Compromised Third-Party Credentials Lead to Major POS Intrusions
The most recent confirmed retail data breach, affecting about 5 percent of Wendy’s restaurants, involved a compromise of the chain’s point-of-sale (POS) system. POS devices, including POS terminals, are a frequent target for attackers because they collect magnetic stripe data from customers’ cards, which includes credit and debit card numbers.
In its SEC filings, Wendy’s revealed that malware was installed through the use of compromised third-party vendor credentials, likely starting in the fall of 2015. The company also found that approximately 50 franchise restaurants are suspected of having, or were found to have, unrelated security issues, according to eWeek.com.
In 2014, Target’s major breach of the credit card and personal data of more than 110 million consumers unfolded in a similar way - Target’s HVAC vendor was targeted by a phishing email carrying malware that stole an employee’s credentials, which were then used to gain access to Target’s billing system, according to KrebsonSecurity.com. From the billing system, the attackers moved laterally into the internal network and reached the POS devices.
Yet another retailer, Jimmy John’s, was breached when their POS vendor, Signature Systems, was compromised via stolen credentials, allowing an attacker to remotely access the POS systems of their clients.
Preventing a POS breach means protecting against attacks that leverage stolen, weak or default passwords - which are involved in 63% of all data breaches, according to Verizon’s latest Data Breach Investigations Report (DBIR). The report makes clear that stolen credentials play a significant role in attacks on POS environments:
…keylogging malware has a significant role in many POS attacks, being a common method of capturing valid credentials to be used against POS assets.
Ninety-seven percent of the breaches involved the use of legitimate partner access - that is, a third party of some sort, as seen in the case of Target with the HVAC vendor and Wendy’s with an unnamed third-party vendor. That makes a strong case for retailers to secure their POS and CDE environments against unauthorized access via third parties.
So how can retailers protect against a similar breach? Here are a few tips for managing third-party vendor access and security:
- Limit what access they have. Use the principle of least privilege to ensure vendors only have access to what they need to do their job.
- Deploy two-factor authentication. Add another layer of protection that simply and effectively blocks remote attacks using stolen credentials. The latest version of the standard, PCI DSS 3.2, requires two-factor authentication for all administrators with access to the cardholder data environment (CDE), whether local or remote, and that includes third-party access.
- Set temporary access controls. Use a two-factor authentication solution that allows you to generate temporary, one-time and time-based passcodes for access that expire after a set amount of time.
- Monitor and block access. Track where your users are authenticating from, and block them if they attempt to authenticate from an untrusted location or network with geolocation controls.
- Segment networks properly. Isolate systems that store, process or transmit cardholder data from those that do not - separate the cardholder data environment (CDE) from the rest of your network.
- Keep internal documents internal. In the case of Target, massive amounts of internal documentation for vendors was left on a variety of public websites. Even though it doesn’t seem explicitly sensitive, that kind of information makes it easy for attackers to figure out which applications and operating systems the retailer is using, as well as usernames and server names.
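The tips above describe a policy for third-party access, not an implementation. The following added example (not Duo’s code, nor any retailer’s or vendor’s) shows how a jump host in front of the CDE could evaluate a vendor’s authentication attempt against such a policy: a time-boxed grant, a least-privilege list of target systems, an allowlisted source network and a required second factor. The vendor name, hostnames, IP ranges and events are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

@dataclass
class VendorGrant:
    vendor: str
    allowed_systems: set        # least privilege: only the systems the job needs
    allowed_networks: list      # vendor's declared egress ranges (CIDR strings)
    expires_at: datetime        # temporary access: the grant closes at this time
    requires_2fa: bool = True   # second factor required for access to the CDE

def evaluate(grant, event):
    """Check one authentication event against the grant; return (allowed, reasons)."""
    reasons = []
    if event["time"] > grant.expires_at:
        reasons.append("grant expired")
    if event["target"] not in grant.allowed_systems:
        reasons.append("target not covered by grant")
    src = ip_address(event["src_ip"])
    if not any(src in ip_network(n) for n in grant.allowed_networks):
        reasons.append("untrusted source network")
    if grant.requires_2fa and not event.get("second_factor_ok", False):
        reasons.append("second factor missing")
    return (not reasons, reasons)

def review(grant, events):
    """Return (src_ip, reasons) for every denied event, for the SOC to follow up on."""
    denied = []
    for e in events:
        ok, reasons = evaluate(grant, e)
        if not ok:
            denied.append((e["src_ip"], reasons))
    return denied

UTC = timezone.utc
# Constructed grant: a POS vendor's maintenance window on one store's POS server.
GRANT = VendorGrant(vendor="pos-vendor-example", allowed_systems={"pos-srv-store-042"},
                    allowed_networks=["203.0.113.0/24"],   # documentation range, stands in for the vendor's
                    expires_at=datetime(2016, 6, 1, 18, 0, tzinfo=UTC))
# Constructed events: the legitimate login, the same credentials reused from elsewhere
# after the window, and an in-window attempt to reach a system outside the grant.
EVENTS = [
    {"time": datetime(2016, 6, 1, 9, 0, tzinfo=UTC), "src_ip": "203.0.113.10",
     "target": "pos-srv-store-042", "second_factor_ok": True},
    {"time": datetime(2016, 6, 1, 23, 30, tzinfo=UTC), "src_ip": "198.51.100.7",
     "target": "pos-srv-store-042", "second_factor_ok": False},
    {"time": datetime(2016, 6, 1, 10, 0, tzinfo=UTC), "src_ip": "203.0.113.10",
     "target": "billing-app-01", "second_factor_ok": True},
]

if __name__ == "__main__":
    for src, reasons in review(GRANT, EVENTS):
        print(f"DENY {src}: {', '.join(reasons)}")
```

Note that the stolen-credential replay is denied on three independent grounds, so the second factor is not the only control standing between the attacker and the CDE.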
Find out more tips and information about retail breaches by downloading Duo’s Modern Guide to Retail Security Risks: Avoiding Catastrophic Data Breaches in the Retail Industry. In this report, you’ll learn about:
- New risks to the retail industry presented by cloud, mobile and Bring Your Own Device (BYOD)
- Business and compliance drivers for strengthening authentication security
- How outdated security solutions can no longer effectively protect retailers and consumers alike
- How implementing a modern two-factor authentication solution can work to protect the new IT model
Ideal for CISOs, security, compliance and risk management officers, IT administrators and other professionals concerned with information security, this guide is for IT decision-makers that need to implement strong authentication security, as well as those evaluating two-factor authentication solutions for organizations in the retail industry.