves no payment data in the merchant environment to be stolen and used by hackers, even if malware were to enter the POS or PMS," he says. "After all, they can’t steal what you don’t have."

He also recommends encrypting data in-memory as well as full point-to-point encryption to protect the data in transit.

 

More EMV Adoption Not An Immediate Cure

Expanded adoption of EMV technology should theoretically be a positive change for brick-and-mortar security this season.

EMV, or chip-and-PIN, is a replacement for the old magnetic stripe cards. Stolen magstripe data can be turned into counterfeit credit cards, and skimmers make it very easy to steal. Yet, in the US, EMV adoption was very sluggish because both merchants and card issuers were holding out for the other to make the first move.

But last month the EMV "liability shift" took effect. So in the event of payment card fraud, whichever party -- merchant or card issuer -- that has the lesser security is the one to be stuck with liability. So if the card issuer has put an EMV chip in the card, but the merchant has not updated their PoS terminals to accept EMV, then the merchant eats the cost; and vice versa.

More chip-and-PIN cards will be in use at stores this holiday season, which could be a good thing. However, experts say not to expect an improvement overnight.

"I would tell retailers EMV is going to complicate their life" this Black Friday, says Rajesh Sharma, vice president of banking and payment applications at INSIDE Secure. As customers and customer service reps alike become familiar with the technology, lines at the register may move slowly. A slow line isn't going to be tolerated for long. So if an EMV purchase fails on the first attempt, the salepeople may quickly resort to swiping the magstripes just to keep the line moving.

"From the retailer's point-of-view, it's all about risk-reward," says Suni Munshani, CEO of Protegrity. "If security gets in the way, if some infrastructure gets in the way, they'll rip it out."

Criminals know that all too well, he says, and they'll manipulate that fact with social engineering, which untrained workers rarely recognize. "It's frightfully expensive to train temporary staff," he says.

 

Mobile Payment Schemes Can Be Manipulated

On top of EMV, retail sales reps have to learn all about payments made with mobile devices through systems like Apple Pay, Android Pay, and Samsung Pay.

Thirty-nine percent of respondents to a survey conducted by INSIDE Secure plan to make in-store purchases with a mobile device this holiday season. Plus, 17% of those who did not make mobile payments last year are planning to use the technology this year.

The hold-outs, according to the survey, cite security and privacy as their key reasons for declining to use it: 70% were concerned about fraud, and 70% about the privacy of their transaction data.

However, these technologies are actually doing quite a lot right when it comes to security. Payment technology experts praised Apple Pay when it was released for tokenizing payments, never communicating credit card data to the merchant, and adding biometrics to the process.

That doesn't mean it's fraud-proof. Mobile payment technology is "definitely something we've seen criminals more interested in in the last year," says John Miller, director of ThreatScape Cyber Crime at iSIGHT Partners.

Cybercriminals are not exploiting vulnerabilities in the mobile payment technology per se, says Miller, but they're compromising weaknesses in the enrollment process. They simply load stolen payment account data into one of those mobile payment systems -- which they can do, because the banks don't always do a very good job of making sure that the device to which the account is provisioned is actually a device owned by the accountholder. Thus, an attacker can walk into a store and use their Droid or iPhone to make a purchase with someone else's money.

Apple Pay was only released in September 2014, and by March of 2015, millions of dollars of fraudulent purchases had already been made in this way with Apple Pay. 

"[Attackers are] doing in-store fraud despite EMV," says Miller, "despite all those protections."

 

No tolerance for down-time

"The recovery time for retail is very, very small," says Munshani. "This is when they make the most revenue."

So obviously, any denial of service -- via an attack, a system failure, or a bad patch -- is unacceptable. The concern is if a zero-day PoS vulnerability hits -- one that threatens a data theft, not a denial of service -- will retailers simply ignore it, and say 'remind me in January'?

"I don't think that would be the response anymore," says Miller. He says that retailers' awareness of security and its importance has improved enough that they would not simply ignore a critical threat. "They would want to clean it up, but they might not know how."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Can Your Patching Strategy Keep Up with the Demands of Open Source?
Tim Mackey, Principal Security Strategist, CyRC, at Synopsys,  6/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12881
PUBLISHED: 2019-06-18
i915_gem_userptr_get_pages in drivers/gpu/drm/i915/i915_gem_userptr.c in the Linux kernel 4.15.0 on Ubuntu 18.04.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) or possibly have unspecified other impact via crafted ioctl calls to /dev/dri/card0.
CVE-2019-3953
PUBLISHED: 2019-06-18
Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.0 allows a remote, unauthenticated attacker to execute arbitrary code by sending a crafted IOCTL 10012 RPC call.
CVE-2019-12133
PUBLISHED: 2019-06-18
Multiple Zoho ManageEngine products suffer from local privilege escalation due to improper permissions for the %SYSTEMDRIVE%\ManageEngine directory and its sub-folders. Moreover, the services associated with said products try to execute binaries such as sc.exe from the current directory upon system ...
CVE-2019-12592
PUBLISHED: 2019-06-18
A universal Cross-site scripting (UXSS) vulnerability in the Evernote Web Clipper extension before 7.11.1 for Chrome allows remote attackers to run arbitrary web script or HTML in the context of any loaded 3rd-party IFrame.
CVE-2017-8328
PUBLISHED: 2019-06-18
An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of changing the administrative password for the web management interface. It seems that the device does not implement any cross site request forgery prot...