Keys to the Digital Kingdom: Point-of-Sale Intrusions Rely on Stolen Credentials
Over 95 percent of security incidents involve credential-harvesting from customer devices, then logging into web applications with them, according to Verizon’s 2015 Data Breach Investigations Report (DBIR). And for the retail industry, point-of-service (POS) vendors were the main source of compromise.
POS intrusions have jumped to the top of the types of security incidents in 2015, while previously holding the eighth position in 2014, when they account for just .7 percent of all incidents. POS intrusions now account for 28.5 percent of all security incidents, followed by crimewave (18.8 percent) and cyber-espionage (18 percent). This highlights the need for endpoint security, now more than ever.
POS intrusions affected the accommodation, entertainment and retail industries the most. For smaller companies, POS devices were directly targeted, with attackers guessing or brute-forcing passwords to gain access, while larger organizations involved more complicated attacks. Typically, an initial system breach led to a POS system attack as criminals found a point of weakness and then moved deeper into a retailer’s network to find valuable data to steal.
The report found that many breached POS vendors had keyloggers installed in their systems via phishing campaigns or network breaches - and they all had their remote access credentials compromised. This made it easy for criminals to log into networks remotely, undetected, and exfiltrate customer payment card data.
One example of exploited remote access credentials is the case of a POS vendor Information Systems & Supplies (IS&S), serving chain restaurants like Dairy Queen and Buffalo Wild Wings. The attacker exploited stolen credentials for the company’s LogMeIn Remote Access application that allowed him/her to log in via web browser and access their computer remotely. Read more about it in POS Remote Access Software: Vulnerable Without 2FA.
The classic examples of an attacker breaching large retailers via their POS software vendors include Target, Jimmy John’s, Goodwill, Home Depot, Dairy Queen, and more recently, the soup chain Zoup. And yet another breach that may affect 70,000 consumers has been reported by Compass Group, comprised of 18 companies that provide food for events and organizations, including IBM, SAP, the District of Columbia Public Schools and the Academy Awards. The common denominator between Zoup and Compass Group? They used the same POS software provider, NEXTEP.
Verizon also reports a shift in the trend from relying on default credentials to capturing and using stolen credentials. Since stealing passwords can be achieved with simple, low-tech phishing emails, it makes sense that criminals would seek them out, as it opens more doors than trying default credentials to see if they work. The report also found that many retail breach incidents involved social engineering tactics, including phone calls to store employees asking for POS remote access credentials.
Retail breaches suck, but they can suck even more years after the fact. Recently, Target just settled with MasterCard over the costs associated with their 2013 data breach, as CNET.com reported. Target agreed to pay the card issuer $19 million to compensate for the costs of canceling accounts, creating new accounts and sending out new cards. But many other banks have had to foot the costs, as well, including JPMorgan Chase, which was also breached last year. According to CNET.com, the retailer is also in negotiations with Visa to settle a similar dispute.
So what to do? The DBIR suggested:
…there’s no getting around the fact that credentials are literally the keys to the digital kingdom. If possible, improve them with a second factor such as a hardware token or mobile app and monitor login activity with an eye out for unusual patterns.
Hardware tokens might be a pain to carry around, but a mobile app is an easy way to authenticate with your smartphone, something you likely carry around with you anyway. A two-factor authentication app that sends push notification authentication requests to your phone takes just a few taps to log into all of your apps securely.
And monitoring login activity can be easy with the help of geolocation data and other authentication logs that let you see where your users are logging in from. As part of your endpoint security strategy, you can also set precise policies and controls in order to restrict who can log in from where, and to what application.
Learn more about access security solutions and how to mitigate retail data risks in our Modern Guide to Retail Data Risks. Download our free guide today for a detailed overview of the retail industry's current state of security, and recommendations on safeguarding customer financial information.