It was recently reported that a major retailer has been affected by its second breach in the last three years. While this company stressed that no personal information such as names, addresses, social security numbers, and email addresses were obtained, they admit that some credit card numbers were stolen. Both of their breaches were caused by (guess what?) malware-infected POS systems.
Now, with this influx of credit card breaches, however, hackers are dedicating a lot of time for small profits on the dark web. Researchers estimate U.S.-based credit card data can be sold for $5-$30 depending on the data. Why so little? It’s basically supply-and-demand fundamentals. Data breaches become more prevalent and, thus, the market for stolen credit cards is flooded… therefore driving the price down.
Carding web security threat in which attackers use multiple, parallel attempts to authorize stolen credit card credentials. Carding is performed by bots, software used to perform automated operations over the Internet. The objective of carding is to identify which card numbers or details can be used to perform purchases.
Besides the damage caused to card owners, a carding attack can negatively affect businesses whose websites are used to authorize stolen credit cards. Carding typically results in chargebacks – these are disputed transactions that result in a merchant reversing the transaction and refunding the purchaser’s money. Carding forums used to share stolen credit card data, and discuss techniques for obtaining credit card data, validating it and using it for criminal activity
Chargebacks can happen for legitimate reasons (for example an erroneous purchase or a clerical error), but are very often the result of fraud techniques like carding. Every chargeback hurts a business’s reputation with credit card processors. Carding executed against a website can lead to poor merchant history and chargeback penalties.
So what’s to stop the POS malware trend from turning into the potentially devastating threat of POS ransomware? If retailers don’t protect themselves properly, this isn’t much of a stretch. Malware takes months to siphon credit card data from infected systems. Rather than gain access to a national chain’s POS to exfiltrate credit cards, cyber criminals could deploy ransomware that shuts down the POS systems… effectively bringing the business and all revenue to a screeching halt. This would likely prompt stores to pay the ransom right away, allowing the threat actors to profit within minutes. And with the impressive success of the global WannaCry outbreak, cybercriminals are taking notice of what works.
It’s no secret that major retailers and small businesses alike need to protect against malware and, now, ransomware threats to protect their customers’ data, as well as their brand and reputation. If customers lose trust, business suffers. So what can retailers do better to prevent these attacks from occurring, let alone reoccurring, in the first place?
How Can Retailers Protect Themselves?
Start by deploying a managed firewall across all locations, which can be done quickly and easily. These firewalls monitor payment card processing activity to ensure that malware is not entering and sensitive data is not exiting the network. The most important feature to look out for when selecting a firewall is the ability to control outbound network traffic—that way stores can prevent payment data from being sent to suspect sites and countries.
The latest string of breaches, however, reiterates that multi-location retail security requires a new approach, beyond the absolute minimums of maintaining PCI compliance and implementing a managed firewall. For a comprehensive toolbelt to stop cyber criminals before they do real damage, retailers should consider implementing the following technologies:
- File integrity monitoring (to tell you when files have changed that weren’t supposed to change)
- Unified threat management appliances (used to integrate security features such as firewall, gateway antivirus, and intrusion detection)
- Security information and event management, ideally with dormant malware hunting capabilities (used to centrally collect, store, and analyze log data and other data from various systems to provide a single point of view from which to be alerted to potential issues)
- Managed detection and response (brings advanced threat detection and response specifically to the POS systems to reduce malware detection gap and incident response times)
- Next-generation endpoint security solutions (used to stop attacks on the endpoint computers and servers before they can wreak havoc on other systems)
Merchants should also remember that being compliant may not be (and is usually not) the same thing as being secure. It’s one thing to do basically the bare minimum to meet compliance mandates, but it’s completely another thing to do IT security properly. Properly locked down systems take a willingness to bring in experts that have ‘been there, done that’ and know how to lock payment terminals down to where they can only operate as payment terminals and not as general use computers. While there are many tools available to help with many required tasks, the basic concept of proper security starts with an understanding that doing it right takes time, patience, and yes, at times, it will take money.
Netsurion, for example, offers managed security services to help highly distributed businesses achieve enterprise-level security. With its managed network security, these businesses can defend payment and other critical data from cyberthreats with 24/7 firewall uptime monitoring. PCI compliance support relieves the stress with on-on-one merchant support and an intuitive management portal. In addition, Netsurion subsidiary EventTracker’s security information and event management (SIEM) technology has made SIEM-at-the-Edge a reality. It is an advanced threat detection tool with log analysis, awareness, detection, and incident response that is effective and affordable.
EMV Implementation was Active During Breach
Regarding the most recent breach discussed above, it’s important to note that all of this brand’s stores did have EMV-capable credit card terminals. But not all banks have provided their customers with chip-enabled cards just yet, leaving those customers that used magnetic stripe cards more vulnerable to counterfeit fraud.
To minimize the damage hackers inflict on retail companies and their customers, retailers not only need to bolster network security, but the entire payments industry must work together to further the EMV migration and adoption of point-to-point encryption technology.
Lessons Learned
Hackers are after something– credit cards, personally identifiable information, bank credentials, or anything else that they can use to steal or sell for money. It is difficult and expensive for retailers, especially smaller ones or branch locations, to hire and retain an IT security team to combat these threats. For optimal success, security, and growth, advanced tools, including SIEM, should ideally be outsourced to a managed security firm that specializes in this type of service, which includes having expert threat researchers that are constantly looking for new activity that could point to a hacker trying to steal data from your systems. These tips should enable retailers to expand their businesses while keeping their customers’ data secure and loyalty strong.