Continuous Endpoint Visibility Renders Future Point-of-Sale System Breaches Less Likely
US retail outlets still appear an attractive target for hackers seeking credit card data as Marriott franchisee White Lodging Services Corp announced a data breach in the Spring of 2015, affecting customers at 14 hotels across the country from September 2014 to January 2015. This incident comes after White Lodging suffered a similar breach in 2014. The attackers in both cases were reportedly able to compromise the Point-of-Sale systems of the Marriott Lounges and Restaurants at several locations run by White Lodging. The attackers were able to obtain names printed on customers’ credit or debit cards, credit or debit card numbers, the security code and card expiration dates. Point-of-Sale systems were also the target of recent breaches at Target, Neiman Marcus, Home Depot, and others.
Traditionally, Point-of-Sale (or POS) systems at many US retail outlets were “locked down” Windows machines running a small set of applications geared toward their function—ringing up the sale and processing a transaction with the Credit Card merchant or bank. Modern POS terminals are essentially PC’s that run email applications, web browsers and remote desktop tools in addition to their transaction software. To be fair, they are almost always deployed behind a firewall, but are still ripe for exploit. The best defenses can and will be breached if the target is valuable enough. For example, remote control tools used for management and updating of the POS systems are often hijacked by hackers for their purposes.
The credit card or payment processing network is a completely separate, air-gapped, and encrypted network. So how did hackers managed to steal the credit card data? They stole the data while it was in memory on the POS terminal while the payment process was being conducted. Even if retailers don’t store credit card information, the data can be in an unencrypted state on the POS machine while the payment transaction is confirmed. Memory-scraping POS malware such as PoSeidon, FindPOS, FighterPOS, and PunKey are used by the data thieves to harvest the credit card information in its unencrypted state. The data is then usually encrypted and retrieved by the hackers or sent to the Internet where it’s retrieved by the thieves.
Ziften’s solution provides continuous endpoint visibility that can find and remediate these types of threats. Ziften’s MD5 hash analysis can detect new and suspicious processes or .dll files running in the POS environment. Ziften can also kill the process and collect the binary for further action or analysis. It’s also possible to detect POS malware by alerting to Command and Control traffic. Ziften’s integrated Threat Intel and Custom Threat Feed options allows customers to alert when POS malware communicates to C&C nodes. Finally, Ziften’s historical data allows customers to kick start the forensic examination of how the malware got in, what it did after it was installed, and executed and other machines are infected.
It’s past time for retailers to step up the game and look for new solutions to protect their customers’ credit cards.