The U.S. Department of Homeland Security has issued an alert to businesses throughout the United States about a malware infection that invades point-of-sale (POS) systems and sends the credit card information of people to cyber-criminals.
The malware, which is being called Backoff by security researchers, operates by gaining access to POS systems through an administrator account, according to DHS.
Backoff is closely related to the malware that infected Target in 2013, according to Jerome Segura, senior security researcher at Malwarebytes. The Malwarebytes security software was already detecting Backoff before the DHS alert and identifying it as a Trojan, Segura said.
He credited DHS with providing the security industry with the signatures of the various iterations of the malware so that antivirus software could identify and blog the malware.
The U.S. Computer Emergency Response Team (US-CERT) provided technical details for identifying malware and specific instructions so that businesses with POS systems could prevent a similar malware attack. While the DHS report is highly technical and is aimed at security experts, the suggestions it makes for avoiding future attacks are really fairly straightforward.
The single overarching theme is that retailers are getting hit by malware because they aren’t following even the most basic security practices. Simple things such as upgrading their POS software or the operating system on their computers would prevent most attacks.
Other basic steps, such as using strong passwords, would at least slow down the attacks. Likewise, simple segmentation of networks so that the POS systems aren’t on the same network as the sales or accounting departments would make a big difference.
Segura said that most people in business didn’t think of their POS machines as computers and didn’t realize they could be infected by malware. In reality, he said, the POS systems were mostly Windows XP machines that had never been updated.
Making matters worse, many of the POS systems used remote access methods that were easy to subvert using a brute force process of simply hitting the remote access system with constant login attempts until something worked. The hackers would keep hitting client machines until they found one with privileged access that they could subvert.
“It’s easier to piggy back on a trusted user,” Segura said. “In a lot of cases, both the POS software and the OS are outdated. They may not have security software.” In many cases, malware can penetrate a POS system because companies don’t want to pay for updated versions of the software they use.
Backoff Malware Spread Might Have Been Contained With Basic Defenses
“The money they saved by not upgrading is coming back to them,” he said. “It’s a real eye-opener. The damages are real. It’s really crucial to upgrade systems.”
For its part, DHS isn’t saying anything beyond the statements it’s already published. When asked about details of the malware attack, a DHS spokesman said, “No comment.”
While further comment would be a big help to the business community in the United States, at least the agency did provide a great deal of useful information beyond just details of the malware itself. Those recommendations included practices such as using two-factor authentication to access POS systems, running security software on those systems and paying attention to the results of security scans.
Many of the recommendations made by DHS are in reality basic security practices that are all too often ignored. One such recommendation is to, in the words of DHS, “configure the account lockout settings to lock a user account after a period of time or a specified number of failed login attempts.”
“This prevents unlimited unauthorized attempts to log in whether from an unauthorized user or via automated attack types like brute force.” This is Security 101. Why this isn’t implemented in every access point is a mystery.
Another no-brainer is to limit who can log in to the POS system remotely. It’s good that DHS is reminding readers of this, but it shouldn’t be necessary. Likewise, the recommendation to use firewalls should be obvious. Sadly, far too many merchants never got the memo about basic security.
That memo exists and merchants or anyone else can read about payments and security at the Website of the PCI Security Standards Council. There’s even a compliance guide that merchants can use so that they can make sure they’re protecting credit card data responsibly.
In addition, merchants that accept credit cards are required to safeguard customer data using those compliance standards as a condition to being allowed to accept credit cards in the first place. Violate those standards and your company could find itself unable to accept cards at all.
Unfortunately, the Payment Card Industry doesn’t appear to do a lot to enforce its compliance standards, since it has only banned merchants from accepting credit card payments in a handful of cases.
Because of this, the most significant downside that a company suffers in the wake of a breach may be the subsequent negative publicity and loss of business. This turned out to be a significant cost for Target—a much higher cost than it would have been to have updated its machines.