Category Archives: PCI DSS

The slow rise in POS terminal attacks

Late last year there was much discussion of the increasing frequency of point of sale (POS) terminal fraud, especially in the US. An extremely high-profile case, widely discussed by security professionals, concerned four Romanian nationals and a multimillion-dollar scheme to commit POS fraud that would have swindled hundreds of merchants and compromised the card data of some 80,000 US citizens.

They attempted to do this remotely, hacking into POS systems and stealing card data from credit, debit and prepaid cards, but were, fortunately, arrested by the authorities. They face up to five years in prison if convicted.

“The hackers allegedly scanned the internet to identify vulnerable POS systems with certain remote desktop software applications installed on them, and then used the applications to log into the targeted POS system, either by guessing the passwords or using password-cracking software programs,” Wired.com reported at the time.
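The attack Wired describes leaves a distinctive trail on the POS host itself: a burst of failed remote-desktop logons from one address, then a success. The following is an added example, not code from the article, from Wired or from any vendor named on this page, that runs that detection over a handful of constructed Windows Security event records (event 4625 for a failed logon, 4624 for a success, logon type 10 for remote interactive sessions), written as one ISO timestamp followed by key=value fields. The host names, addresses, the five-failures-in-ten-minutes threshold and the simplified record format are all assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

REMOTE_INTERACTIVE = "10"        # Windows LogonType 10: RDP / Terminal Services
FAILED_LOGON = "4625"            # Windows Security event: an account failed to log on
SUCCESS_LOGON = "4624"           # Windows Security event: an account was successfully logged on
THRESHOLD = 5                    # assumed: failures from one source to one host ...
WINDOW = timedelta(minutes=10)   # ... inside this window count as password guessing

# Constructed sample records, not real log data. Assumed format for the demo:
# ISO timestamp followed by key=value fields taken from the Windows event.
SAMPLE_LOG = """\
2012-02-03T10:00:01 EventID=4625 Host=POS-LANE-3 LogonType=10 User=Administrator Src=198.51.100.7
2012-02-03T10:00:03 EventID=4625 Host=POS-LANE-3 LogonType=10 User=Administrator Src=198.51.100.7
2012-02-03T10:00:05 EventID=4625 Host=POS-LANE-3 LogonType=10 User=admin Src=198.51.100.7
2012-02-03T10:00:07 EventID=4625 Host=POS-LANE-3 LogonType=10 User=pos Src=198.51.100.7
2012-02-03T10:00:09 EventID=4625 Host=POS-LANE-3 LogonType=10 User=pos Src=198.51.100.7
2012-02-03T10:00:11 EventID=4625 Host=POS-LANE-3 LogonType=10 User=pos Src=198.51.100.7
2012-02-03T10:00:40 EventID=4624 Host=POS-LANE-3 LogonType=10 User=pos Src=198.51.100.7
2012-02-03T10:05:00 EventID=4625 Host=POS-LANE-1 LogonType=10 User=manager Src=192.0.2.44
2012-02-03T10:06:00 EventID=4624 Host=POS-LANE-1 LogonType=10 User=manager Src=192.0.2.44
2012-02-03T10:07:00 EventID=4625 Host=POS-LANE-2 LogonType=2 User=cashier Src=127.0.0.1
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Split one record into a dict of its fields plus a parsed timestamp."""
    stamp, _, rest = line.partition(" ")
    rec = dict(FIELD.findall(rest))
    rec["ts"] = datetime.fromisoformat(stamp)
    return rec


def detect(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {(host, src): verdict} for abuse of remote-interactive logons.

    "brute-force": at least `threshold` failed logons from `src` to `host`
                   landed inside one sliding `window`.
    "compromised": a successful remote logon from the same source followed
                   within `window` of those failures (a guess worked).
    """
    failures = defaultdict(list)   # (host, src) -> recent failed-logon times
    verdicts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        if rec.get("LogonType") != REMOTE_INTERACTIVE:
            continue               # console, service and network logons: out of scope
        key = (rec["Host"], rec["Src"])
        now = rec["ts"]
        # drop failures that have aged out of the window before counting
        recent = [t for t in failures[key] if now - t <= window]
        if rec["EventID"] == FAILED_LOGON:
            recent.append(now)
            if len(recent) >= threshold:
                verdicts.setdefault(key, "brute-force")
        elif rec["EventID"] == SUCCESS_LOGON and len(recent) >= threshold:
            verdicts[key] = "compromised"
        failures[key] = recent
    return verdicts


if __name__ == "__main__":
    for (host, src), verdict in sorted(detect(SAMPLE_LOG).items()):
        print(f"{verdict:<12} host={host} src={src}")
```

The one legitimate operator who mistypes once and then logs in (POS-LANE-1) is not flagged; the address that cycles through account names on POS-LANE-3 is flagged as brute-force on the fifth failure and escalated to compromised when its later logon succeeds. In production the same two signals come from a SIEM rather than a text file, but the pairing of a failure burst with a following success is what separates a real intrusion from background noise.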

It’s a serious threat, and one the security industry most certainly has on its radar. At the start of this month the dialogue about POS attacks was as topical as ever.

Speaking to SC Magazine, Bill Farmer, chief executive officer of Mako Networks, turned the discussion to “rogue terminals”: devices that sit outside the merchant’s central network and are used as a mechanism to “harvest data” out of a business and into the hands of cyber criminals. What is notable is how surreptitiously adept criminals operate.

“The cyber criminal will modify the device to steal the information and transmit it out to be stored,” he said. “It is not easily detectable as the compromised modules are transmitting data out for months at a time and are often in high-traffic places.”

They then collect this data, hold onto it for months, use it for small transactions a few months later and then at cash machines, where large sums are withdrawn, Mr Farmer added.
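Mr Farmer’s point about compromised terminals transmitting data out for months at a time suggests the check a practitioner would want: compare what the payment segment actually talks to against the short list of destinations it is supposed to talk to, and rank everything else by how many distinct days it recurs. The following is an added example, not code from the article or from Mako Networks; the POS subnet, the allowed destinations, the three-day persistence threshold and the flat flow-record format are all constructed for the demo.

```python
import ipaddress
from collections import defaultdict

POS_SEGMENT = ipaddress.ip_network("10.20.0.0/24")   # assumed payment VLAN
# Assumed legitimate (destination, port) pairs for that segment: the payment
# gateway, the segment's own DNS resolver and the store back-office server.
ALLOWED_DST = {
    ("203.0.113.10", 443),
    ("10.20.0.1", 53),
    ("10.10.5.5", 8443),
}
PERSISTENT_DAYS = 3     # assumed: seen on this many distinct days => persistent

# Constructed sample flow records, not real traffic. Assumed flat format:
# date  source  destination  destination_port  bytes_out
SAMPLE_FLOWS = """\
2012-01-02 10.20.0.17 203.0.113.10 443 5120
2012-01-02 10.20.0.17 10.10.5.5 8443 900
2012-01-02 10.20.0.17 198.51.100.23 443 2048
2012-01-09 10.20.0.17 198.51.100.23 443 2100
2012-01-16 10.20.0.17 198.51.100.23 443 1990
2012-01-23 10.20.0.17 198.51.100.23 443 2200
2012-01-23 10.20.0.42 203.0.113.10 443 4096
2012-01-23 10.20.0.42 192.0.2.80 80 600
2012-01-23 10.10.5.5 192.0.2.80 80 70000
2012-01-23 10.20.0.9 203.0.113.10 8443 300
"""


def unexpected_egress(flow_text, segment=POS_SEGMENT, allowed=ALLOWED_DST,
                      persistent_days=PERSISTENT_DAYS):
    """Return {(src, dst, dport): {"days", "bytes", "persistent"}} for every
    connection that left `segment` for a destination not in `allowed`.

    Matching is on (destination, port): a rogue module that uses the gateway's
    port 443 but a different host, or the gateway host on another port, is
    still caught. Traffic from outside the segment is ignored.
    """
    seen = defaultdict(lambda: {"days": set(), "bytes": 0})
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        day, src, dst, dport, nbytes = line.split()
        if ipaddress.ip_address(src) not in segment:
            continue
        dport = int(dport)
        if (dst, dport) in allowed:
            continue
        entry = seen[(src, dst, dport)]
        entry["days"].add(day)
        entry["bytes"] += int(nbytes)
    return {
        key: {"days": len(e["days"]), "bytes": e["bytes"],
              "persistent": len(e["days"]) >= persistent_days}
        for key, e in seen.items()
    }


if __name__ == "__main__":
    report = unexpected_egress(SAMPLE_FLOWS)
    # persistent, high-volume destinations first
    for (src, dst, dport), e in sorted(
            report.items(), key=lambda kv: (not kv[1]["persistent"], -kv[1]["bytes"])):
        tag = "PERSISTENT" if e["persistent"] else "one-off"
        print(f"{tag:<10} {src} -> {dst}:{dport} days={e['days']} bytes={e['bytes']}")
```

The weekly trickle from 10.20.0.17 to an unknown host is small in bytes, which is why volume thresholds alone miss it; counting distinct days is what surfaces a module that has been quietly reporting for weeks. The large transfer from 10.10.5.5 is ignored because that host is outside the payment segment, which is also the reason a merchant needs the segment boundary to exist in the first place.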

What, then, can be done to mitigate this threat? Simple security measures can be effective, all of them denying cyber criminals easy access into a system. You wouldn’t leave the back door open at home or in your office, would you? Apply the same thinking to POS terminals.

One recurring piece of advice is not to “affiliate” the name of the business with a Wi-Fi network, for example by using it as the network name: doing so tells an attacker exactly which network carries the payment traffic, which is like handing swindlers the golden key.

Another strategy is to make sure that payment systems conform to the Payment Card Industry Data Security Standard (PCI DSS). The PCI Security Standards Council is a most useful asset here, given that it is responsible for the development, management, education and awareness of the industry’s standards.

Carry out penetration tests as part of a risk assessment to identify weaknesses in the system. Especially exposed are organisations that have POS terminals in a variety of locations and a sizeable workforce who may, on occasion, leave terminals unattended.

Finally, keep one step ahead of the game: be leaders and innovate. Technology in the digital age doesn’t stop for anyone and neither should you. Invest in new equipment and apply software updates regularly. Change is good and it puts cyber criminals on the back foot. “We’ve got competition,” they lament. Indeed they have.

Some things can’t be swept under the carpet and forgotten

“Why can’t we just ignore PCI DSS and get on with life?”

Now if that didn’t get you jumping out of your seat with a certain “Hang on, what was that?” spot of confusion, then we admire your restraint. It certainly got us animated, curious and chatting away.

Why so? Well, this is a question that passes through the minds of many people, something that Jeremy King, European director of the PCI Security Standards Council, knows all too well.

Mr King, who is speaking soon at the next Manchester RANT forum and has already presented this at the London RANT, argues that while many people may indeed hold this opinion of PCI DSS (Payment Card Industry Data Security Standard), the alternative, which he equates to burying one’s head in the sand, would be somewhat regressive.

PCI DSS is, after all, designed to be a comprehensive security standard for universal use, applying to merchants and service providers that store, process or transmit cardholder data. Its aim is to preserve the security and integrity of that data at every step, for all sorts of cards, including debit, credit and prepaid, and for the POS terminals that accept them.

As the PCI Security Standards Council states on its website, PCI DSS provides a robust security process that includes prevention, detection and appropriate reaction to most security incidents. Its most visible effect is in thwarting criminals from obtaining card payment details for fraudulent purposes. It is effective, yes, but critics go further and say that the weaknesses inherent in the system are serious.

Robert Havelt, director of penetration testing at Trustwave’s SpiderLabs, states that PCI-compliant networks remain open to exploitation because refined, custom-made malware allows criminals to bypass certain barriers, open the back door and navigate through other channels to the jackpot: the store of sensitive data. This, he argues, undermines the case that segregating payment card data is enough on its own. It can still be accessed.

It’s a topic that gets people heated up. It’s interesting, it’s relevant and it affects everyone involved. The idea behind PCI DSS is to be applauded and it is an effective measure against security breaches. However, it can be improved. Listen to what Mr King has to say at the end of the month and offer your thoughts.

The RANT forum takes place in London on the last Wednesday of each month.