Cisco: POS Systems Key Vulnerability in Security Breaches

 
 
By Jeffrey Burt  |  Posted 2014-01-14
 
 
 

The personal data on the magnetic stripe of payment cards continues to be a prime target for cyber-thieves, whose job is made significantly easier by the vulnerabilities in the point-of-sale machines being used by retailers such as Target, according to security officials at Cisco Systems.

The company's Threat Research, Analysis and Communications (TRAC) team took a look at recent high-profile security breaches at Target and Neiman Marcus and noted that as long as the United States continues to use such magnetic stripe payment cards in everyday transactions, retailers in the country and their customers will be at risk.

In a lengthy post on the Cisco blog site, Levi Gundert, technical lead for TRAC, said the United States is one of few remaining first-world countries that continue to use such cards, which makes U.S. businesses an easy target for cyber-attackers. There are no more efficient ways for thieves to steal "track data" from the stripes on these cards and many times the associated PINs, Gundert wrote. The point-of-sale (POS) machines found in businesses like Target are vulnerable to attacks because they use third-party software that's installed in the systems.

"The problem is that the payment card data is susceptible to interception in memory before the encryption process and transmission across the network," he wrote.

To reduce the instance and damage from future POS attacks, businesses need to consider hardware encryption devices at the point of sale.

"If POS hardware encryption remains an unjustifiable business expense, companies should re-examine security policies to ensure that payment card data is included in the critical data category," Gundert wrote. "This is data that must receive a logical and operational moat to ensure absolute detection of unauthorized access and irregular movement. There are too many ways to initially compromise the network; rather it is the internal critical data that must be identified, segmented, and monitored."

Target acknowledged Dec. 19 that a data breach into its U.S. retail stores had affected 40 million customer credit and debit card accounts (it later updated that number to 70 million). Exact details of the breach have not been released, but Target officials said Dec. 27 that the customer PIN data was encrypted using the Triple Data Encryption Standard (DES). Neiman Marcus confirmed Jan. 10 that hackers also had stolen credit card information of its customers.

In his blog post, Gundert outlines methods hackers will use to work their way into large retail operations like Target and Neiman Marcus, and what they'll do and look for once inside the network. He also outlined some steps and tool sets network security professionals can use to better protect the business from hackers and intruders.

"The most useful indicator of compromise (IOC) chain to focus on for future detection is the importation of a tool set, a new process running on the POS terminal, and finally the exfiltration of compressed files with uniform size and frequency," Gundert wrote. "Create an operational play (and playbook if needed) specific to alerting on this chain of events or any specific event that can be effectively tuned to dispel the typical noise. There are plenty of tool sets to accomplish the play."

In addition, businesses should leverage application and process change detection on all payment card processing systems, he said.

"Any change on the end point or multiple end points should be cause for immediate analysis," Gundert wrote. "Also, while most protocols tend to use compression for efficiency and speed gains, the compression tools themselves should be limited to an approved list."

Businesses that use POS machines need to take steps to better protect customer data because those systems will continue to be at risk.

"The attacks on payment card data will continue to focus on POS systems, but well thought out detection plays, and/or the implementation of hardware encryption can dramatically help prevent future negative headlines," he wrote.

Rocket Fuel