We asked our case expert, Forensic Tech/Systems Analyst Dr. Sean McLinden, to explain the recent wave of data breach attacks involving credit and debit / payment cards, similar to matters we’ve worked on for clients together. Dr. McLinden here explains how “bad guys” get away with it, and what you can do to avoid falling victim to their unlawful – and hard to detect – schemes.
Point of Sale (POS) malware is becoming increasingly common, for a variety of reasons. First, whereas older POS systems were highly proprietary, more modern systems use commodity components which often use public specifications for interoperability with systems from other vendors. Where there exists the opportunity to explore the code, there lies a greater opportunity to exploit it. This is especially true of components which use complex operating systems such as Windows and Linux, where there may be multiple lines of attack on your system(s).
There are two technologies the Payment Card Industry (“PCI”) use to protect data:
- Encryption handles arbitrary types and sizes of data, but because it is based upon published algorithms, it can be exploited by those who know the algorithms and the encryption keys.
- Tokenization, on the other hand, is often used to obfuscate structured, fixed length data (e.g. SSNs). An arbitrary ‘token’ is created to take the place of the real data, with the ‘mapping’ between the token and the real data stored at a secured server. Because the token is arbitrary, there is no way to determine the actual data that it represents. Encrypted data may be vulnerable anywhere it is communicated whereas tokenized data is vulnerable only before the token is obtained. In modern electronic commerce, this is usually the point of sale where the merchant ‘swipes’ the magnetic stripe or scans the card’s chip.
Until the token has been created and substituted, the raw data may exist in computer memory (RAM). Capturing the information can be as simple as taking a snapshot of the RAM and scanning it for unencrypted strings that match the pattern of magnetic stripe Track data. Unfortunately, the tools with which to do this are widely available and not, typically, identified by antivirus scanner software, as they are often used for legitimate purposes such as software debugging. Even the way in which these tools are packaged may not identify them as malicious until suspicion arises as a result of the detection of compromised accounts.
Because the tools used in many POS attacks are not identified as malicious, data breaches can be undetected for months — allowing for the collection of large volumes of data.
Because the tools used in many POS attacks are not identified as malicious, data breaches can be undetected for months — allowing for the collection of large volumes of data. In a client’s matter recently, customer data was compromised for more than six months before the vendor became aware that it had been compromised. That discovery came only after a process of elimination excluded all other vendors who had serviced the same customers.
While computer viruses are often identified by network activity (e.g. communication with Command and Control Centers), POS malware often creates temporary files of compromised credentials, using backdoors for intruders to retrieve these files at will. These backdoors may consist of accounts created by the POS installers for installation, configuration or support which were never deactivated after system installation, or where default passwords programmed by the system’s manufacturer or installer(s) were never changed. As a result, the vulnerability may be hiding in plain sight. The fact that vulnerable systems may be located in protected physical locations makes it more likely that legitimate remote administration tools may be installed which can be exploited if not properly secured. Worst of all, if the access is infrequent and by “known” users, this network activity may not be identified as suspicious.
In another merchant’s case from 2012, an account created for debugging was never deactivated. Even though the POS vendor informed its customers of the vulnerability, it did so only by mail. Some customers never read the technical services bulletin or implemented the recommendations, and the POS vendor never followed through to be sure that its recommendations had been followed. (There is another lesson to learn here: be certain to have regular maintenance performed by trained professionals who keep current with system changes on all of your businesses’ systems.)
POS malware represents a unique adaptation of tools and techniques to address the specific behaviors and potential vulnerabilities of the PCI processing chain. Because of the nature of tools used in the construction of a POS compromise, traditional antivirus products may be inadequate to address the needs of many common PCI environments. The same can be said for cybersecurity professionals who do not have extensive experience in the PCI/POS domain. Proper PCI audits can help to prevent attacks from known actors but, as the saying goes, you don’t know what you don’t know. Hiring professionals with proven track records in dealing with PCI/POS systems is essential to preventing adverse outcomes.
