Why hackers may be stealing your credit card numbers for years

Hackers may have the upper hand for years as the retail industry slowly upgrades its systems, analysts said

While conducting a penetration test of a major Canadian retailer, Rob VandenBrink bought something from the store. He later found his own credit card number buried in its systems, a major worry.

The retailer, which has hundreds of stores across Canada, otherwise had rock-solid security and was compliant with the security guidelines known as the Payment Card Industry's Data Security Standards (PCI-DSS), said VandenBrink, a consultant with the IT services company Metafore.

But a simple configuration error allowed him to gain remote access. From there, he found the retailer was vulnerable to the same problem that burned Target, Neiman Marcus, Michaels, UPS Store and others: card data stored in memory that is vulnerable to harvesting by malicious software.

The problem is growing worse. The U.S. Department of Homeland Security and Secret Service warned last month that upwards of 1,000 businesses may be infected by malware on their electronic cash registers, known in the industry as point-of-sale devices.

So why are the data thieves winning? Security analysts say point-of-sale malware is neither new nor particularly sophisticated. Programs such as Backoff, BlackPOS and JackPOS hunt down clear-text payment card details jammed in a jumble of data in a computer's memory, a process known as "RAM scraping."

Merchants who handle card data are required to be PCI-DSS compliant or face liability if cardholder data leaks. But the latest security specification, PCI-DSS version 3.0, doesn't mandate that merchants use technologies that encrypt card data from the moment a person's card is swiped, referred to as point-to-point encryption.

Using that kind of technology would eliminate the in-memory malware problem, security experts say.
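To make the RAM-scraping and point-to-point-encryption points concrete, here is an added example (not from the article or any vendor named in it) in the style of a PCI data-discovery check: it scans a memory snapshot for Luhn-valid card numbers and reports them masked. The two snapshots, the test PAN and the stand-in ciphertext are constructed; the point is that a register behind point-to-point encryption leaves nothing for a scraper or a discovery scan to find.

```python
"""PCI data-discovery check: does a memory snapshot hold clear-text PANs?

Added example, not from the article. Contrasts a register holding swiped
card data in the clear with one behind point-to-point encryption, where only
ciphertext reaches it. Buffers are constructed; the PAN is a test number.
"""
import re

# Candidate PANs: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: separates real PANs from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_clear_pans(buf: bytes) -> list[str]:
    """Return Luhn-valid PANs found in a raw memory buffer."""
    found = []
    for m in PAN_RE.finditer(buf):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """PCI-style display form: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed snapshots, not real memory. Legacy: track-like data in the clear;
# the 14-digit ref number is a digit run the Luhn check must reject.
LEGACY = (b"\x00TXN=1138 %B4111111111111111^DOE/JOHN^2512101?"
          b" AMT=19.99 ref=99999999999999\x00")
# P2PE-style: the card reader encrypted the track before the register saw it.
P2PE = (b"\x00TXN=1138 ENC=a3f9c0e1d24b8f71e6...(ciphertext)"
        b" KSN=FFFF9876543210E00001 AMT=19.99\x00")

if __name__ == "__main__":
    for name, buf in (("legacy", LEGACY), ("p2pe", P2PE)):
        print(name, [mask(p) for p in find_clear_pans(buf)])
```

Run over your own test-lane memory dumps, a non-empty result from the "p2pe" path means card data is reaching the register in the clear despite the encryption claim.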

The PCI Security Standards Council, which develops PCI-DSS, did recommend last Wednesday that merchants switch to using that kind of encryption technology.

But retailers often have long technology refresh cycles, so it could be five to seven years before most move to it. Fraud is expected to migrate from big retailers that resolve the weaknesses to smaller ones that have not, said Avivah Litan, a Gartner analyst who consults with banks and card companies.

"In general, I think we are stuck with these point of sale breaches for many years," Litan said.

Retailers are also missing key signs in their network logs that they're under attack. As a result, most breaches are discovered by third parties, such as when fraud shows up on cards, said Bryan Sartin, managing director for Verizon's Risk Team, which investigates data breaches.

Many merchants are using "1990s technology to react to modern-era cyberattacks," Sartin said.

Merchants can be fined by card companies for breaches and are on the hook to pay for forensic investigations, which for PCI-related breaches can cost upwards of US$100,000, said Nick Economidis, an underwriter with the Beazley Group, which has seen its data breach insurance business boom.

In recent years, merchants have occasionally struck back, suing suppliers and integrators of POS systems. Those lawsuits have generally argued the suppliers are liable for breaches due to setup and maintenance errors.

Interestingly, very few of the lawsuits are ever litigated, as POS suppliers often choose to settle, said Charles Hoff, an Atlanta-based lawyer who has been involved in many such actions.

POS suppliers "may feel that they have a strong defense but they don't like the scrutiny in terms of the media," Hoff said. "It certainly doesn't help them in the marketplace. They want to figure out a way to keep their [customers] and not lose them."

All merchants want to do is "sell what they're selling," said Pam Galligan, vice president of compliance and industry relations for Mercury Payment Systems, whose payment processing technology is built into various POS systems.

"PCI asks these merchants to comply with an increasingly technical set of requirements," she said. "They don't want to spend a lot of time and energy trying to protect their card environments."

There's a broad effort under way to ensure that merchants are up to speed with PCI-DSS 3.0, which comes into force on Jan. 1. But it's complex: there are 12 main requirements and more than 250 sub-requirements.

Galligan said Mercury works to ensure its POS partners are up on PCI. Hoff is co-founder and CEO of PCI University, an organization that tries to explain PCI-DSS to people who aren't data security experts.

Merchants are under heavy pressure to handle card data right every time, all the time. The PCI Council advises that retailers can't just pass an annual audit and forget about it. A main concern is that networks are modified over time, which could inadvertently create weak points for hackers to capitalize on.

That is exactly what happened with the Canadian retailer VandenBrink tested. The company had recently finished a hardware refresh and in the process left two open Internet-facing telnet and SSH ports, he said.

The ports were password protected, but using various techniques, VandenBrink eventually discovered the right passwords. That allowed him to get access to where the payment card data was held in memory, including his own.

"I was surprised," he said. "There were thousands of cards in memory."

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Jeremy Kirk

IDG News Service