If the headlines have taught us anything this year, it’s that hackers have their eyes set on retail point-of-sale systems. In just the first three quarters, information on more than 75 million credit cards has been stolen or exposed.
Data breaches are—unfortunately—becoming a part of daily life. So far this year, I have been the victim of no fewer than six major breaches, and I am not an exception. But despite the seeming ubiquity of these attacks, the sad part is that most of them could have been avoided.
This fact was made clear during a webinar discussion on POS Security last month with SANS’ Wes Whittaker and Bit9 + Carbon Black’s Chris Strand. Out of this discussion, four key points emerged that call attention to the specific gaps in POS system design and retail IT policies that hackers are using to steal hundreds of millions of credit cards and why wider adoption of next-generation security solutions is badly needed.
Point #1: PCI Compliance does not equal security.
First, consider this: many of the organizations breached this year were PCI-compliant at the moment of compromise.
Now consider how much money these organizations spent each year on technology, services and auditors to certify and maintain compliance.
And for what?
The bottom line: While regulations have an important role to play in ensuring participants in any market meet a minimum set of essential standards, they are in no way a security guarantee. Yet for many retailers, the PCI-DSS standard has become the bar upon which their security posture is based.
The reliance retailers and other organizations place on regulation as a means of securing business and consumer information has to evolve and move beyond agreeing to the letter of the law. Instead, organizations must take the steps necessary to adhere to the spirit of the law. Security is a process, not a checklist, and any organization that does not understand this difference is going to be vulnerable.
Point #2: Magnetic Strip Cards are Vulnerable by Design
To understand today’s POS attacks you need to have a basic understanding of how credit cards work and why the data stored on them is valuable and vulnerable.
The modern, magnetic strip credit card was invented by IBM in 1969 and has remained largely unchanged since then. Because of this, cards that rely on static authentication, as opposed to more advanced EMV authentication standards, have become prime targets for hackers.
The typical magnetic strip card consists of three tracks: Track 1, Track 2 and Track 3. All are embedded in the same magnetic strip. We’ll focus here on Track 1 and Track 2 as these contain the information most interesting to hackers.
Essentially the same in function, both Track 1 and Track 2 can be used for processing. The key difference is in the amount of data contained, but it is important to note that neither track is encrypted on the card.
Track 1: (IATA)
Maximum length: 79 7-bit characters (6 bits, 1 parity bit)
Data Stored: Card number, holder name, expiration date
Encryption Level: None
Originally developed for use with airline reservations, Track 1 is the most data-rich of the three tracks and is the only track capable of containing the alphanumeric characters needed to encode the cardholder name. Read-only, it leverages 6-bit + parity encoding to store the card number, expiration date, cardholder first/last name and “discretionary data,” which the issuer can use to store additional information such as a CVV/CVC code. Track 1 is not as widely used as Track 2, but ATM providers and others have recently increased adoption because of the opportunity that cardholder name information provides to deliver more customized experiences.
Track 2: (ABA)
Maximum length: 40 bytes
Data Stored: Card number, expiration date
Encryption Level: None
Standardized by the American Bankers Association, Track 2 is the de-facto standard for most credit and ATM card processing today. Encoded in a 5-bit scheme inclusive of up to 16 character types, Track 2 is not able to support alphanumeric characters and therefore does not include the account holder’s name.
Rather, Track 2 data only contains card number, expiration date, a card qualification code that identifies the card type (credit, debit, etc.) and room for limited “discretionary data” that can be added by the issuer. For example, American Express uses this space to include an issue date in the track and many debit cards will include a PIN offset code.
Bottom Line: Magnetic strip information is insecure and a prime target for attack. Armed with a card number, expiration date, CVV/CVC code, and the name of a cardholder, a hacker has everything they need to create counterfeit cards or to make fraudulent purchases online.
Point #3: POS Systems Are Sitting Ducks and Golden Geese
Today’s point-of-sale systems are not your grandfather’s crank-operated NCR, but rather complex computer systems tied into a retailer’s payment, inventory, CRM and HR systems. It is estimated that 76 percent of the 10 million POS systems in the U.S. are running Windows, making them vulnerable to the same attacks and malware as any other PC or corporate server.
Often armed with nothing more than antivirus software (the bare minimum for PCI compliance) most POS devices are effectively sitting ducks for targeted attacks.
While PCI compliance has strict guidelines to ensure protection of credit card data, there are still critical gaps in the system that hackers are successfully using to steal information, particularly in the area of data encryption.
The result has been POS systems with large collections of extremely valuable data, guarded only by defenses that an advanced attacker easily can evade.
While PCI requires end-to-end encryption of sensitive payment data whenever it is transmitted, received or stored, it does not require this for data being processed in memory. As such, most POS applications do not encrypt credit card data when processing in RAM.
To an opportunistic attacker, this makes a vulnerable POS system less of a sitting duck and more of a golden goose. By simply gaining access and installing malware on a vulnerable machine a hacker can quickly pull Track 1 and Track 2 data straight out of the POS terminals’ active memory. Over a few days, weeks or months a single POS machine can provide a hacker with data on thousands of credit cards. Given that it takes 87 days on average to detect an attack, hackers often are able to harvest cards for weeks or months before being shut down.
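The Track 1 and Track 2 layouts described under Point #2, and the cleartext-in-RAM gap described in the preceding paragraph, as an added Python example that is not part of the original post or of any Bit9 product: it parses both track formats using the standard delimiters from ISO/IEC 7813 (% ^ ? for Track 1, ; = ? for Track 2), applies the Luhn check to the card number so that look-alike noise is not reported as card data, and scans a constructed byte buffer (standing in for a log file or memory capture examined during incident response) and reports only masked card numbers. The sample buffer, the widely published Visa test number 4111111111111111, the cardholder name and the expiry are constructed values, and all function and field names are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Track 1 (IATA): %B<PAN>^<LAST/FIRST>^<YY><MM><service code><discretionary>?
# Track 2 (ABA):  ;<PAN>=<YY><MM><service code><discretionary>?
# The page notes that only Track 1 carries the cardholder name; Track 2 does not.
TRACK1_RE = re.compile(r"%B(\d{12,19})\^([^^]{2,26})\^(\d{2})(\d{2})(\d{3})([^?]*)\?")
TRACK2_RE = re.compile(r";(\d{12,19})=(\d{2})(\d{2})(\d{3})([^?]*)\?")


@dataclass
class TrackData:
    track: int
    pan: str                    # primary account number (card number)
    expiry_yymm: str            # expiration date as encoded on the track
    service_code: str
    cardholder: Optional[str]   # present on Track 1 only
    discretionary: str          # issuer-defined field; treated as opaque here

    def masked_pan(self) -> str:
        """Keep the first six and last four digits, as a report or log should."""
        return self.pan[:6] + "*" * (len(self.pan) - 10) + self.pan[-4:]


def luhn_valid(pan: str) -> bool:
    """Standard Luhn mod-10 check; filters out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _from_match(track: int, m: re.Match) -> TrackData:
    if track == 1:
        pan, name, yy, mm, svc, disc = m.groups()
    else:
        name = None
        pan, yy, mm, svc, disc = m.groups()
    return TrackData(track, pan, yy + mm, svc, name, disc)


def parse_tracks(raw: str) -> list[TrackData]:
    """Return every Track 1 and Track 2 record found in a string (Track 1 hits first)."""
    found = [_from_match(1, m) for m in TRACK1_RE.finditer(raw)]
    found += [_from_match(2, m) for m in TRACK2_RE.finditer(raw)]
    return found


def scan_buffer(buf: bytes) -> list[dict]:
    """Scan an arbitrary byte buffer (log file, process memory capture) for
    cleartext track data and return masked findings with a Luhn verdict."""
    text = buf.decode("latin-1")   # one char per byte, so decoding never fails
    return [
        {
            "track": td.track,
            "pan_masked": td.masked_pan(),
            "luhn_ok": luhn_valid(td.pan),
            "expiry": td.expiry_yymm,
            "cardholder_present": td.cardholder is not None,
        }
        for td in parse_tracks(text)
    ]


# Constructed sample buffer: two genuine-looking records plus one digit run that
# fails Luhn, interleaved with binary noise the way a memory capture would be.
SAMPLE_DUMP = (
    b"\x00\x00log: txn start\n"
    b"%B4111111111111111^DOE/JANE^25121011234567890?\x00\x00"
    b";4111111111111111=25121011234567890?\n"
    b";1234567890123456=25121010000000000?\n"
    b"\xff\xfe end"
)

if __name__ == "__main__":
    for finding in scan_buffer(SAMPLE_DUMP):
        print(finding)
```

Running the block reports three candidate records: the Track 1 and Track 2 copies of the test card (Luhn-valid, with the cardholder name flagged as present on Track 1 only) and one Luhn-invalid run that a triage analyst can discard. The same parse-then-validate logic is what a DLP rule or a post-incident sweep of POS logs needs, and the masked output is the only form in which such a finding should ever be written to a ticket or report.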
Here on the #Bit9Blog, we’ve written repeatedly on these malware families and the ways that hackers are gaining access to corporate POS devices. If you’d like to know more about these specific malware families or attacks, and how Bit9’s unique approach stops them, check out some of our earlier posts:
Bottom Line: Due to gaps in PCI data encryption standards (and without additional protection beyond antivirus), POS machines will remain inherently vulnerable to RAM-scraping malware attacks such as those that hit Target, Home Depot and Goodwill.
Point #4: Retailers Need to Lead, not Follow on Security
Rather than simply asking “Are we compliant?” retailers need to begin thinking seriously about security as a process, not a checklist. Policies and investment models should reflect this approach.
In today’s fast-moving threat landscape, compliance standards and security frameworks are quickly becoming outdated. As foot soldiers on the front lines of today’s cyber battlefield, retailers must be agile in their approach to stay protected and should be leaders, not followers, in the adoption and development of innovative new technologies.
If the past is any indication of the future, organizations that fail to adopt “offense-informs-defense approaches” to security will remain vulnerable and continue to have to inform millions of customers that their data and privacy have been violated.