Carbon Black's security risk and compliance officer Christopher Strand told iTWire in an interview: "PoS breaches continue to mushroom globally. While there is pressure for full adoption of EMV technology (smart chip and PIN), it is going to take a lot of time to completely roll out to users and endpoints.
"In the interim common types of malware that use memory scraping on PoS endpoints will continue to gather payment data."
PoS (point of sale) breaches last year included one affecting up to 3.2 million Visa and MasterCard cardholders in India, traced to malware on Hitachi's Payment Services Platform. Over roughly six weeks the attackers harvested card data that was then used to make fraudulent transactions with counterfeit cards in China.
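The memory scraping Strand refers to is worth making concrete. What follows is an added example, not code from the article, from Carbon Black or from any named malware family: it scans a constructed "process memory" buffer for the Track 1, Track 2 and bare-PAN patterns that a PoS RAM scraper looks for (and that a defensive card-data discovery tool looks for in exactly the same way), applying a Luhn check to discard digit runs that are not card numbers. The buffer contents, the token format in the second buffer and the function names are assumptions made for this example; the card numbers are public test PANs, not real accounts.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of what a PoS process might hold in RAM while a swipe
# is being processed. Test PANs only (4111..., 5555... are public test numbers).
SAMPLE_MEMORY = (
    b"\x00\x00RECEIPT#1234 TOTAL=19.99\x00\x00"
    b";4111111111111111=25121010000012345678?"   # Track 2: PAN=YYMM SVC discretionary
    b"\x00\x00log: tx ok\x00"
    b"%B5555555555554444^DOE/JOHN^2512101?"      # Track 1: PAN^NAME^YYMM SVC
    b"\x00\x001234567812345670\x00"               # bare 16-digit run, Luhn-valid
    b"\x00\x001234567812345678\x00"               # 16-digit run that fails Luhn: noise
)

# Constructed buffer for a terminal that only ever held a token and a masked
# PAN (hypothetical "tok_" token format): nothing here passes as card data.
SAMPLE_MEMORY_TOKENIZED = (
    b"\x00\x00RECEIPT#1234 TOTAL=19.99\x00\x00"
    b"TOKEN=tok_7c2e91ab PAN=411111******1111 EXP=2512\x00"
)

# ISO 7813 track layouts: start sentinel, PAN, separator, expiry, service code,
# discretionary data, end sentinel. The bare-PAN pattern is a 13-19 digit run
# that is not part of a longer digit run.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: bytes) -> bool:
    """Luhn mod-10 check over an ASCII digit string; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 0x30
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Hit:
    kind: str             # "track1", "track2" or "pan"
    offset: int           # byte offset in the scanned buffer
    pan_masked: str       # first 6 and last 4 digits only, never the full PAN
    expiry: Optional[str]  # YYMM when the track carried it


def mask(pan: bytes) -> str:
    s = pan.decode()
    return s[:6] + "*" * (len(s) - 10) + s[-4:]


def scan_buffer(buf: bytes) -> List[Hit]:
    """Find track data and bare PANs in a memory buffer, Luhn-validated, sorted by offset."""
    hits: List[Hit] = []
    covered = []  # spans already claimed by a track match; don't double-report their PAN
    for m in TRACK1_RE.finditer(buf):
        if luhn_ok(m.group(1)):
            hits.append(Hit("track1", m.start(), mask(m.group(1)), m.group(3).decode()))
            covered.append((m.start(), m.end()))
    for m in TRACK2_RE.finditer(buf):
        if luhn_ok(m.group(1)):
            hits.append(Hit("track2", m.start(), mask(m.group(1)), m.group(2).decode()))
            covered.append((m.start(), m.end()))
    for m in PAN_RE.finditer(buf):
        if any(s <= m.start() < e for s, e in covered):
            continue
        if luhn_ok(m.group(1)):
            hits.append(Hit("pan", m.start(), mask(m.group(1)), None))
    hits.sort(key=lambda h: h.offset)
    return hits


if __name__ == "__main__":
    for h in scan_buffer(SAMPLE_MEMORY):
        print(f"{h.kind:6s} @{h.offset:4d} {h.pan_masked} exp={h.expiry}")
    print("tokenised buffer hits:", scan_buffer(SAMPLE_MEMORY_TOKENIZED))
```

Run against the first buffer the scan returns three hits (the Track 2 record, the Track 1 record and the one bare digit run that passes Luhn) and discards the run that does not; against the second buffer it returns nothing. That second result is the property that encryption or tokenisation at the transaction inception point buys: the scraper still runs, but there is no cleartext card data in process memory for it to find. A real scraper walks every process with ReadProcessMemory rather than one buffer, but the pattern matching it does is the part shown here.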
Q. Is EMV just a part of the solution?
Strand: EMV, as with other encryption and token technology at the transaction inception points, will not eliminate the malware threat. Exploits have continually evolved to find new ways to exploit these systems and steal critical data even with EMV implementations.
Even EMV has been compromised. Even as PoS defences are enhanced, all it does is result in more attacks on other segments of the payment system as a whole (such as eCommerce systems and shared servers).
Regardless, payment providers must focus on the security posture of their entire infrastructure – there is no replacement for true in-depth, defence coverage throughout the payment systems.
Q. Will attackers continue to target ill-prepared and older PoS systems?
Strand: Continued use of unsupported or unpatched PoS operating systems, especially in developing economies, leaves providers vulnerable to attack – a large percentage are “out of support”, where security patches to fix vulnerabilities are no longer available. These providers are at an increased risk of breaching their compliance posture and payment industry regulations.
Many of the PoS malware variants are years old and still work, especially on systems that are poorly patched (zero-day exploits still work), in a state needing upgrades, or that are integrated with other unsupported systems.
Q. Do things like CNP, mobile payments, and e-commerce widen the threat window?
Strand: “Card not present” (CNP) still presents a vast array of threats to organisations. Businesses expect providers to handle these issues, but both must focus on the security posture of their entire infrastructure.
Businesses need to be vigilant and proactive to ensure their security posture is solid across all their sensitive systems and have “defence in depth” throughout their stores, PoS systems, and back-end and corporate systems. They need visibility to respond quickly if something in their payment ecosystem is awry – otherwise, they are just another weak link in the payments chain.
Providers need to unite with the wealth of threat intelligence available in the marketplace. Shared threat intelligence will evolve security posture – no e-commerce vendor should go it alone.
Q. Are increasingly complex regulatory environments presenting new challenges to providers?
Strand: There will be a continued trend of increased regulations and fines for payment system breaches. Many providers who simply consider breaches inevitable and a cost of doing business may find they are now liable.
Most regulations will shift to proactive security. The core requirements will make providers and businesses provide proactive analysis of their systems and give auditors and security managers a real sense of the risk posed by any of the security gaps within the ecosystem. For example, patch management and vulnerability assessment will need to be real-time.
PCI-DSS, with its ever-changing data security needs, is only going to get tougher and require all payment chain links to measure each of their policies and security controls. This is in tandem with many other cyber and data security mandates to holistically address payment security.
Q. Won't increasing awareness of security breaches and how they happened lead to more sophisticated PoS malware?
Strand: Every time there is a PoS breach, cyber criminals get to learn more of the weaknesses to exploit, and malware becomes more sophisticated.
Businesses must embrace the inevitability of cyber attacks and better malware – what you protect against today will not necessarily work tomorrow. Current PoS malware focuses on different segments of an organisation’s environment, not always the obvious attack vectors, and is generally harder to detect.
Q. Is the payment card industry under threat?
Strand: Absolutely, but we need e-commerce and e-payment so it is a matter of security evolving faster than the bad guys to maintain confidence in the system. I have mentioned that it is time for all providers to adopt a “you show me yours and vice versa” information sharing to bring some semblance of sense to fighting cyber criminals.
Attack vectors and variants are becoming more innovative and resilient. A good example was Oracle MICROS, where attackers compromised a customer support portal. Cyber criminals will focus on aging, unsupported, geographically distributed systems; holiday periods when systems are stressed and known vulnerabilities are easier to exploit; or systems lacking security controls that provide sufficient visibility. I repeat that aging, unpatched and out-of-support systems still in use are most at risk. PoS vulnerabilities can be a conduit to the greater computing ecosystem.
But with the number of unsupported systems still increasing (whether due to cost, convenience or not adopting full EMV), organisations are struggling to apply measurable analytics or frameworks that can help discover security gaps.
As an IT auditor, I have used risk modelling and assessment to measure various attributes of organisations that are under many different types of regulatory scrutiny. Business risk and measurement across IT and security systems are not new concepts!
IT policy, business process, and financial hygiene are often applied against a scorecard to establish qualitative and quantitative proof of compliance. While the concept of measuring cyber security has become a necessary process, it is still complex and those who struggle with it are at increased risk from cyber threats.
Many common frameworks and some regulations have provisions that help measure the effectiveness of security controls – PCI DSS, HIPAA, and other financial security regulations (FFIEC, HKMA).
Kindred organisations have created collective hubs of shared data to better share security intelligence – retail has RILA (Retail Industry Leaders Association), financial services has the FS-ISAC (Financial Services Information sharing and Analysis Centre) and more.
But the bad guys also share – they are even better in using collective and community intelligence to their advantage.
End-of-life systems are vulnerable, yet they are still widely used in the payments system. XP and XP Embedded are long gone, but many PoS systems still run on them! Windows Server 2003 reached its end of life last year, yet many back ends use it. Security gaps and vulnerabilities in these systems are still being discovered!
Q. Can you summarise the issues?
- Security: unsupported machines create huge vulnerabilities, including denial of service (DoS), buffer overflow and code execution issues. Cyber criminals look for low-hanging fruit.
- “Out of support”: too many popular PoS operating systems are “out of support” – more low-hanging fruit.
- Non-compliance: PCI, HIPAA, Dodd-Frank and most regulations require vulnerabilities to be patched within 30 days of discovery. It is impossible if patch updates aren’t happening.
- PII risk: older versions of operating systems and software make it almost impossible to ensure the confidentiality of critical information such as PII, user data, healthcare records and credit card information.
- Audit risk: outdated systems cannot meet the audit “proof” that information is safe and secure from threats.
- Unpatchable and outdated systems lead to “zero-day forever” scenarios: there will be no new patches for zero-day attacks, so the vulnerabilities can never be remediated. Microsoft’s official position is: “Unsupported and unpatched environments are vulnerable to security risks. This may result in an officially recognised control failure by an internal or external audit body, leading to the suspension of certifications, and/or public notification of the organisation’s inability to maintain its systems and customer information.”
- Breach and data compromise: malware can access highly confidential information such as patient healthcare records.
- Financial penalties: your organisation can be fined for failure to pass compliance audits or for being in a non-compliant state.
- Damage to or illicit use of your patient healthcare records: a most devastating consequence and one that is difficult to remediate. Your organisation’s public image can suffer from a breach or failure to operate in a compliant state.