You may have heard about the recent large data breach with
Heartland Payment Systems in which hackers planted malware to specifically
capture TRACK 2 information along with credit card data; subsequently using it
in a fraudulent manner, later discovering that the breach had been present
since fall of 2008. In this case the only way in which Heartland detected the
breach was through an alert they received from Visa / Mastercard in regards to
suspicious charges linked to Heartland Payment Systems. I cautioned of the high probability of this occurring on more
of a regular basis in August 2008 in an article published in the Information
Security Systems Association (ISSA) Journal titled “Breaching Wireless POS Networks”
and in an article published in CIO Magazine and ISC2 Journal titled “Anatomy
of a Data Breach: A Global Perspective”. The major points that I stressed in the above articles mainly
had to do with focusing efforts on securing / hardening the systems themselves,
not just encrypting communications as recommended by PCI standards.
Essentially
if the system itself is vulnerable to attack – meaning unpatched, out-of-date
or ineffective AV or other security miss-configurations – a hacker can simply
plant malware that will reside within the communications channel to intercept
data before it is encrypted; this way the hacker can intercept the information
that is being entered or transmitted (before encryption) from the terminal in a
‘live’ fashion as opposed to attacking data that is already in transmission
that likely will be encrypted and already secure. This is the weakest link here
folks.
What we will likely find in common with these types of breaches:
- The payment processing systems ‘themselves’ were
probably not as secure as one would think, the primary focus from a security
perspective was put on encrypting data in motion; what we will see here is
systems that could contain the following: not frequently patched, ineffective
AV, password policy is not complex enough, services are not locked down, among
a host of other things.
Lack of audit controls to monitor for suspicious
activity inside the network originating from the POS terminals to the payment processing systems.